This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang-tidy/cert/
-
cert/
1/1
CERTTidyModule.cpp
-
CMakeLists.txt
1/1
LimitedRandomnessCheck.h
6/17
LimitedRandomnessCheck.cpp
-
docs/clang-tidy/checks/
-
clang-tidy/
-
checks/
-
cert-msc30-c.rst
4/4
cert-msc50-cpp.rst
2/2
list.rst
-
test/clang-tidy/
-
clang-tidy/
-
cert-limited-randomness.c
1/1
cert-limited-randomness.cpp

Differential D22346

[Clang-tidy] CERT-MSC50-CPP (std:rand() )
ClosedPublic

Authored by falho on Jul 14 2016, 5:13 AM.

Download Raw Diff

Details

Reviewers

Prazek
aaron.ballman
hokein
alexfh
xazax.hun
o.gyorgy

Summary

This checker warns fors the usage of std:rand() function

more info about the problem can be found here:
https://www.securecoding.cert.org/confluence/display/cplusplus/MSC50-CPP.+Do+not+use+std%3A%3Arand%28%29+for+generating+pseudorandom+numbers

Diff Detail

Event Timeline

falho updated this revision to Diff 63955.Jul 14 2016, 5:13 AM

falho retitled this revision from to CERT-MSC50-CPP (std:rand() ).

falho updated this object.

Herald added a subscriber: nemanjai. · View Herald TranscriptJul 14 2016, 5:13 AM

falho updated this revision to Diff 67728.Aug 11 2016, 12:41 PM

falho added subscribers: alex, o.gyorgy, xazax.hun.Aug 11 2016, 12:44 PM

falho added reviewers: o.gyorgy, xazax.hun, alex.Aug 11 2016, 12:49 PM

falho retitled this revision from CERT-MSC50-CPP (std:rand() ) to [Clang-tidy] CERT-MSC50-CPP (std:rand() ).Aug 11 2016, 2:21 PM

falho added reviewers: alexfh, aaron.ballman, etienneb, hokein, Prazek.

falho set the repository for this revision to rL LLVM.

falho edited subscribers, added: Eugene.Zelenko, cfe-commits; removed: xazax.hun, o.gyorgy, alex, nemanjai.

Please mention this check in docs/ReleaseNotes.rst (in alphabetical order).

docs/clang-tidy/checks/cert-msc50-cpp.rst
5	Should be same length as section name above.
7	Please use check and highlight std::rand() with ``.

LGTM with the fixes of docs.

clang-tidy/cert/LimitedRandomnessCheck.cpp
32	I am not sure about the diagnostics convention, it is possible that you should replace comma with semicolon.

This revision is now accepted and ready to land.Aug 14 2016, 1:25 AM

Thank you for working on this check!

clang-tidy/cert/CERTTidyModule.cpp
37	Please place this under a MSC heading rather than DCL. This check should additionally be listed as cert-msc30-c (https://www.securecoding.cert.org/confluence/display/c/MSC30-C.+Do+not+use+the+rand%28%29+function+for+generating+pseudorandom+numbers).
clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	This should be looking at a callExpr() rather than a declRefExpr(), should it not?
32	This diagnostic is incorrect for C code. Should only suggest C++ <random> in C++ mode. Also, it should be a semicolon rather than a comma in the diagnostic text.
clang-tidy/cert/LimitedRandomnessCheck.h
20	Both sentences are correct, but it doesn't clarify why `std::rand()` is bad. Should add a sentence between these two that says something about why std::rand() in particular is called out rather than the other pseudorandom number generators.
docs/clang-tidy/checks/cert-msc50-cpp.rst
7	The same argument could be used to disallow C++ <random> generators that aren't true truly random sources. Should specify more about why rand() is particularly bad.
docs/clang-tidy/checks/list.rst
21	Please also add a cert-msc30-c file with a redirect (like fio38-c from above).
test/clang-tidy/cert-limited-randomness.cpp
2	Please also add a test for C since the check works there as well, and will have different diagnostic text.

This revision now requires changes to proceed.Aug 14 2016, 4:20 AM

alex resigned from this revision.Aug 14 2016, 6:20 AM

alex removed a reviewer: alex.

Prazek added inline comments.Aug 14 2016, 11:59 AM

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	I was also thinking about this, but this is actually better, because it will also match with binding rand with function pointer.

aaron.ballman added inline comments.Aug 14 2016, 1:37 PM

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	True, but a DeclRefExpr doesn't mean it's a function call. Binding the function is not contrary to the CERT rule, just calling it. For instance, the following pathological case will be caught by this check: if (std::rand) {} The behavior of this check should be consistent with cert-env33-c, which only looks at calls. (If we really care about bound functions, we'd need flow control analysis, and I think that's overkill for both of those checks, but wouldn't be opposed to someone writing the flow analysis if they really wanted to.)

Hi! Thanks for the reviews! I will be off for a few days so I will start working on it when Im back. Greetz! Benedek

Prazek added inline comments.Aug 14 2016, 2:08 PM

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	It would indeed fire on this pathological case, but I don't think we should care about cases like this, because no one is writing code like this (and if he would then it would probably be a bug). I don't think that there is much code that binds pointer to std::rand either, but I think it would be good to display warning for this, because even if the function would be never called, then it means that this is a bug, and if it would be called then it would be nice to tell user that rand might be used here. Anyway I don't oppose for changing it to callExpr, but I think it is better this way.

aaron.ballman added inline comments.Aug 14 2016, 3:10 PM

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	It would indeed fire on this pathological case, but I don't think we should care about cases like this, because no one is writing code like this (and if he would then it would probably be a bug). It would be a known false-positive for a check designed to conform to a particular coding standard. When deviations have come up in the past for various coding standards, we've added an option to enable the additional functionality, which I don't think would be reasonable in this case. Alternatively, the CERT guideline could be modified, but that is unlikely to occur because binding the function pointer is not a security concern (only calling the function).

xazax.hun added inline comments.Aug 15 2016, 12:07 AM

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	In case you let binding to function pointer you introduce potential false negatives which is worse in this case in my opinion.

aaron.ballman added inline comments.Aug 15 2016, 5:37 AM

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	Basically: this half-measure is sufficient for the CERT coding rule, but isn't ideal. The ideal check isn't likely to uncover many more cases than the half-measure, which is why it was not implemented in the past. If someone wants to implement the whole-measure, that's great! But implementing a half, half-measure that isn't consistent with other, similar checks is the wrong thing to do.

xazax.hun added inline comments.Aug 15 2016, 5:46 AM

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	You can not implement an ideal checker. In general, it is undecidable whether std::rand is called or not. (You can easily create an example where you would need to solve the halting problem in order to decide whether std::rand is called.) Since the ideal checker is infeasible the question is whether you are OK with false positives or false negatives. The approach you are suggesting result in false negatives. The current approach results in false positives. I think, for this security checker, a false positive is much less serious to have than a false negative. Moreover, I doubt that people write code where such false positives are intended and the code should not be changed. But in case you can think of an example, please let us know.

xazax.hun added inline comments.Aug 15 2016, 5:52 AM

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	I think consisteny with other checks are not always a good argument. You might want to ask what is the expected false positive and false nagtive rate from a check, and what is the guarantee that a user expects from a check. And I think base on that it is a unique decision that should be considered independently for each check. In this case I think it is more valuable to have a guarantee that in case all of the code is covered, std::rand() is not invoked. Using a callExpr instead of declRefExpr we would loose this guarantee at the cost of not reporting some false positive cases that are unlikely to annoy anyone anyways.

aaron.ballman added inline comments.Aug 15 2016, 5:52 AM

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	You can not implement an ideal checker. In general, it is undecidable whether std::rand is called or not. (You can easily create an example where you would need to solve the halting problem in order to decide whether std::rand is called.) I said "ideal", not "perfect", but we're splitting hairs. You are correct, you're never going to get perfect clarity without runtime instrumentation. By "ideal", I meant "something that actually pays attention to the bound value from the point it is bound to the point the function pointer is called." Simply having the address of the function is not a security concern; calling it is. I think, for this security checker, a false positive is much less serious to have than a false negative. We'll have to agree to disagree. As the person who maintains the CERT rules (and their checkers), my preference for right now is to use callExpr().

falho marked 5 inline comments as done.Sep 13 2016, 9:23 AM

falho added inline comments.

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	Thank you for the reviews! So what is the conclusion? Should I change to callExpr()?

dkrupp added a subscriber: dkrupp.Sep 13 2016, 9:41 AM

aaron.ballman added inline comments.Sep 14 2016, 10:58 AM

clang-tidy/cert/LimitedRandomnessCheck.cpp
23–24	My preference is that the check use `callExpr()` -- otherwise the check will trigger as a false positive for code that is allowed by MSC50-CPP and MSC30-C. If others feel strongly that `declRefExpr()` is the better approach, then I'd like `CommandProcessorCheck::registerMatchers()`, `SetLongJmpCheck::registerMatchers()`, and `StrToNumCheck::registerMatchers()` changed to behave similarly (though not as part of this patch).

ilya-palachev added a subscriber: ilya-palachev.Sep 15 2016, 1:32 AM

etienneb removed a reviewer: etienneb.Sep 26 2016, 8:47 AM

falho marked 5 inline comments as done.Oct 17 2016, 2:30 PM

updated diff according to first reviews

Herald added subscribers: modocache, mgorny, beanz. · View Herald TranscriptOct 17 2016, 2:50 PM

Thank you for continuing your efforts on this, I have just a few minor nits remaining.

clang-tidy/cert/LimitedRandomnessCheck.cpp
36	For C code, this diagnostic will read strangely due to the trailing semicolon. You should move the semicolon into the `msg` above. Perhaps we can also drop "function" from the diagnostic as well.
docs/clang-tidy/checks/cert-msc50-cpp.rst
4	This should be cert-msc50-cpp instead.
docs/clang-tidy/checks/list.rst
21	This should be cert-msc30-c

falho marked 3 inline comments as done.Oct 19 2016, 2:36 AM

I noticed you marked several comments as done, but the patch is not updated with changes. Have I missed something?

changes according to 2nd review

clang-tidy/cert/.LimitedRandomnessCheck.cpp.swo was added and should not have been; also, there's one minor issue with the diagnostic wording that is still outstanding.

clang-tidy/cert/LimitedRandomnessCheck.cpp
36	This comment does not appear to have been handled -- the semicolon is still present even when `msg` is empty.

removed semicolon, and replaced it with a comma that only appears in .cpp diagnostics
test cases corrected according to this

removed junk .swo file

In D22346#580242, @falho wrote:

removed semicolon, and replaced it with a comma that only appears in .cpp diagnostics

The semicolon was the correct punctuator to use, but thank you for moving it into the cpp message.

test cases corrected according to this

removed junk .swo file

Thanks!

clang-tidy/cert/LimitedRandomnessCheck.cpp
31	Switch the "," to ";", and remove the curly braces.

in cpp diagnostics message: comma changed back to semicolon, + curly braces removed
testfiles corrected accordingly

LGTM, thank you for working on this!

This revision is now accepted and ready to land.Oct 27 2016, 1:27 PM

Cool! Thank you for the reviews!

In D22346#581329, @falho wrote:

Cool! Thank you for the reviews!

If you don't have commit privileges, let me know and I'm happy to commit on your behalf.

Thanks but I think I will try it!

I just figured out that I don't have right to commit to llvm so I would appreciate if you could commit this check for me. Do you need any info about me? Thank you!

Thanks! I've commit in r285809

Thanks !

Revision Contents

Path

Size

clang-tidy/

cert/

CERTTidyModule.cpp

7 lines

CMakeLists.txt

1 line

LimitedRandomnessCheck.h

38 lines

LimitedRandomnessCheck.cpp

40 lines

docs/

clang-tidy/

checks/

cert-msc30-c.rst

7 lines

cert-msc50-cpp.rst

6 lines

list.rst

2 lines

test/

clang-tidy/

cert-limited-randomness.c

13 lines

cert-limited-randomness.cpp

28 lines

Diff 76072

clang-tidy/cert/CERTTidyModule.cpp

	Show All 12 Lines
	#include "../google/UnnamedNamespaceInHeaderCheck.h"			#include "../google/UnnamedNamespaceInHeaderCheck.h"
	#include "../misc/MoveConstructorInitCheck.h"			#include "../misc/MoveConstructorInitCheck.h"
	#include "../misc/NewDeleteOverloadsCheck.h"			#include "../misc/NewDeleteOverloadsCheck.h"
	#include "../misc/NonCopyableObjects.h"			#include "../misc/NonCopyableObjects.h"
	#include "../misc/StaticAssertCheck.h"			#include "../misc/StaticAssertCheck.h"
	#include "../misc/ThrowByValueCatchByReferenceCheck.h"			#include "../misc/ThrowByValueCatchByReferenceCheck.h"
	#include "CommandProcessorCheck.h"			#include "CommandProcessorCheck.h"
	#include "FloatLoopCounter.h"			#include "FloatLoopCounter.h"
				#include "LimitedRandomnessCheck.h"
	#include "SetLongJmpCheck.h"			#include "SetLongJmpCheck.h"
	#include "StaticObjectExceptionCheck.h"			#include "StaticObjectExceptionCheck.h"
	#include "StrToNumCheck.h"			#include "StrToNumCheck.h"
	#include "ThrownExceptionTypeCheck.h"			#include "ThrownExceptionTypeCheck.h"
	#include "VariadicFunctionDefCheck.h"			#include "VariadicFunctionDefCheck.h"

	namespace clang {			namespace clang {
	namespace tidy {			namespace tidy {
	namespace cert {			namespace cert {

	class CERTModule : public ClangTidyModule {			class CERTModule : public ClangTidyModule {
	public:			public:
	void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {			void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
	// C++ checkers			// C++ checkers
	// DCL			// DCL
	CheckFactories.registerCheck<VariadicFunctionDefCheck>(			CheckFactories.registerCheck<VariadicFunctionDefCheck>(
				aaron.ballmanUnsubmitted Done Reply Inline Actions Please place this under a MSC heading rather than DCL. This check should additionally be listed as cert-msc30-c (https://www.securecoding.cert.org/confluence/display/c/MSC30-C.+Do+not+use+the+rand%28%29+function+for+generating+pseudorandom+numbers). aaron.ballman: Please place this under a // MSC heading rather than // DCL. This check should additionally be…
	"cert-dcl50-cpp");			"cert-dcl50-cpp");
	CheckFactories.registerCheck<misc::NewDeleteOverloadsCheck>(			CheckFactories.registerCheck<misc::NewDeleteOverloadsCheck>(
	"cert-dcl54-cpp");			"cert-dcl54-cpp");
	CheckFactories.registerCheck<google::build::UnnamedNamespaceInHeaderCheck>(			CheckFactories.registerCheck<google::build::UnnamedNamespaceInHeaderCheck>(
	"cert-dcl59-cpp");			"cert-dcl59-cpp");
	// OOP			// OOP
	CheckFactories.registerCheck<misc::MoveConstructorInitCheck>(			CheckFactories.registerCheck<misc::MoveConstructorInitCheck>(
	"cert-oop11-cpp");			"cert-oop11-cpp");
	// ERR			// ERR
	CheckFactories.registerCheck<misc::ThrowByValueCatchByReferenceCheck>(			CheckFactories.registerCheck<misc::ThrowByValueCatchByReferenceCheck>(
	"cert-err09-cpp");			"cert-err09-cpp");
	CheckFactories.registerCheck<SetLongJmpCheck>(			CheckFactories.registerCheck<SetLongJmpCheck>(
	"cert-err52-cpp");			"cert-err52-cpp");
	CheckFactories.registerCheck<StaticObjectExceptionCheck>(			CheckFactories.registerCheck<StaticObjectExceptionCheck>(
	"cert-err58-cpp");			"cert-err58-cpp");
	CheckFactories.registerCheck<ThrownExceptionTypeCheck>(			CheckFactories.registerCheck<ThrownExceptionTypeCheck>(
	"cert-err60-cpp");			"cert-err60-cpp");
	CheckFactories.registerCheck<misc::ThrowByValueCatchByReferenceCheck>(			CheckFactories.registerCheck<misc::ThrowByValueCatchByReferenceCheck>(
	"cert-err61-cpp");			"cert-err61-cpp");
				// MSC
				CheckFactories.registerCheck<LimitedRandomnessCheck>(
				"cert-msc50-cpp");

	// C checkers			// C checkers
	// DCL			// DCL
	CheckFactories.registerCheck<misc::StaticAssertCheck>(			CheckFactories.registerCheck<misc::StaticAssertCheck>(
	"cert-dcl03-c");			"cert-dcl03-c");
	// ENV			// ENV
	CheckFactories.registerCheck<CommandProcessorCheck>(			CheckFactories.registerCheck<CommandProcessorCheck>(
	"cert-env33-c");			"cert-env33-c");
	// FLP			// FLP
	CheckFactories.registerCheck<FloatLoopCounter>(			CheckFactories.registerCheck<FloatLoopCounter>(
	"cert-flp30-c");			"cert-flp30-c");
	// FIO			// FIO
	CheckFactories.registerCheck<misc::NonCopyableObjectsCheck>(			CheckFactories.registerCheck<misc::NonCopyableObjectsCheck>(
	"cert-fio38-c");			"cert-fio38-c");
	// ERR			// ERR
	CheckFactories.registerCheck<StrToNumCheck>(			CheckFactories.registerCheck<StrToNumCheck>(
	"cert-err34-c");			"cert-err34-c");
				// MSC
				CheckFactories.registerCheck<LimitedRandomnessCheck>(
				"cert-msc30-c");
	}			}
	ClangTidyOptions getModuleOptions() override {			ClangTidyOptions getModuleOptions() override {
	ClangTidyOptions Options;			ClangTidyOptions Options;
	Options.CheckOptions["cert-oop11-cpp.UseCERTSemantics"] = "1";			Options.CheckOptions["cert-oop11-cpp.UseCERTSemantics"] = "1";
	return Options;			return Options;
	}			}
	};			};

	Show All 13 Lines

clang-tidy/cert/CMakeLists.txt

	set(LLVM_LINK_COMPONENTS support)			set(LLVM_LINK_COMPONENTS support)

	add_clang_library(clangTidyCERTModule			add_clang_library(clangTidyCERTModule
	CERTTidyModule.cpp			CERTTidyModule.cpp
	CommandProcessorCheck.cpp			CommandProcessorCheck.cpp
	FloatLoopCounter.cpp			FloatLoopCounter.cpp
				LimitedRandomnessCheck.cpp
	SetLongJmpCheck.cpp			SetLongJmpCheck.cpp
	StaticObjectExceptionCheck.cpp			StaticObjectExceptionCheck.cpp
	StrToNumCheck.cpp			StrToNumCheck.cpp
	ThrownExceptionTypeCheck.cpp			ThrownExceptionTypeCheck.cpp
	VariadicFunctionDefCheck.cpp			VariadicFunctionDefCheck.cpp

	LINK_LIBS			LINK_LIBS
	clangAnalysis			clangAnalysis
	Show All 9 Lines

clang-tidy/cert/LimitedRandomnessCheck.h

This file was added.

				//===--- LimitedRandomnessCheck.h - clang-tidy-------------------- C++ --===//
				//
				// The LLVM Compiler Infrastructure
				//
				// This file is distributed under the University of Illinois Open Source
				// License. See LICENSE.TXT for details.
				//
				//===----------------------------------------------------------------------===//

				#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CERT_LIMITED_RANDOMNESS_H
				#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CERT_LIMITED_RANDOMNESS_H

				#include "../ClangTidy.h"

				namespace clang {
				namespace tidy {
				namespace cert {

				/// Pseudorandom number generators are not genuinely random. The result of the
				/// std::rand() function makes no guarantees as to the quality of the random
				aaron.ballmanUnsubmitted Done Reply Inline Actions Both sentences are correct, but it doesn't clarify why `std::rand()` is bad. Should add a sentence between these two that says something about why std::rand() in particular is called out rather than the other pseudorandom number generators. aaron.ballman: Both sentences are correct, but it doesn't clarify why `std::rand()` is bad. Should add a…
				/// sequence produced.
				/// This check warns for the usage of std::rand() function.
				///
				/// For the user-facing documentation see:
				/// http://clang.llvm.org/extra/clang-tidy/checks/cert-msc50-cpp.html
				class LimitedRandomnessCheck : public ClangTidyCheck {
				public:
				LimitedRandomnessCheck(StringRef Name, ClangTidyContext *Context)
				: ClangTidyCheck(Name, Context) {}
				void registerMatchers(ast_matchers::MatchFinder *Finder) override;
				void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
				};

				} // namespace cert
				} // namespace tidy
				} // namespace clang

				#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CERT_LIMITED_RANDOMNESS_H

clang-tidy/cert/LimitedRandomnessCheck.cpp

This file was added.

				//===--- LimitedRandomnessCheck.cpp - clang-tidy---------------------------===//
				//
				// The LLVM Compiler Infrastructure
				//
				// This file is distributed under the University of Illinois Open Source
				// License. See LICENSE.TXT for details.
				//
				//===----------------------------------------------------------------------===//

				#include "LimitedRandomnessCheck.h"
				#include "clang/AST/ASTContext.h"
				#include "clang/ASTMatchers/ASTMatchFinder.h"

				using namespace clang::ast_matchers;

				namespace clang {
				namespace tidy {
				namespace cert {

				void LimitedRandomnessCheck::registerMatchers(MatchFinder *Finder) {
				Finder->addMatcher(callExpr(callee(functionDecl(namedDecl(hasName("::rand")),
				parameterCountIs(0))))
				.bind("randomGenerator"),
				this);
				aaron.ballmanUnsubmitted Done Reply Inline Actions This should be looking at a callExpr() rather than a declRefExpr(), should it not? aaron.ballman: This should be looking at a callExpr() rather than a declRefExpr(), should it not?
				PrazekUnsubmitted Not Done Reply Inline Actions I was also thinking about this, but this is actually better, because it will also match with binding rand with function pointer. Prazek: I was also thinking about this, but this is actually better, because it will also match with…
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions True, but a DeclRefExpr doesn't mean it's a function call. Binding the function is not contrary to the CERT rule, just calling it. For instance, the following pathological case will be caught by this check: if (std::rand) {} The behavior of this check should be consistent with cert-env33-c, which only looks at calls. (If we really care about bound functions, we'd need flow control analysis, and I think that's overkill for both of those checks, but wouldn't be opposed to someone writing the flow analysis if they really wanted to.) aaron.ballman: True, but a DeclRefExpr doesn't mean it's a function call. Binding the function is not contrary…
				PrazekUnsubmitted Not Done Reply Inline Actions It would indeed fire on this pathological case, but I don't think we should care about cases like this, because no one is writing code like this (and if he would then it would probably be a bug). I don't think that there is much code that binds pointer to std::rand either, but I think it would be good to display warning for this, because even if the function would be never called, then it means that this is a bug, and if it would be called then it would be nice to tell user that rand might be used here. Anyway I don't oppose for changing it to callExpr, but I think it is better this way. Prazek: It would indeed fire on this pathological case, but I don't think we should care about cases…
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions It would indeed fire on this pathological case, but I don't think we should care about cases like this, because no one is writing code like this (and if he would then it would probably be a bug). It would be a known false-positive for a check designed to conform to a particular coding standard. When deviations have come up in the past for various coding standards, we've added an option to enable the additional functionality, which I don't think would be reasonable in this case. Alternatively, the CERT guideline could be modified, but that is unlikely to occur because binding the function pointer is not a security concern (only calling the function). aaron.ballman: > It would indeed fire on this pathological case, but I don't think we should care about cases…
				xazax.hunUnsubmitted Not Done Reply Inline Actions In case you let binding to function pointer you introduce potential false negatives which is worse in this case in my opinion. xazax.hun: In case you let binding to function pointer you introduce potential false negatives which is…
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions Basically: this half-measure is sufficient for the CERT coding rule, but isn't ideal. The ideal check isn't likely to uncover many more cases than the half-measure, which is why it was not implemented in the past. If someone wants to implement the whole-measure, that's great! But implementing a half, half-measure that isn't consistent with other, similar checks is the wrong thing to do. aaron.ballman: Basically: this half-measure is sufficient for the CERT coding rule, but isn't ideal. The ideal…
				xazax.hunUnsubmitted Not Done Reply Inline Actions You can not implement an ideal checker. In general, it is undecidable whether std::rand is called or not. (You can easily create an example where you would need to solve the halting problem in order to decide whether std::rand is called.) Since the ideal checker is infeasible the question is whether you are OK with false positives or false negatives. The approach you are suggesting result in false negatives. The current approach results in false positives. I think, for this security checker, a false positive is much less serious to have than a false negative. Moreover, I doubt that people write code where such false positives are intended and the code should not be changed. But in case you can think of an example, please let us know. xazax.hun: You can not implement an ideal checker. In general, it is undecidable whether std::rand is…
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions You can not implement an ideal checker. In general, it is undecidable whether std::rand is called or not. (You can easily create an example where you would need to solve the halting problem in order to decide whether std::rand is called.) I said "ideal", not "perfect", but we're splitting hairs. You are correct, you're never going to get perfect clarity without runtime instrumentation. By "ideal", I meant "something that actually pays attention to the bound value from the point it is bound to the point the function pointer is called." Simply having the address of the function is not a security concern; calling it is. I think, for this security checker, a false positive is much less serious to have than a false negative. We'll have to agree to disagree. As the person who maintains the CERT rules (and their checkers), my preference for right now is to use callExpr(). aaron.ballman: > You can not implement an ideal checker. In general, it is undecidable whether std::rand is…
				xazax.hunUnsubmitted Not Done Reply Inline Actions I think consisteny with other checks are not always a good argument. You might want to ask what is the expected false positive and false nagtive rate from a check, and what is the guarantee that a user expects from a check. And I think base on that it is a unique decision that should be considered independently for each check. In this case I think it is more valuable to have a guarantee that in case all of the code is covered, std::rand() is not invoked. Using a callExpr instead of declRefExpr we would loose this guarantee at the cost of not reporting some false positive cases that are unlikely to annoy anyone anyways. xazax.hun: I think consisteny with other checks are not always a good argument. You might want to ask what…
				falhoAuthorUnsubmitted Not Done Reply Inline Actions Thank you for the reviews! So what is the conclusion? Should I change to callExpr()? falho: Thank you for the reviews! So what is the conclusion? Should I change to callExpr()?
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions My preference is that the check use `callExpr()` -- otherwise the check will trigger as a false positive for code that is allowed by MSC50-CPP and MSC30-C. If others feel strongly that `declRefExpr()` is the better approach, then I'd like `CommandProcessorCheck::registerMatchers()`, `SetLongJmpCheck::registerMatchers()`, and `StrToNumCheck::registerMatchers()` changed to behave similarly (though not as part of this patch). aaron.ballman: My preference is that the check use `callExpr()` -- otherwise the check will trigger as a false…
				}

				void LimitedRandomnessCheck::check(const MatchFinder::MatchResult &Result) {
				std::string msg = "";
				if (getLangOpts().CPlusPlus)
				msg = "; use C++11 random library instead";

				aaron.ballmanUnsubmitted Done Reply Inline Actions Switch the "," to ";", and remove the curly braces. aaron.ballman: Switch the "," to ";", and remove the curly braces.
				const auto *MatchedDecl = Result.Nodes.getNodeAs<CallExpr>("randomGenerator");
				PrazekUnsubmitted Done Reply Inline Actions I am not sure about the diagnostics convention, it is possible that you should replace comma with semicolon. Prazek: I am not sure about the diagnostics convention, it is possible that you should replace comma…
				aaron.ballmanUnsubmitted Done Reply Inline Actions This diagnostic is incorrect for C code. Should only suggest C++ <random> in C++ mode. Also, it should be a semicolon rather than a comma in the diagnostic text. aaron.ballman: This diagnostic is incorrect for C code. Should only suggest C++ <random> in C++ mode. Also, it…
				diag(MatchedDecl->getLocStart(),
				"rand() has limited randomness" + msg);
				}

				aaron.ballmanUnsubmitted Done Reply Inline Actions For C code, this diagnostic will read strangely due to the trailing semicolon. You should move the semicolon into the `msg` above. Perhaps we can also drop "function" from the diagnostic as well. aaron.ballman: For C code, this diagnostic will read strangely due to the trailing semicolon. You should move…
				aaron.ballmanUnsubmitted Done Reply Inline Actions This comment does not appear to have been handled -- the semicolon is still present even when `msg` is empty. aaron.ballman: This comment does not appear to have been handled -- the semicolon is still present even when…
				} // namespace cert
				} // namespace tidy
				} // namespace clang

docs/clang-tidy/checks/cert-msc30-c.rst

This file was added.

				.. title:: clang-tidy - cert-msc30-c

				cert-msc30-c
				============

				The cert-msc30-c check is an alias, please see
				`cert-msc50-cpp <cert-msc50-cpp.html>`_ for more information.

docs/clang-tidy/checks/cert-msc50-cpp.rst

This file was added.

				.. title:: clang-tidy - cert-msc50-cpp

				cert-msc50-cpp
				==============
				aaron.ballmanUnsubmitted Done Reply Inline Actions This should be cert-msc50-cpp instead. aaron.ballman: This should be cert-msc50-cpp instead.

				Eugene.ZelenkoUnsubmitted Done Reply Inline Actions Should be same length as section name above. Eugene.Zelenko: Should be same length as section name above.
				Pseudorandom number generators use mathematical algorithms to produce a sequence of numbers with good statistical properties, but the numbers produced are not genuinely random. The ``std::rand()`` function takes a seed (number), runs a mathematical operation on it and returns the result. By manipulating the seed the result can be predictible. This check warns for the usage of ``std::rand()``.
				Eugene.ZelenkoUnsubmitted Done Reply Inline Actions Please use check and highlight std::rand() with ``. Eugene.Zelenko: Please use check and highlight std::rand() with ``.
				aaron.ballmanUnsubmitted Done Reply Inline Actions The same argument could be used to disallow C++ <random> generators that aren't true truly random sources. Should specify more about why rand() is particularly bad. aaron.ballman: The same argument could be used to disallow C++ <random> generators that aren't true truly…

docs/clang-tidy/checks/list.rst

Show All 12 Lines	.. toctree::
cert-err09-cpp (redirects to misc-throw-by-value-catch-by-reference) <cert-err09-cpp>		cert-err09-cpp (redirects to misc-throw-by-value-catch-by-reference) <cert-err09-cpp>
cert-err34-c		cert-err34-c
cert-err52-cpp		cert-err52-cpp
cert-err58-cpp		cert-err58-cpp
cert-err60-cpp		cert-err60-cpp
cert-err61-cpp (redirects to misc-throw-by-value-catch-by-reference) <cert-err61-cpp>		cert-err61-cpp (redirects to misc-throw-by-value-catch-by-reference) <cert-err61-cpp>
cert-fio38-c (redirects to misc-non-copyable-objects) <cert-fio38-c>		cert-fio38-c (redirects to misc-non-copyable-objects) <cert-fio38-c>
cert-flp30-c		cert-flp30-c
		cert-msc30-c (redirects to cert-limited-randomness) <cert-msc30-c>
		aaron.ballmanUnsubmitted Done Reply Inline Actions Please also add a cert-msc30-c file with a redirect (like fio38-c from above). aaron.ballman: Please also add a cert-msc30-c file with a redirect (like fio38-c from above).
		aaron.ballmanUnsubmitted Done Reply Inline Actions This should be cert-msc30-c aaron.ballman: This should be cert-msc30-c
		cert-msc50-cpp
cert-oop11-cpp (redirects to misc-move-constructor-init) <cert-oop11-cpp>		cert-oop11-cpp (redirects to misc-move-constructor-init) <cert-oop11-cpp>
cppcoreguidelines-interfaces-global-init		cppcoreguidelines-interfaces-global-init
cppcoreguidelines-pro-bounds-array-to-pointer-decay		cppcoreguidelines-pro-bounds-array-to-pointer-decay
cppcoreguidelines-pro-bounds-constant-array-index		cppcoreguidelines-pro-bounds-constant-array-index
cppcoreguidelines-pro-bounds-pointer-arithmetic		cppcoreguidelines-pro-bounds-pointer-arithmetic
cppcoreguidelines-pro-type-const-cast		cppcoreguidelines-pro-type-const-cast
cppcoreguidelines-pro-type-cstyle-cast		cppcoreguidelines-pro-type-cstyle-cast
cppcoreguidelines-pro-type-member-init		cppcoreguidelines-pro-type-member-init
▲ Show 20 Lines • Show All 114 Lines • Show Last 20 Lines

test/clang-tidy/cert-limited-randomness.c

This file was added.

				// RUN: %check_clang_tidy %s cert-msc30-c %t

				extern int rand(void);
				int nonrand();

				int cTest() {
				int i = rand();
				// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: rand() has limited randomness [cert-msc30-c]

				int k = nonrand();

				return 0;
				}

test/clang-tidy/cert-limited-randomness.cpp

This file was added.

				// RUN: %check_clang_tidy %s cert-msc50-cpp %t

				aaron.ballmanUnsubmitted Done Reply Inline Actions Please also add a test for C since the check works there as well, and will have different diagnostic text. aaron.ballman: Please also add a test for C since the check works there as well, and will have different…
				int rand();
				int rand(int);

				namespace std {
				using ::rand;
				}

				namespace nonstd {
				int rand();
				}

				void testFunction1() {
				int i = std::rand();
				// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: rand() has limited randomness; use C++11 random library instead [cert-msc50-cpp]

				int j = ::rand();
				// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: rand() has limited randomness; use C++11 random library instead [cert-msc50-cpp]

				int k = rand(i);

				int l = nonstd::rand();

				int m = rand();
				// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: rand() has limited randomness; use C++11 random library instead [cert-msc50-cpp]
				}

This is an archive of the discontinued LLVM Phabricator instance.

[Clang-tidy] CERT-MSC50-CPP (std:rand() )ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 76072

clang-tidy/cert/CERTTidyModule.cpp

clang-tidy/cert/CMakeLists.txt

clang-tidy/cert/LimitedRandomnessCheck.h

clang-tidy/cert/LimitedRandomnessCheck.cpp

docs/clang-tidy/checks/cert-msc30-c.rst

docs/clang-tidy/checks/cert-msc50-cpp.rst

docs/clang-tidy/checks/list.rst

test/clang-tidy/cert-limited-randomness.c

test/clang-tidy/cert-limited-randomness.cpp

[Clang-tidy] CERT-MSC50-CPP (std:rand() )
ClosedPublic