This is an archive of the discontinued LLVM Phabricator instance.

Differential D71433

[analyzer] CERT: POS34-C
ClosedPublic

Authored by zukatsinadze on Dec 12 2019, 1:21 PM.

Details

Reviewers
NoQ
Charusso
aaron.ballman
Szelethus
Commits
rGa54d81f59796: [analyzer] CERT: POS34-C
Summary

This patch introduces a new checker:
alpha.security.cert.pos.34c

This checker is implemented based on the following rule:
https://wiki.sei.cmu.edu/confluence/display/c/POS34-C.+Do+not+call+putenv%28%29+with+a+pointer+to+an+automatic+variable+as+the+argument
The check warns if putenv function is
called with automatic storage variable as an argument.

Diff Detail

Event Timeline

zukatsinadze created this revision.Dec 12 2019, 1:21 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 7 others. · View Herald TranscriptDec 12 2019, 1:21 PM
zukatsinadze edited the summary of this revision. (Show Details)Dec 12 2019, 1:21 PM
Charusso added a reviewer: Charusso.Dec 12 2019, 1:22 PM
Charusso added a reviewer: aaron.ballman.Dec 13 2019, 4:33 AM
Charusso added a subscriber: aaron.ballman.
Charusso added inline comments.
clang/docs/analyzer/checkers.rst
1954

I would remove that line.

1966

I think it is clear it is a CERT-checker.

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
839

I would write `putenv` -> 'putenv' and the CERT rule-number should be clear from that point so you could emit it.

clang/lib/StaticAnalyzer/Checkers/cert/PutenvWithAutoChecker.cpp
53

I think you could shrink that into:

!IsPossiblyAutoVar && !isa<StackSapceRegion>(MSR)

What you have specified is a negation of

!isa<StackSapceRegion>(MSR) && !isa<CodeSpaceRegion>(MSR) && !isa<GlobalInternalSpaceRegion>(MSR)

~ according to: https://clang.llvm.org/doxygen/classclang_1_1ento_1_1MemSpaceRegion.html

where the CodeSpaceRegion and GlobalInternalSpaceRegion is not that interesting for the checker.

59

@NoQ, it is from your documentation. Would we prefer that or the registerChecker(CheckerManager &) is the new way to construct the BugType? I believe the latter is more appropriate.

61

We would like to point out the allocation's site, where it comes from.
We have two facilities to do so: MallocBugVisitor to track dynamic allocation and trackExpressionValue() to track any kind of an expression.

You could find examples from my CERT-checker: D70411. The rough idea is that:

// Track the argument.
if (isa<StackSpaceRegion>(MSR)) {
  bugreporter::trackExpressionValue(C.getPredecessor(), ArgExpr, *Report);
} else if (const SymbolRef Sym = ArgV.getAsSymbol()) { // It is a `HeapSpaceRegion`
  Report->addVisitor(allocation_state::getMallocBRVisitor(Sym));
}

~ here you need to copy-paste the getMallocBRVisitor() from my review. Sorry!

clang/test/Analysis/cert/pos34-c.cpp
5

Could you inject the rule's page please?

14

I would name the rule properly, as a sentence like: Example from the CERT rule's page.

My idea was that to have a /cert/pos34-c.cpp which only consists of the rule's page stuff mentioning the rule's page on the top. And having a separate file which only consists of arbitrary tests called like /cert/pos34-c-fp-suppression.cpp as it shows some false-positive suppression what you have found on tests or something. Like @aaron.ballman wrote two tests in D70823 and I would copy-paste them from his comment.

NoQ added a comment.Dec 13 2019, 2:05 PM

Thanks! This looks like a simple and efficient check. I have one overall suggestion.

Currently the check may warn on non-bugs of the following kind:

void foo() {
  char env[] = "NAME=value";
  putenv(env);
  doStuff();
  putenv("NAME=anothervalue");
}

I.e., it's obviously harmless if the local variable pointer is removed from the environment before it goes out of scope. Can we instead warn when the *last* putenv() on the execution path through the current stack frame is a local variable (that goes out of scope at the end of the stack frame)?

That'd allow the checker to be enabled by default, which will give a lot more users access to it. Otherwise we'll have to treat it as an opt-in check and users will only enable it when they know about it, which is much less usefulness.

clang/lib/StaticAnalyzer/Checkers/cert/PutenvWithAutoChecker.cpp
28

The modern idiom is BugType BT{this, "Bug kind", "Bug category"}; - and drop the lazy initialization as well.

36–38

The modern idiom here is CallDescription.

43–44

You can call getMemorySpace() directly on any region.

46–53

Simply check whether the memory space is a stack memory space. This should be a one-liner.

59

Replied above^^

61

I'm not sure it's valid to use C.getPredecessor() for tracking; it might get you into trouble for the same reason that using C.getPredecessor() as error node will get you into trouble. Please use the error node itself instead.

zukatsinadze updated this revision to Diff 233946.Dec 14 2019, 2:57 PM

Addressed most of the inline comments.

zukatsinadze marked 10 inline comments as done.Dec 14 2019, 3:00 PM
zukatsinadze marked 4 inline comments as done.Dec 14 2019, 3:05 PM
zukatsinadze added inline comments.
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
839

Oops. Forgot this one. Will fix it later.

clang/lib/StaticAnalyzer/Checkers/cert/PutenvWithAutoChecker.cpp
46–53

I could not get rid of isPossiblyAutoVar and GlobalInternalSpaceRegion.

clang/test/Analysis/cert/pos34-c-fp-suppression.cpp
16

I need isPossiblyAutoVar for this type.

21

And GlobalInternalSpaceRegion for this.

zukatsinadze added a comment.Dec 14 2019, 3:20 PM
In D71433#1784238, @NoQ wrote:

Thanks! This looks like a simple and efficient check. I have one overall suggestion.

Currently the check may warn on non-bugs of the following kind:

void foo() {
  char env[] = "NAME=value";
  putenv(env);
  doStuff();
  putenv("NAME=anothervalue");
}

I.e., it's obviously harmless if the local variable pointer is removed from the environment before it goes out of scope. Can we instead warn when the *last* putenv() on the execution path through the current stack frame is a local variable (that goes out of scope at the end of the stack frame)?

That'd allow the checker to be enabled by default, which will give a lot more users access to it. Otherwise we'll have to treat it as an opt-in check and users will only enable it when they know about it, which is much less usefulness.

@NoQ I like the idea, but I am not really sure how to do that. I started working on Static Analyzer just lask week.

NoQ added a comment.Dec 14 2019, 6:42 PM
In D71433#1784920, @zukatsinadze wrote:

@NoQ I like the idea, but I am not really sure how to do that. I started working on Static Analyzer just lask week.

Let's get the initial attempt right first, and delay this for the next patch. You could accomplish this by keeping track of the last putenv() in a program state trait and moving the warning in checkEndFunction().

clang/test/Analysis/cert/pos34-c-fp-suppression.cpp
16

This test is pretty questionable. There is no indication in the code that a points to an automatic variable.

21

This test is wrong. "hello" is not an automatic variable.

zukatsinadze updated this revision to Diff 233955.Dec 15 2019, 1:21 AM
  • Removed extra test
  • Used CallDescription for checking call.
zukatsinadze marked 6 inline comments as done.Dec 15 2019, 1:22 AM
Charusso accepted this revision.Jan 7 2020, 10:18 AM

I have created a notes.cpp test-file to test the notes in my checkers, but I think this checker is fine without that test file. @NoQ, what do you think?

This revision is now accepted and ready to land.Jan 7 2020, 10:18 AM
Charusso added a comment.Jan 7 2020, 10:39 AM
In D71433#1784238, @NoQ wrote:

Currently the check may warn on non-bugs of the following kind:

void foo() {
  char env[] = "NAME=value";
  putenv(env);
  doStuff();
  putenv("NAME=anothervalue");
}

That could be the next round as a follow-up patch as the next semester starts in February after the 10.0.0 release-tag has been set, so both of the patches could land in LLVM 11. We have not seen any putenv() in the wild yet.

NoQ added inline comments.Feb 3 2020, 7:58 AM
clang/lib/StaticAnalyzer/Checkers/cert/PutenvWithAutoChecker.cpp
58–59

This is impossible because StackSpaceRegion and HeapSpaceRegion do not overlap and above you checked that it's the former.

clang/test/Analysis/cert/pos34-c.cpp
7

Btw - CERT has minified links!

zukatsinadze updated this revision to Diff 243127.Feb 7 2020, 3:38 AM

Addressed new inline comments.

zukatsinadze marked 2 inline comments as done.Feb 7 2020, 3:39 AM
Charusso added a comment.Feb 7 2020, 3:44 AM
In D71433#1808316, @Charusso wrote:
In D71433#1784238, @NoQ wrote:

Currently the check may warn on non-bugs of the following kind:

void foo() {
  char env[] = "NAME=value";
  putenv(env);
  doStuff();
  putenv("NAME=anothervalue");
}

That could be the next round as a follow-up patch as the next semester starts in February [...]

Well, the next semester is about to start. Could you implement that request please?

zukatsinadze added a comment.Feb 7 2020, 3:56 AM
In D71433#1863638, @Charusso wrote:
In D71433#1808316, @Charusso wrote:
In D71433#1784238, @NoQ wrote:

Currently the check may warn on non-bugs of the following kind:

void foo() {
  char env[] = "NAME=value";
  putenv(env);
  doStuff();
  putenv("NAME=anothervalue");
}

That could be the next round as a follow-up patch as the next semester starts in February [...]

Well, the next semester is about to start. Could you implement that request please?

Sure. I plan to start working on it next week.

Szelethus accepted this revision.Feb 7 2020, 5:24 AM

This is a very neat checker, the source code reads so easily, we might as well put it as the official CERT rule description.

I think adding the non-compliant and compliant code examples would be nice. I also wrote some inline comments, but I'm fine with leaving them for a later patch. LGTM, granted that @NoQ and @Charusso are happy.

clang/include/clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h
16–22

We could turns these into llvm::StringLiterals one day.

clang/lib/StaticAnalyzer/Checkers/AllocationState.h
28–30 ↗(On Diff #243127)

Is this deadcode now?

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
3383–3386 ↗(On Diff #243127)

And this?

clang/lib/StaticAnalyzer/Checkers/cert/PutenvWithAutoChecker.cpp
51

How about The 'putenv' function should not be called with arguments that have automatic storage. But I guess we could leave wordsmithing for later.

56

This should always be true, since we bail out a couple lines up if it isn't, right?

zukatsinadze updated this revision to Diff 243149.Feb 7 2020, 5:55 AM
zukatsinadze marked an inline comment as done.
  • Removed dead code.
  • Removed unnecessary if condition.
  • Changed error phrasing.
zukatsinadze marked 2 inline comments as done.Feb 7 2020, 5:56 AM
zukatsinadze added inline comments.
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
3383–3386 ↗(On Diff #243127)

Forgot to delete. Thanks

Szelethus added a comment.Feb 18 2020, 5:01 AM

I think for an alpha checker this is ready to land if you're ready -- do you have commit access or need assistance?

Herald added a subscriber: martong. · View Herald TranscriptFeb 18 2020, 5:01 AM
zukatsinadze added a comment.Feb 18 2020, 10:54 AM
In D71433#1880436, @Szelethus wrote:

I think for an alpha checker this is ready to land if you're ready -- do you have commit access or need assistance?

Thank you. @Charusso will help.

Closed by commit rGa54d81f59796: [analyzer] CERT: POS34-C (authored by zukatsinadze). · Explain WhyFeb 19 2020, 9:21 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
docs/
analyzer/
32 lines
include/
clang/
StaticAnalyzer/
Checkers/
12 lines
Core/
BugReporter/
24 lines
lib/
StaticAnalyzer/
Checkers/
1 line
cert/
64 lines
Core/
23 lines
test/
Analysis/
cert/
51 lines
61 lines

Diff 245438

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 1,923 Lines▼ Show 20 Lines if (reminderCount == 1) {
reminderText = reminderText =
[NSString stringWithFormat: [NSString stringWithFormat:
NSLocalizedString(@"%@ Reminders", @"Indicates multiple reminders"), NSLocalizedString(@"%@ Reminders", @"Indicates multiple reminders"),
reminderCount]; reminderCount];
} }
alpha.security alpha.security
^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^
alpha.security.cert
^^^^^^^^^^^^^^^^^^^
SEI CERT checkers which tries to find errors based on their `C coding rules<https://wiki.sei.cmu.edu/confluence/display/c/2+Rules>`_.
.. _alpha-security-cert-pos-checkers:
alpha.security.cert.pos
^^^^^^^^^^^^^^^^^^^^^^^
SEI CERT checkers of POSIX `C coding rules<https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152405>`_.
.. _alpha-security-cert-pos-34c:
alpha.security.cert.pos.34c
"""""""""""""""""""""""""""
Finds calls to the ``putenv`` function which pass a pointer to an automatic variable as the argument.
.. code-block:: c
int func(const char *var) {
CharussoUnsubmitted
Done
ReplyInline Actions

I would remove that line.

Charusso: I would remove that line.
char env[1024];
int retval = snprintf(env, sizeof(env),"TEST=%s", var);
if (retval < 0 || (size_t)retval >= sizeof(env)) {
/* Handle error */
}
return putenv(env); // putenv function should not be called with auto variables
}
.. _alpha-security-ArrayBound: .. _alpha-security-ArrayBound:
alpha.security.ArrayBound (C) alpha.security.ArrayBound (C)
CharussoUnsubmitted
Done
ReplyInline Actions

I think it is clear it is a CERT-checker.

Charusso: I think it is clear it is a CERT-checker.
""""""""""""""""""""""""""""" """""""""""""""""""""""""""""
Warn about buffer overflows (older checker). Warn about buffer overflows (older checker).
.. code-block:: c .. code-block:: c
void test() { void test() {
char *s = ""; char *s = "";
char c = s[1]; // warn char c = s[1]; // warn
▲ Show 20 LinesShow All 453 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 65 Lines▼ Show 20 Lines
def Performance : Package<"performance">, ParentPackage<OptIn>; def Performance : Package<"performance">, ParentPackage<OptIn>;
def Security : Package <"security">; def Security : Package <"security">;
def InsecureAPI : Package<"insecureAPI">, ParentPackage<Security>; def InsecureAPI : Package<"insecureAPI">, ParentPackage<Security>;
def SecurityAlpha : Package<"security">, ParentPackage<Alpha>; def SecurityAlpha : Package<"security">, ParentPackage<Alpha>;
def Taint : Package<"taint">, ParentPackage<SecurityAlpha>; def Taint : Package<"taint">, ParentPackage<SecurityAlpha>;
def CERT : Package<"cert">, ParentPackage<SecurityAlpha>;
def POS : Package<"pos">, ParentPackage<CERT>;
def Unix : Package<"unix">; def Unix : Package<"unix">;
def UnixAlpha : Package<"unix">, ParentPackage<Alpha>; def UnixAlpha : Package<"unix">, ParentPackage<Alpha>;
def CString : Package<"cstring">, ParentPackage<Unix>; def CString : Package<"cstring">, ParentPackage<Unix>;
def CStringAlpha : Package<"cstring">, ParentPackage<UnixAlpha>; def CStringAlpha : Package<"cstring">, ParentPackage<UnixAlpha>;
def OSX : Package<"osx">; def OSX : Package<"osx">;
def OSXAlpha : Package<"osx">, ParentPackage<Alpha>; def OSXAlpha : Package<"osx">, ParentPackage<Alpha>;
def OSXOptIn : Package<"osx">, ParentPackage<OptIn>; def OSXOptIn : Package<"osx">, ParentPackage<OptIn>;
▲ Show 20 LinesShow All 742 Lines▼ Show 20 Lines
def FloatLoopCounter : Checker<"FloatLoopCounter">, def FloatLoopCounter : Checker<"FloatLoopCounter">,
HelpText<"Warn on using a floating point value as a loop counter (CERT: " HelpText<"Warn on using a floating point value as a loop counter (CERT: "
"FLP30-C, FLP30-CPP)">, "FLP30-C, FLP30-CPP)">,
Dependencies<[SecuritySyntaxChecker]>, Dependencies<[SecuritySyntaxChecker]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
} // end "security" } // end "security"
let ParentPackage = POS in {
def PutenvWithAuto : Checker<"34c">,
HelpText<"Finds calls to the 'putenv' function which pass a pointer to "
"an automatic variable as the argument.">,
CharussoUnsubmitted
Done
ReplyInline Actions

I would write `putenv` -> 'putenv' and the CERT rule-number should be clear from that point so you could emit it.

Charusso: I would write ##`putenv`## -> `'putenv'` and the CERT rule-number should be clear from that…
zukatsinadzeAuthorUnsubmitted
Done
ReplyInline Actions

Oops. Forgot this one. Will fix it later.

zukatsinadze: Oops. Forgot this one. Will fix it later.
Documentation<HasDocumentation>;
} // end "alpha.cert.pos"
let ParentPackage = SecurityAlpha in { let ParentPackage = SecurityAlpha in {
def ArrayBoundChecker : Checker<"ArrayBound">, def ArrayBoundChecker : Checker<"ArrayBound">,
HelpText<"Warn about buffer overflows (older checker)">, HelpText<"Warn about buffer overflows (older checker)">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">, def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">,
HelpText<"Warn about buffer overflows (newer checker)">, HelpText<"Warn about buffer overflows (newer checker)">,
▲ Show 20 LinesShow All 652 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h

//=--- CommonBugCategories.h - Provides common issue categories -*- C++ -*-===// //=--- CommonBugCategories.h - Provides common issue categories -*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_COMMONBUGCATEGORIES_H #ifndef LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_COMMONBUGCATEGORIES_H
#define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_COMMONBUGCATEGORIES_H #define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_COMMONBUGCATEGORIES_H
// Common strings used for the "category" of many static analyzer issues. // Common strings used for the "category" of many static analyzer issues.
namespace clang { namespace clang {
namespace ento { namespace ento {
namespace categories { namespace categories {
extern const char * const CoreFoundationObjectiveC; extern const char *const CoreFoundationObjectiveC;
extern const char * const LogicError; extern const char *const LogicError;
extern const char * const MemoryRefCount; extern const char *const MemoryRefCount;
extern const char * const MemoryError; extern const char *const MemoryError;
extern const char * const UnixAPI; extern const char *const UnixAPI;
extern const char * const CXXObjectLifecycle; extern const char *const CXXObjectLifecycle;
} extern const char *const SecurityError;
SzelethusUnsubmitted
Not Done
ReplyInline Actions

We could turns these into llvm::StringLiterals one day.

Szelethus: We could turns these into `llvm::StringLiteral`s one day.
} } // namespace categories
} } // namespace ento
} // namespace clang
#endif #endif

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show First 20 LinesShow All 83 Lines▼ Show 20 Linesadd_clang_library(clangStaticAnalyzerCheckers
ObjCUnusedIVarsChecker.cpp ObjCUnusedIVarsChecker.cpp
OSObjectCStyleCast.cpp OSObjectCStyleCast.cpp
PaddingChecker.cpp PaddingChecker.cpp
PointerArithChecker.cpp PointerArithChecker.cpp
PointerIterationChecker.cpp PointerIterationChecker.cpp
PointerSortingChecker.cpp PointerSortingChecker.cpp
PointerSubChecker.cpp PointerSubChecker.cpp
PthreadLockChecker.cpp PthreadLockChecker.cpp
cert/PutenvWithAutoChecker.cpp
RetainCountChecker/RetainCountChecker.cpp RetainCountChecker/RetainCountChecker.cpp
RetainCountChecker/RetainCountDiagnostics.cpp RetainCountChecker/RetainCountDiagnostics.cpp
ReturnPointerRangeChecker.cpp ReturnPointerRangeChecker.cpp
ReturnUndefChecker.cpp ReturnUndefChecker.cpp
ReturnValueChecker.cpp ReturnValueChecker.cpp
RunLoopAutoreleaseLeakChecker.cpp RunLoopAutoreleaseLeakChecker.cpp
SimpleStreamChecker.cpp SimpleStreamChecker.cpp
SmartPtrModeling.cpp SmartPtrModeling.cpp
Show All 31 Lines

clang/lib/StaticAnalyzer/Checkers/cert/PutenvWithAutoChecker.cpp

  • This file was added.
//== PutenvWithAutoChecker.cpp --------------------------------- -*- C++ -*--=//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines PutenvWithAutoChecker which finds calls of ``putenv``
// function with automatic variable as the argument.
// https://wiki.sei.cmu.edu/confluence/x/6NYxBQ
//
//===----------------------------------------------------------------------===//
#include "AllocationState.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
using namespace clang;
using namespace ento;
class PutenvWithAutoChecker : public Checker<check::PostCall> {
private:
NoQUnsubmitted
Done
ReplyInline Actions

The modern idiom is BugType BT{this, "Bug kind", "Bug category"}; - and drop the lazy initialization as well.

NoQ: The modern idiom is `BugType BT{this, "Bug kind", "Bug category"};` - and drop the lazy…
BugType BT{this, "'putenv' function should not be called with auto variables",
categories::SecurityError};
const CallDescription Putenv{"putenv", 1};
public:
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
};
void PutenvWithAutoChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const {
NoQUnsubmitted
Done
ReplyInline Actions

The modern idiom here is CallDescription.

NoQ: The modern idiom here is `CallDescription`.
if (!Call.isCalled(Putenv))
return;
SVal ArgV = Call.getArgSVal(0);
const Expr *ArgExpr = Call.getArgExpr(0);
const MemSpaceRegion *MSR = ArgV.getAsRegion()->getMemorySpace();
NoQUnsubmitted
Done
ReplyInline Actions

You can call getMemorySpace() directly on any region.

NoQ: You can call `getMemorySpace()` directly on any region.
if (!isa<StackSpaceRegion>(MSR))
return;
StringRef ErrorMsg = "The 'putenv' function should not be called with "
"arguments that have automatic storage";
ExplodedNode *N = C.generateErrorNode();
SzelethusUnsubmitted
Done
ReplyInline Actions

How about The 'putenv' function should not be called with arguments that have automatic storage. But I guess we could leave wordsmithing for later.

Szelethus: How about `The 'putenv' function should not be called with arguments that have automatic…
auto Report = std::make_unique<PathSensitiveBugReport>(BT, ErrorMsg, N);
CharussoUnsubmitted
Done
ReplyInline Actions

I think you could shrink that into:

!IsPossiblyAutoVar && !isa<StackSapceRegion>(MSR)

What you have specified is a negation of

!isa<StackSapceRegion>(MSR) && !isa<CodeSpaceRegion>(MSR) && !isa<GlobalInternalSpaceRegion>(MSR)

~ according to: https://clang.llvm.org/doxygen/classclang_1_1ento_1_1MemSpaceRegion.html

where the CodeSpaceRegion and GlobalInternalSpaceRegion is not that interesting for the checker.

Charusso: I think you could shrink that into: ```lang=c !IsPossiblyAutoVar && !isa<StackSapceRegion>(MSR)…
NoQUnsubmitted
Done
ReplyInline Actions

Simply check whether the memory space is a stack memory space. This should be a one-liner.

NoQ: Simply check whether the memory space is a stack memory space. This should be a one-liner.
zukatsinadzeAuthorUnsubmitted
Done
ReplyInline Actions

I could not get rid of isPossiblyAutoVar and GlobalInternalSpaceRegion.

zukatsinadze: I could not get rid of `isPossiblyAutoVar` and `GlobalInternalSpaceRegion`.
// Track the argument.
bugreporter::trackExpressionValue(Report->getErrorNode(), ArgExpr, *Report);
SzelethusUnsubmitted
Done
ReplyInline Actions

This should always be true, since we bail out a couple lines up if it isn't, right?

Szelethus: This should always be true, since we bail out a couple lines up if it isn't, right?
C.emitReport(std::move(Report));
}
CharussoUnsubmitted
Done
ReplyInline Actions

@NoQ, it is from your documentation. Would we prefer that or the registerChecker(CheckerManager &) is the new way to construct the BugType? I believe the latter is more appropriate.

Charusso: @NoQ, it is from your documentation. Would we prefer that or the `registerChecker…
NoQUnsubmitted
Done
ReplyInline Actions

Replied above^^

NoQ: Replied above^^
NoQUnsubmitted
Done
ReplyInline Actions

This is impossible because StackSpaceRegion and HeapSpaceRegion do not overlap and above you checked that it's the former.

NoQ: This is impossible because `StackSpaceRegion` and `HeapSpaceRegion` do not overlap and above…
void ento::registerPutenvWithAuto(CheckerManager &Mgr) {
Mgr.registerChecker<PutenvWithAutoChecker>();
CharussoUnsubmitted
Done
ReplyInline Actions

We would like to point out the allocation's site, where it comes from.
We have two facilities to do so: MallocBugVisitor to track dynamic allocation and trackExpressionValue() to track any kind of an expression.

You could find examples from my CERT-checker: D70411. The rough idea is that:

// Track the argument.
if (isa<StackSpaceRegion>(MSR)) {
  bugreporter::trackExpressionValue(C.getPredecessor(), ArgExpr, *Report);
} else if (const SymbolRef Sym = ArgV.getAsSymbol()) { // It is a `HeapSpaceRegion`
  Report->addVisitor(allocation_state::getMallocBRVisitor(Sym));
}

~ here you need to copy-paste the getMallocBRVisitor() from my review. Sorry!

Charusso: We would like to point out the allocation's site, where it comes from. We have two facilities…
NoQUnsubmitted
Done
ReplyInline Actions

I'm not sure it's valid to use C.getPredecessor() for tracking; it might get you into trouble for the same reason that using C.getPredecessor() as error node will get you into trouble. Please use the error node itself instead.

NoQ: I'm not sure it's valid to use `C.getPredecessor()` for tracking; it might get you into trouble…
}
bool ento::shouldRegisterPutenvWithAuto(const LangOptions &) { return true; }

clang/lib/StaticAnalyzer/Core/CommonBugCategories.cpp

//=--- CommonBugCategories.cpp - Provides common issue categories -*- C++ -*-=// //=--- CommonBugCategories.cpp - Provides common issue categories -*- C++ -*-=//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
// Common strings used for the "category" of many static analyzer issues. // Common strings used for the "category" of many static analyzer issues.
namespace clang { namespace ento { namespace categories { namespace clang {
namespace ento {
namespace categories {
const char * const CoreFoundationObjectiveC = "Core Foundation/Objective-C"; const char *const CoreFoundationObjectiveC = "Core Foundation/Objective-C";
const char * const LogicError = "Logic error"; const char *const LogicError = "Logic error";
const char * const MemoryRefCount = const char *const MemoryRefCount =
"Memory (Core Foundation/Objective-C/OSObject)"; "Memory (Core Foundation/Objective-C/OSObject)";
const char * const MemoryError = "Memory error"; const char *const MemoryError = "Memory error";
const char * const UnixAPI = "Unix API"; const char *const UnixAPI = "Unix API";
const char * const CXXObjectLifecycle = "C++ object lifecycle"; const char *const CXXObjectLifecycle = "C++ object lifecycle";
}}} const char *const SecurityError = "Security error";
} // namespace categories
} // namespace ento
} // namespace clang

clang/test/Analysis/cert/pos34-c-fp-suppression.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=alpha.security.cert.pos.34c\
// RUN: -verify %s
#include "../Inputs/system-header-simulator.h"
void free(void *memblock);
void *malloc(size_t size);
int putenv(char *);
int rand();
namespace test_auto_var_used_good {
extern char *ex;
int test_extern() {
return putenv(ex); // no-warning: extern storage class.
}
zukatsinadzeAuthorUnsubmitted
Done
ReplyInline Actions

I need isPossiblyAutoVar for this type.

zukatsinadze: I need `isPossiblyAutoVar` for this type.
NoQUnsubmitted
Done
ReplyInline Actions

This test is pretty questionable. There is no indication in the code that a points to an automatic variable.

NoQ: This test is pretty questionable. There is no indication in the code that `a` points to an…
void foo(void) {
char *buffer = (char *)"huttah!";
if (rand() % 2 == 0) {
buffer = (char *)malloc(5);
zukatsinadzeAuthorUnsubmitted
Done
ReplyInline Actions

And GlobalInternalSpaceRegion for this.

zukatsinadze: And `GlobalInternalSpaceRegion` for this.
NoQUnsubmitted
Done
ReplyInline Actions

This test is wrong. "hello" is not an automatic variable.

NoQ: This test is wrong. `"hello"` is not an automatic variable.
strcpy(buffer, "woot");
}
putenv(buffer);
}
void bar(void) {
char *buffer = (char *)malloc(5);
strcpy(buffer, "woot");
if (rand() % 2 == 0) {
free(buffer);
buffer = (char *)"blah blah blah";
}
putenv(buffer);
}
void baz() {
char env[] = "NAME=value";
// TODO: False Positive
putenv(env);
// expected-warning@-1 {{The 'putenv' function should not be called with arguments that have automatic storage}}
/*
DO SOMETHING
*/
putenv((char *)"NAME=anothervalue");
}
} // namespace test_auto_var_used_good

clang/test/Analysis/cert/pos34-c.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=alpha.security.cert.pos.34c\
// RUN: -verify %s
// Examples from the CERT rule's page.
CharussoUnsubmitted
Done
ReplyInline Actions

Could you inject the rule's page please?

Charusso: Could you inject the rule's page please?
// https://wiki.sei.cmu.edu/confluence/x/6NYxBQ
NoQUnsubmitted
Done
ReplyInline Actions

Btw - CERT has minified links!

NoQ: Btw - CERT has minified links! {F11286962} {F11286963}
#include "../Inputs/system-header-simulator.h"
void free(void *memblock);
void *malloc(size_t size);
int putenv(char *);
int snprintf(char *str, size_t size, const char *format, ...);
namespace test_auto_var_used_bad {
CharussoUnsubmitted
Done
ReplyInline Actions

I would name the rule properly, as a sentence like: Example from the CERT rule's page.

My idea was that to have a /cert/pos34-c.cpp which only consists of the rule's page stuff mentioning the rule's page on the top. And having a separate file which only consists of arbitrary tests called like /cert/pos34-c-fp-suppression.cpp as it shows some false-positive suppression what you have found on tests or something. Like @aaron.ballman wrote two tests in D70823 and I would copy-paste them from his comment.

Charusso: I would name the rule properly, as a sentence like: `Example from the CERT rule's page.` My…
int volatile_memory1(const char *var) {
char env[1024];
int retval = snprintf(env, sizeof(env), "TEST=%s", var);
if (retval < 0 || (size_t)retval >= sizeof(env)) {
/* Handle error */
}
return putenv(env);
// expected-warning@-1 {{The 'putenv' function should not be called with arguments that have automatic storage}}
}
} // namespace test_auto_var_used_bad
namespace test_auto_var_used_good {
int test_static(const char *var) {
static char env[1024];
int retval = snprintf(env, sizeof(env), "TEST=%s", var);
if (retval < 0 || (size_t)retval >= sizeof(env)) {
/* Handle error */
}
return putenv(env);
}
int test_heap_memory(const char *var) {
static char *oldenv;
const char *env_format = "TEST=%s";
const size_t len = strlen(var) + strlen(env_format);
char *env = (char *)malloc(len);
if (env == NULL) {
return -1;
}
if (putenv(env) != 0) { // no-warning: env was dynamically allocated.
free(env);
return -1;
}
if (oldenv != NULL) {
free(oldenv); /* avoid memory leak */
}
oldenv = env;
return 0;
}
} // namespace test_auto_var_used_good