This is an archive of the discontinued LLVM Phabricator instance.

Differential D90851

[clang-tidy] Extending bugprone-signal-handler with POSIX functions.
ClosedPublic

Authored by balazske on Nov 5 2020, 7:13 AM.

Details

Reviewers
alexfh
hokein
aaron.ballman
njames93
baloghadamsoftware
martong
Commits
rG2c54b293373c: [clang-tidy] Extending bugprone-signal-handler with POSIX functions.
Summary

An option is added to the check to select wich set of functions is
defined as asynchronous-safe functions.

Diff Detail

Event Timeline

balazske created this revision.Nov 5 2020, 7:13 AM
Herald added a project: Restricted Project. · View Herald TranscriptNov 5 2020, 7:13 AM
Herald added subscribers: cfe-commits, martong, gamesh411 and 4 others. · View Herald Transcript
balazske requested review of this revision.Nov 5 2020, 7:13 AM
Eugene.Zelenko added a subscriber: Eugene.Zelenko.Nov 5 2020, 7:16 AM
Eugene.Zelenko added inline comments.
clang-tools-extra/docs/clang-tidy/checks/bugprone-signal-handler.rst
38

Please add newline.

Eugene.Zelenko added reviewers: alexfh, hokein, aaron.ballman, njames93.Nov 5 2020, 7:16 AM
Eugene.Zelenko added a project: Restricted Project.
Harbormaster completed remote builds in B77699: Diff 303116.Nov 5 2020, 7:59 AM
balazske updated this revision to Diff 303356.Nov 6 2020, 12:59 AM

Small fixes.

Harbormaster completed remote builds in B77835: Diff 303356.Nov 6 2020, 1:47 AM
balazske added a child revision: D91164: [clang-tidy] Improve C++ support in bugprone-signal-handler..Nov 10 2020, 7:05 AM
balazske added reviewers: baloghadamsoftware, martong.
Herald added a subscriber: rnkovacs. · View Herald TranscriptNov 10 2020, 7:05 AM
aaron.ballman added a comment.Nov 10 2020, 7:13 AM

One thing that's not clear to me in the patch is what the behavior should be when the user specifies that they want the POSIX set but they're compiling for a non-POSIX system like Windows. Do you have thoughts on that situation?

clang-tools-extra/clang-tidy/bugprone/SignalHandlerCheck.cpp
215

You should also mention here that the POSIX list is not a strict superset of the minimal list.

clang-tools-extra/clang-tidy/bugprone/SignalHandlerCheck.h
25

I don't think this needs to be public?

clang-tools-extra/docs/clang-tidy/checks/bugprone-signal-handler.rst
24–25

Huh, that's really strange that POSIX leaves quick_exit off the list. I'm going to reach out to someone from the Austin Group to see if that's intentional or not.

clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/signal.h
1

I think we should strive to replicate the system headers rather than fake up a system header (these headers can be used by more than one check). So I think we want to keep signal.h and stdlib.h, and should include the POSIX-specific functionality with a macro. This also helps us test the behavior on systems like Windows which are not POSIX systems.

clang-tools-extra/test/clang-tidy/checkers/bugprone-signal-handler-posix.c
5

I'd like to make sure we have a test for this that explicitly runs on Windows.

balazske added a comment.Nov 10 2020, 8:19 AM
In D90851#2385744, @aaron.ballman wrote:

One thing that's not clear to me in the patch is what the behavior should be when the user specifies that they want the POSIX set but they're compiling for a non-POSIX system like Windows. Do you have thoughts on that situation?

I think that really it does not matter on what system the checker runs, at least from the check's point of view. The check itself is not dependent on the compilation target. If the compile target is not POSIX compliant but the flag is still set to POSIX it may indicate a problem but how to detect this? If we could detect this automatically the new option would not be needed, POSIX mode could be enabled automatically.
Because this issue maybe it is safer to have the minimal as the default option?

clang-tools-extra/clang-tidy/bugprone/SignalHandlerCheck.h
25

The getEnumMapping function uses it that is external to the class.

clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/signal.h
1

My concern was to add these many small header files with just some functions in them. For accept more than one header is needed if we want to exactly replicate the system files. And data types like size_t should have a common header too. So I decided to have one header that contains all system functions and data types. This can be used by multiple tests and extended as needed.

aaron.ballman added inline comments.Nov 10 2020, 8:37 AM
clang-tools-extra/clang-tidy/bugprone/SignalHandlerCheck.h
25

Ah, I hadn't caught that, thanks!

clang-tools-extra/docs/clang-tidy/checks/bugprone-signal-handler.rst
24–25

I didn't need to reach out to them because I realized the latest POSIX spec is still based on C99 and they've not released the updated POSIX spec yet.

I think the POSIX functions should be a superset of the C functions.

clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/signal.h
1

I don't think we're too worried about having a bunch of small test headers around -- I think it's more important the headers used to check system header behavior be understandable as to what you're getting from them. For instance, there are clang-tidy checks for llvm-libc that may have very different needs from what you're doing here.

What's more, these changes break existing tests -- I don't see any companion changes to fix those up.

balazske added inline comments.Nov 17 2020, 2:11 AM
clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/signal.h
1

On my system (Ubuntu) I do not see failing tests, and these changes do not touch files that were created before D87449, no new problems should happen. I am not against "mirroring" the POSIX API header structure into the test stub header structure, only do not like the overhead of adding these many files with just 1-2 lines (that is needed for this test) in them. It is not done this way in the clang tests either (there are multiple "system-header-simulator" files that contain every declaration usable for specific purposes at one or more tests). Also I want to have the opinion of another reviewer for this question.

aaron.ballman added inline comments.Nov 17 2020, 5:31 AM
clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/signal.h
1

On my system (Ubuntu) I do not see failing tests, and these changes do not touch files that were created before D87449, no new problems should happen.

You renamed stdlib.h and lllvmlibc-restrict-system-libc-headers.cpp includes stdlib.h, but after closer inspection, I see now that it's including one from a different directory. So this doesn't break the things I thought it was breaking, good!

Also I want to have the opinion of another reviewer for this question.

I'm happy to go with whatever @alexfh thinks.

balazske added a comment.Jan 5 2021, 8:26 AM

Ping

balazske added inline comments.Feb 3 2021, 12:55 AM
clang-tools-extra/docs/clang-tidy/checks/bugprone-signal-handler.rst
24–25

Do you mean that we should add quick_exit to the POSIX set? And have a requirement that minimal set is subset of the POSIX set (if the lists are modified in the future)?

alexfh added inline comments.Feb 3 2021, 4:25 PM
clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/signal.h
1

Based on the experience with our internal set of checks and tests for them, I tend to think that keeping mock API definitions arranged in a similar way to the corresponding real library is a more sustainable way to manage mock headers. When arranged this way, it's easier to find the origins of, verify, and update definitions, when, for example, a higher fidelity replication of a system/STL/... entity becomes necessary. Dependencies between these mock headers (if necessary) can repeat those in the real library, and #includes of these mock headers can be composed in a similar way. Though the structure of the mock headers can start be approximate and the level of detail can be added when necessary. For example, one can start with a mock header for <string> that would contain initializer_list implementation. But when another test would need <initializer_list>, the corresponding entities can be moved to a separate initializer_list header.

As for different header contents depending on target platform, preprocessor macros seem to be a better way to handle this than using separate mock headers.

The set of mock headers can be shared by all tests that examine the corresponding API. I don't see good reasons to keep different mocks of the same API for different tests.

balazske added inline comments.Feb 5 2021, 8:20 AM
clang-tools-extra/test/clang-tidy/checkers/bugprone-signal-handler-posix.c
5

If an extra test file only for windows, can you tell what additionally to test for in that file? I think the current tests run an all platforms, to add a new test there should be additional cases that are Windows-specific. The header files should come only from the test directory (same for all platforms), not from the real system includes.

Herald added a subscriber: nullptr.cpp. · View Herald TranscriptFeb 5 2021, 8:20 AM
balazske updated this revision to Diff 321766.Feb 5 2021, 8:22 AM

Re-organized testing header files.

Harbormaster completed remote builds in B88091: Diff 321766.Feb 5 2021, 10:18 AM
aaron.ballman added inline comments.Feb 8 2021, 7:45 AM
clang-tools-extra/docs/clang-tidy/checks/bugprone-signal-handler.rst
24–25

Do you mean that we should add quick_exit to the POSIX set? And have a requirement that minimal set is subset of the POSIX set (if the lists are modified in the future)?

Sorry for having missed your question earlier!

I think any function in the minimally safe set should also be safe within the POSIX set unless there's some documentation to suggest that POSIX removed an allowance the C standard provides for a given API (which would be pretty surprising). So yes, I think the minimal set should be a subset of the POSIX set.

balazske updated this revision to Diff 322362.Feb 9 2021, 5:57 AM

Added quick_exit to POSIX-allowed set.

balazske updated this revision to Diff 322364.Feb 9 2021, 5:57 AM

Update relative to previous commit.

Harbormaster completed remote builds in B88452: Diff 322364.Feb 9 2021, 6:40 AM
Harbormaster completed remote builds in B88451: Diff 322362.Feb 9 2021, 7:01 AM
aaron.ballman added inline comments.Feb 10 2021, 7:53 AM
clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/string.h
12

I think this is causing some test failures: https://reviews.llvm.org/harbormaster/unit/view/324847/

A better way to do this would be: typedef __typeof__(sizeof(0)) size_t;

balazske updated this revision to Diff 323340.Feb 12 2021, 8:15 AM

Changed definition of size_t in test header.

Harbormaster completed remote builds in B89007: Diff 323340.Feb 12 2021, 10:26 AM
aaron.ballman accepted this revision.Feb 16 2021, 6:47 AM

LGTM!

This revision is now accepted and ready to land.Feb 16 2021, 6:47 AM
balazske updated this revision to Diff 325453.Feb 22 2021, 8:24 AM

Rebase, improved documentation.

Harbormaster completed remote builds in B90224: Diff 325453.Feb 22 2021, 9:02 AM
Closed by commit rG2c54b293373c: [clang-tidy] Extending bugprone-signal-handler with POSIX functions. (authored by balazske). · Explain WhyFeb 23 2021, 5:38 AM
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rG2c54b293373c: [clang-tidy] Extending bugprone-signal-handler with POSIX functions..

Revision Contents

PathSize
clang-tools-extra/
clang-tidy/
bugprone/
9 lines
243 lines
docs/
8 lines
clang-tidy/
checks/
31 lines
test/
clang-tidy/
checkers/
Inputs/
Headers/
3 lines
4 lines
string.h
stdlib.h
14 lines
14 lines
unistd.h
stdlib.h
14 lines
32 lines
29 lines
25 lines

Diff 325752

clang-tools-extra/clang-tidy/bugprone/SignalHandlerCheck.h

Show All 16 Lines
namespace bugprone { namespace bugprone {
/// Checker for signal handler functions. /// Checker for signal handler functions.
/// ///
/// For the user-facing documentation see: /// For the user-facing documentation see:
/// http://clang.llvm.org/extra/clang-tidy/checks/bugprone-signal-handler-check.html /// http://clang.llvm.org/extra/clang-tidy/checks/bugprone-signal-handler-check.html
class SignalHandlerCheck : public ClangTidyCheck { class SignalHandlerCheck : public ClangTidyCheck {
public: public:
enum class AsyncSafeFunctionSetType { Minimal, POSIX };
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I don't think this needs to be public?

aaron.ballman: I don't think this needs to be public?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The getEnumMapping function uses it that is external to the class.

balazske: The `getEnumMapping` function uses it that is external to the class.
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Ah, I hadn't caught that, thanks!

aaron.ballman: Ah, I hadn't caught that, thanks!
SignalHandlerCheck(StringRef Name, ClangTidyContext *Context); SignalHandlerCheck(StringRef Name, ClangTidyContext *Context);
void storeOptions(ClangTidyOptions::OptionMap &Opts) override;
bool isLanguageVersionSupported(const LangOptions &LangOpts) const override; bool isLanguageVersionSupported(const LangOptions &LangOpts) const override;
void registerMatchers(ast_matchers::MatchFinder *Finder) override; void registerMatchers(ast_matchers::MatchFinder *Finder) override;
void check(const ast_matchers::MatchFinder::MatchResult &Result) override; void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
private: private:
void reportBug(const FunctionDecl *CalledFunction, const Expr *CallOrRef, void reportBug(const FunctionDecl *CalledFunction, const Expr *CallOrRef,
const CallExpr *SignalCall, const FunctionDecl *HandlerDecl); const CallExpr *SignalCall, const FunctionDecl *HandlerDecl);
bool isSystemCallAllowed(const FunctionDecl *FD) const; bool isSystemCallAllowed(const FunctionDecl *FD) const;
static llvm::StringSet<> StrictConformingFunctions; AsyncSafeFunctionSetType AsyncSafeFunctionSet;
llvm::StringSet<> &ConformingFunctions;
static llvm::StringSet<> MinimalConformingFunctions;
static llvm::StringSet<> POSIXConformingFunctions;
}; };
} // namespace bugprone } // namespace bugprone
} // namespace tidy } // namespace tidy
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_SIGNALHANDLERCHECK_H #endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_SIGNALHANDLERCHECK_H

clang-tools-extra/clang-tidy/bugprone/SignalHandlerCheck.cpp

Show All 15 Lines
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include <iterator> #include <iterator>
#include <queue> #include <queue>
using namespace clang::ast_matchers; using namespace clang::ast_matchers;
namespace clang { namespace clang {
namespace tidy { namespace tidy {
template <>
struct OptionEnumMapping<
bugprone::SignalHandlerCheck::AsyncSafeFunctionSetType> {
static llvm::ArrayRef<std::pair<
bugprone::SignalHandlerCheck::AsyncSafeFunctionSetType, StringRef>>
getEnumMapping() {
static constexpr std::pair<
bugprone::SignalHandlerCheck::AsyncSafeFunctionSetType, StringRef>
Mapping[] = {
{bugprone::SignalHandlerCheck::AsyncSafeFunctionSetType::Minimal,
"minimal"},
{bugprone::SignalHandlerCheck::AsyncSafeFunctionSetType::POSIX,
"POSIX"},
};
return makeArrayRef(Mapping);
}
};
namespace bugprone { namespace bugprone {
static bool isSystemCall(const FunctionDecl *FD) { static bool isSystemCall(const FunctionDecl *FD) {
// Find a possible redeclaration in system header. // Find a possible redeclaration in system header.
// FIXME: Looking at the canonical declaration is not the most exact way // FIXME: Looking at the canonical declaration is not the most exact way
// to do this. // to do this.
// Most common case will be inclusion directly from a header. // Most common case will be inclusion directly from a header.
Show All 19 Linesstatic bool isSystemCall(const FunctionDecl *FD) {
// #include <sysheader.h> // #include <sysheader.h>
return FD->getASTContext().getSourceManager().isInSystemHeader( return FD->getASTContext().getSourceManager().isInSystemHeader(
FD->getCanonicalDecl()->getLocation()); FD->getCanonicalDecl()->getLocation());
} }
AST_MATCHER(FunctionDecl, isSystemCall) { return isSystemCall(&Node); } AST_MATCHER(FunctionDecl, isSystemCall) { return isSystemCall(&Node); }
// This is the minimal set of safe functions.
// FIXME: Add checker option to allow a POSIX compliant extended set.
llvm::StringSet<> SignalHandlerCheck::StrictConformingFunctions{
"signal", "abort", "_Exit", "quick_exit"};
SignalHandlerCheck::SignalHandlerCheck(StringRef Name, SignalHandlerCheck::SignalHandlerCheck(StringRef Name,
ClangTidyContext *Context) ClangTidyContext *Context)
: ClangTidyCheck(Name, Context) {} : ClangTidyCheck(Name, Context),
AsyncSafeFunctionSet(
Options.get("AsyncSafeFunctionSet", AsyncSafeFunctionSetType::POSIX)),
ConformingFunctions(AsyncSafeFunctionSet ==
AsyncSafeFunctionSetType::Minimal
? MinimalConformingFunctions
: POSIXConformingFunctions) {}
void SignalHandlerCheck::storeOptions(ClangTidyOptions::OptionMap &Opts) {
Options.store(Opts, "AsyncSafeFunctionSet", AsyncSafeFunctionSet);
}
bool SignalHandlerCheck::isLanguageVersionSupported( bool SignalHandlerCheck::isLanguageVersionSupported(
const LangOptions &LangOpts) const { const LangOptions &LangOpts) const {
// FIXME: Make the checker useful on C++ code. // FIXME: Make the checker useful on C++ code.
if (LangOpts.CPlusPlus) if (LangOpts.CPlusPlus)
return false; return false;
return true; return true;
▲ Show 20 LinesShow All 81 Lines▼ Show 20 Lines
bool SignalHandlerCheck::isSystemCallAllowed(const FunctionDecl *FD) const { bool SignalHandlerCheck::isSystemCallAllowed(const FunctionDecl *FD) const {
const IdentifierInfo *II = FD->getIdentifier(); const IdentifierInfo *II = FD->getIdentifier();
// Unnamed functions are not explicitly allowed. // Unnamed functions are not explicitly allowed.
if (!II) if (!II)
return false; return false;
// FIXME: Improve for C++ (check for namespace). // FIXME: Improve for C++ (check for namespace).
if (StrictConformingFunctions.count(II->getName())) if (ConformingFunctions.count(II->getName()))
return true; return true;
return false; return false;
} }
void SignalHandlerCheck::reportBug(const FunctionDecl *CalledFunction, void SignalHandlerCheck::reportBug(const FunctionDecl *CalledFunction,
const Expr *CallOrRef, const Expr *CallOrRef,
const CallExpr *SignalCall, const CallExpr *SignalCall,
const FunctionDecl *HandlerDecl) { const FunctionDecl *HandlerDecl) {
diag(CallOrRef->getBeginLoc(), diag(CallOrRef->getBeginLoc(),
"%0 may not be asynchronous-safe; " "%0 may not be asynchronous-safe; "
"calling it from a signal handler may be dangerous") "calling it from a signal handler may be dangerous")
<< CalledFunction; << CalledFunction;
diag(SignalCall->getSourceRange().getBegin(), diag(SignalCall->getSourceRange().getBegin(),
"signal handler registered here", DiagnosticIDs::Note); "signal handler registered here", DiagnosticIDs::Note);
diag(HandlerDecl->getBeginLoc(), "handler function declared here", diag(HandlerDecl->getBeginLoc(), "handler function declared here",
DiagnosticIDs::Note); DiagnosticIDs::Note);
} }
// This is the minimal set of safe functions.
// https://wiki.sei.cmu.edu/confluence/display/c/SIG30-C.+Call+only+asynchronous-safe+functions+within+signal+handlers
llvm::StringSet<> SignalHandlerCheck::MinimalConformingFunctions{
"signal", "abort", "_Exit", "quick_exit"};
// The POSIX-defined set of safe functions.
// https://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html#tag_15_04_03
// 'quick_exit' is added to the set additionally because it looks like the
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

You should also mention here that the POSIX list is not a strict superset of the minimal list.

aaron.ballman: You should also mention here that the POSIX list is not a strict superset of the minimal list.
// mentioned POSIX specification was not updated after 'quick_exit' appeared
// in the C11 standard.
// Also, we want to keep the "minimal set" a subset of the "POSIX set".
llvm::StringSet<> SignalHandlerCheck::POSIXConformingFunctions{
"_Exit",
"_exit",
"abort",
"accept",
"access",
"aio_error",
"aio_return",
"aio_suspend",
"alarm",
"bind",
"cfgetispeed",
"cfgetospeed",
"cfsetispeed",
"cfsetospeed",
"chdir",
"chmod",
"chown",
"clock_gettime",
"close",
"connect",
"creat",
"dup",
"dup2",
"execl",
"execle",
"execv",
"execve",
"faccessat",
"fchdir",
"fchmod",
"fchmodat",
"fchown",
"fchownat",
"fcntl",
"fdatasync",
"fexecve",
"ffs",
"fork",
"fstat",
"fstatat",
"fsync",
"ftruncate",
"futimens",
"getegid",
"geteuid",
"getgid",
"getgroups",
"getpeername",
"getpgrp",
"getpid",
"getppid",
"getsockname",
"getsockopt",
"getuid",
"htonl",
"htons",
"kill",
"link",
"linkat",
"listen",
"longjmp",
"lseek",
"lstat",
"memccpy",
"memchr",
"memcmp",
"memcpy",
"memmove",
"memset",
"mkdir",
"mkdirat",
"mkfifo",
"mkfifoat",
"mknod",
"mknodat",
"ntohl",
"ntohs",
"open",
"openat",
"pause",
"pipe",
"poll",
"posix_trace_event",
"pselect",
"pthread_kill",
"pthread_self",
"pthread_sigmask",
"quick_exit",
"raise",
"read",
"readlink",
"readlinkat",
"recv",
"recvfrom",
"recvmsg",
"rename",
"renameat",
"rmdir",
"select",
"sem_post",
"send",
"sendmsg",
"sendto",
"setgid",
"setpgid",
"setsid",
"setsockopt",
"setuid",
"shutdown",
"sigaction",
"sigaddset",
"sigdelset",
"sigemptyset",
"sigfillset",
"sigismember",
"siglongjmp",
"signal",
"sigpause",
"sigpending",
"sigprocmask",
"sigqueue",
"sigset",
"sigsuspend",
"sleep",
"sockatmark",
"socket",
"socketpair",
"stat",
"stpcpy",
"stpncpy",
"strcat",
"strchr",
"strcmp",
"strcpy",
"strcspn",
"strlen",
"strncat",
"strncmp",
"strncpy",
"strnlen",
"strpbrk",
"strrchr",
"strspn",
"strstr",
"strtok_r",
"symlink",
"symlinkat",
"tcdrain",
"tcflow",
"tcflush",
"tcgetattr",
"tcgetpgrp",
"tcsendbreak",
"tcsetattr",
"tcsetpgrp",
"time",
"timer_getoverrun",
"timer_gettime",
"timer_settime",
"times",
"umask",
"uname",
"unlink",
"unlinkat",
"utime",
"utimensat",
"utimes",
"wait",
"waitpid",
"wcpcpy",
"wcpncpy",
"wcscat",
"wcschr",
"wcscmp",
"wcscpy",
"wcscspn",
"wcslen",
"wcsncat",
"wcsncmp",
"wcsncpy",
"wcsnlen",
"wcspbrk",
"wcsrchr",
"wcsspn",
"wcsstr",
"wcstok",
"wmemchr",
"wmemcmp",
"wmemcpy",
"wmemmove",
"wmemset",
"write"};
} // namespace bugprone } // namespace bugprone
} // namespace tidy } // namespace tidy
} // namespace clang } // namespace clang

clang-tools-extra/docs/ReleaseNotes.rst

Show First 20 LinesShow All 81 Lines▼ Show 20 Lines
New check aliases New check aliases
^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^
- New alias :doc:`cert-pos47-c - New alias :doc:`cert-pos47-c
<clang-tidy/checks/cert-pos47-c>` to <clang-tidy/checks/cert-pos47-c>` to
:doc:`concurrency-thread-canceltype-asynchronous :doc:`concurrency-thread-canceltype-asynchronous
<clang-tidy/checks/concurrency-thread-canceltype-asynchronous>` was added. <clang-tidy/checks/concurrency-thread-canceltype-asynchronous>` was added.
Changes in existing checks
^^^^^^^^^^^^^^^^^^^^^^^^^^
- Improved :doc:`bugprone-signal-handler
<clang-tidy/checks/bugprone-signal-handler>` check.
Added an option to choose the set of allowed functions.
Improvements to include-fixer Improvements to include-fixer
----------------------------- -----------------------------
The improvements are... The improvements are...
Improvements to clang-include-fixer Improvements to clang-include-fixer
----------------------------------- -----------------------------------
Show All 14 Lines

clang-tools-extra/docs/clang-tidy/checks/bugprone-signal-handler.rst

.. title:: clang-tidy - bugprone-signal-handler .. title:: clang-tidy - bugprone-signal-handler
bugprone-signal-handler bugprone-signal-handler
======================= =======================
Finds functions registered as signal handlers that call non asynchronous-safe Finds functions registered as signal handlers that call non asynchronous-safe
functions. Any function that cannot be determined to be an asynchronous-safe functions. Any function that cannot be determined to be an asynchronous-safe
function call is assumed to be non-asynchronous-safe by the checker, function call is assumed to be non-asynchronous-safe by the checker,
including user functions for which only the declaration is visible. including user functions for which only the declaration is visible.
User function calls with visible definition are checked recursively. User function calls with visible definition are checked recursively.
The check handles only C code. The check handles only C code. Only the function names are considered and the
fact that the function is a system-call, but no other restrictions on the
The minimal list of asynchronous-safe system functions is: arguments passed to the functions (the ``signal`` call is allowed without
``abort()``, ``_Exit()``, ``quick_exit()`` and ``signal()`` restrictions).
(for ``signal`` there are additional conditions that are not checked).
The check accepts only these calls as asynchronous-safe.
This check corresponds to the CERT C Coding Standard rule This check corresponds to the CERT C Coding Standard rule
`SIG30-C. Call only asynchronous-safe functions within signal handlers `SIG30-C. Call only asynchronous-safe functions within signal handlers
<https://www.securecoding.cert.org/confluence/display/c/SIG30-C.+Call+only+asynchronous-safe+functions+within+signal+handlers>`_. <https://www.securecoding.cert.org/confluence/display/c/SIG30-C.+Call+only+asynchronous-safe+functions+within+signal+handlers>`_
and has an alias name ``cert-sig30-c``.
.. option:: AsyncSafeFunctionSet
Selects wich set of functions is considered as asynchronous-safe
(and therefore allowed in signal handlers). Value ``minimal`` selects
a minimal set that is defined in the CERT SIG30-C rule and includes functions
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Huh, that's really strange that POSIX leaves quick_exit off the list. I'm going to reach out to someone from the Austin Group to see if that's intentional or not.

aaron.ballman: Huh, that's really strange that POSIX leaves `quick_exit` off the list. I'm going to reach out…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I didn't need to reach out to them because I realized the latest POSIX spec is still based on C99 and they've not released the updated POSIX spec yet.

I think the POSIX functions should be a superset of the C functions.

aaron.ballman: I didn't need to reach out to them because I realized the latest POSIX spec is still based on…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Do you mean that we should add quick_exit to the POSIX set? And have a requirement that minimal set is subset of the POSIX set (if the lists are modified in the future)?

balazske: Do you mean that we should add `quick_exit` to the POSIX set? And have a requirement that…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Do you mean that we should add quick_exit to the POSIX set? And have a requirement that minimal set is subset of the POSIX set (if the lists are modified in the future)?

Sorry for having missed your question earlier!

I think any function in the minimally safe set should also be safe within the POSIX set unless there's some documentation to suggest that POSIX removed an allowance the C standard provides for a given API (which would be pretty surprising). So yes, I think the minimal set should be a subset of the POSIX set.

aaron.ballman: > Do you mean that we should add quick_exit to the POSIX set? And have a requirement that…
``abort()``, ``_Exit()``, ``quick_exit()`` and ``signal()``. Value ``POSIX``
selects a larger set of functions that is listed in POSIX.1-2017 (see `this
link
<https://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html#tag_15_04_03>`_
for more information).
The function ``quick_exit`` is not included in the shown list. It is
assumable that the reason is that the list was not updated for C11.
The checker includes ``quick_exit`` in the set of safe functions.
Functions registered as exit handlers are not checked.
Default is ``POSIX``.
Eugene.ZelenkoUnsubmitted
Not Done
ReplyInline Actions

Please add newline.

Eugene.Zelenko: Please add newline.

clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/signal.h

//===--- signal.h - Stub header for tests -----------------------*- C++ -*-===// //===--- signal.h - Stub header for tests -----------------------*- C++ -*-===//
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I think we should strive to replicate the system headers rather than fake up a system header (these headers can be used by more than one check). So I think we want to keep signal.h and stdlib.h, and should include the POSIX-specific functionality with a macro. This also helps us test the behavior on systems like Windows which are not POSIX systems.

aaron.ballman: I think we should strive to replicate the system headers rather than fake up a system header…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

My concern was to add these many small header files with just some functions in them. For accept more than one header is needed if we want to exactly replicate the system files. And data types like size_t should have a common header too. So I decided to have one header that contains all system functions and data types. This can be used by multiple tests and extended as needed.

balazske: My concern was to add these many small header files with just some functions in them. For…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I don't think we're too worried about having a bunch of small test headers around -- I think it's more important the headers used to check system header behavior be understandable as to what you're getting from them. For instance, there are clang-tidy checks for llvm-libc that may have very different needs from what you're doing here.

What's more, these changes break existing tests -- I don't see any companion changes to fix those up.

aaron.ballman: I don't think we're too worried about having a bunch of small test headers around -- I think…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

On my system (Ubuntu) I do not see failing tests, and these changes do not touch files that were created before D87449, no new problems should happen. I am not against "mirroring" the POSIX API header structure into the test stub header structure, only do not like the overhead of adding these many files with just 1-2 lines (that is needed for this test) in them. It is not done this way in the clang tests either (there are multiple "system-header-simulator" files that contain every declaration usable for specific purposes at one or more tests). Also I want to have the opinion of another reviewer for this question.

balazske: On my system (Ubuntu) I do not see failing tests, and these changes do not touch files that…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

On my system (Ubuntu) I do not see failing tests, and these changes do not touch files that were created before D87449, no new problems should happen.

You renamed stdlib.h and lllvmlibc-restrict-system-libc-headers.cpp includes stdlib.h, but after closer inspection, I see now that it's including one from a different directory. So this doesn't break the things I thought it was breaking, good!

Also I want to have the opinion of another reviewer for this question.

I'm happy to go with whatever @alexfh thinks.

aaron.ballman: > On my system (Ubuntu) I do not see failing tests, and these changes do not touch files that…
alexfhUnsubmitted
Not Done
ReplyInline Actions

Based on the experience with our internal set of checks and tests for them, I tend to think that keeping mock API definitions arranged in a similar way to the corresponding real library is a more sustainable way to manage mock headers. When arranged this way, it's easier to find the origins of, verify, and update definitions, when, for example, a higher fidelity replication of a system/STL/... entity becomes necessary. Dependencies between these mock headers (if necessary) can repeat those in the real library, and #includes of these mock headers can be composed in a similar way. Though the structure of the mock headers can start be approximate and the level of detail can be added when necessary. For example, one can start with a mock header for <string> that would contain initializer_list implementation. But when another test would need <initializer_list>, the corresponding entities can be moved to a separate initializer_list header.

As for different header contents depending on target platform, preprocessor macros seem to be a better way to handle this than using separate mock headers.

The set of mock headers can be shared by all tests that examine the corresponding API. I don't see good reasons to keep different mocks of the same API for different tests.

alexfh: Based on the experience with our internal set of checks and tests for them, I tend to think…
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef _SIGNAL_H_ #ifndef _SIGNAL_H_
#define _SIGNAL_H_ #define _SIGNAL_H_
typedef void (*sighandler_t)(int);
void _sig_ign(int); void _sig_ign(int);
void _sig_dfl(int); void _sig_dfl(int);
#define SIGINT 1 #define SIGINT 1
#define SIG_IGN _sig_ign #define SIG_IGN _sig_ign
#define SIG_DFL _sig_dfl #define SIG_DFL _sig_dfl
typedef void (*sighandler_t)(int);
sighandler_t signal(int, sighandler_t); sighandler_t signal(int, sighandler_t);
#endif // _SIGNAL_H_ #endif // _SIGNAL_H_

clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/stdlib.h

  • This file was copied to clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/string.h, clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/system-other.h, clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/unistd.h.
//===--- stdlib.h - Stub header for tests -----------------------*- C++ -*-===// //===--- stdlib.h - Stub header for tests------ -----------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef _STDLIB_H_ #ifndef _STDLIB_H_
#define _STDLIB_H_ #define _STDLIB_H_
void abort(void); void abort(void);
void _Exit(int); void _Exit(int);
void quick_exit(int); void quick_exit(int);
void other_call(int);
#endif // _STDLIB_H_ #endif // _STDLIB_H_

clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/string.h

  • This file was copied from clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/stdlib.h.
//===--- stdlib.h - Stub header for tests -----------------------*- C++ -*-===// //===--- string.h - Stub header for tests------ -----------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef _STDLIB_H_ #ifndef _STRING_H_
#define _STDLIB_H_ #define _STRING_H_
void abort(void); typedef __typeof__(sizeof(0)) size_t;
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I think this is causing some test failures: https://reviews.llvm.org/harbormaster/unit/view/324847/

A better way to do this would be: typedef __typeof__(sizeof(0)) size_t;

aaron.ballman: I think this is causing some test failures: https://reviews.llvm.
void _Exit(int);
void quick_exit(int);
void other_call(int); void *memcpy(void *dest, const void *src, size_t n);
#endif // _STDLIB_H_ #endif // _STRING_H_

clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/system-other.h

  • This file was copied from clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/stdlib.h.
//===--- stdlib.h - Stub header for tests -----------------------*- C++ -*-===// //===--- system-other.h - Stub header for tests -----------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef _STDLIB_H_ #ifndef _SYSTEM_OTHER_H_
#define _STDLIB_H_ #define _SYSTEM_OTHER_H_
void abort(void); // Special system calls.
void _Exit(int);
void quick_exit(int);
void other_call(int); void other_call();
#endif // _STDLIB_H_ #endif // _SYSTEM_OTHER_H_

clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/unistd.h

  • This file was copied from clang-tools-extra/test/clang-tidy/checkers/Inputs/Headers/stdlib.h.
//===--- stdlib.h - Stub header for tests -----------------------*- C++ -*-===// //===--- unistd.h - Stub header for tests------ -----------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef _STDLIB_H_ #ifndef _UNISTD_H_
#define _STDLIB_H_ #define _UNISTD_H_
void abort(void); void _exit(int status);
void _Exit(int);
void quick_exit(int);
void other_call(int); #endif // _UNISTD_H_
#endif // _STDLIB_H_

clang-tools-extra/test/clang-tidy/checkers/bugprone-signal-handler-minimal.c

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-signal-handler %t \
// RUN: -config='{CheckOptions: \
// RUN: [{key: bugprone-signal-handler.AsyncSafeFunctionSet, value: "minimal"}]}' \
// RUN: -- -isystem %S/Inputs/Headers
#include "signal.h"
#include "stdlib.h"
#include "string.h"
#include "unistd.h"
void handler_bad1(int) {
_exit(0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: '_exit' may not be asynchronous-safe; calling it from a signal handler may be dangerous [bugprone-signal-handler]
}
void handler_bad2(void *dst, const void *src) {
memcpy(dst, src, 10);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: 'memcpy' may not be asynchronous-safe; calling it from a signal handler may be dangerous [bugprone-signal-handler]
}
void handler_good(int) {
abort();
_Exit(0);
quick_exit(0);
signal(0, SIG_DFL);
}
void test() {
signal(SIGINT, handler_bad1);
signal(SIGINT, handler_bad2);
signal(SIGINT, handler_good);
}

clang-tools-extra/test/clang-tidy/checkers/bugprone-signal-handler-posix.c

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-signal-handler %t \
// RUN: -config='{CheckOptions: \
// RUN: [{key: bugprone-signal-handler.AsyncSafeFunctionSet, value: "POSIX"}]}' \
// RUN: -- -isystem %S/Inputs/Headers
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I'd like to make sure we have a test for this that explicitly runs on Windows.

aaron.ballman: I'd like to make sure we have a test for this that explicitly runs on Windows.
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

If an extra test file only for windows, can you tell what additionally to test for in that file? I think the current tests run an all platforms, to add a new test there should be additional cases that are Windows-specific. The header files should come only from the test directory (same for all platforms), not from the real system includes.

balazske: If an extra test file only for windows, can you tell what additionally to test for in that file?
#include "signal.h"
#include "stdlib.h"
#include "stdio.h"
#include "string.h"
#include "unistd.h"
void handler_bad(int) {
printf("1234");
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: 'printf' may not be asynchronous-safe; calling it from a signal handler may be dangerous [bugprone-signal-handler]
}
void handler_good(int) {
abort();
_Exit(0);
_exit(0);
quick_exit(0);
signal(0, SIG_DFL);
memcpy((void*)10, (const void*)20, 1);
}
void test() {
signal(SIGINT, handler_good);
signal(SIGINT, handler_bad);
}

clang-tools-extra/test/clang-tidy/checkers/bugprone-signal-handler.c

// RUN: %check_clang_tidy %s cert-sig30-c %t -- -- -isystem %S/Inputs/Headers // RUN: %check_clang_tidy %s bugprone-signal-handler %t -- -- -isystem %S/Inputs/Headers
#include "signal.h" #include "signal.h"
#include "stdio.h"
#include "stdlib.h" #include "stdlib.h"
#include "stdio.h"
#include "system-other.h"
// The function should be classified as system call even if there is // The function should be classified as system call even if there is
// declaration the in source file. // declaration the in source file.
// FIXME: The detection works only if the first declaration is in system // FIXME: The detection works only if the first declaration is in system
// header. // header.
int printf(const char *, ...); int printf(const char *, ...);
typedef void (*sighandler_t)(int); typedef void (*sighandler_t)(int);
sighandler_t signal(int signum, sighandler_t handler); sighandler_t signal(int signum, sighandler_t handler);
void handler_abort(int) { void handler_abort(int) {
abort(); abort();
} }
void handler__Exit(int) {
_Exit(0);
}
void handler_quick_exit(int) {
quick_exit(0);
}
void handler_other(int) { void handler_other(int) {
printf("1234"); printf("1234");
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: 'printf' may not be asynchronous-safe; calling it from a signal handler may be dangerous [cert-sig30-c] // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: 'printf' may not be asynchronous-safe; calling it from a signal handler may be dangerous [bugprone-signal-handler]
} }
void handler_signal(int) { void handler_signal(int) {
// FIXME: It is only OK to call signal with the current signal number. // FIXME: It is only OK to call signal with the current signal number.
signal(0, SIG_DFL); signal(0, SIG_DFL);
} }
void f_ok() { void f_ok() {
abort(); abort();
} }
void f_bad() { void f_bad() {
printf("1234"); printf("1234");
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: 'printf' may not be asynchronous-safe; calling it from a signal handler may be dangerous [cert-sig30-c] // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: 'printf' may not be asynchronous-safe; calling it from a signal handler may be dangerous [bugprone-signal-handler]
} }
void f_extern(); void f_extern();
void handler_ok(int) { void handler_ok(int) {
f_ok(); f_ok();
} }
void handler_bad(int) { void handler_bad(int) {
f_bad(); f_bad();
} }
void handler_extern(int) { void handler_extern(int) {
f_extern(); f_extern();
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: 'f_extern' may not be asynchronous-safe; calling it from a signal handler may be dangerous [cert-sig30-c] // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: 'f_extern' may not be asynchronous-safe; calling it from a signal handler may be dangerous [bugprone-signal-handler]
} }
void test() { void test() {
signal(SIGINT, handler_abort); signal(SIGINT, handler_abort);
signal(SIGINT, handler__Exit);
signal(SIGINT, handler_quick_exit);
signal(SIGINT, handler_signal); signal(SIGINT, handler_signal);
signal(SIGINT, handler_other); signal(SIGINT, handler_other);
signal(SIGINT, handler_ok); signal(SIGINT, handler_ok);
signal(SIGINT, handler_bad); signal(SIGINT, handler_bad);
signal(SIGINT, handler_extern); signal(SIGINT, handler_extern);
signal(SIGINT, quick_exit); signal(SIGINT, _Exit);
signal(SIGINT, other_call); signal(SIGINT, other_call);
// CHECK-MESSAGES: :[[@LINE-1]]:18: warning: 'other_call' may not be asynchronous-safe; calling it from a signal handler may be dangerous [cert-sig30-c] // CHECK-MESSAGES: :[[@LINE-1]]:18: warning: 'other_call' may not be asynchronous-safe; calling it from a signal handler may be dangerous [bugprone-signal-handler]
signal(SIGINT, SIG_IGN); signal(SIGINT, SIG_IGN);
signal(SIGINT, SIG_DFL); signal(SIGINT, SIG_DFL);
} }