Resolving the almost decade old checker dependency issue in the Clang Static Analyzer

  1. Resolving the almost decade old checker dependency issue in the Clang Static Analyzer
     Kristóf Umann, dkszelethus@gmail.com
     Eötvös Loránd University, Budapest; Ericsson Hungary
     April 8, 2019

  2. The original problem: easy-to-mess-up command line interface

         clang -cc1 -analyze myfile.cpp \
           -analyzer-checker=cplusplus.InnerPointer \
           -analyzer-config note-as-warning=true

     ...meant to be notes-as-warnings

         clang -cc1 -analyze myfile.cpp \
           -analyzer-checker=cplusplus.InnerPointer \
           -analyzer-config unix.Malloc:Optimist=true

     ...meant to be Optimistic

  3. No warnings, no errors, the analyzer simply doesn't do what you intended...

  4. Bug unearthed: "The Checker Naming Bug"
     - Multiple checker objects could receive the same name
     - Incorrect checker names in bug reports
     - Errors while parsing checker configurations

  5. Real-life problems coming from the Checker Naming Bug

         clang -cc1 -analyze myfile.cpp \
           -analyzer-checker=cplusplus.InnerPointer \
           -analyzer-config unix.Malloc:Optimistic=true

  6. Real-life problems coming from the Checker Naming Bug

         clang -cc1 -analyze myfile.cpp \
           -analyzer-checker=cplusplus.InnerPointer \
           -analyzer-config cplusplus.InnerPointer:Optimistic=true

  7. - InnerPointerChecker and MallocChecker have the same name!
     - Turns out InnerPointerChecker depends on MallocChecker!
     - InnerPointerChecker enables both itself and MallocChecker
     - Fixing this bug implies the need to reimplement dependencies...

  8. [Figure: dependency graph of the checkers. Node labels: cplusplus.NewDeleteLeaks, security.insecureAPI.DeprecatedOrUnsafeBufferHandling, security.insecureAPI.mktemp, "a bunch more security checkers", security.insecureAPI.bcopy, security.insecureAPI.bcmp, security.insecureAPI.UncheckedReturn, security.insecureAPI.SecuritySyntaxChecker, cplusplus.NewDelete, alpha.cplusplus.IteratorModeling, unix.MismatchedDeallocator, unix.Malloc, cplusplus.InnerPointer, unix.DynamicMemoryModeling, unix.cstring.BadSizeArg, alpha.unix.cstring.OutOfBounds, unix.cstring.NullArg, alpha.unix.cstring.NotNullTerminated, security.FloatLoopCounter, alpha.cplusplus.InvalidatedIterator, unix.cstring.CStringModeling, core.StackAddrEscapeBase, valist.Uninitialized, valist.CopyToSelf, valist.ValistBase, alpha.core.CallAndMessageUnInitRefArg, core.CallAndMessage, core.StackAddressEscape, alpha.core.StackAddressAsyncEscape, osx.cocoa.RetainCount, alpha.cplusplus.IteratorRange, osx.OSObjectRetainCount, osx.cocoa.RetainCountBase, osx.cocoa.ObjCGenerics, core.DynamicTypePropagation, alpha.osx.MissingInvalidationMethod, alpha.osx.InstanceVariableInvalidation, alpha.osx.IvarInvalidationModeling, alpha.cplusplus.MismatchedIterator, alpha.unix.cstring.BufferOverlap, osx.cocoa.NSError, osx.coreFoundation.CFError, osx.NSOrCFErrorDerefChecker, valist.Unterminated]

  9. [Figure: part of the dependency graph. Node labels: "CString Modeling object?", alpha.unix.cstring.BufferOverlap, alpha.unix.cstring.NotNullTerminated, unix.cstring.NullArg, alpha.unix.cstring.OutOfBounds, unix.cstring.BadSizeArg, unix.Malloc, cplusplus.InnerPointer, unix.MismatchedDeallocator, cplusplus.NewDelete, cplusplus.NewDeleteLeaks]

         clang -cc1 -analyze myfile.cpp \
           -analyzer-checker=cplusplus.InnerPointer \
           -analyzer-config unix.Malloc:Optimistic=true

     Too complex to fit on a slide...

  10. [Figure: part of the dependency graph. Node labels: "CString Modeling object?", alpha.unix.cstring.BufferOverlap, alpha.unix.cstring.NotNullTerminated, unix.cstring.NullArg, alpha.unix.cstring.OutOfBounds, unix.cstring.BadSizeArg, unix.Malloc, cplusplus.InnerPointer, unix.MismatchedDeallocator, cplusplus.NewDelete, cplusplus.NewDeleteLeaks]

          clang -cc1 -analyze myfile.cpp \
            -analyzer-checker=cplusplus.InnerPointer \
            -analyzer-config cplusplus.InnerPointer:Optimistic=true

  11. [Figure: part of the dependency graph. Node labels: "CString Modeling object?", alpha.unix.cstring.BufferOverlap, alpha.unix.cstring.NotNullTerminated, unix.cstring.NullArg, alpha.unix.cstring.OutOfBounds, unix.cstring.BadSizeArg, unix.Malloc, cplusplus.InnerPointer, unix.MismatchedDeallocator, cplusplus.NewDelete, cplusplus.NewDeleteLeaks]

      How do we solve this?

  12. [Figure: the same part of the graph drawn as a tree. Node labels: unix.cstring.CStringModeling, alpha.unix.cstring.BufferOverlap, alpha.unix.cstring.NotNullTerminated, unix.cstring.NullArg, alpha.unix.cstring.OutOfBounds, unix.cstring.BadSizeArg, unix.DynamicMemoryModeling, cplusplus.InnerPointer, unix.Malloc, unix.MismatchedDeallocator, cplusplus.NewDelete, cplusplus.NewDeleteLeaks]

      Be able to represent dependencies with a directed tree

  13. Resolve dependencies at a higher level
      - Declare dependencies in TableGen
      - Don't allow checkers to enable more than one checker
      - Make sure dependencies are enabled in the correct order

          def InnerPointerChecker : Checker<"InnerPointer">,
            HelpText<"Looks for pointers to temp. strings">,
            Dependencies<[DynamicMemoryModeling]>,
            Documentation<NotDocumented>;

  14. Conclusion
      - We are able to list checker dependencies
      - We can now list and verify checker options
      - Checker names won't depend on how we invoke the analyzer
      - Plugins can now depend on builtin checkers
      - Already in trunk!

  15. [Figure: the full checker dependency graph from slide 8, repeated]

      Thank you for your attention!
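
The approach on slides 13 and 14 (dependencies declared per checker, dependencies enabled first, checker options verified) modelled in C++ as an added example; it is not code from the talk or from Clang. `kCheckers`, `resolve` and `optionIsDeclared` are hypothetical names, and only the InnerPointer dependency and the `unix.Malloc:Optimistic` option are taken from the slides.

```cpp
#include <algorithm>
#include <map>
#include <set>
#include <string>
#include <vector>

// Constructed checker table. InnerPointer -> DynamicMemoryModeling and the
// unix.Malloc "Optimistic" option come from the slides; the rest is assumed.
struct CheckerInfo {
  std::vector<std::string> deps;  // checkers that must be registered first
  std::set<std::string> options;  // option names this checker declares
};
const std::map<std::string, CheckerInfo> kCheckers = {
    {"unix.DynamicMemoryModeling", {{}, {}}},
    {"unix.Malloc", {{"unix.DynamicMemoryModeling"}, {"Optimistic"}}},
    {"cplusplus.InnerPointer", {{"unix.DynamicMemoryModeling"}, {}}},
};

// Depth-first walk: a checker is appended only after all its dependencies.
// Returns false for an unknown checker name or a dependency cycle.
static bool visit(const std::string &name, std::set<std::string> &entered,
                  std::vector<std::string> &order) {
  if (std::find(order.begin(), order.end(), name) != order.end()) return true;
  auto it = kCheckers.find(name);
  if (it == kCheckers.end() || !entered.insert(name).second) return false;
  for (const auto &dep : it->second.deps)
    if (!visit(dep, entered, order)) return false;
  order.push_back(name);
  return true;
}

// Registration order for the requested checkers; empty means rejected.
std::vector<std::string> resolve(const std::vector<std::string> &requested) {
  std::set<std::string> entered;
  std::vector<std::string> order;
  for (const auto &name : requested)
    if (!visit(name, entered, order)) return {};
  return order;
}

// Check a "checker:option" key so a misspelled option becomes an error.
bool optionIsDeclared(const std::string &key) {
  auto colon = key.find(':');
  if (colon == std::string::npos) return false;
  auto it = kCheckers.find(key.substr(0, colon));
  return it != kCheckers.end() &&
         it->second.options.count(key.substr(colon + 1)) > 0;
}
int main() {  // exit status 0 when the misspelled option is rejected
  return optionIsDeclared("unix.Malloc:Optimist") ? 1 : 0;
}
```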
