On Mon, 2022-01-24 at 19:49 +0530, Ankur Saini wrote:
> The following can be a possible example of a case where the analyzer fails
> to understand the POSIX file-descriptor API.
>
> - - -
> #include <stdio.h>
> #include <fcntl.h>
>
> void test()
> {
>     int fd;
>     /* O_CREAT requires a mode argument; 0644 supplied so the call is well-defined */
>     fd = open("foo.txt", O_RDONLY | O_CREAT, 0644);
>     /* fd is never close()d: the descriptor leaks, but the analyzer stays silent */
> }
>
> void test_2()
> {
>     FILE *f;
>     f = fopen("demo.c", "r");
>     /* f is never fclose()d: this leak the analyzer does report */
> }
>
> godbolt link: https://godbolt.org/z/vbTq6fTnd
> - - -
>
> You can see that unlike the "FILE *" pointer ( f ), the analyzer is not
> tracking the integer file descriptor ( fd ), which is also leaking at the
> end of function "test ()" and should ideally be reported with CWE-775
> ( https://cwe.mitre.org/data/definitions/775.html )
>
> If you look at the exploded graph of the given program, the analyzer
> is not able to identify the call to `open ()` and treats it as a
> "call to unknown function".
Thanks, that's a good explanation.

The analyzer could handle the "open" call by bifurcating the state into
"succeeded" and "failed" cases; see region_model::impl_call_strchr for an
example of this.

We don't yet have a way for the analyzer to know about functions that set
errno, but the "failed" case ought to do so.

Dave
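For contrast with the leaking test() in the quoted message, the following is an added example (not code from the thread or from GCC) of the shape of fd-handling code that the "succeeded"/"failed" split described above has to model: the failed open() returns immediately with errno intact and nothing to release, and every path after a successful open() reaches close(). The function names count_newlines and write_sample_file, the temp-file path template and the three-line sample text are all constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Count newline bytes in the file at PATH through the POSIX fd API.
 * Returns the count, or -1 with errno left as set by the failing call.
 * After a successful open() the descriptor is released on every path,
 * which is what distinguishes this function from the leaking test(). */
long count_newlines(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;              /* "failed" branch: errno set, nothing to close */

    long count = 0;
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] == '\n')
                count++;
    }
    if (n == -1) {
        int saved = errno;      /* close() may overwrite errno; preserve it */
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);                  /* "succeeded" branch: fd released before return */
    return count;
}

/* Create a temp file holding constructed sample text (three lines) and
 * return its heap-allocated path, or NULL with errno set. The caller
 * unlinks and frees it. mkstemp() keeps the example self-contained. */
char *write_sample_file(void)
{
    static const char tmpl[] = "/tmp/fd_example_XXXXXX";   /* constructed */
    static const char text[] = "alpha\nbeta\ngamma\n";     /* constructed */
    char *path = malloc(sizeof tmpl);
    if (path == NULL)
        return NULL;
    memcpy(path, tmpl, sizeof tmpl);

    int fd = mkstemp(path);
    if (fd == -1) {
        free(path);
        return NULL;
    }
    ssize_t want = (ssize_t)(sizeof text - 1);
    if (write(fd, text, (size_t)want) != want) {
        int saved = errno;
        close(fd);
        unlink(path);
        free(path);
        errno = saved;
        return NULL;
    }
    close(fd);
    return path;
}

int main(void)
{
    char *path = write_sample_file();
    if (path == NULL) {
        perror("write_sample_file");
        return 1;
    }
    printf("%ld newlines in %s\n", count_newlines(path), path);
    unlink(path);
    free(path);

    /* Constructed missing path: exercises the "failed" branch of open(). */
    if (count_newlines("/nonexistent-dir-for-this-example/missing.txt") == -1)
        perror("open");
    return 0;
}
```

The errno save-and-restore around close() on the read-failure path is the detail the reply points at: a model of open()/read() that sets errno in the "failed" case also needs to know that the later close() can clobber it.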