On Mon, 2022-01-24 at 19:49 +0530, Ankur Saini wrote:
> The following can be a possible example of a case where the analyzer
> fails
> to understand POSIX file-descriptor API.
> 
> - - -
> #include <stdio.h>
> #include <fcntl.h>
> 
> void test()
> {
>     int fd;
>     fd = open("foo.txt", O_RDONLY | O_CREAT);
> }
> 
> void test_2()
> {
>     FILE *f;
>     f = fopen("demo.c", "r");
> }
> 
> godbolt link: https://godbolt.org/z/vbTq6fTnd
> - - -
> 
> You can see that unlike the "File *” pointer ( f ), analyzer is not
> tracking integer file descriptor ( fd ) which is also leaking at the
> end of
> function "test ()” and should ideally be reported with CWE-775
> ( https://cwe.mitre.org/data/definitions/775.html )
> 
> If you look at the exploded graph of the given program, the analyzer
> is not
> able to identify the call to `open ()` and treating it as a "call to
> unknown function”.

Thanks, that's a good explanation.

The analyzer could handle the "open" call by bifurcating the state into
"succeeded" and "failed" cases; see region_model::impl_call_strchr for
an example of this.  We don't yet have a way for the analyzer to know
about functions that set errno, but the "failed" case ought to do so.

Dave

Reply via email to