On Mon, 2022-01-24 at 19:49 +0530, Ankur Saini wrote:
> The following can be a possible example of a case where the analyzer
> fails
> to understand POSIX file-descriptor API.
>
> - - -
> #include <stdio.h>
> #include <fcntl.h>
>
> void test()
> {
> int fd;
> fd = open("foo.txt", O_RDONLY | O_CREAT);
> }
>
> void test_2()
> {
> FILE *f;
> f = fopen("demo.c", "r");
> }
>
> godbolt link: https://godbolt.org/z/vbTq6fTnd
> - - -
>
> You can see that unlike the "File *” pointer ( f ), analyzer is not
> tracking integer file descriptor ( fd ) which is also leaking at the
> end of
> function "test ()” and should ideally be reported with CWE-775
> ( https://cwe.mitre.org/data/definitions/775.html )
>
> If you look at the exploded graph of the given program, the analyzer
> is not
> able to identify the call to `open ()` and treating it as a "call to
> unknown function”.
Thanks, that's a good explanation.
The analyzer could handle the "open" call by bifurcating the state into
"succeeded" and "failed" cases; see region_model::impl_call_strchr for
an example of this. We don't yet have a way for the analyzer to know
about functions that set errno, but the "failed" case ought to do so.
Dave
