proposal: cmd/vet: add check for common error mishandling pattern

[robpike]

People have proposed adding a test to vet to catch certain unused errors. This can be very noisy, and there are many cases where the error is genuinely known to be nil and can be ignored, such as in a call to bufio.Writer.Write. Therefore a general "unused error" check will be too noisy and fail the precision criterion described in cmd/vet/README.

However, my project has been badly bitten twice recently by a particular problem of unused errors that should be caught. The two looked schematically like these snippets:

func e() error { ... }
var err error

# Error value not caught in if init:
if e(); err != nil {...}

# Error value not caught before if:
e()
if err != nil { ... }

I did some experiments to catch calls to functions with the type of e that did not catch the error, and found too may false positives for things like os.Setenv.

However, since the real problem isn't that the error is discarded, but that it is discarded immediately before a check, I think it's worth trying a more targeted approach, one that would catch both of the problems in the snippets above.

The -unusedresult flag, on by default, already checks for things like calls to fmt.Sprintf where the value is not used, which is clearly a bug - there is no other reason to call fmt.Sprintf. That check works with a whitelist, but the problems in the examples above involved local functions that would never appear on a whitelist unless explicitly added when vet is called, which is error-prone (and not done in general).

I therefore propose to add to the -unusedresult check a test for the specific case with these three properties:

1. a call to a function that returns an error as one of its possibly several arguments;
2. return values from the function are dropped (no explicit _);
3. the next statement reads a variable of type error.

It's point 3 that makes this work, I think, eliminating almost all the noise from calls to things like os.Setenv while catching the real bugs. If you just called an error function and then ask about the error, if there's no flow from the call to the check, you almost certainly made a mistake.

Regarding the criteria:

Correctness: This is a real bug, and it's bitten our project twice with severe security problems as a result. This is a problem that needs fixing.

Frequency: It's hit our project twice, and our project isn't big. I believe the severity is high enough that even a modest frequency of hits justifies the fix. If I implement this, I predict it will find more.

Precision: I believe that rule 3 in this proposal should make it precise enough.

[griesemer]

This seems worthwhile doing. I think the proof is in the pudding - let's implement it and see if it can be made to work as advertised.

[dlsniper]

Hi,

I'm not sure about the full context of those issues, but both these tools would catch the error, with this code https://play.golang.org/p/pkaWAqDUY0 as an example:

• https://github.com/dominikh/go-tools/tree/master/cmd/staticcheck
• https://github.com/kisielk/errcheck

Both of them are included in this other tool: https://github.com/alecthomas/gometalinter

I wonder if rather than having the effort duplicate, more gophers should be made aware by these tools via the https://golang.org website by adding a (third-party) tooling section (cc @rakyll). Or do you think having this check in the vet tool would bring any advantage over the existing tools in the ecosystem?

Thank you.

[ianlancetaylor]

This is a refinement of #19727.

[dominikh]

It's worth pointing out that neither staticcheck nor errcheck fulfill Rob's requirements. Staticcheck doesn't actually catch this problem at all (yet), its output for https://play.golang.org/p/pkaWAqDUY0 is complaining about something unrelated. Errcheck does catch the issue – being the canonical tool for finding unchecked errors – but it's also a tool that's too noisy for a lot of people, see Rob's original message that mentions bufio.Writer.Write.

[kevinburke]

On a slightly related note: I sometimes try to make it impossible to have this problem by trying to never reuse an error; specifically to never assign to an error value with =.

Sometimes I get caught up though with code like this:

val, err := doSomething()
if err != nil {
    return err
}

val2, err2 := doSomethingElse()
if err2 != nil {
    return err
}

And then get confused why I'm returning nil from the function.

[cznic]

I sometimes try to make it impossible to have this problem by trying to never reuse an error; specifically to never assign to an error value with =.

I would go the opposite way. It's the := which causes the trouble. (While being undeniably handy in almost every other situation.)

[rsc]

Leaving on hold until @robpike has time to further explore a prototype.

[velovix]

I'm not especially comfortable with the idea of ignoring errors when they are generally expected not to happen. It doesn't sound like a good idea, but perhaps I don't understand just how unlikely these errors are. It seems like the best case scenario is that you save three lines of code to panic on the error, and the worse case is that your program silently fails in a potentially subtle way.

Is this something a lot of Gophers do in practice? Has anyone run errcheck against as sizeable amount of Go code to make sure this is the case?