[analyzer] getenv() state split missing a note. #53276
Comments
haoNoQ
changed the title
|
Well, AFAIK there is currently no way in the Even though the DSL is already on the complex side, these NoteTags would be beneficial in all cases. More often than not we are interested in why something is assumed by the analyzer. So, an
That being said, we haven't thought about this, but we definitely should have. |
|
Folks, are you actively working on this issue these days? I'm thinking of disabling the getenv split by default (eg., by disabling the controlled environment flag by default) if there's no quick fix for this issue. |
|
I'm not working on it. Would you please reflect on the proposed implementation in my previous post? |
|
Yes, I think a simple string message is probably sufficient. Especially given that a summary should almost never have more than two branches anyway (very hard to justify a more-than-2-way state split). |
I agree. It's often conditional or prunable but most of the time it has to be there. |
This is a solution to the issue with `getenv()` (llvm#53276) but I covered a few more functions just because I could. The patch is straightforward except the tiny fix in `BugReporterVisitors.cpp` that suppresses a default note for "Assuming pointer value is null" when a note tag from the checker is present. This is probably the right thing to do but also definitely not a complete solution to the problem of different sources of path notes being unaware of each other, which is a large and annoying issue that we have to deal with. Note tags really help there because they're nicely introspectable. The problem is demonstrated by the newly added `getenv()` test; I did not investigate why doesn't the original buggy report have the same note but I agree that this might be interesting to figure out. The notes are currently optional but I think we should eventually implement all of them and then make them mandatory. The notes are prunable, i.e. they won't bring-in entire stack frames worth of notes just because they're there, but they will be always visible regardless of whether the value is of interest to the bug report. I think this is debatable, the arguably better solution is to make them non-prunable but conditional to the value being tracked back to the call, which would probably need a better tracking infrastructure. Differential Revision: https://reviews.llvm.org/D122285
|
Solved by the referenced commit. |
|
Indeed, fixed by f68c0a2. |
Now that we're bifurcating on
getenv()by default, we should explain to the user why we think that the pointer may be null. Eg. this isn't an understandable report:Ideally this should be a two-step report with the first step saying something like "Assuming the variable is not present in the environment".
@martong @steakhal how close are we to attaching note tag material to summaries?
P.S. I love the new bugzilla, was just waiting for a chance to use it^^
The text was updated successfully, but these errors were encountered: