bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Using Clang's static analyzer on bash


From: Eduardo Bustamante
Subject: Re: Using Clang's static analyzer on bash
Date: Wed, 26 Apr 2017 10:10:10 -0500

On Mon, Apr 24, 2017 at 10:13 AM, Chet Ramey <address@hidden> wrote:
[...]
> I'd be interested in seeing the results.  In my experience with similar
> tools, the false positive ratio is very high.

Most of the "errors" identified are due to unused variables. It does
have some interesting reports though:

#1 optimized_assignment in variables.c does not check if xrealloc was
successful (i.e. not NULL), so if it fails, strcpy will end up
dereferencing a null pointer.

#2 command_substitute in subst.c the value of old_pid is uninitialized
when pipe() returns an error, so last_made_pid ends up being a garbage
value. I modified the code to print the value of last_made_pid in
`error_exit'. I don't know how last_made_pid is used, so I don't know
if this is a problem or not.

| address@hidden:~/src/gnu/bash$ ./bash -c 'ulimit -n 3; $(:); echo hi'
| ./bash: cannot make pipe for command substitution: Too many open files
| last_made_pid = -1074209592
| hi

#3 parameter_brace_expand_indir in subst.c the value of `v' (SHELL_VAR
pointer) when var_is_special > 0 is not defined, so `legal_identifier
(name) && v == 0' relies on undefined behavior.

I've attached the build log to https://savannah.gnu.org/support/index.php?109301



reply via email to

[Prev in Thread] Current Thread [Next in Thread]