Re: Using Clang's static analyzer on bash
From: Chet Ramey
Subject: Re: Using Clang's static analyzer on bash
Date: Wed, 26 Apr 2017 11:48:09 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
On 4/26/17 11:10 AM, Eduardo Bustamante wrote:
> On Mon, Apr 24, 2017 at 10:13 AM, Chet Ramey <chet.ramey@case.edu> wrote:
> [...]
>> I'd be interested in seeing the results. In my experience with similar
>> tools, the false positive ratio is very high.
>
> Most of the "errors" identified are due to unused variables. It does
> have some interesting reports though:
>
> #1 optimized_assignment in variables.c does not check if xrealloc was
> successful (i.e. not NULL), so if it fails, strcpy will end up
> dereferencing a null pointer.
Not a problem; xrealloc aborts on error.
> #2 command_substitute in subst.c the value of old_pid is uninitialized
> when pipe() returns an error, so last_made_pid ends up being a garbage
> value. I modified the code to print the value of last_made_pid in
> `error_exit'. I don't know how last_made_pid is used, so I don't know
> if this is a problem or not.
If you can't create pipes or open files, you're not going to get very far,
but still worth moving the assignment above the call to pipe().
> | dualbus@debian:~/src/gnu/bash$ ./bash -c 'ulimit -n 3; $(:); echo hi'
> | ./bash: cannot make pipe for command substitution: Too many open files
> | last_made_pid = -1074209592
> | hi
>
> #3 parameter_brace_expand_indir in subst.c the value of `v' (SHELL_VAR
> pointer) when var_is_special > 0 is not defined, so `legal_identifier
> (name) && v == 0' relies on undefined behavior.
When var_is_special == 1, legal_identifier(name) returns 0. `&&' is
evaluated left-to-right, and stops as soon as legal_identifier fails.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/