[PATCH] ChrootChecker: Bind chroot's result zero and reduce verbose warning

Hiroo MATSUMOTO hiroom2.mail at gmail.com
Mon Mar 3 03:19:20 PST 2014


ChrootChecker tracks the chroot-failed case. It will generate a warning
even though chroot is used properly.

When it finds improper use of chroot, ChrootChecker doesn't stop
tracking. It will generate verbose warnings.

For example, ChrootChecker will generate warnings from the code below,
which can switch between proper and improper use with IMPROPER_USE.

When IMPROPER_USE is not defined, 1 warning will be generated.
When IMPROPER_USE is defined, 3 warnings will be generated.


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
  if (argc < 2) {
    fprintf(stderr, "usage: %s newroot\n", argv[0]);
    return 1;
  }

  if (chroot(argv[1]) < 0) {
    perror("chroot"); /* warned in both the proper and the improper case */
    return 1;
  }

#ifndef IMPROPER_USE
  if (chdir("/") < 0) { /* proper use: chdir("/") right after chroot() */
    perror("chdir");
    return 1;
  }
#endif

  if (execv("/bin/sh", argv) < 0) { /* warned only in the improper case */
    perror("execv");                 /* warned only in the improper case */
    return 1;
  }

  return 0;
}


This patch binds the return value of chroot to zero, and stops
tracking when it finds improper use of chroot.


Index: lib/StaticAnalyzer/Checkers/ChrootChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/ChrootChecker.cpp (revision 202679)
+++ lib/StaticAnalyzer/Checkers/ChrootChecker.cpp (working copy)
@@ -87,11 +87,13 @@
 void ChrootChecker::Chroot(CheckerContext &C, const CallExpr *CE) const {
   ProgramStateRef state = C.getState();
   ProgramStateManager &Mgr = state->getStateManager();
+  SValBuilder &svalBuilder = C.getSValBuilder();
+  SVal success = svalBuilder.makeZeroVal(svalBuilder.getContext().IntTy);

   // Once encouter a chroot(), set the enum value ROOT_CHANGED directly in
   // the GDM.
   state = Mgr.addGDM(state, ChrootChecker::getTag(), (void*) ROOT_CHANGED);
-  C.addTransition(state);
+  C.addTransition(state->BindExpr(CE, C.getLocationContext(), success));
 }

 void ChrootChecker::Chdir(CheckerContext &C, const CallExpr *CE) const {
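Review bot: `makeZeroVal(svalBuilder.getContext().IntTy)` hard-codes the return type; `svalBuilder.makeZeroVal(CE->getType())` takes it from the call expression itself and stays correct if the declaration's return type ever differs. More importantly, binding a constant 0 makes the analyzer treat chroot() as infallible: the `chroot(...) < 0` branch in callers becomes unreachable and is never analyzed. That is what removes the spurious warning on the error path, but it also hides any bug in that error-handling branch. If this modeling choice is intended, state it in the comment above the addGDM call (and fix the `encouter` typo while touching that comment); the alternative is to keep a symbolic return value and only mark ROOT_CHANGED once the path assumes it is zero.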
@@ -140,7 +142,7 @@
   void *const* k = C.getState()->FindGDM(ChrootChecker::getTag());
   if (k)
     if (isRootChanged((intptr_t) *k))
-      if (ExplodedNode *N = C.addTransition()) {
+      if (ExplodedNode *N = C.generateSink()) {
         if (!BT_BreakJail)
           BT_BreakJail.reset(new BuiltinBug(
               this, "Break out of jail", "No call of chdir(\"/\")
immediately "
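Review bot: replacing `C.addTransition()` with `C.generateSink()` in the isRootChanged branch does more than suppress duplicate reports: a sink ends exploration of that path, so nothing after the first flagged call, including findings from other checkers, is analyzed on it, even though a missing chdir("/") is not a fatal condition in the program's semantics. A lighter fix that still yields one warning per path is to emit the report and then transition to a state with the GDM tag cleared (or set to a new JAIL_BROKEN value), so later calls on the same path no longer satisfy isRootChanged. Also, the hunk is cut off after `immediately "`; please resend the full diff so the remainder of the change can be reviewed.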