[cfe-dev] GSoC 2012: Static Function Blacklisting
Mark McCurry
mark.d.mccurry at gmail.com
Fri Mar 30 06:49:02 PDT 2012
> The general idea is something that's definitely useful.
> I wrote a hacky ad-hoc tool with libclang to perform this kind of check for the xlocale code in FreeBSD and ensure that none of the reentrant functions was touching any global state or calling the non-reentrant versions and it would be great to see it done properly and generalised.
Good to see that the general idea would be useful.
>
> A few thoughts about the design though:
>
> I am not convinced by the annotations.
> A does-not-call-X attribute doesn't seem to be sufficiently expressive for this kind of test.
I am not by any means really attached to the example syntax.
> You'd need to whitelist dozens of functions at each call.
> I would rather something that allowed you to tag functions with attributes like 'reentrant', or 'realtime' (the annotation attribute could be used here) and then another like __attribute__((may_only_call(reentrant))) to be applied to a function, that would only allow it to call functions whose declarations are marked as reentrant.
I personally think Matthieu has the most interesting syntax for
marking functions themselves ATM, but the may_only_call seems to be
approximately the same in terms of semantics.
On the whitelisting issue, it should be possible for clang to perform
some form of tagging non-annotated functions for the purpose of the
static analysis.
> Currently, the analyser does not perform any checking between compilation units.
> That means that with your example, if bar() and func() were in different compilation units then the analyser would be quiet.
> By only calling annotated functions the compilation unit containing func() would warn you if bar() did not have the required attribute or (if it did) the compilation unit containing bar() would warn you if foo() did not have the required attribute.
I think it should be possible to work around this, though I am not
very familiar with clang's internals.
Would it not be possible to:
- check bar() when working on its compilation unit and automatically
annotate it (internally)
- allow func() to check this internal annotation to find the violation
> You might want to take a look at the thread safety annotations (holds lock and friends) for some inspiration.
I will try to dig into the source and take a look at its development state soon.
--Mark
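
Added example, not part of the original message and not clang code: a toy Python model of the per-compilation-unit rule discussed in the quoted text, where a function marked may_only_call(reentrant) may only call functions whose declarations carry the reentrant tag. The may_only_call attribute is only a proposal from the thread, and the file names a.c and b.c, the call chain func() -> bar() -> foo() and all helper names are constructed for illustration.

```python
# Toy model of the proposed check; 'may_only_call' is hypothetical, not a clang attribute.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Decl:
    tags: frozenset = frozenset()        # tags on the declaration, e.g. {"reentrant"}
    may_only_call: Optional[str] = None  # tag every callee's declaration must carry

@dataclass
class TranslationUnit:
    name: str
    decls: dict   # declarations visible in this unit (shared header included)
    bodies: dict  # function name -> callees, only for functions defined here

def check_tu(tu):
    """Return (unit, caller, callee, tag) per violation, using only what this
    unit can see: declarations, never the body of a function defined elsewhere."""
    findings = []
    for caller, callees in tu.bodies.items():
        required = tu.decls[caller].may_only_call
        if required is None:
            continue  # caller makes no promise, nothing to enforce
        for callee in callees:
            decl = tu.decls.get(callee, Decl())  # undeclared callee counts as untagged
            if required not in decl.tags:
                findings.append((tu.name, caller, callee, required))
    return findings

# Constructed sample: one declaration style that is both tagged and restricted.
REENTRANT = Decl(tags=frozenset({"reentrant"}), may_only_call="reentrant")
UNTAGGED = Decl()

def sample_units(bar_is_tagged):
    """func() is defined in a.c and calls bar(); bar() is defined in b.c and calls foo()."""
    header = {"func": REENTRANT,
              "bar": REENTRANT if bar_is_tagged else UNTAGGED,
              "foo": UNTAGGED}
    return [TranslationUnit("a.c", header, {"func": ["bar"]}),
            TranslationUnit("b.c", header, {"bar": ["foo"]})]

def check_all(units):
    # Each unit is checked in isolation, as a per-unit analyser would do.
    return [finding for tu in units for finding in check_tu(tu)]

if __name__ == "__main__":
    for tagged in (False, True):
        print("bar tagged:", tagged, "->", check_all(sample_units(tagged)))
```

In both cases exactly one unit reports the problem, and neither check needs to read a function body from another unit.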