[cfe-dev] [clang-tidy] a simple strncmp checker

Bob Kuo via cfe-dev cfe-dev at lists.llvm.org
Thu Sep 3 18:52:12 PDT 2015

Hello cfe-dev,

I saw a presentation from someone using another static analysis tool (
http://www.slideshare.net/Andrey_Karpov/200-open-sourceprojectslater) and
in that presentation they mentioned finding a relatively simple error with
strncmp.  They searched for calls to strncmp where one or both of the
string parameters were shorter than the limit provided.  That is, we have
something like:

    bar = strncmp(foo, "asdf", 6);

That this was flagged as an error by the static analyzer.  I did a simple
regex search through one of the larger code bases at work and found several
errors of this type.

I've got a basic patch to clang-tidy to add this as a checker.

A few questions:

1)  Is this type of checking sound?  If so, should I put it up for review?
2)  In the above example, would strncmp(foo, "asdf", 5) be an error?  That
is, should we include the null byte at the end of the string?
3)  One possible valid use case of strncmp is to do prefix checking.  In
that case the limit n would be less than one or both of the strings.
However, in my completely unscientific sample at work I saw what appear to
be copy-paste errors where the string was changed but not the size with the
resulting strncmp only checking a prefix of the given string.  Should we
warn in these cases as well?
4)  My clang-tidy checker is implemented with ASTMatchers for very
simplistic checking.  Would it be better to implement this for
context-sensitive checking?  If so, can someone point me to an existing
checker to study?


Bob Kuo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20150903/42cafd4b/attachment.html>

More information about the cfe-dev mailing list