On Mon, 2022-01-24 at 01:41 +0530, Mir Immad wrote:
> Hi, sir.
>
> I've been trying to understand the static analyzer's code. I spent most
> of
> my time learning the state machine's API. I learned how state machine's
> on_stmt is supposed to "recognize" specific functions and how
> on_transition
> takes a specific tree from one state to another, and how the captured
> states are used by pending_diagnostics to report the errors.
> Furthermore, I
> was able to create a dummy checker that mimicked the behaviour of sm-
> file's
> double_fclose and compile GCC with these changes. Is this the right way
> of
> learning?
This sounds great.
>
> As you've mentioned on the projects page that you would like to add
> more
> support for some POSIX APIs. Can you please write (or refer me to a) a
> simple C program that uses such an API (and also what the analyzer
> should
> have done) so that I can attempt to add such a checker to the analyzer.
A couple of project ideas:
(i) treat data coming from a network connection as tainted, by somehow
teaching the analyzer about networking APIs. Ideally: look at some
subset of historical CVEs involving network-facing attacks on user-
space daemons, and find a way to detect them in the analyzer (need to
find a way to mark the incoming data as tainted, so that the analyer
"know" about the trust boundary - that the incoming data needs to be
sanitized and treated with extra caution; see
https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584372.html
for my attempts to do this for the Linux kernel).
Obviously this is potentially a huge project, so maybe just picking a
tiny subset and getting that working as a proof-of-concept would be a
good GSoC project. Maybe find an old CVE that someone has written a
good write-up for, and think about "how could GCC/-fanalyzer have
spotted it?"
(ii) add leak-detection for POSIX file descriptors: i.e. the integer
values returned by "open", "dup", etc. It would be good to have a
check that the user's code doesn't leak these values e.g. on error-
handling paths, by failing to close a file-descriptor (and not storing
it anywhere). I think that much of this could be done by analogy with
the sm-file.cc code.
>
> Also, I didn't realize the complexity of adding SARIF when I mentioned
> it.
> I'd rather work on adding more checkers.
Fair enough.
Hope this above is constructive.
Dave
>
> Regards.
>
> Mir Immad
>
> On Sun, Jan 23, 2022, 11:04 PM Mir Immad wrote:
>
> > Hi Sir,
> >
> > I've been trying to understand the static analyzer's code. I spent
> > most of
> > my time learning the state machine's API. I learned how state
> > machine's
> > on_stmt is supposed to "recognize" specific functions and takes a
> > specific
> > tree from one state to another, and how the captured states are used
> > by
> > pending_diagnostics to report the errors. Furthermore, I was able to
> > create
> > a dummy checker that mimicked the behaviour of sm-file's
> > double_fclose and
> > compile GCC with these changes. Is this the right way of learning?
> >
> > As you've mentioned on the projects page that you would like to add
> > more
> > support for some POSIX APIs. Can you please write (or refer me to a)
> > a
> > simple C program that uses such an API (and also what the analyzer
> > should
> > have done) so that I can attempt to add such a checker to the
> > analyzer.
> >
> > Also, I didn't realize the complexity of adding SARIF when I
> > mentioned it.
> > I'd rather work on adding more checkers.
> >
> > Regards.
> > Mir Immad
> >
> > On Mon, Jan 17, 2022 at 5:41 AM David Malcolm
> > wrote:
> >
> > > On Fri, 2022-01-14 at 22:15 +0530, Mir Immad wrote:
> > > > HI David,
> > > > I've been tinkering with the static analyzer for the last few
> > > > days. I
> > > > find
> > > > the project of adding SARIF output to the analyzer intresting.
> > > > I'm
> > > > writing
> > > > this to let you know that I'm trying to learn the codebase.
> > > > Thank you.
> > >
> > > Excellent.
> > >
> > > BTW, I think adding SARIF output would involve working more with
> > > GCC's
> > > diagnostics subsystem than with the static analyzer, since (in
> > > theory)
> > > all of the static analyzer's output is passing through the
> > > diagnostics
> > > subsystem - though the static analyzer is probably the only GCC
> > > component generating diagnostic paths.
> > >
> > > I'm happy to mentor such a project as I maintain both subsystems
> > > and
> > > SARIF output would benefit both - but it would be rather tangential
> > > to
> > > the analyzer - so if you had specifically wanted to be working on
> > > the
> > > guts of the analyzer itself, you may want to pick a different
> > > subproject.
> > >
> > > The SARIF standard is rather long and complicated, and we would
> > > want to
> > > be compatible with clang's implementation.
> > >
> > > It would be very cool if gcc could also accept SARIF files as an
> > > *input* format, and emit them as diagnostics; that m
