Test code for clang stack pointer escape analyzer with sigsetjmp

Test various combos of sigsetjmp() paths and various configurations
of guard variables + jump buffer handling using clang's stack
escape checker

https://clang.llvm.org/docs/analyzer/checkers.html#core-stackaddressescape-c

following up on discussion on Pg list at

https://www.postgresql.org/message-id/CAMsr+YE8tveiaGPuNzw+5fuo0yeZf7LePVLpx9MxUrFHMBG0gQ@mail.gmail.com

Run

    make clean run_sigjmp_escape

Includes additional test to hide it in a header and separate compilation unit.

Run

    make clean run_sigjmp_escape_hdr

Author: Craig Ringer

c/clang_return_stack_checks/.gitignore

@@ -1,2 +1,10 @@
+*.o
 guard.so
 return_stack_escape
+sigjmp_escape
+sigjmp_escape_fake*
+sigjmp_escape_noinner
+sigjmp_escape_noinner_fake*
+sigjmp_escape_hdr
+sigjmp_escape_inner_pop
+scan-build-*/

c/clang_return_stack_checks/Makefile

@@ -1,22 +1,72 @@
+default: check
+
 ifeq ($(origin CC),default)
-CC = scan-build clang
+CC = scan-build -o '$(SCAN_OUT)' clang
 endif
 
+
+# It doesn't seem to make much difference whether -O0 or -Og is used
+OPTIMIZE_FLAG ?= -O0
+#OPTIMIZE_FLAG ?= -Og
+
 ifeq ($(origin CFLAGS),undefined)
-CFLAGS = -Wall -Wextra -Og -ggdb3
+CFLAGS = -Wall -Wextra $(OPTIMIZE_FLAG) -ggdb3
 endif
 
-all: return_stack_escape
+all: return_stack_escape sigjmp_escape
 
-guard.so: guard.c guard.h
+ifndef SCAN_OUT
+tmpdir:
+	$(eval SCAN_OUT := $(shell mktemp -d scan-build-XXXXXXXX))
+else
+tmpdir: ;
+endif
+
+CFLAGS_LINK ?= $(CFLAGS) -fuse-ld=lld
+
+guard.so: guard.c guard.h | tmpdir
 	$(CC) $(CFLAGS) -shared -fPIC $< -o $@
 
-return_stack_escape: return_stack_escape.c guard.so
+return_stack_escape: return_stack_escape.c guard.so | tmpdir
 	$(CC) $(CFLAGS) $< ./guard.so -o $@
 
+sigjmp_escape: sigjmp_escape.c guard.so | tmpdir
+	$(CC) $(CFLAGS) -DUSE_INNER_GUARDS $< ./guard.so -o $@
+	# These variants aren't run, but they exercise various combos for the static checker
+	$(CC) $(CFLAGS) -DUSE_INNER_GUARDS -DFAKE_SIGSETJMP_RETURN=0 $< ./guard.so -o $@_fake0
+	$(CC) $(CFLAGS) -DUSE_INNER_GUARDS -DFAKE_SIGSETJMP_RETURN=1 $< ./guard.so -o $@_fake1
+	$(CC) $(CFLAGS) $< ./guard.so -o $@_noinner
+	$(CC) $(CFLAGS) -DFAKE_SIGSETJMP_RETURN=0 $< ./guard.so -o $@_noinner_fake0
+	$(CC) $(CFLAGS) -DFAKE_SIGSETJMP_RETURN=1 $< ./guard.so -o $@_noinner_fake1
+	$(CC) $(CFLAGS) -DUSE_INNER_GUARDS -DPOP_ONLY_INNER_GUARDS $< ./guard.so -o $@_inner_pop
+
+
+
+sigjmp_escape_hdr: sigjmp_escape_hdr.c sigjmp_escape_hdr_try.c | tmpdir
+	$(CC) $(CFLAGS) -c sigjmp_escape_hdr_try.c -o sigjmp_escape_hdr_try.o
+	$(CC) $(CFLAGS) -DUSE_FINALLY -c sigjmp_escape_hdr.c -o sigjmp_escape_hdr.o
+	$(CC) $(CFLAGS_LINK) sigjmp_escape_hdr.o sigjmp_escape_hdr_try.o -o $@
+
 clean:
-	rm -f guard.so return_stack_escape
+	rm -f *.o guard.so return_stack_escape sigjmp_escape sigjmp_escape_fake* sigjmp_escape_guard sigjmp_escape_guard_fake* sigjmp_escape_guard_inner_pop sigjmp_escape_hdr
+	rm -rf scan-build-*
 
-run:
+run_return_stack_escape: return_stack_escape
 	./return_stack_escape 0
-	if ./return_stack_escape; then exit 1; fi
+	if ./return_stack_escape 1; then exit 1; fi
+
+run_sigjmp_escape: sigjmp_escape
+	./sigjmp_escape 0 0
+	./sigjmp_escape 1 0
+	if ./sigjmp_escape 0 1; then exit 1; fi
+	if ./sigjmp_escape 1 1; then exit 1; fi
+
+run_sigjmp_escape_hdr: sigjmp_escape_hdr
+	./sigjmp_escape_hdr 0 0
+	if ./sigjmp_escape_hdr 1 0; then exit 1; fi
+	if ./sigjmp_escape_hdr 0 1; then exit 1; fi
+	./sigjmp_escape_hdr 1 1
+
+run: run_return_stack_escape run_sigjmp_escape run_sigjmp_escape_hdr
+
+check: run

c/clang_return_stack_checks/guard.c

@@ -1,3 +1,19 @@
 #include "guard.h"
+#include <stdio.h>
 
 struct guard * guard_ptr = 0;
+
+int
+check_guard(void)
+{
+	if (guard_ptr)
+	{
+		/* can't safely print guard name etc due to stack safety */
+		fprintf(stderr, "guard not ok: guard pointer %p", guard_ptr);
+	}
+	else
+	{
+		fprintf(stderr, "guard ok: guard pointer empty");
+	}
+	return guard_ptr == 0;
+}

c/clang_return_stack_checks/guard.h

@@ -1,29 +1,60 @@
 #include <stdint.h>
 #include <assert.h>
+#include <string.h>
+#include <stdio.h>
+
+#define GUARD_NAME_MAX_LENGTH 20
+
+#ifndef NO_TRACE_GUARDS
+#define TRACE_GUARDS
+#endif
 
 struct guard
 {
 	int8_t guard_set;
+	const char gname[GUARD_NAME_MAX_LENGTH];
 	struct guard * previous;
 };
 
 extern struct guard * guard_ptr;
 
-static void
+static inline void
 set_guard(struct guard * const g)
 {
 	assert(!g->guard_set);
 	g->guard_set = 1;
 	g->previous = guard_ptr;
 	guard_ptr = g;
+#ifdef TRACE_GUARDS
+	fprintf(stderr, "    set_guard(%p=%s) pushed previous %p=%s\n",
+			g, g->gname, g->previous,
+			g->previous ? g->previous->gname : "(nil)");
+#endif
 }
 
 static inline void
 clear_guard(struct guard * const g)
 {
+#ifdef TRACE_GUARDS
+	fprintf(stderr, "    clear_guard(%p=%s) restoring previous %p=%s\n",
+			g, g->gname, g->previous,
+			g->previous ? g->previous->gname : "(nil)");
+#endif
 	assert(g->guard_set);
 	assert(guard_ptr);
-	g->guard_set = 0;
 	assert(guard_ptr == g);
+	g->guard_set = 0;
 	guard_ptr = guard_ptr->previous;
 }
+
+extern int check_guard(void);
+
+#ifndef __has_attribute
+#define __has_attribute(attno) 0
+#endif
+
+#if __has_attribute(unused)
+#define attr_unused() __attribute__((unused))
+#else
+#define attr_unused()
+#endif

c/clang_return_stack_checks/return_stack_escape.c

@@ -7,9 +7,17 @@
 int
 foo(int do_fail)
 {
-	struct guard g = {0};
+	struct guard g = {0, "g", 0};
 	set_guard(&g);
 
+	/*
+	 * This should emit a warning from clang's scan-build like
+	 *
+	 * return_stack_escape.c:14:3: warning: Address of stack memory
+	 * associated with local variable 'g' is still referred to by the
+	 * global variable 'guard_ptr' upon returning to the caller.  This will
+	 * be a dangling reference
+	 */
 	if (do_fail)
 		return do_fail;
 
@@ -32,12 +40,10 @@ main(int argc, char * argv[])
 	if (*endpos != '\0')
 		error(2, 0, "couldn't parse \"%s\" as an integer", argv[1]);
 
-	ret = foo(do_fail);
-
-	if (guard_ptr)
-		printf("guard value: %hhd\n", guard_ptr->guard_set);
-	else
-		printf("guard value: no guard pointer\n");
+	(void) foo(do_fail);
 
+	ret = !check_guard();
+	fputc('\n', stderr);
 	return ret;
+
 }

c/clang_return_stack_checks/sigjmp_escape.c

@@ -0,0 +1,171 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <setjmp.h>
+#include <error.h>
+
+#include "guard.h"
+
+/*
+ * Support faking out sigsetjmp() to see if clang scan-build
+ * behaves differently based on the call provided here.
+ */
+#ifdef FAKE_SIGSETJMP_RETURN
+#ifdef sigsetjmp
+#undef sigsetjmp
+#endif
+#define sigsetjmp(buf,clearsig) (FAKE_SIGSETJMP_RETURN)
+#endif /* FAKE_SIGSETJMP_RETURN */
+
+static sigjmp_buf * jbuf = 0;
+
+static void
+do_a_jump(void)
+{
+	/* Jump back to the alternate branch */
+	fprintf(stderr, "    jumping to branch 1\n");
+	siglongjmp(*jbuf, 1);
+}
+
+static void
+test_jmp(int should_jump, int should_return_early)
+{
+	struct guard g_outer = {0, "g_outer", 0};
+	set_guard(&g_outer);
+
+	sigjmp_buf b;
+	if (sigsetjmp(b, 0) == 0)
+	{
+#ifdef USE_INNER_GUARDS
+		struct guard g_branch_0 = {0, "g_branch_0", 0};
+		set_guard(&g_branch_0);
+		assert(guard_ptr->previous == &g_outer);
+#endif
+
+		jbuf = &b;
+
+		fprintf(stderr, "    took branch 0\n");
+
+		if (should_jump)
+		{
+#ifdef USE_INNER_GUARDS
+			clear_guard(&g_branch_0);
+#endif
+			do_a_jump();
+		}
+
+		if (should_return_early)
+		{
+
+			/*
+			 * Interestingly scan-build appears not to understand that when we
+			 * -DUSE_INNER_GUARDS and run with should_jump=0, the pointer to
+			 *  g_outer stored in g_branch_0->previous by
+			 *  set_guard(&g_branch_0) has still escaped. It either didn't
+			 *  follow the indirection, or only reports the escape of
+			 * g_branch_0. We can check which by optionally popping only one
+			 * level of guards:
+			 */
+#if defined(USE_INNER_GUARDS) && defined(POP_ONLY_INNER_GUARDS)
+			fprintf(stderr, "    clearing g_branch_0 before early return\n");
+			clear_guard(&g_branch_0);
+			assert(guard_ptr == &g_outer);
+#endif
+
+			/*
+			 * Deliberately fail to clear guards guard_outer or g_branch_0 here.
+			 *
+			 * Should raise clang scan-build warning
+			 *     warning: Address of stack memory associated with local variable 'b' is still referred to by the global variable 'jbuf' upon returning to the caller.  This will be a dangling reference
+			 *
+			 * and if USE_INNER_GUARDS then
+			 *     warning: Address of stack memory associated with local variable 'g_branch_0' is still referred to by the global variable 'guard_ptr' upon returning to the caller.  This will be a dangling reference
+			 *
+			 * otherwise the same complaint about g_outer.
+			 */
+			fprintf(stderr, "    escaping branch 0 early\n");
+			return;
+		}
+
+#ifdef USE_INNER_GUARDS
+		clear_guard(&g_branch_0);
+#endif
+	}
+	else
+	{
+#ifdef USE_INNER_GUARDS
+		struct guard g_branch_1 = {0, "g_branch_1", 0};
+		set_guard(&g_branch_1);
+#endif
+
+		/* entered with should_jump == 1 and took the do_a_jump() branch */
+		fprintf(stderr, "    took branch 1\n");
+
+		if (should_return_early)
+		{
+#if defined(USE_INNER_GUARDS) && defined(POP_ONLY_INNER_GUARDS)
+			/*
+			 * Like the branch0 case, we'll also check what happens if we pop
+			 * only one level of guards.
+			 */
+			fprintf(stderr, "    clearing g_branch_1 before early return\n");
+			clear_guard(&g_branch_1);
+			assert(guard_ptr == &g_outer);
+#endif
+
+			/*
+			 * Deliberately fail to clear guards guard_outer or g_branch_1 here.
+			 *
+			 * If -DUSE_INNER_GUARDS, should raise clang scan-build warning:
+			 *
+			 *     warning: Address of stack memory associated with local variable 'g_branch_1' is still referred to by the global variable 'guard_ptr' upon returning to the caller.  This will be a dangling reference
+			 *
+			 * Otherwise it should complain about g_outer.
+			 */
+
+			fprintf(stderr, "     escaping branch 1 early\n");
+			return;
+		}
+
+#ifdef USE_INNER_GUARDS
+		clear_guard(&g_branch_1);
+#endif
+	}
+
+	/* Properly clear stored jump buffer */
+	jbuf = 0;
+
+	/*
+	 * scan-build fails to notice that no path reaches this code when
+	 * called with should_return_early=1 (for either value of should_jump),
+	 * so it does not detect the escape of g_outer.
+	 *
+	 * clang should be warning us when we can escape with a leaked guard
+	 * pointer, but it seems like it gets confused by sigsetjmp.
+	 */
+	clear_guard(&g_outer);
+}
+
+int
+main(int argc, char * argv[])
+{
+	int should_jump;
+	int should_return_early;
+	int guard_ok;
+	if (argc != 3)
+		error(2, 0, "usage: %s {{should_jump 0|1}} {{should_return_early 0|1}}", argv[0]);
+	should_jump = atoi(argv[1]);
+	should_return_early = atoi(argv[2]);
+	fprintf(stderr, "sigjmp_escape(%d,%d):\n",
+			should_jump, should_return_early);
+	test_jmp(should_jump, should_return_early);
+	guard_ok = check_guard();
+	fputs("\n", stderr);
+	if (jbuf != 0)
+		error(1, 0, "    escaped with invalid sigjmp_buf");
+	else if (!guard_ok)
+		error(1, 0, "    escaped with bad guard state");
+	else
+		fprintf(stderr, "    ok\n");
+
+	return 0;
+}