Analysing the SSSD source code with clang

The bottom line is that the static analyser that comes with LLVM’s clang is awesome and you really should be using it. (I’m certainly not the first one to say so.)

Recently, I ran the clang static analyser against SSSD code. The run showed up a number of bugs.

None of the bugs is critical, that is, no bufer overruns or crashes under normal circumstances, but it should be noted that SSSD code was checked using a different static analyser not very long ago. Some of the bugs are very important to get fixed, though, such as this one – if a Host Based Access Control Rule in a FreeIPA server was malformed, the value returned would indicated success parsing and evaluating the rule (not granting access, though).

Most of the bugs are pretty easy to fix. For instance, take a look at one of the two I fixed today via fedorahosted’s github.
The code should speak for itself for the most part..the next couple of lines of the function just clean up and return whatever is in ret. Most of the bugs are very easy to fix, so if you would like to contribute to SSSD, just pick one of those assigned to “somebody” and send a patch.

The instructions on running clang with your favorite project follow and should be very similar for just about any autotools-driven package.

  1. yum install clang-analyzer
    • installs the static analyser
  2. export CC=/usr/bin/clang
    • sets clang as your compiler of choice
  3. scan-build -o clang make
    • perform build and scan it for errors. The output will be stored in the clang directory.

As you may have figured, the scan involves compiling your code with the clang compiler..which is not necessarily a bad thing as most packages are compiled with gcc most of the time and using a different compiler may show poor coding practice in your project.