summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorAdin Scannell <ascannell@google.com>2019-10-04 19:03:07 -0700
committerAdin Scannell <ascannell@google.com>2020-03-25 16:21:27 -0700
commit882ed330e6e7761f482f9bfa771cc6693e0f8008 (patch)
tree55426c6f1d0a7d46be0d9855d3dbd5eefc943a15
parentd440fe0613a3b8fec75d33aff36ebada220106b0 (diff)
nogo: enable sanitizers.
This enables all relevant santizers (though most analyzers will not find much, it will prevent instances from creeping in), and codifies existing exceptions in tools/nogo.js to be fixed.
-rw-r--r--BUILD23
-rw-r--r--tools/BUILD2
-rw-r--r--tools/nogo.js7
-rw-r--r--tools/nogo.json95
4 files changed, 118 insertions, 9 deletions
diff --git a/BUILD b/BUILD
index 5fd929378..a709a9816 100644
--- a/BUILD
+++ b/BUILD
@@ -49,10 +49,31 @@ gazelle(name = "gazelle")
# live in the tools subdirectory (unless they are standard).
nogo(
name = "nogo",
- config = "//tools:nogo.js",
+ config = "//tools:nogo.json",
visibility = ["//visibility:public"],
deps = [
"//tools/checkunsafe",
+ "@org_golang_x_tools//go/analysis/passes/asmdecl:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/assign:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/atomic:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/atomicalign:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/bools:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/buildtag:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/cgocall:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/copylock:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/deepequalerrors:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/loopclosure:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/lostcancel:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/nilfunc:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/nilness:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/printf:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/shift:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/stdmethods:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/structtag:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/tests:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/unmarshal:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/unsafeptr:go_tool_library",
+ "@org_golang_x_tools//go/analysis/passes/unusedresult:go_tool_library",
],
)
diff --git a/tools/BUILD b/tools/BUILD
index e73a9c885..ba3506c04 100644
--- a/tools/BUILD
+++ b/tools/BUILD
@@ -1,3 +1,3 @@
package(licenses = ["notice"])
-exports_files(["nogo.js"])
+exports_files(["nogo.json"])
diff --git a/tools/nogo.js b/tools/nogo.js
deleted file mode 100644
index fc0a4d1f0..000000000
--- a/tools/nogo.js
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "checkunsafe": {
- "exclude_files": {
- "/external/": "not subject to constraint"
- }
- }
-}
diff --git a/tools/nogo.json b/tools/nogo.json
new file mode 100644
index 000000000..ff369be6f
--- /dev/null
+++ b/tools/nogo.json
@@ -0,0 +1,95 @@
+{
+ "assign": {
+ "exclude_files": {
+ "/external/bazel_gazelle/walk/walk.go": "allowed: false positive"
+ }
+ },
+ "checkunsafe": {
+ "exclude_files": {
+ "/external/": "allowed: not subject to unsafe naming rules"
+ }
+ },
+ "copylocks": {
+ "exclude_files": {
+ ".*_state_autogen.go": "fix: m.Failf copies by value",
+ "/pkg/log/json.go": "fix: Emit passes lock by value: gvisor.dev/gvisor/pkg/log.JSONEmitter contains gvisor.dev/gvisor/pkg/log.Writer contains gvisor.dev/gvisor/pkg/sync.Mutex",
+ "/pkg/log/log_test.go": "fix: call of fmt.Printf copies lock value: gvisor.dev/gvisor/pkg/log.Writer contains gvisor.dev/gvisor/pkg/sync.Mutex",
+ "/pkg/sentry/fs/host/socket_test.go": "fix: call of t.Errorf copies lock value: gvisor.dev/gvisor/pkg/sentry/fs/host.ConnectedEndpoint contains gvisor.dev/gvisor/pkg/refs.AtomicRefCount contains gvisor.dev/gvisor/pkg/sync.Mutex",
+ "/pkg/sentry/fs/proc/sys_net.go": "fix: Truncate passes lock by value: gvisor.dev/gvisor/pkg/sentry/fs/proc.tcpMemInode contains gvisor.dev/gvisor/pkg/sentry/fs/fsutil.SimpleFileInode contains gvisor.dev/gvisor/pkg/sentry/fs/fsutil.InodeSimpleAttributes contains gvisor.dev/gvisor/pkg/sync.RWMutex",
+ "/pkg/sentry/fs/proc/sys_net.go": "fix: Truncate passes lock by value: gvisor.dev/gvisor/pkg/sentry/fs/proc.tcpSack contains gvisor.dev/gvisor/pkg/sentry/fs/fsutil.SimpleFileInode contains gvisor.dev/gvisor/pkg/sentry/fs/fsutil.InodeSimpleAttributes contains gvisor.dev/gvisor/pkg/sync.RWMutex",
+ "/pkg/sentry/fs/tty/slave.go": "fix: Truncate passes lock by value: gvisor.dev/gvisor/pkg/sentry/fs/tty.slaveInodeOperations contains gvisor.dev/gvisor/pkg/sentry/fs/fsutil.SimpleFileInode contains gvisor.dev/gvisor/pkg/sentry/fs/fsutil.InodeSimpleAttributes contains gvisor.dev/gvisor/pkg/sync.RWMutex",
+ "/pkg/sentry/kernel/time/time.go": "fix: Readiness passes lock by value: gvisor.dev/gvisor/pkg/sentry/kernel/time.ClockEventsQueue contains gvisor.dev/gvisor/pkg/waiter.Queue contains gvisor.dev/gvisor/pkg/sync.RWMutex",
+ "/pkg/sentry/kernel/syscalls_state.go": "fix: assignment copies lock value to *s: gvisor.dev/gvisor/pkg/sentry/kernel.SyscallTable contains gvisor.dev/gvisor/pkg/sentry/kernel.SyscallFlagsTable contains gvisor.dev/gvisor/pkg/sync.Mutex"
+ }
+ },
+ "lostcancel": {
+ "exclude_files": {
+ "/pkg/tcpip/network/arp/arp_test.go": "fix: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak",
+ "/pkg/tcpip/stack/ndp_test.go": "fix: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak",
+ "/pkg/tcpip/transport/udp/udp_test.go": "fix: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak",
+ "/pkg/tcpip/transport/tcp/testing/context/context.go": "fix: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak"
+ }
+ },
+ "nilness": {
+ "exclude_files": {
+ "/com_github_vishvananda_netlink/route_linux.go": "allowed: false positive",
+ "/external/bazel_gazelle/cmd/gazelle/.*": "allowed: false positive",
+ "/org_golang_x_tools/go/packages/golist.go": "allowed: runtime internals",
+ "/pkg/sentry/platform/kvm/kvm_test.go": "allowed: intentional"
+ }
+ },
+ "printf": {
+ "exclude_files": {
+ ".*_abi_autogen_test.go": "fix: Sprintf format has insufficient args",
+ "/pkg/segment/test/segment_test.go": "fix: Errorf format %d arg seg.Start is a func value, not called",
+ "/pkg/tcpip/tcpip_test.go": "fix: Error call has possible formatting directive %q",
+ "/pkg/tcpip/header/eth_test.go": "fix: Fatalf format %s reads arg #3, but call has 2 args",
+ "/pkg/tcpip/header/ndp_test.go": "fix: Errorf format %d reads arg #1, but call has 0 args",
+ "/pkg/eventchannel/event_test.go": "fix: Fatal call has possible formatting directive %v",
+ "/pkg/tcpip/stack/ndp.go": "fix: Fatalf format %s has arg protocolAddr of wrong type gvisor.dev/gvisor/pkg/tcpip.ProtocolAddress",
+ "/pkg/sentry/fs/fdpipe/pipe_test.go": "fix: Errorf format %s has arg flags of wrong type gvisor.dev/gvisor/pkg/sentry/fs.FileFlags",
+ "/pkg/sentry/fs/fdpipe/pipe_test.go": "fix: Errorf format %d arg f.FD is a func value, not called",
+ "/pkg/tcpip/link/fdbased/endpoint.go": "fix: Sprintf format %v with arg p causes recursive String method call",
+ "/pkg/tcpip/transport/udp/udp_test.go": "fix: Fatalf format %s has arg h.srcAddr of wrong type gvisor.dev/gvisor/pkg/tcpip.FullAddress",
+ "/pkg/tcpip/transport/tcp/tcp_test.go": "fix: Fatalf format %s has arg tcpTW of wrong type gvisor.dev/gvisor/pkg/tcpip.TCPTimeWaitTimeoutOption",
+ "/pkg/tcpip/transport/tcp/tcp_test.go": "fix: Errorf call needs 1 arg but has 2 args",
+ "/pkg/tcpip/stack/ndp_test.go": "fix: Errorf format %s reads arg #3, but call has 2 args",
+ "/pkg/tcpip/stack/ndp_test.go": "fix: Fatalf format %s reads arg #5, but call has 4 args",
+ "/pkg/tcpip/stack/stack_test.go": "fix: Fatalf format %s has arg protoAddr of wrong type gvisor.dev/gvisor/pkg/tcpip.ProtocolAddress",
+ "/pkg/tcpip/stack/stack_test.go": "fix: Fatalf format %s has arg nic1ProtoAddr of wrong type gvisor.dev/gvisor/pkg/tcpip.ProtocolAddress",
+ "/pkg/tcpip/stack/stack_test.go": "fix: Fatalf format %s has arg nic2ProtoAddr of wrong type gvisor.dev/gvisor/pkg/tcpip.ProtocolAddress",
+ "/pkg/tcpip/stack/stack_test.go": "fix: Fatal call has possible formatting directive %t",
+ "/pkg/tcpip/stack/stack_test.go": "fix: Fatalf call has arguments but no formatting directives",
+ "/pkg/tcpip/link/fdbased/endpoint.go": "fix: Sprintf format %v with arg p causes recursive String method call",
+ "/pkg/sentry/fsimpl/tmpfs/stat_test.go": "fix: Errorf format %v reads arg #1, but call has 0 args",
+ "/runsc/container/test_app/test_app.go": "fix: Fatal call has possible formatting directive %q",
+ "/test/root/cgroup_test.go": "fix: Errorf format %s has arg gots of wrong type []int",
+ "/test/root/cgroup_test.go": "fix: Fatalf format %v reads arg #3, but call has 2 args",
+ "/test/runtimes/runner.go": "fix: Skip call has possible formatting directive %q",
+ "/test/runtimes/blacklist_test.go": "fix: Errorf format %q has arg blacklistFile of wrong type *string"
+ }
+ },
+ "structtag": {
+ "exclude_files": {
+ "/external/": "allowed: may use arbitrary tags"
+ }
+ },
+ "unsafeptr": {
+ "exclude_files": {
+ ".*_test.go": "allowed: exclude tests",
+ "/pkg/flipcall/flipcall_unsafe.go": "allowed: special case",
+ "/pkg/gohacks/gohacks_unsafe.go": "allowed: special case",
+ "/pkg/sentry/fs/fsutil/host_file_mapper_unsafe.go": "allowed: special case",
+ "/pkg/sentry/platform/kvm/(bluepill|machine)_unsafe.go": "allowed: special case",
+ "/pkg/sentry/platform/ring0/pagetables/allocator_unsafe.go": "allowed: special case",
+ "/pkg/sentry/platform/safecopy/safecopy_unsafe.go": "allowed: special case",
+ "/pkg/sentry/vfs/mount_unsafe.go": "allowed: special case"
+ }
+ },
+ "unusedresult": {
+ "exclude_files": {
+ "/pkg/sentry/fsimpl/proc/task_net.go": "fix: result of fmt.Sprintf call not used",
+ "/pkg/sentry/fsimpl/proc/tasks_net.go": "fix: result of fmt.Sprintf call not used"
+ }
+ }
+}