llvm-project
f49ca799 - [clang] Warn on umask() argument bits outside 0777 (#198130)

Commit
4 days ago
[clang] Warn on umask() argument bits outside 0777 (#198130)

Add a -Wfortify-source warning when the constant-evaluated argument to umask(mode_t) has bits set outside 0777. Those bits are silently discarded by the kernel, so setting them is almost always a typo (0xFFFF, 7777-as-decimal, etc.). Match the corresponding bionic libc diagnose_if check.

The Sema-side dispatch is gated to identify the libc declaration of umask and reject user-supplied lookalikes: at least one redeclaration of the resolved function must come from a system header. That is where libc declares umask.

Matching on the `mode_t` typedef name is not used because libcs disagree on the spelling: glibc's <sys/types.h> writes the prototype as `__mode_t umask(__mode_t)` via an internal typedef, bionic and musl use `mode_t` directly, and so on. The system-header origin is the portable libc-identity signal; coarser shape checks (name + extern "C" + non-variadic + 1 integer arg + integer return) fill in the remaining filtering.

The negative tests cover:
* `int umask(int)` in user code,
* `typedef unsigned mode_t; extern mode_t umask(mode_t);` in user code (matches the libc typedef name but not the system-header origin).

A positive test mirrors glibc's `__mode_t umask(__mode_t)` shape from a `#pragma GCC system_header`-marked Inputs/ header to lock the gate against regressions on the spelling.

No Static Analyzer summary is added: modeling umask's argument as a WithinRange precondition would prune feasible caller branches such as `umask(m); if (m > 0777) ...`, even though umask is defined behavior for any input (the kernel masks off the high bits). The Sema check covers the constant-typo case that bionic's diagnose_if targets.
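What the typo shapes named in the commit message cost in practice, as an added example that is not part of the commit or of clang: it round-trips each value through umask() and computes the mode a 0666 create request would end up with. The helper names (`umask_stray_bits`, `effective_umask`, `created_mode`) and the sample values are constructed for illustration, and the read-back assumes a Linux kernel, which keeps only the low nine bits.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Bits the warning is about: anything outside the nine permission bits. */
static unsigned umask_stray_bits(unsigned m) { return m & ~0777u; }

/* Install m as the process umask, read back what the kernel stored, and
 * restore the previous mask. m is a run-time value here, so a check on
 * constant arguments does not apply to this call. Assumes Linux. */
static unsigned effective_umask(unsigned m) {
    mode_t old = umask((mode_t)m);
    mode_t stored = umask(old);   /* returns the mask set one line above */
    return (unsigned)stored;
}

/* Permissions a file requested with `requested` gets under mask m. */
static unsigned created_mode(unsigned m, unsigned requested) {
    return requested & ~(m & 0777u) & 0777u;
}

int main(void) {
    /* Constructed samples: one intended mask and two typo shapes. */
    static const struct { const char *spelling; unsigned value; } samples[] = {
        { "077",    077    },   /* what the author usually meant */
        { "0xFFFF", 0xFFFF },   /* octal 0177777 */
        { "7777",   7777   },   /* decimal, i.e. octal 017141 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned v = samples[i].value;
        printf("umask(%-6s) stray=%07o stored=%04o 0666-file=%04o\n",
               samples[i].spelling, umask_stray_bits(v),
               effective_umask(v), created_mode(v, 0666));
    }
    return 0;
}
```

The decimal 7777 case is the one to watch for in review: the stored mask is 0141, so a file requested with 0666 is created 0626, writable by group and other, where 077 would have produced 0600.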