proposal: cmd/vet: add check for common error mishandling pattern

robpike commented 7 years ago

People have proposed adding a test to vet to catch certain unused errors. This can be very noisy, and there are many cases where the error is genuinely known to be nil and can be ignored, such as in a call to bufio.Writer.Write. Therefore a general "unused error" check will be too noisy and fail the precision criterion described in cmd/vet/README.

However, my project has been badly bitten twice recently by a particular problem of unused errors that should be caught. The two looked schematically like these snippets:

func e() error { ... }
var err error

# Error value not caught in if init:
if e(); err != nil {...}

# Error value not caught before if:
e()
if err != nil { ... }

I did some experiments to catch calls to functions with the type of e that did not catch the error, and found too may false positives for things like os.Setenv.

However, since the real problem isn't that the error is discarded, but that it is discarded immediately before a check, I think it's worth trying a more targeted approach, one that would catch both of the problems in the snippets above.

The -unusedresult flag, on by default, already checks for things like calls to fmt.Sprintf where the value is not used, which is clearly a bug - there is no other reason to call fmt.Sprintf. That check works with a whitelist, but the problems in the examples above involved local functions that would never appear on a whitelist unless explicitly added when vet is called, which is error-prone (and not done in general).

I therefore propose to add to the -unusedresult check a test for the specific case with these three properties:

a call to a function that returns an error as one of its possibly several arguments;
return values from the function are dropped (no explicit _);
the next statement reads a variable of type error.

It's point 3 that makes this work, I think, eliminating almost all the noise from calls to things like os.Setenv while catching the real bugs. If you just called an error function and then ask about the error, if there's no flow from the call to the check, you almost certainly made a mistake.

Regarding the criteria:

Correctness: This is a real bug, and it's bitten our project twice with severe security problems as a result. This is a problem that needs fixing.

Frequency: It's hit our project twice, and our project isn't big. I believe the severity is high enough that even a modest frequency of hits justifies the fix. If I implement this, I predict it will find more.

Precision: I believe that rule 3 in this proposal should make it precise enough.

griesemer commented 7 years ago

This seems worthwhile doing. I think the proof is in the pudding - let's implement it and see if it can be made to work as advertised.

dlsniper commented 7 years ago

Hi,

I'm not sure about the full context of those issues, but both these tools would catch the error, with this code https://play.golang.org/p/pkaWAqDUY0 as an example:

Both of them are included in this other tool: https://github.com/alecthomas/gometalinter

I wonder if rather than having the effort duplicate, more gophers should be made aware by these tools via the https://golang.org website by adding a (third-party) tooling section (cc @rakyll). Or do you think having this check in the vet tool would bring any advantage over the existing tools in the ecosystem?

Thank you.

ianlancetaylor commented 7 years ago

This is a refinement of #19727.

dominikh commented 7 years ago

It's worth pointing out that neither staticcheck nor errcheck fulfill Rob's requirements. Staticcheck doesn't actually catch this problem at all (yet), its output for https://play.golang.org/p/pkaWAqDUY0 is complaining about something unrelated. Errcheck does catch the issue – being the canonical tool for finding unchecked errors – but it's also a tool that's too noisy for a lot of people, see Rob's original message that mentions bufio.Writer.Write.

kevinburke commented 7 years ago

On a slightly related note: I sometimes try to make it impossible to have this problem by trying to never reuse an error; specifically to never assign to an error value with =.

Sometimes I get caught up though with code like this:

val, err := doSomething()
if err != nil {
    return err
}

val2, err2 := doSomethingElse()
if err2 != nil {
    return err
}

And then get confused why I'm returning nil from the function.

cznic commented 7 years ago

I sometimes try to make it impossible to have this problem by trying to never reuse an error; specifically to never assign to an error value with =.

I would go the opposite way. It's the := which causes the trouble. (While being undeniably handy in almost every other situation.)

rsc commented 7 years ago

Leaving on hold until @robpike has time to further explore a prototype.

velovix commented 7 years ago

I'm not especially comfortable with the idea of ignoring errors when they are generally expected not to happen. It doesn't sound like a good idea, but perhaps I don't understand just how unlikely these errors are. It seems like the best case scenario is that you save three lines of code to panic on the error, and the worse case is that your program silently fails in a potentially subtle way.

Is this something a lot of Gophers do in practice? Has anyone run errcheck against as sizeable amount of Go code to make sure this is the case?

velovix commented 7 years ago

I have since found out that fmt.Println returns an error, which is itself reason enough for me to be convinced that some errors should be ignored in practice.

leighmcculloch commented 7 years ago

One downside to introducing this into go get, is that while it would introduce less noise than if go vet mimicked errcheck, it would require us to write code that is not consistent. In some cases we may need to explicitly discard an error, in others we won't. Inconsistencies degrade readability because each inconsistency adds noise or calls attention to something that's different for a real reason. In this case the inconsistency would not aid the reader and may raise questions for the reader.

Example: If we need to call a function that returns an unimportant error, in between calling a function with an error and handling that error, we'll be required to insert _ = to signal an intent to discard the error.

fmt.Println("Welcome") // not required to signal intent to discard
n, err := doThing()
_ = metrics.Track("action", n, err) // required to signal intent to discard
if err != nil {
    handleError(err)
    return
}

But this is one downside and it seems like the benefits would out way it.

networkimprov commented 5 years ago

A solution via Go 2 Error Handling: https://github.com/golang/go/issues/20803#issuecomment-443411043

dgryski commented 4 years ago

I've found that nilness and ineffassign end up catching these cases.

timothy-king commented 3 years ago

I think these two cases are fairly distinct.

if e(); err != nil {...}

It seems like the checker Rob described should have a low false positive rate already for this case. I would be curious to see a prototype explore this.

e() if err != nil { ... }

Due to things like fmt.Println, more evidence seems needed here to infer intent. Knowing that err != nil is always false seems sufficiently precise. One can pick this back up from the control flow and conditions. I am not 100% on how the nilness pass works, but I am not surprised this would also report these. Example:

val, err := doSomething()
if err != nil {
    return err
}
e(val) // where e has an error return value.
if err != nil {...} // err must be nil due to the previous if

Weaker ways of inferring intent I can think of include:

statistical modeling, i.e. in X% of e() calls this condition is checked (this will have false positives, but they will probably seem reasonable), or
err != nil has been checked without err changing value. This can have false positives if say a programmer wanted to respond to just log when there is an error, continue for a while and then exit. This sounds rare to me but it would need to be tested.

dgryski commented 3 years ago

nilness does indeed catch the second case in your example. The data flow analysis notices that err must be nil (otherwise the function would have returned) and so warns the second err != nil check is redundant. Note that simply checking err != nil twice without the control flow change is not enough to trigger the check, unless the two checks are nested (again, causing the second check to be reundant).

yawaramin commented 3 years ago

Unless I'm misunderstanding something, this proposal wouldn't catch an issue I had recently:

func (c Client) Close() {
  c.Close() // returns type error
}

Not realizing that Close() returns an error, newcomers like myself may easily drop it without checking at all.

DeedleFake commented 3 years ago

Your problem there @yawaramin is that your outer function should be returning an error if you want to implement io.Closer. If it had, the compiler would have complained about a missing return, which would probably tip you off that you'd missed it.

adonovan commented 5 months ago

Some data from the module mirror corpus: running the proposed analyzer across 24000 modules, it reported 6800 diagnostics in 1200 modules. A random 50 are shown at the bottom. The majority seem to be false positives involving Close, of the following form:

err := f.Read()
f.Close()
if err != nil { ... }

or fmt.Println, which is bad form for errors, but not quite a bug:

res, err := f()
fmt.Println(res, err)
if err != nil { ... }

The analyzer could easily be taught to ignore both of these cases. The remainder, though a small fraction, include a number of obviously real bugs, such as these three:

The random 50:

gopherbot commented 5 months ago

Change https://go.dev/cl/590376 mentions this issue: go/analysis/passes/unusedresult: evaluate issue 20148 heuristic

adonovan commented 5 months ago

Discarding Close and [Pp]rint, we get 1100 findings, of which a random 50 are shown here. Inspecting the first 10, four appear to be real bugs.

yawaramin commented 5 months ago

Are these necessarily false positives?

f.Close()

Could we not explicitly assign and ignore the result?

_ := f.Close()

Or

Ignore(f.Close()) // or: ignore f.Close()

ianlancetaylor commented 5 months ago

@yawaramin It's often fine to call the Close method of a file opened for reading. We don't want people to have to write unnecessary syntax merely to silence a program analyzer.

golang / go

proposal: cmd/vet: add check for common error mishandling pattern #20148