Checker alpha.security.taint.TaintPropagation now has user documentation for
taint analysis with an example showing external YAML configuration format.
The format of the taint configuration file is now documented under the user
documentation of Clang SA.
Details
Diff Detail
- Repository
- rG LLVM Github Monorepo
Event Timeline
Excellent work. Don't be afraid of the number of nits I dump on you!
Good job.
clang/docs/analyzer/checkers.rst | ||
---|---|---|
2338 | Same for the rest. | |
2351 | Per https://reviews.llvm.org/D113004#inline-1078695 we should not advocate users use the -Xclang machinery, we should rather refer to it by other tools such as scan-build. However, we haven't reached a consensus about this decision yet. | |
2356 | Please note that this configuration file is not stable (yet). | |
clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst | ||
19 | ||
41–51 | Since there the SrcArgs is empty, fread will work as an unconditional propagator - aka. a taint source. By doing so you could signify that in the next example you have a non-empty SrcArgs list, thus the propagation is conditional. I think it would be better to follow this pattern in the corresponding section later as well. | |
49 | ||
76 | The literature probably refers to cleansing functions as sanitizers. Wikipedia | |
89 | Previously it was referred to by the key word. Chose one for consistency. | |
89 | I would rather use the operation or function call instead of event everywhere. | |
91 | ||
92 | This sentence definitely needs some polishing.
| |
94 | ||
102 | ||
109 | ||
114 | In the following section, you have an empty line after this marker line. Consolidate these. | |
117 | You sometimes use parameter and in other cases argument seemingly interchangeably. You should consider consolidating these. | |
133 | It's not exactly for this patch, but we should investigate If we could infer this index from the declaration of the function. |
clang/docs/analyzer/checkers.rst | ||
---|---|---|
2341–2342 | What does it mean that these are "default propagations"? That taint passes through calls to them trivially? | |
2345 | execvp and execvP? What is the capital P for? I can't find this overload in the POSIX docs. | |
2353 | Perhaps we should link to the in-house YAML doc (http://llvm.org/docs/YamlIO.html#introduction-to-yaml) first, and have the user move to other sources from there? | |
clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst | ||
5 | The Clang Static [...]? | |
5 | uses, or can use? | |
6 | Clang -> Clang SA / CSA? | |
6 | So the checker has the defaults all the time, or only by enabling the alias can I get the defaults? | |
7 | Ditto about YAML. | |
13 | I think this wanted to be an anchor? Also see how the syntax highlighting broke in the next section. | |
23 | AFAIK, RST anchors are global identifiers for the project, so maybe we should take care in adding "clang-sa" or some other sort of namespaceing... (Although this might depend on how exactly the docs are built!) | |
30 | Filters are not mentioned earlier. | |
31–36 | If none of the comments themselves are just commented out ("optional") keys in the YAML, it would be better readable with a bit of formatting. | |
41 | Why is this comment at indent 0? | |
51 | What are these magic numbers and what is their meaning? | |
125–126 | Ensure that the numeric literal shows up as "code" with double backtick. |
tidy up based on comments from whispy
clang/docs/analyzer/checkers.rst | ||
---|---|---|
2341–2342 | Added just 2 sentences about what default means. | |
2345 | I have found a refence to this function inside TargetLibraryInfoTest.cpp. 926 │ case LibFunc_execv: 927 │ case LibFunc_execvp: 928 │ return (NumParams == 2 && FTy.getParamType(0)->isPointerTy() && 929 │ FTy.getParamType(1)->isPointerTy() && 930 │ FTy.getReturnType()->isIntegerTy(32)); 931 │ case LibFunc_execvP: 932 │ case LibFunc_execvpe: 933 │ case LibFunc_execve: 934 │ return (NumParams == 3 && FTy.getParamType(0)->isPointerTy() && 935 │ FTy.getParamType(1)->isPointerTy() && 936 │ FTy.getParamType(2)->isPointerTy() && 937 │ FTy.getReturnType()->isIntegerTy(32)); It seems like an OSX-specific spelling and seems like it has the semantics of execve. | |
clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst | ||
5 | For brevity and clarity, I will leave it at uses, it is just a generic statement about the availability of taint analysis as a method, and I think it would not improve the understanding to change it to can use. IMHO it is implicit, and can use would make people wonder as to what does Clang need to use it etc. | |
6 | Good point, added a line to clarify this. | |
23 | added clangsa- prefix | |
30 | Added a mention with references in the Overview section. | |
31–36 | Reformatted the examples section according to your suggestions. | |
41 | It is because Propagations YAML-keys are used to define both sources and propagations. So to comment the "source-section" 0-indent is used, and to comment on individual entries within, 2-indent comments are used. I have consolidated the indents and introduced vertical whitespace instead of multiple indentation levels. | |
51 | Added an extra comment on top of the example YAML file. |
update with arc diff $(git merge-base HEAD upstream) --update D113251
in order to satisfy workflow pre-merge checks
Same for the rest.