This is an archive of the discontinued LLVM Phabricator instance.

Differential D125225

[WIP][analyzer] Taint Notes enhancements
Needs ReviewPublic

Authored by gamesh411 on May 9 2022, 5:59 AM.

Details

Reviewers
steakhal
Szelethus
Summary

[BugReporter] Transitive interestingness

[Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker

[BoundV2] ArrayBoundV2 checks if the extent is tainted

[BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory

[CString] Add ConsiderTaint checker option for CStringChecker

[CString] Consider tainted out-of-bound accesses

[TaintProp] Place NoteTags when propagating taint

Diff Detail

Event Timeline

gamesh411 created this revision.May 9 2022, 5:59 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptMay 9 2022, 5:59 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: manas, ASDenysPetrov, martong and 8 others. · View Herald Transcript
gamesh411 requested review of this revision.May 9 2022, 6:00 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 9 2022, 6:00 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B163465: Diff 428053.May 9 2022, 6:36 AM
gamesh411 updated this revision to Diff 428070.May 9 2022, 6:50 AM
  • [BoolAssign] Add taint to the BoolAssignmentChecker
  • [BugReporter] Transitive interestingness
  • [Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker
  • [BoundV2] ArrayBoundV2 checks if the extent is tainted
  • [BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory
  • [CString] Add ConsiderTaint checker option for CStringChecker
  • [CString] Consider tainted out-of-bound accesses
  • [Stdlib] Add taint to the StdLibraryFunctionsChecker
  • [Malloc] Implement the rsize_t like heuristic
gamesh411 added a comment.May 9 2022, 6:58 AM

@steakhal
This is WIP as there is still a stdlib function, that does not pass the test, and I would like to add more complex taint propagation test cases as well.
Could you please glance over these commits:
[Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker
[BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory
[Stdlib] Add taint to the StdLibraryFunctionsChecker

steakhal added inline comments.May 9 2022, 7:13 AM
clang/lib/StaticAnalyzer/Core/BugReporter.cpp
2363

I think this is the superior way of checking this.

clang/test/Analysis/taint-diagnostic-visitor.c
36

If we emit a specific note-tag, we definitely shouldn't emit a Taint originated here note.

I think in my original patch stack I did actually remove the archaic visitor producing this since the propagation note tags completely supersedes that approach.

Harbormaster completed remote builds in B163475: Diff 428070.May 9 2022, 7:28 AM
martong added a comment.May 9 2022, 9:06 AM

I've checked the StdLibraryFunctionsChecker related changes and they are promising.

clang/test/Analysis/std-c-library-functions-taint.c
88 ↗(On Diff #428070)

typo

95–113 ↗(On Diff #428070)

I am missing a call to a standard library function which has a NotNullConstraint attached.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
10 lines
lib/
StaticAnalyzer/
Checkers/
10 lines
34 lines
147 lines
365 lines
Core/
29 lines
test/
Analysis/
1 line
29 lines
29 lines

Diff 428053

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 465 Lines▼ Show 20 Lines
} // end "unix.cstring" } // end "unix.cstring"
let ParentPackage = CStringAlpha in { let ParentPackage = CStringAlpha in {
def CStringOutOfBounds : Checker<"OutOfBounds">, def CStringOutOfBounds : Checker<"OutOfBounds">,
HelpText<"Check for out-of-bounds access in string functions">, HelpText<"Check for out-of-bounds access in string functions">,
Dependencies<[CStringModeling]>, Dependencies<[CStringModeling]>,
CheckerOptions<[
CmdLineOption<Boolean,
"ConsiderTaint",
"If set to true and the access under test depends on tainted "
"value we will emit a warning even if we can not ensure that "
"we encountered a bug",
"false",
Released,
Hide>
]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def CStringBufferOverlap : Checker<"BufferOverlap">, def CStringBufferOverlap : Checker<"BufferOverlap">,
HelpText<"Checks for overlap in two buffer arguments">, HelpText<"Checks for overlap in two buffer arguments">,
Dependencies<[CStringModeling]>, Dependencies<[CStringModeling]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def CStringNotNullTerm : Checker<"NotNullTerminated">, def CStringNotNullTerm : Checker<"NotNullTerminated">,
▲ Show 20 LinesShow All 1,243 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

Show All 30 Lines
namespace { namespace {
class ArrayBoundCheckerV2 : class ArrayBoundCheckerV2 :
public Checker<check::Location> { public Checker<check::Location> {
mutable std::unique_ptr<BuiltinBug> BT; mutable std::unique_ptr<BuiltinBug> BT;
enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted }; enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted };
void reportOOB(CheckerContext &C, ProgramStateRef errorState, OOB_Kind kind, void reportOOB(CheckerContext &C, ProgramStateRef errorState, OOB_Kind kind,
SVal InterestingValue = UndefinedVal(),
std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const; std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const;
public: public:
void checkLocation(SVal l, bool isLoad, const Stmt*S, void checkLocation(SVal l, bool isLoad, const Stmt*S,
CheckerContext &C) const; CheckerContext &C) const;
}; };
// FIXME: Eventually replace RegionRawOffset with this class. // FIXME: Eventually replace RegionRawOffset with this class.
▲ Show 20 LinesShow All 153 Lines▼ Show 20 Lines if (!upperboundToCheck)
break; break;
ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; ProgramStateRef state_exceedsUpperBound, state_withinUpperBound;
std::tie(state_exceedsUpperBound, state_withinUpperBound) = std::tie(state_exceedsUpperBound, state_withinUpperBound) =
state->assume(*upperboundToCheck); state->assume(*upperboundToCheck);
// If we are under constrained and the index variables are tainted, report. // If we are under constrained and the index variables are tainted, report.
if (state_exceedsUpperBound && state_withinUpperBound) { if (state_exceedsUpperBound && state_withinUpperBound) {
SVal ByteOffset = rawOffset.getByteOffset(); if (isTainted(state, *upperboundToCheck)) {
if (isTainted(state, ByteOffset)) {
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted, reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted,
std::make_unique<TaintBugVisitor>(ByteOffset)); *upperboundToCheck,
std::make_unique<TaintBugVisitor>(*upperboundToCheck));
return; return;
} }
} else if (state_exceedsUpperBound) { } else if (state_exceedsUpperBound) {
// If we are constrained enough to definitely exceed the upper bound, // If we are constrained enough to definitely exceed the upper bound,
// report. // report.
assert(!state_withinUpperBound); assert(!state_withinUpperBound);
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes); reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes);
return; return;
} }
assert(state_withinUpperBound); assert(state_withinUpperBound);
state = state_withinUpperBound; state = state_withinUpperBound;
} }
while (false); while (false);
checkerContext.addTransition(state); checkerContext.addTransition(state);
} }
void ArrayBoundCheckerV2::reportOOB( void ArrayBoundCheckerV2::reportOOB(
CheckerContext &checkerContext, ProgramStateRef errorState, OOB_Kind kind, CheckerContext &checkerContext, ProgramStateRef errorState, OOB_Kind kind,
std::unique_ptr<BugReporterVisitor> Visitor) const { SVal InterestingValue, std::unique_ptr<BugReporterVisitor> Visitor) const {
ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState); ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState);
if (!errorNode) if (!errorNode)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug(this, "Out-of-bound access")); BT.reset(new BuiltinBug(this, "Out-of-bound access"));
Show All 11 Lines case OOB_Excedes:
os << "(access exceeds upper limit of memory block)"; os << "(access exceeds upper limit of memory block)";
break; break;
case OOB_Tainted: case OOB_Tainted:
os << "(index is tainted)"; os << "(index is tainted)";
break; break;
} }
auto BR = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), errorNode); auto BR = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), errorNode);
BR->markInteresting(InterestingValue);
BR->addVisitor(std::move(Visitor)); BR->addVisitor(std::move(Visitor));
checkerContext.emitReport(std::move(BR)); checkerContext.emitReport(std::move(BR));
} }
#ifndef NDEBUG #ifndef NDEBUG
LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const { LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const {
dumpToStream(llvm::errs()); dumpToStream(llvm::errs());
} }
▲ Show 20 LinesShow All 94 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

//= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-// //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This defines CStringChecker, which is an assortment of checks on calls // This defines CStringChecker, which is an assortment of checks on calls
// to functions in <string.h>. // to functions in <string.h>.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "InterCheckerAPI.h" #include "InterCheckerAPI.h"
#include "clang/Basic/CharInfo.h" #include "clang/Basic/CharInfo.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/Taint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
Show All 25 Lines
struct SizeArgExpr : AnyArgExpr { struct SizeArgExpr : AnyArgExpr {
using AnyArgExpr::AnyArgExpr; // FIXME: Same. using AnyArgExpr::AnyArgExpr; // FIXME: Same.
}; };
using ErrorMessage = SmallString<128>; using ErrorMessage = SmallString<128>;
enum class AccessKind { write, read }; enum class AccessKind { write, read };
static ErrorMessage createOutOfBoundErrorMsg(StringRef FunctionDescription, static ErrorMessage createOutOfBoundErrorMsg(StringRef FunctionDescription,
AccessKind Access) { AccessKind Access,
bool IsTainted = false) {
ErrorMessage Message; ErrorMessage Message;
llvm::raw_svector_ostream Os(Message); llvm::raw_svector_ostream Os(Message);
// Function classification like: Memory copy function // Function classification like: Memory copy function
Os << toUppercase(FunctionDescription.front()) Os << toUppercase(FunctionDescription.front())
<< &FunctionDescription.data()[1]; << &FunctionDescription.data()[1];
if (Access == AccessKind::write) { if (Access == AccessKind::write) {
Os << " overflows the destination buffer"; Os << (IsTainted ? " might" : "") << " overflows the destination buffer";
} else { // read access } else { // read access
Os << " accesses out-of-bound array element"; Os << (IsTainted ? " might" : "") << " accesses out-of-bound array element";
} }
return Message; return Message;
} }
enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 }; enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 };
class CStringChecker : public Checker< eval::Call, class CStringChecker : public Checker< eval::Call,
check::PreStmt<DeclStmt>, check::PreStmt<DeclStmt>,
Show All 11 Linespublic:
/// the user. /// the user.
struct CStringChecksFilter { struct CStringChecksFilter {
bool CheckCStringNullArg = false; bool CheckCStringNullArg = false;
bool CheckCStringOutOfBounds = false; bool CheckCStringOutOfBounds = false;
bool CheckCStringBufferOverlap = false; bool CheckCStringBufferOverlap = false;
bool CheckCStringNotNullTerm = false; bool CheckCStringNotNullTerm = false;
bool CheckCStringUninitializedRead = false; bool CheckCStringUninitializedRead = false;
// Taint makes no sense for NullArg, BufferOverlap and NotNullTerm checks.
bool ConsiderTaintForCStringOutOfBounds = false;
CheckerNameRef CheckNameCStringNullArg; CheckerNameRef CheckNameCStringNullArg;
CheckerNameRef CheckNameCStringOutOfBounds; CheckerNameRef CheckNameCStringOutOfBounds;
CheckerNameRef CheckNameCStringBufferOverlap; CheckerNameRef CheckNameCStringBufferOverlap;
CheckerNameRef CheckNameCStringNotNullTerm; CheckerNameRef CheckNameCStringNotNullTerm;
CheckerNameRef CheckNameCStringUninitializedRead; CheckerNameRef CheckNameCStringUninitializedRead;
}; };
CStringChecksFilter Filter; CStringChecksFilter Filter;
▲ Show 20 LinesShow All 259 Lines▼ Show 20 Lines if (StOutBound && !StInBound) {
if (!Filter.CheckCStringOutOfBounds) if (!Filter.CheckCStringOutOfBounds)
return nullptr; return nullptr;
// Emit a bug report. // Emit a bug report.
ErrorMessage Message = ErrorMessage Message =
createOutOfBoundErrorMsg(CurrentFunctionDescription, Access); createOutOfBoundErrorMsg(CurrentFunctionDescription, Access);
emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message); emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message);
return nullptr; return nullptr;
} else if (Filter.CheckCStringOutOfBounds &&
Filter.ConsiderTaintForCStringOutOfBounds && StOutBound &&
StInBound &&
(taint::isTainted(state, Idx) || taint::isTainted(state, Size))) {
// FIXME: Explain whether the index or the extent was tainted.
// FIXME: Add a visitor explaining where the taint was introduced.
ErrorMessage Message = createOutOfBoundErrorMsg(CurrentFunctionDescription,
Access, /*IsTainted=*/true);
emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message);
} }
// Ensure that we wouldn't read uninitialized value. // Ensure that we wouldn't read uninitialized value.
if (Access == AccessKind::read) { if (Access == AccessKind::read) {
if (Filter.CheckCStringUninitializedRead && if (Filter.CheckCStringUninitializedRead &&
StInBound->getSVal(ER).isUndef()) { StInBound->getSVal(ER).isUndef()) {
emitUninitializedReadBug(C, StInBound, Buffer.Expression); emitUninitializedReadBug(C, StInBound, Buffer.Expression);
return nullptr; return nullptr;
▲ Show 20 LinesShow All 2,104 Lines▼ Show 20 Lines#define REGISTER_CHECKER(name) \
void ento::register##name(CheckerManager &mgr) { \ void ento::register##name(CheckerManager &mgr) { \
CStringChecker *checker = mgr.getChecker<CStringChecker>(); \ CStringChecker *checker = mgr.getChecker<CStringChecker>(); \
checker->Filter.Check##name = true; \ checker->Filter.Check##name = true; \
checker->Filter.CheckName##name = mgr.getCurrentCheckerName(); \ checker->Filter.CheckName##name = mgr.getCurrentCheckerName(); \
} \ } \
\ \
bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; } bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
#define REGISTER_CHECKER_WITH_TAINT(name) \
void ento::register##name(CheckerManager &mgr) { \
CStringChecker *checker = mgr.getChecker<CStringChecker>(); \
checker->Filter.Check##name = true; \
checker->Filter.CheckName##name = mgr.getCurrentCheckerName(); \
checker->Filter.ConsiderTaintFor##name = \
mgr.getAnalyzerOptions().getCheckerBooleanOption( \
mgr.getCurrentCheckerName().getName(), "ConsiderTaint"); \
} \
\
bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
REGISTER_CHECKER(CStringNullArg) REGISTER_CHECKER(CStringNullArg)
REGISTER_CHECKER(CStringOutOfBounds)
REGISTER_CHECKER(CStringBufferOverlap) REGISTER_CHECKER(CStringBufferOverlap)
REGISTER_CHECKER(CStringNotNullTerm) REGISTER_CHECKER(CStringNotNullTerm)
REGISTER_CHECKER(CStringUninitializedRead) REGISTER_CHECKER(CStringUninitializedRead)
REGISTER_CHECKER_WITH_TAINT(CStringOutOfBounds)

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show All 13 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "Yaml.h" #include "Yaml.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/Basic/Builtins.h" #include "clang/Basic/Builtins.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/Taint.h" #include "clang/StaticAnalyzer/Checkers/Taint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/Support/YAMLTraits.h" #include "llvm/Support/YAMLTraits.h"
#include <limits> #include <limits>
#include <memory> #include <memory>
#include <utility> #include <utility>
#define DEBUG_TYPE "taint-checker" #define DEBUG_TYPE "taint-checker"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint; using namespace taint;
using llvm::ImmutableSet; using llvm::ImmutableList;
namespace { namespace {
class GenericTaintChecker; class GenericTaintChecker;
/// Check for CWE-134: Uncontrolled Format String. /// Check for CWE-134: Uncontrolled Format String.
constexpr llvm::StringLiteral MsgUncontrolledFormatString = constexpr llvm::StringLiteral MsgUncontrolledFormatString =
"Untrusted data is used as a format string " "Untrusted data is used as a format string "
▲ Show 20 LinesShow All 377 Lines▼ Show 20 Lines static void enumeration(IO &IO, TaintConfiguration::VariadicType &Value) {
IO.enumCase(Value, "None", TaintConfiguration::VariadicType::None); IO.enumCase(Value, "None", TaintConfiguration::VariadicType::None);
IO.enumCase(Value, "Src", TaintConfiguration::VariadicType::Src); IO.enumCase(Value, "Src", TaintConfiguration::VariadicType::Src);
IO.enumCase(Value, "Dst", TaintConfiguration::VariadicType::Dst); IO.enumCase(Value, "Dst", TaintConfiguration::VariadicType::Dst);
} }
}; };
} // namespace yaml } // namespace yaml
} // namespace llvm } // namespace llvm
/// A set which is used to pass information from call pre-visit instruction namespace {
/// to the call post-visit. The values are signed integers, which are either struct FunctionParameter {
/// ReturnValueIndex, or indexes of the pointer/reference argument, which SVal Value;
/// points to data, which should be tainted on return. ArgIdxTy Index;
FunctionParameter(SVal Value, ArgIdxTy Index) : Value{Value}, Index{Index} {}
void Profile(llvm::FoldingSetNodeID &ID) const {
Value.Profile(ID);
ID.AddInteger(Index);
}
};
bool operator==(const FunctionParameter& lhs, const FunctionParameter& rhs) {
return lhs.Value == rhs.Value && lhs.Index == rhs.Index;
}
} // namespace
REGISTER_TRAIT_WITH_PROGRAMSTATE(ReturnsTainted, bool)
/// A list which is used to pass information from call pre-visit program point
/// to the call post-visit. Contains the symbolic value of the tainted
/// pointer/reference parameter and its index.
REGISTER_MAP_WITH_PROGRAMSTATE(TaintArgsOnPostVisit, const LocationContext *, REGISTER_MAP_WITH_PROGRAMSTATE(TaintArgsOnPostVisit, const LocationContext *,
ImmutableSet<ArgIdxTy>) ImmutableList<FunctionParameter>)
REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(ArgIdxFactory, ArgIdxTy) REGISTER_LIST_FACTORY_WITH_PROGRAMSTATE(FunctionParamFactory, FunctionParameter)
void GenericTaintRuleParser::validateArgVector(const std::string &Option, void GenericTaintRuleParser::validateArgVector(const std::string &Option,
const ArgVecTy &Args) const { const ArgVecTy &Args) const {
for (ArgIdxTy Arg : Args) { for (ArgIdxTy Arg : Args) {
if (Arg < ReturnValueIndex) { if (Arg < ReturnValueIndex) {
Mgr.reportInvalidCheckerOptionValue( Mgr.reportInvalidCheckerOptionValue(
Mgr.getChecker<GenericTaintChecker>(), Option, Mgr.getChecker<GenericTaintChecker>(), Option,
"an argument number for propagation rules greater or equal to -1"); "an argument number for propagation rules greater or equal to -1");
▲ Show 20 LinesShow All 328 Lines▼ Show 20 Lines
} }
void GenericTaintChecker::checkPostCall(const CallEvent &Call, void GenericTaintChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
// Set the marked values as tainted. The return value only accessible from // Set the marked values as tainted. The return value only accessible from
// checkPostStmt. // checkPostStmt.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const StackFrameContext *CurrentFrame = C.getStackFrame(); const StackFrameContext *CurrentFrame = C.getStackFrame();
ExplodedNode *Pred = C.getPredecessor();
// Depending on what was tainted at pre-visit, we determined a set of // Depending on what was tainted at pre-visit, we determined a set of
// arguments which should be tainted after the function returns. These are // arguments which should be tainted after the function returns. These are
// stored in the state as TaintArgsOnPostVisit set. // stored in the state as TaintArgsOnPostVisit set.
TaintArgsOnPostVisitTy TaintArgsMap = State->get<TaintArgsOnPostVisit>();
const ImmutableSet<ArgIdxTy> *TaintArgs = TaintArgsMap.lookup(CurrentFrame); if (State->get<ReturnsTainted>()) {
State = State->set<ReturnsTainted>(false);
State = taint::addTaint(State, Call.getReturnValue());
const NoteTag *Note =
C.getNoteTag([RetVal = Call.getReturnValue()](
PathSensitiveBugReport &BR) -> std::string {
return BR.isInteresting(RetVal) ? "Returned tainted value" : "";
});
Pred = C.addTransition(State, Pred, Note);
}
TaintArgsOnPostVisitTy TaintArgsMap = State->get<TaintArgsOnPostVisit>();
const ImmutableList<FunctionParameter> *TaintArgs = TaintArgsMap.lookup(CurrentFrame);
if (!TaintArgs) if (!TaintArgs)
return; return;
assert(!TaintArgs->isEmpty()); assert(!TaintArgs->isEmpty());
LLVM_DEBUG(for (ArgIdxTy I LLVM_DEBUG(for (FunctionParameter FP
: *TaintArgs) { : *TaintArgs) {
llvm::dbgs() << "PostCall<"; llvm::dbgs() << "PostCall<";
Call.dump(llvm::dbgs()); Call.dump(llvm::dbgs());
llvm::dbgs() << "> actually wants to taint arg index: " << I << '\n'; llvm::dbgs() << "> actually wants to taint arg index: " << FP.Index << '\n';
}); });
for (ArgIdxTy ArgNum : *TaintArgs) { struct Pack {
SVal PreValue;
SVal PostValue;
ArgIdxTy Index;
};
SmallVector<Pack, 6> ActualTaintedParams;
for (FunctionParameter Param : *TaintArgs) {
// Special handling for the tainted return value. // Special handling for the tainted return value.
if (ArgNum == ReturnValueIndex) { if (Param.Index == ReturnValueIndex) {
State = addTaint(State, Call.getReturnValue()); State = addTaint(State, Call.getReturnValue());
continue; continue;
} }
// The arguments are pointer arguments. The data they are pointing at is // The arguments are pointer arguments. The data they are pointing at is
// tainted after the call. // tainted after the call.
if (auto V = getPointeeOf(C, Call.getArgSVal(ArgNum))) if (auto V = getPointeeOf(C, Call.getArgSVal(Param.Index))) {
State = addTaint(State, *V); State = addTaint(State, *V);
ActualTaintedParams.push_back({Param.Value, V.getValue(), Param.Index});
}
} }
// Clear up the taint info from the state. // Clear up the taint info from the state.
State = State->remove<TaintArgsOnPostVisit>(CurrentFrame); State = State->remove<TaintArgsOnPostVisit>(CurrentFrame);
C.addTransition(State); const NoteTag *Note = [&]() -> const NoteTag * {
if (ActualTaintedParams.empty())
return nullptr;
return C.getNoteTag(
[ActualTaintedParams](PathSensitiveBugReport &BR) -> std::string {
const auto Interesting = [&BR](const auto &Param) -> bool {
return BR.isInteresting(Param.PostValue);
};
auto InterestingTaintedParams =
llvm::make_filter_range(ActualTaintedParams, Interesting);
if (InterestingTaintedParams.empty())
return "";
SmallVector<std::string, 6> MsgParts;
for (const auto &Param : InterestingTaintedParams) {
BR.markInteresting(Param.PreValue);
const auto ParamOrdinal = Param.Index + 1;
MsgParts.emplace_back((Twine(std::to_string(ParamOrdinal)) +
llvm::getOrdinalSuffix(ParamOrdinal))
.str());
}
return (Twine("Propagated taint to the ") +
llvm::join(std::move(MsgParts), ", ") +
(MsgParts.size() == 1 ? " parameter" : " parameters"))
.str();
});
}();
C.addTransition(State, Pred, Note);
} }
void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State, void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) const { const char *NL, const char *Sep) const {
printTaint(State, Out, NL, Sep); printTaint(State, Out, NL, Sep);
} }
void GenericTaintRule::process(const GenericTaintChecker &Checker, void GenericTaintRule::process(const GenericTaintChecker &Checker,
Show All 23 Lines if (FilterArgs.contains(I)) {
State = removeTaint(State, *P); State = removeTaint(State, *P);
} }
}); });
/// Check for taint propagation sources. /// Check for taint propagation sources.
/// A rule is relevant if PropSrcArgs is empty, or if any of its signified /// A rule is relevant if PropSrcArgs is empty, or if any of its signified
/// args are tainted in context of the current CallEvent. /// args are tainted in context of the current CallEvent.
bool IsMatching = PropSrcArgs.isEmpty(); bool IsMatching = PropSrcArgs.isEmpty();
ForEachCallArg( ArgIdxTy TaintedArgIdx;
[this, &C, &IsMatching, &State](ArgIdxTy I, const Expr *E, SVal) { ForEachCallArg([this, &C, &IsMatching, &State,
IsMatching = IsMatching || (PropSrcArgs.contains(I) && &TaintedArgIdx](ArgIdxTy I, const Expr *E, SVal) {
isTaintedOrPointsToTainted(E, State, C)); if (IsMatching)
return;
IsMatching =
PropSrcArgs.contains(I) && isTaintedOrPointsToTainted(E, State, C);
if (IsMatching)
TaintedArgIdx = I;
}); });
if (!IsMatching) if (!IsMatching)
return; return;
const auto WouldEscape = [](SVal V, QualType Ty) -> bool { const auto WouldEscape = [](SVal V, QualType Ty) -> bool {
if (!V.getAs<Loc>()) if (!V.getAs<Loc>())
return false; return false;
const bool IsNonConstRef = Ty->isReferenceType() && !Ty.isConstQualified(); const bool IsNonConstRef = Ty->isReferenceType() && !Ty.isConstQualified();
const bool IsNonConstPtr = const bool IsNonConstPtr =
Ty->isPointerType() && !Ty->getPointeeType().isConstQualified(); Ty->isPointerType() && !Ty->getPointeeType().isConstQualified();
return IsNonConstRef || IsNonConstPtr; return IsNonConstRef || IsNonConstPtr;
}; };
struct Pack {
SVal PreValue;
SVal PostValue;
unsigned Index;
};
SmallVector<Pack, 6> ActualTaintedParams;
/// Propagate taint where it is necessary. /// Propagate taint where it is necessary.
auto &F = State->getStateManager().get_context<ArgIdxFactory>(); auto &F = State->getStateManager().get_context<FunctionParamFactory>();
ImmutableSet<ArgIdxTy> Result = F.getEmptySet(); ImmutableList<FunctionParameter> Result = F.getEmptyList();
ForEachCallArg( ForEachCallArg(
[&](ArgIdxTy I, const Expr *E, SVal V) { [&](ArgIdxTy I, const Expr *E, SVal V) {
if (PropDstArgs.contains(I)) { if (PropDstArgs.contains(I)) {
LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs()); LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs());
llvm::dbgs() llvm::dbgs()
<< "> prepares tainting arg index: " << I << '\n';); << "> prepares tainting arg index: " << I << '\n';);
Result = F.add(Result, I); if (I == ReturnValueIndex)
State = State->set<ReturnsTainted>(true);
else
Result = F.add<FunctionParameter>({V, I}, Result);
return;
} }
// TODO: We should traverse all reachable memory regions via the // TODO: We should traverse all reachable memory regions via the
// escaping parameter. Instead of doing that we simply mark only the // escaping parameter. Instead of doing that we simply mark only the
// referred memory region as tainted. // referred memory region as tainted.
if (WouldEscape(V, E->getType())) { if (WouldEscape(V, E->getType())) {
LLVM_DEBUG(if (!Result.contains(I)) { LLVM_DEBUG(if (!Result.contains({V, I})) {
llvm::dbgs() << "PreCall<"; llvm::dbgs() << "PreCall<";
Call.dump(llvm::dbgs()); Call.dump(llvm::dbgs());
llvm::dbgs() << "> prepares tainting arg index: " << I << '\n'; llvm::dbgs() << "> prepares tainting arg index: " << I << '\n';
}); });
Result = F.add(Result, I); Result = F.add<FunctionParameter>({V, I}, Result);
} }
}); });
if (!Result.isEmpty()) if (!Result.isEmpty())
State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result); State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result);
C.addTransition(State); C.addTransition(State);
} }
Show All 10 Linesbool GenericTaintChecker::generateReportIfTainted(const Expr *E, StringRef Msg,
if (!TaintedSVal) if (!TaintedSVal)
return false; return false;
// Generate diagnostic. // Generate diagnostic.
if (ExplodedNode *N = C.generateNonFatalErrorNode()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
auto report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N); auto report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N);
report->addRange(E->getSourceRange()); report->addRange(E->getSourceRange());
report->markInteresting(*TaintedSVal);
report->addVisitor(std::make_unique<TaintBugVisitor>(*TaintedSVal)); report->addVisitor(std::make_unique<TaintBugVisitor>(*TaintedSVal));
C.emitReport(std::move(report)); C.emitReport(std::move(report));
return true; return true;
} }
return false; return false;
} }
/// TODO: remove checking for printf format attributes and socket whitelisting /// TODO: remove checking for printf format attributes and socket whitelisting
▲ Show 20 LinesShow All 54 Lines▼ Show 20 Linesvoid GenericTaintChecker::taintUnsafeSocketProtocol(const CallEvent &Call,
// Allow internal communication protocols. // Allow internal communication protocols.
bool SafeProtocol = DomName.equals("AF_SYSTEM") || bool SafeProtocol = DomName.equals("AF_SYSTEM") ||
DomName.equals("AF_LOCAL") || DomName.equals("AF_UNIX") || DomName.equals("AF_LOCAL") || DomName.equals("AF_UNIX") ||
DomName.equals("AF_RESERVED_36"); DomName.equals("AF_RESERVED_36");
if (SafeProtocol) if (SafeProtocol)
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
auto &F = State->getStateManager().get_context<ArgIdxFactory>(); State = State->set<ReturnsTainted>(true);
ImmutableSet<ArgIdxTy> Result = F.add(F.getEmptySet(), ReturnValueIndex); auto &F = State->getStateManager().get_context<FunctionParamFactory>();
State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result); State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), F.create<FunctionParameter>({Call.getReturnValue(), ReturnValueIndex}));
C.addTransition(State); C.addTransition(State);
} }
/// Checker registration /// Checker registration
void ento::registerGenericTaintChecker(CheckerManager &Mgr) { void ento::registerGenericTaintChecker(CheckerManager &Mgr) {
Mgr.registerChecker<GenericTaintChecker>(); Mgr.registerChecker<GenericTaintChecker>();
} }
bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) { bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) {
return true; return true;
} }

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 54 Lines▼ Show 20 Lines
#include "clang/ASTMatchers/ASTMatchFinder.h" #include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/ASTMatchers/ASTMatchers.h" #include "clang/ASTMatchers/ASTMatchers.h"
#include "clang/Analysis/ProgramPoint.h" #include "clang/Analysis/ProgramPoint.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/Taint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
▲ Show 20 LinesShow All 138 Lines▼ Show 20 Lines#define CASE(ID) case ID: OS << #ID; break;
LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
}; };
} // end of anonymous namespace } // end of anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
namespace {
struct StateAndPred {
ProgramStateRef State;
ExplodedNode *Pred;
};
} // namespace
/// Check if the memory associated with this symbol was released. /// Check if the memory associated with this symbol was released.
static bool isReleased(SymbolRef Sym, CheckerContext &C); static bool isReleased(SymbolRef Sym, CheckerContext &C);
/// Update the RefState to reflect the new memory allocation. /// Update the RefState to reflect the new memory allocation.
/// The optional \p RetVal parameter specifies the newly allocated pointer /// The optional \p RetVal parameter specifies the newly allocated pointer
/// value; if unspecified, the value of expression \p E is used. /// value; if unspecified, the value of expression \p E is used.
static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, static StateAndPred MallocUpdateRefState(CheckerContext &C, const Expr *E,
ProgramStateRef State, ProgramStateRef State,
ExplodedNode *Pred,
AllocationFamily Family, AllocationFamily Family,
Optional<SVal> RetVal = None); Optional<SVal> RetVal = None);
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// The modeling of memory reallocation. // The modeling of memory reallocation.
// //
// The terminology 'toPtr' and 'fromPtr' will be used: // The terminology 'toPtr' and 'fromPtr' will be used:
// toPtr = realloc(fromPtr, 20); // toPtr = realloc(fromPtr, 20);
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 215 Lines▼ Show 20 Lines#define CHECK_FN(NAME) \
/// The value is initialized at first use, before first use the outer /// The value is initialized at first use, before first use the outer
/// Optional is empty, afterwards it contains another Optional that indicates /// Optional is empty, afterwards it contains another Optional that indicates
/// if the macro value could be determined, and if yes the value itself. /// if the macro value could be determined, and if yes the value itself.
mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue; mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue;
/// Process C++ operator new()'s allocation, which is the part of C++ /// Process C++ operator new()'s allocation, which is the part of C++
/// new-expression that goes before the constructor. /// new-expression that goes before the constructor.
LLVM_NODISCARD LLVM_NODISCARD
ProgramStateRef processNewAllocation(const CXXAllocatorCall &Call, StateAndPred processNewAllocation(const CXXAllocatorCall &Call,
CheckerContext &C, CheckerContext &C,
AllocationFamily Family) const; AllocationFamily Family) const;
/// Perform a zero-allocation check. /// Perform a zero-allocation check.
/// ///
/// \param [in] Call The expression that allocates memory. /// \param [in] Call The expression that allocates memory.
/// \param [in] IndexOfSizeArg Index of the argument that specifies the size /// \param [in] IndexOfSizeArg Index of the argument that specifies the size
/// of the memory that needs to be allocated. E.g. for malloc, this would be /// of the memory that needs to be allocated. E.g. for malloc, this would be
/// 0. /// 0.
/// \param [in] RetVal Specifies the newly allocated pointer value; /// \param [in] RetVal Specifies the newly allocated pointer value;
Show All 16 Lines#define CHECK_FN(NAME) \
/// - first: name of the resource (e.g. 'malloc') /// - first: name of the resource (e.g. 'malloc')
/// - (OPTIONAL) second: size of the allocated region /// - (OPTIONAL) second: size of the allocated region
/// ///
/// \param [in] Call The expression that allocates memory. /// \param [in] Call The expression that allocates memory.
/// \param [in] Att The ownership_returns attribute. /// \param [in] Att The ownership_returns attribute.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
LLVM_NODISCARD LLVM_NODISCARD
ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call, StateAndPred MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
const OwnershipAttr *Att, const OwnershipAttr *Att,
ProgramStateRef State) const; ProgramStateRef State,
ExplodedNode *Pred) const;
/// Models memory allocation. /// Models memory allocation.
/// ///
/// \param [in] Call The expression that allocates memory. /// \param [in] Call The expression that allocates memory.
/// \param [in] SizeEx Size of the memory that needs to be allocated. /// \param [in] SizeEx Size of the memory that needs to be allocated.
/// \param [in] Init The value the allocated memory needs to be initialized. /// \param [in] Init The value the allocated memory needs to be initialized.
/// with. For example, \c calloc initializes the allocated memory to 0, /// with. For example, \c calloc initializes the allocated memory to 0,
/// malloc leaves it undefined. /// malloc leaves it undefined.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
LLVM_NODISCARD LLVM_NODISCARD
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call, static StateAndPred MallocMemAux(CheckerContext &C, const CallEvent &Call,
const Expr *SizeEx, SVal Init, const Expr *SizeEx, SVal Init,
ProgramStateRef State, ProgramStateRef State, ExplodedNode *Pred,
AllocationFamily Family); AllocationFamily Family);
/// Models memory allocation. /// Models memory allocation.
/// ///
/// \param [in] Call The expression that allocates memory. /// \param [in] Call The expression that allocates memory.
/// \param [in] Size Size of the memory that needs to be allocated. /// \param [in] Size Size of the memory that needs to be allocated.
/// \param [in] Init The value the allocated memory needs to be initialized. /// \param [in] Init The value the allocated memory needs to be initialized.
/// with. For example, \c calloc initializes the allocated memory to 0, /// with. For example, \c calloc initializes the allocated memory to 0,
/// malloc leaves it undefined. /// malloc leaves it undefined.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
LLVM_NODISCARD LLVM_NODISCARD
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call, static StateAndPred MallocMemAux(CheckerContext &C, const CallEvent &Call,
SVal Size, SVal Init, SVal Size, SVal Init, ProgramStateRef State,
ProgramStateRef State, ExplodedNode *Pred, AllocationFamily Family);
AllocationFamily Family);
// Check if this malloc() for special flags. At present that means M_ZERO or // Check if this malloc() for special flags. At present that means M_ZERO or
// __GFP_ZERO (in which case, treat it like calloc). // __GFP_ZERO (in which case, treat it like calloc).
LLVM_NODISCARD LLVM_NODISCARD
llvm::Optional<ProgramStateRef> llvm::Optional<StateAndPred> performKernelMalloc(const CallEvent &Call,
performKernelMalloc(const CallEvent &Call, CheckerContext &C, CheckerContext &C,
const ProgramStateRef &State) const; ProgramStateRef State,
ExplodedNode *Pred) const;
/// Model functions with the ownership_takes and ownership_holds attributes. /// Model functions with the ownership_takes and ownership_holds attributes.
/// ///
/// User-defined function may have the ownership_takes and/or ownership_holds /// User-defined function may have the ownership_takes and/or ownership_holds
/// attributes, which annotates that the function frees the memory passed as a /// attributes, which annotates that the function frees the memory passed as a
/// parameter. /// parameter.
/// ///
/// void __attribute((ownership_takes(malloc, 1))) my_free(void *); /// void __attribute((ownership_takes(malloc, 1))) my_free(void *);
▲ Show 20 LinesShow All 73 Lines▼ Show 20 Lines#define CHECK_FN(NAME) \
/// \param [in] Call The expression that reallocated memory /// \param [in] Call The expression that reallocated memory
/// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied /// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied
/// memory should be freed. /// memory should be freed.
/// \param [in] State The \c ProgramState right before reallocation. /// \param [in] State The \c ProgramState right before reallocation.
/// \param [in] SuffixWithN Whether the reallocation function we're modeling /// \param [in] SuffixWithN Whether the reallocation function we're modeling
/// has an '_n' suffix, such as g_realloc_n. /// has an '_n' suffix, such as g_realloc_n.
/// \returns The ProgramState right after reallocation. /// \returns The ProgramState right after reallocation.
LLVM_NODISCARD LLVM_NODISCARD
ProgramStateRef ReallocMemAux(CheckerContext &C, const CallEvent &Call, StateAndPred ReallocMemAux(CheckerContext &C, const CallEvent &Call,
bool ShouldFreeOnFail, ProgramStateRef State, bool ShouldFreeOnFail, ProgramStateRef State,
AllocationFamily Family, ExplodedNode *Pred, AllocationFamily Family,
bool SuffixWithN = false) const; bool SuffixWithN = false) const;
/// Evaluates the buffer size that needs to be allocated. /// Evaluates the buffer size that needs to be allocated.
/// ///
/// \param [in] Blocks The amount of blocks that needs to be allocated. /// \param [in] Blocks The amount of blocks that needs to be allocated.
/// \param [in] BlockBytes The size of a block. /// \param [in] BlockBytes The size of a block.
/// \returns The symbolic value of \p Blocks * \p BlockBytes. /// \returns The symbolic value of \p Blocks * \p BlockBytes.
LLVM_NODISCARD LLVM_NODISCARD
static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
const Expr *BlockBytes); const Expr *BlockBytes);
/// Models zero initialized array allocation. /// Models zero initialized array allocation.
/// ///
/// \param [in] Call The expression that reallocated memory /// \param [in] Call The expression that reallocated memory
/// \param [in] State The \c ProgramState right before reallocation. /// \param [in] State The \c ProgramState right before reallocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
LLVM_NODISCARD LLVM_NODISCARD
static ProgramStateRef CallocMem(CheckerContext &C, const CallEvent &Call, static StateAndPred CallocMem(CheckerContext &C, const CallEvent &Call,
ProgramStateRef State); ProgramStateRef State, ExplodedNode *Pred);
/// See if deallocation happens in a suspicious context. If so, escape the /// See if deallocation happens in a suspicious context. If so, escape the
/// pointers that otherwise would have been deallocated and return true. /// pointers that otherwise would have been deallocated and return true.
bool suppressDeallocationsInSuspiciousContexts(const CallEvent &Call, bool suppressDeallocationsInSuspiciousContexts(const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
/// If in \p S \p Sym is used, check whether \p Sym was already freed. /// If in \p S \p Sym is used, check whether \p Sym was already freed.
bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
▲ Show 20 LinesShow All 481 Lines▼ Show 20 Linesbool MallocChecker::isMemCall(const CallEvent &Call) const {
if (!ShouldIncludeOwnershipAnnotatedFunctions) if (!ShouldIncludeOwnershipAnnotatedFunctions)
return false; return false;
const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()); const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());
return Func && Func->hasAttr<OwnershipAttr>(); return Func && Func->hasAttr<OwnershipAttr>();
} }
llvm::Optional<ProgramStateRef> llvm::Optional<StateAndPred>
MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C, MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C,
const ProgramStateRef &State) const { ProgramStateRef State,
ExplodedNode *Pred) const {
// 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
// //
// void *malloc(unsigned long size, struct malloc_type *mtp, int flags); // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
// //
// One of the possible flags is M_ZERO, which means 'give me back an // One of the possible flags is M_ZERO, which means 'give me back an
// allocation which is already zeroed', like calloc. // allocation which is already zeroed', like calloc.
// 2-argument kmalloc(), as used in the Linux kernel: // 2-argument kmalloc(), as used in the Linux kernel:
▲ Show 20 LinesShow All 54 Lines▼ Show 20 LinesMallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C,
// Check if maskedFlags is non-zero. // Check if maskedFlags is non-zero.
ProgramStateRef TrueState, FalseState; ProgramStateRef TrueState, FalseState;
std::tie(TrueState, FalseState) = State->assume(MaskedFlags); std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
// If M_ZERO is set, treat this like calloc (initialized). // If M_ZERO is set, treat this like calloc (initialized).
if (TrueState && !FalseState) { if (TrueState && !FalseState) {
SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
return MallocMemAux(C, Call, Call.getArgExpr(0), ZeroVal, TrueState, return MallocMemAux(C, Call, Call.getArgExpr(0), ZeroVal, TrueState, Pred,
AF_Malloc); AF_Malloc);
} }
return None; return None;
} }
SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
const Expr *BlockBytes) { const Expr *BlockBytes) {
SValBuilder &SB = C.getSValBuilder(); SValBuilder &SB = C.getSValBuilder();
SVal BlocksVal = C.getSVal(Blocks); SVal BlocksVal = C.getSVal(Blocks);
SVal BlockBytesVal = C.getSVal(BlockBytes); SVal BlockBytesVal = C.getSVal(BlockBytes);
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal, SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
SB.getContext().getSizeType()); SB.getContext().getSizeType());
return TotalSize; return TotalSize;
} }
void MallocChecker::checkBasicAlloc(const CallEvent &Call, void MallocChecker::checkBasicAlloc(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State, Pair = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), Pair.State,
AF_Malloc); Pair.Pred, AF_Malloc);
State = ProcessZeroAllocCheck(Call, 0, State); Pair.State = ProcessZeroAllocCheck(Call, 0, Pair.State);
C.addTransition(State); C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkKernelMalloc(const CallEvent &Call, void MallocChecker::checkKernelMalloc(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
llvm::Optional<ProgramStateRef> MaybeState = llvm::Optional<StateAndPred> MaybePair =
performKernelMalloc(Call, C, State); performKernelMalloc(Call, C, Pair.State, Pair.Pred);
if (MaybeState.hasValue()) if (MaybePair.hasValue())
State = MaybeState.getValue(); Pair = MaybePair.getValue();
else else
State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State, Pair = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), Pair.State,
AF_Malloc); Pair.Pred, AF_Malloc);
C.addTransition(State); C.addTransition(Pair.State, Pair.Pred);
} }
static bool isStandardRealloc(const CallEvent &Call) { static bool isStandardRealloc(const CallEvent &Call) {
const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl()); const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl());
assert(FD); assert(FD);
ASTContext &AC = FD->getASTContext(); ASTContext &AC = FD->getASTContext();
if (isa<CXXMethodDecl>(FD)) if (isa<CXXMethodDecl>(FD))
Show All 24 Linesvoid MallocChecker::checkRealloc(const CallEvent &Call, CheckerContext &C,
// HACK: CallDescription currently recognizes non-standard realloc functions // HACK: CallDescription currently recognizes non-standard realloc functions
// as standard because it doesn't check the type, or wether its a non-method // as standard because it doesn't check the type, or wether its a non-method
// function. This should be solved by making CallDescription smarter. // function. This should be solved by making CallDescription smarter.
// Mind that this came from a bug report, and all other functions suffer from // Mind that this came from a bug report, and all other functions suffer from
// this. // this.
// https://bugs.llvm.org/show_bug.cgi?id=46253 // https://bugs.llvm.org/show_bug.cgi?id=46253
if (!isStandardRealloc(Call) && !isGRealloc(Call)) if (!isStandardRealloc(Call) && !isGRealloc(Call))
return; return;
ProgramStateRef State = C.getState(); StateAndPred Pair = ReallocMemAux(C, Call, ShouldFreeOnFail, C.getState(),
State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, AF_Malloc); C.getPredecessor(), AF_Malloc);
State = ProcessZeroAllocCheck(Call, 1, State); Pair.State = ProcessZeroAllocCheck(Call, 1, Pair.State);
C.addTransition(State); C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkCalloc(const CallEvent &Call, void MallocChecker::checkCalloc(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = CallocMem(C, Call, C.getState(), C.getPredecessor());
State = CallocMem(C, Call, State); Pair.State = ProcessZeroAllocCheck(Call, 0, Pair.State);
State = ProcessZeroAllocCheck(Call, 0, State); Pair.State = ProcessZeroAllocCheck(Call, 1, Pair.State);
State = ProcessZeroAllocCheck(Call, 1, State); C.addTransition(Pair.State, Pair.Pred);
C.addTransition(State);
} }
void MallocChecker::checkFree(const CallEvent &Call, CheckerContext &C) const { void MallocChecker::checkFree(const CallEvent &Call, CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
bool IsKnownToBeAllocatedMemory = false; bool IsKnownToBeAllocatedMemory = false;
if (suppressDeallocationsInSuspiciousContexts(Call, C)) if (suppressDeallocationsInSuspiciousContexts(Call, C))
return; return;
State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
AF_Malloc); AF_Malloc);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkAlloca(const CallEvent &Call, void MallocChecker::checkAlloca(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State, Pair = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), Pair.State,
AF_Alloca); Pair.Pred, AF_Alloca);
State = ProcessZeroAllocCheck(Call, 0, State); Pair.State = ProcessZeroAllocCheck(Call, 0, Pair.State);
C.addTransition(State); C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkStrdup(const CallEvent &Call, void MallocChecker::checkStrdup(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE) if (!CE)
return; return;
State = MallocUpdateRefState(C, CE, State, AF_Malloc);
C.addTransition(State); StateAndPred Pair =
MallocUpdateRefState(C, CE, C.getState(), C.getPredecessor(), AF_Malloc);
C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkIfNameIndex(const CallEvent &Call, void MallocChecker::checkIfNameIndex(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
// Should we model this differently? We can allocate a fixed number of // Should we model this differently? We can allocate a fixed number of
// elements with zeros in the last one. // elements with zeros in the last one.
State = Pair = MallocMemAux(C, Call, UnknownVal(), UnknownVal(), Pair.State,
MallocMemAux(C, Call, UnknownVal(), UnknownVal(), State, AF_IfNameIndex); Pair.Pred, AF_IfNameIndex);
C.addTransition(Pair.State, Pair.Pred);
C.addTransition(State);
} }
void MallocChecker::checkIfFreeNameIndex(const CallEvent &Call, void MallocChecker::checkIfFreeNameIndex(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
bool IsKnownToBeAllocatedMemory = false; bool IsKnownToBeAllocatedMemory = false;
State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
AF_IfNameIndex); AF_IfNameIndex);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkCXXNewOrCXXDelete(const CallEvent &Call, void MallocChecker::checkCXXNewOrCXXDelete(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
bool IsKnownToBeAllocatedMemory = false; bool IsKnownToBeAllocatedMemory = false;
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE) if (!CE)
return; return;
assert(isStandardNewDelete(Call)); assert(isStandardNewDelete(Call));
// Process direct calls to operator new/new[]/delete/delete[] functions // Process direct calls to operator new/new[]/delete/delete[] functions
// as distinct from new/new[]/delete/delete[] expressions that are // as distinct from new/new[]/delete/delete[] expressions that are
// processed by the checkPostStmt callbacks for CXXNewExpr and // processed by the checkPostStmt callbacks for CXXNewExpr and
// CXXDeleteExpr. // CXXDeleteExpr.
const FunctionDecl *FD = C.getCalleeDecl(CE); const FunctionDecl *FD = C.getCalleeDecl(CE);
switch (FD->getOverloadedOperator()) { switch (FD->getOverloadedOperator()) {
case OO_New: case OO_New:
State = Pair = MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), Pair.State,
MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State, AF_CXXNew); Pair.Pred, AF_CXXNew);
State = ProcessZeroAllocCheck(Call, 0, State); Pair.State = ProcessZeroAllocCheck(Call, 0, Pair.State);
break; break;
case OO_Array_New: case OO_Array_New:
State = MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State, Pair = MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), Pair.State,
AF_CXXNewArray); Pair.Pred, AF_CXXNewArray);
State = ProcessZeroAllocCheck(Call, 0, State); Pair.State = ProcessZeroAllocCheck(Call, 0, Pair.State);
break; break;
case OO_Delete: case OO_Delete:
State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, Pair.State = FreeMemAux(C, Call, Pair.State, 0, false,
AF_CXXNew); IsKnownToBeAllocatedMemory, AF_CXXNew);
break; break;
case OO_Array_Delete: case OO_Array_Delete:
State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, Pair.State = FreeMemAux(C, Call, Pair.State, 0, false,
AF_CXXNewArray); IsKnownToBeAllocatedMemory, AF_CXXNewArray);
break; break;
default: default:
llvm_unreachable("not a new/delete operator"); llvm_unreachable("not a new/delete operator");
} }
C.addTransition(State); C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkGMalloc0(const CallEvent &Call, void MallocChecker::checkGMalloc0(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
State = MallocMemAux(C, Call, Call.getArgExpr(0), zeroVal, State, AF_Malloc); Pair = MallocMemAux(C, Call, Call.getArgExpr(0), zeroVal, Pair.State,
State = ProcessZeroAllocCheck(Call, 0, State); Pair.Pred, AF_Malloc);
C.addTransition(State); Pair.State = ProcessZeroAllocCheck(Call, 0, Pair.State);
C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkGMemdup(const CallEvent &Call, void MallocChecker::checkGMemdup(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
State = Pair = MallocMemAux(C, Call, Call.getArgExpr(1), UnknownVal(), Pair.State,
MallocMemAux(C, Call, Call.getArgExpr(1), UnknownVal(), State, AF_Malloc); Pair.Pred, AF_Malloc);
State = ProcessZeroAllocCheck(Call, 1, State); Pair.State = ProcessZeroAllocCheck(Call, 1, Pair.State);
C.addTransition(State); C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkGMallocN(const CallEvent &Call, void MallocChecker::checkGMallocN(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
SVal Init = UndefinedVal(); SVal Init = UndefinedVal();
SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1)); SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc); Pair =
State = ProcessZeroAllocCheck(Call, 0, State); MallocMemAux(C, Call, TotalSize, Init, Pair.State, Pair.Pred, AF_Malloc);
State = ProcessZeroAllocCheck(Call, 1, State); Pair.State = ProcessZeroAllocCheck(Call, 0, Pair.State);
C.addTransition(State); Pair.State = ProcessZeroAllocCheck(Call, 1, Pair.State);
C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkGMallocN0(const CallEvent &Call, void MallocChecker::checkGMallocN0(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
SValBuilder &SB = C.getSValBuilder(); SValBuilder &SB = C.getSValBuilder();
SVal Init = SB.makeZeroVal(SB.getContext().CharTy); SVal Init = SB.makeZeroVal(SB.getContext().CharTy);
SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1)); SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc); Pair =
State = ProcessZeroAllocCheck(Call, 0, State); MallocMemAux(C, Call, TotalSize, Init, Pair.State, Pair.Pred, AF_Malloc);
State = ProcessZeroAllocCheck(Call, 1, State); Pair.State = ProcessZeroAllocCheck(Call, 0, Pair.State);
C.addTransition(State); Pair.State = ProcessZeroAllocCheck(Call, 1, Pair.State);
C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkReallocN(const CallEvent &Call, void MallocChecker::checkReallocN(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false,
State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, AF_Malloc, C.getState(), C.getPredecessor(), AF_Malloc,
/*SuffixWithN=*/true); /*SuffixWithN=*/true);
State = ProcessZeroAllocCheck(Call, 1, State); Pair.State = ProcessZeroAllocCheck(Call, 1, Pair.State);
State = ProcessZeroAllocCheck(Call, 2, State); Pair.State = ProcessZeroAllocCheck(Call, 2, Pair.State);
C.addTransition(State); C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkOwnershipAttr(const CallEvent &Call, void MallocChecker::checkOwnershipAttr(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE) if (!CE)
return; return;
const FunctionDecl *FD = C.getCalleeDecl(CE); const FunctionDecl *FD = C.getCalleeDecl(CE);
if (!FD) if (!FD)
return; return;
if (ShouldIncludeOwnershipAnnotatedFunctions || if (ShouldIncludeOwnershipAnnotatedFunctions ||
ChecksEnabled[CK_MismatchedDeallocatorChecker]) { ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
// Check all the attributes, if there are any. // Check all the attributes, if there are any.
// There can be multiple of these attributes. // There can be multiple of these attributes.
if (FD->hasAttrs()) if (FD->hasAttrs())
for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
switch (I->getOwnKind()) { switch (I->getOwnKind()) {
case OwnershipAttr::Returns: case OwnershipAttr::Returns:
State = MallocMemReturnsAttr(C, Call, I, State); Pair = MallocMemReturnsAttr(C, Call, I, Pair.State, Pair.Pred);
break; break;
case OwnershipAttr::Takes: case OwnershipAttr::Takes:
case OwnershipAttr::Holds: case OwnershipAttr::Holds:
State = FreeMemAttr(C, Call, I, State); Pair.State = FreeMemAttr(C, Call, I, Pair.State);
break; break;
} }
} }
} }
C.addTransition(State); C.addTransition(Pair.State, Pair.Pred);
} }
void MallocChecker::checkPostCall(const CallEvent &Call, void MallocChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (C.wasInlined) if (C.wasInlined)
return; return;
if (!Call.getOriginExpr()) if (!Call.getOriginExpr())
return; return;
▲ Show 20 LinesShow All 123 Lines▼ Show 20 Lines for (const auto *CtorParam : CtorD->parameters()) {
if (CtorParamPointeeT->getAsCXXRecordDecl()) if (CtorParamPointeeT->getAsCXXRecordDecl())
return true; return true;
} }
return false; return false;
} }
ProgramStateRef StateAndPred
MallocChecker::processNewAllocation(const CXXAllocatorCall &Call, MallocChecker::processNewAllocation(const CXXAllocatorCall &Call,
CheckerContext &C, CheckerContext &C,
AllocationFamily Family) const { AllocationFamily Family) const {
if (!isStandardNewDelete(Call)) if (!isStandardNewDelete(Call))
return nullptr; return {nullptr, C.getPredecessor()};
const CXXNewExpr *NE = Call.getOriginExpr(); const CXXNewExpr *NE = Call.getOriginExpr();
const ParentMap &PM = C.getLocationContext()->getParentMap(); const ParentMap &PM = C.getLocationContext()->getParentMap();
ProgramStateRef State = C.getState(); StateAndPred Pair = {C.getState(), C.getPredecessor()};
// Non-trivial constructors have a chance to escape 'this', but marking all // Non-trivial constructors have a chance to escape 'this', but marking all
// invocations of trivial constructors as escaped would cause too great of // invocations of trivial constructors as escaped would cause too great of
// reduction of true positives, so let's just do that for constructors that // reduction of true positives, so let's just do that for constructors that
// have an argument of a pointer-to-record type. // have an argument of a pointer-to-record type.
if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE)) if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE))
return State; return Pair;
// The return value from operator new is bound to a specified initialization // The return value from operator new is bound to a specified initialization
// value (if any) and we don't want to loose this value. So we call // value (if any) and we don't want to loose this value. So we call
// MallocUpdateRefState() instead of MallocMemAux() which breaks the // MallocUpdateRefState() instead of MallocMemAux() which breaks the
// existing binding. // existing binding.
SVal Target = Call.getObjectUnderConstruction(); SVal Target = Call.getObjectUnderConstruction();
State = MallocUpdateRefState(C, NE, State, Family, Target);
State = ProcessZeroAllocCheck(Call, 0, State, Target); Pair = MallocUpdateRefState(C, NE, Pair.State, Pair.Pred, Family, Target);
return State; Pair.State = ProcessZeroAllocCheck(Call, 0, Pair.State, Target);
return Pair;
} }
void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call, void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (!C.wasInlined) { if (!C.wasInlined) {
ProgramStateRef State = processNewAllocation( StateAndPred Pair = processNewAllocation(
Call, C, Call, C,
(Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew)); (Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew));
C.addTransition(State); C.addTransition(Pair.State, Pair.Pred);
} }
} }
static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
// If the first selector piece is one of the names below, assume that the // If the first selector piece is one of the names below, assume that the
// object takes ownership of the memory, promising to eventually deallocate it // object takes ownership of the memory, promising to eventually deallocate it
// with free(). // with free().
// Ex: [NSData dataWithBytesNoCopy:bytes length:10]; // Ex: [NSData dataWithBytesNoCopy:bytes length:10];
Show All 34 Linesvoid MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
ProgramStateRef State = ProgramStateRef State =
FreeMemAux(C, Call.getArgExpr(0), Call, C.getState(), FreeMemAux(C, Call.getArgExpr(0), Call, C.getState(),
/*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc, /*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc,
/*ReturnsNullOnFailure=*/true); /*ReturnsNullOnFailure=*/true);
C.addTransition(State); C.addTransition(State);
} }
ProgramStateRef StateAndPred MallocChecker::MallocMemReturnsAttr(CheckerContext &C,
MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call, const CallEvent &Call,
const OwnershipAttr *Att, const OwnershipAttr *Att,
ProgramStateRef State) const { ProgramStateRef State,
ExplodedNode *Pred) const {
if (!State) if (!State)
return nullptr; return {nullptr, Pred};
if (Att->getModule()->getName() != "malloc") if (Att->getModule()->getName() != "malloc")
return nullptr; return {nullptr, Pred};
OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
if (I != E) { if (I != E) {
return MallocMemAux(C, Call, Call.getArgExpr(I->getASTIndex()), return MallocMemAux(C, Call, Call.getArgExpr(I->getASTIndex()),
UndefinedVal(), State, AF_Malloc); UndefinedVal(), State, Pred, AF_Malloc);
} }
return MallocMemAux(C, Call, UnknownVal(), UndefinedVal(), State, AF_Malloc); return MallocMemAux(C, Call, UnknownVal(), UndefinedVal(), State, Pred,
AF_Malloc);
} }
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, StateAndPred MallocChecker::MallocMemAux(
const CallEvent &Call, CheckerContext &C, const CallEvent &Call, const Expr *SizeEx, SVal Init,
const Expr *SizeEx, SVal Init, ProgramStateRef State, ExplodedNode *Pred, AllocationFamily Family) {
ProgramStateRef State,
AllocationFamily Family) {
if (!State) if (!State)
return nullptr; return {nullptr, Pred};
assert(SizeEx); assert(SizeEx);
return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Family); return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Pred, Family);
} }
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, StateAndPred MallocChecker::MallocMemAux(CheckerContext &C,
const CallEvent &Call, SVal Size, const CallEvent &Call, SVal Size,
SVal Init, ProgramStateRef State, SVal Init, ProgramStateRef State,
ExplodedNode *Pred,
AllocationFamily Family) { AllocationFamily Family) {
if (!State) if (!State)
return nullptr; return {nullptr, Pred};
const Expr *CE = Call.getOriginExpr(); const Expr *CE = Call.getOriginExpr();
// We expect the malloc functions to return a pointer. // We expect the malloc functions to return a pointer.
if (!Loc::isLocType(CE->getType())) if (!Loc::isLocType(CE->getType()))
return nullptr; return {nullptr, Pred};
// Bind the return value to the symbolic value from the heap region. // Bind the return value to the symbolic value from the heap region.
// TODO: We could rewrite post visit to eval call; 'malloc' does not have // TODO: We could rewrite post visit to eval call; 'malloc' does not have
// side effects other than what we model here. // side effects other than what we model here.
unsigned Count = C.blockCount(); unsigned Count = C.blockCount();
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
.castAs<DefinedSVal>(); .castAs<DefinedSVal>();
State = State->BindExpr(CE, C.getLocationContext(), RetVal); State = State->BindExpr(CE, C.getLocationContext(), RetVal);
// Fill the region with the initialization value. // Fill the region with the initialization value.
State = State->bindDefaultInitial(RetVal, Init, LCtx); State = State->bindDefaultInitial(RetVal, Init, LCtx);
// Set the region's extent. // Set the region's extent.
State = setDynamicExtent(State, RetVal.getAsRegion(), State = setDynamicExtent(State, RetVal.getAsRegion(),
Size.castAs<DefinedOrUnknownSVal>(), svalBuilder); Size.castAs<DefinedOrUnknownSVal>(), svalBuilder);
if (taint::isTainted(State, Size)) {
const NoteTag *Note =
C.getNoteTag([Size](PathSensitiveBugReport &BR) -> std::string {
if (BR.isInteresting(Size))
return "Allocating tainted amount of memory";
return "";
});
Pred = C.addTransition(State, Pred, Note);
}
return MallocUpdateRefState(C, CE, State, Family); return MallocUpdateRefState(C, CE, State, Pred, Family);
} }
static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, static StateAndPred MallocUpdateRefState(CheckerContext &C, const Expr *E,
ProgramStateRef State, ProgramStateRef State,
ExplodedNode *Pred,
AllocationFamily Family, AllocationFamily Family,
Optional<SVal> RetVal) { Optional<SVal> RetVal) {
if (!State) if (!State)
return nullptr; return {nullptr, Pred};
// Get the return value. // Get the return value.
if (!RetVal) if (!RetVal)
RetVal = C.getSVal(E); RetVal = C.getSVal(E);
// We expect the malloc functions to return a pointer. // We expect the malloc functions to return a pointer.
if (!RetVal->getAs<Loc>()) if (!RetVal->getAs<Loc>())
return nullptr; return {nullptr, Pred};
SymbolRef Sym = RetVal->getAsLocSymbol(); SymbolRef Sym = RetVal->getAsLocSymbol();
// This is a return value of a function that was not inlined, such as malloc() // This is a return value of a function that was not inlined, such as malloc()
// or new(). We've checked that in the caller. Therefore, it must be a symbol. // or new(). We've checked that in the caller. Therefore, it must be a symbol.
assert(Sym); assert(Sym);
// Set the symbol's state to Allocated. // Set the symbol's state to Allocated.
return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); State = State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
return {State, Pred};
} }
ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
const CallEvent &Call, const CallEvent &Call,
const OwnershipAttr *Att, const OwnershipAttr *Att,
ProgramStateRef State) const { ProgramStateRef State) const {
if (!State) if (!State)
return nullptr; return nullptr;
▲ Show 20 LinesShow All 772 Lines▼ Show 20 Lines if (ExplodedNode *N = C.generateErrorNode()) {
auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind], auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
Os.str(), N); Os.str(), N);
R->markInteresting(MR); R->markInteresting(MR);
R->addRange(Range); R->addRange(Range);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
ProgramStateRef StateAndPred
MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call, MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
bool ShouldFreeOnFail, ProgramStateRef State, bool ShouldFreeOnFail, ProgramStateRef State,
AllocationFamily Family, bool SuffixWithN) const { ExplodedNode *Pred, AllocationFamily Family,
bool SuffixWithN) const {
if (!State) if (!State)
return nullptr; return {nullptr, Pred};
const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr()); const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
if (SuffixWithN && CE->getNumArgs() < 3) if (SuffixWithN && CE->getNumArgs() < 3)
return nullptr; return {nullptr, Pred};
else if (CE->getNumArgs() < 2) else if (CE->getNumArgs() < 2)
return nullptr; return {nullptr, Pred};
const Expr *arg0Expr = CE->getArg(0); const Expr *arg0Expr = CE->getArg(0);
SVal Arg0Val = C.getSVal(arg0Expr); SVal Arg0Val = C.getSVal(arg0Expr);
if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
return nullptr; return {nullptr, Pred};
DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
DefinedOrUnknownSVal PtrEQ = svalBuilder.evalEQ( DefinedOrUnknownSVal PtrEQ = svalBuilder.evalEQ(
State, arg0Val, svalBuilder.makeNullWithType(arg0Expr->getType())); State, arg0Val, svalBuilder.makeNullWithType(arg0Expr->getType()));
// Get the size argument. // Get the size argument.
const Expr *Arg1 = CE->getArg(1); const Expr *Arg1 = CE->getArg(1);
// Get the value of the size argument. // Get the value of the size argument.
SVal TotalSize = C.getSVal(Arg1); SVal TotalSize = C.getSVal(Arg1);
if (SuffixWithN) if (SuffixWithN)
TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2)); TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
if (!TotalSize.getAs<DefinedOrUnknownSVal>()) if (!TotalSize.getAs<DefinedOrUnknownSVal>())
return nullptr; return {nullptr, Pred};
// Compare the size argument to 0. // Compare the size argument to 0.
DefinedOrUnknownSVal SizeZero = DefinedOrUnknownSVal SizeZero =
svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(), svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
svalBuilder.makeIntValWithWidth( svalBuilder.makeIntValWithWidth(
svalBuilder.getContext().getSizeType(), 0)); svalBuilder.getContext().getSizeType(), 0));
ProgramStateRef StatePtrIsNull, StatePtrNotNull; ProgramStateRef StatePtrIsNull, StatePtrNotNull;
std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ); std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
ProgramStateRef StateSizeIsZero, StateSizeNotZero; ProgramStateRef StateSizeIsZero, StateSizeNotZero;
std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero); std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
// We only assume exceptional states if they are definitely true; if the // We only assume exceptional states if they are definitely true; if the
// state is under-constrained, assume regular realloc behavior. // state is under-constrained, assume regular realloc behavior.
bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
// If the ptr is NULL and the size is not 0, the call is equivalent to // If the ptr is NULL and the size is not 0, the call is equivalent to
// malloc(size). // malloc(size).
if (PrtIsNull && !SizeIsZero) { if (PrtIsNull && !SizeIsZero) {
ProgramStateRef stateMalloc = MallocMemAux( return MallocMemAux(C, Call, TotalSize, UndefinedVal(), StatePtrIsNull,
C, Call, TotalSize, UndefinedVal(), StatePtrIsNull, Family); Pred, Family);
return stateMalloc;
} }
if (PrtIsNull && SizeIsZero) if (PrtIsNull && SizeIsZero)
return State; return {State, Pred};
assert(!PrtIsNull); assert(!PrtIsNull);
bool IsKnownToBeAllocated = false; bool IsKnownToBeAllocated = false;
// If the size is 0, free the memory. // If the size is 0, free the memory.
if (SizeIsZero) if (SizeIsZero)
// The semantics of the return value are: // The semantics of the return value are:
// If size was equal to 0, either NULL or a pointer suitable to be passed // If size was equal to 0, either NULL or a pointer suitable to be passed
// to free() is returned. We just free the input pointer and do not add // to free() is returned. We just free the input pointer and do not add
// any constrains on the output pointer. // any constrains on the output pointer.
if (ProgramStateRef stateFree = FreeMemAux( if (ProgramStateRef stateFree = FreeMemAux(
C, Call, StateSizeIsZero, 0, false, IsKnownToBeAllocated, Family)) C, Call, StateSizeIsZero, 0, false, IsKnownToBeAllocated, Family))
return stateFree; return {stateFree, Pred};
// Default behavior. // Default behavior.
if (ProgramStateRef stateFree = if (ProgramStateRef stateFree =
FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocated, Family)) { FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocated, Family)) {
ProgramStateRef stateRealloc = StateAndPred ReallocState =
MallocMemAux(C, Call, TotalSize, UnknownVal(), stateFree, Family); MallocMemAux(C, Call, TotalSize, UnknownVal(), stateFree, Pred, Family);
if (!stateRealloc) if (!ReallocState.State)
return nullptr; return ReallocState;
OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure; OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure;
if (ShouldFreeOnFail) if (ShouldFreeOnFail)
Kind = OAR_FreeOnFailure; Kind = OAR_FreeOnFailure;
else if (!IsKnownToBeAllocated) else if (!IsKnownToBeAllocated)
Kind = OAR_DoNotTrackAfterFailure; Kind = OAR_DoNotTrackAfterFailure;
// Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
SymbolRef FromPtr = arg0Val.getLocSymbolInBase(); SymbolRef FromPtr = arg0Val.getLocSymbolInBase();
SVal RetVal = C.getSVal(CE); SVal RetVal = C.getSVal(CE);
SymbolRef ToPtr = RetVal.getAsSymbol(); SymbolRef ToPtr = RetVal.getAsSymbol();
assert(FromPtr && ToPtr && assert(FromPtr && ToPtr &&
"By this point, FreeMemAux and MallocMemAux should have checked " "By this point, FreeMemAux and MallocMemAux should have checked "
"whether the argument or the return value is symbolic!"); "whether the argument or the return value is symbolic!");
// Record the info about the reallocated symbol so that we could properly // Record the info about the reallocated symbol so that we could properly
// process failed reallocation. // process failed reallocation.
stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, ReallocState.State = ReallocState.State->set<ReallocPairs>(
ReallocPair(FromPtr, Kind)); ToPtr, ReallocPair(FromPtr, Kind));
// The reallocated symbol should stay alive for as long as the new symbol. // The reallocated symbol should stay alive for as long as the new symbol.
C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
return stateRealloc; return ReallocState;
} }
return nullptr; return {nullptr, Pred};
} }
ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, StateAndPred MallocChecker::CallocMem(CheckerContext &C, const CallEvent &Call,
const CallEvent &Call, ProgramStateRef State,
ProgramStateRef State) { ExplodedNode *Pred) {
if (!State) if (!State)
return nullptr; return {nullptr, Pred};
if (Call.getNumArgs() < 2) if (Call.getNumArgs() < 2)
return nullptr; return {nullptr, Pred};
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
SVal TotalSize = SVal TotalSize =
evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1)); evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
return MallocMemAux(C, Call, TotalSize, zeroVal, State, AF_Malloc); return MallocMemAux(C, Call, TotalSize, zeroVal, State, Pred, AF_Malloc);
} }
MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N, MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N,
SymbolRef Sym, SymbolRef Sym,
CheckerContext &C) { CheckerContext &C) {
const LocationContext *LeakContext = N->getLocationContext(); const LocationContext *LeakContext = N->getLocationContext();
// Walk the ExplodedGraph backwards and find the first node that referred to // Walk the ExplodedGraph backwards and find the first node that referred to
// the tracked symbol. // the tracked symbol.
▲ Show 20 LinesShow All 936 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/BugReporter.cpp

Show First 20 LinesShow All 2,255 Lines▼ Show 20 Lines if (!sym)
return; return;
insertToInterestingnessMap(InterestingSymbols, sym, TKind); insertToInterestingnessMap(InterestingSymbols, sym, TKind);
// FIXME: No tests exist for this code and it is questionable: // FIXME: No tests exist for this code and it is questionable:
// How to handle multiple metadata for the same region? // How to handle multiple metadata for the same region?
if (const auto *meta = dyn_cast<SymbolMetadata>(sym)) if (const auto *meta = dyn_cast<SymbolMetadata>(sym))
markInteresting(meta->getRegion(), TKind); markInteresting(meta->getRegion(), TKind);
auto SubSyms = llvm::make_range(sym->symbol_begin(), sym->symbol_end());
for (SymbolRef SubSym : SubSyms) {
if (SymbolData::classof(SubSym))
insertToInterestingnessMap(InterestingSymbols, SubSym, TKind);
}
} }
void PathSensitiveBugReport::markNotInteresting(SymbolRef sym) { void PathSensitiveBugReport::markNotInteresting(SymbolRef sym) {
if (!sym) if (!sym)
return; return;
InterestingSymbols.erase(sym); InterestingSymbols.erase(sym);
// The metadata part of markInteresting is not reversed here. // The metadata part of markInteresting is not reversed here.
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Lines
} }
Optional<bugreporter::TrackingKind> Optional<bugreporter::TrackingKind>
PathSensitiveBugReport::getInterestingnessKind(SymbolRef sym) const { PathSensitiveBugReport::getInterestingnessKind(SymbolRef sym) const {
if (!sym) if (!sym)
return None; return None;
// We don't currently consider metadata symbols to be interesting // We don't currently consider metadata symbols to be interesting
// even if we know their region is interesting. Is that correct behavior? // even if we know their region is interesting. Is that correct behavior?
auto It = InterestingSymbols.find(sym); auto TryToLookupTrackingKind =
[this](SymbolRef Sym) -> Optional<bugreporter::TrackingKind> {
auto It = InterestingSymbols.find(Sym);
if (It == InterestingSymbols.end()) if (It == InterestingSymbols.end())
return None; return None;
return It->getSecond(); return It->getSecond();
};
if (auto MaybeTK = TryToLookupTrackingKind(sym))
return MaybeTK;
auto SubSyms = llvm::make_range(sym->symbol_begin(), sym->symbol_end());
for (SymbolRef SubSym : SubSyms) {
if (SymbolData::classof(SubSym)) {
steakhalUnsubmitted
Not Done
ReplyInline Actions
for (SymbolRef SubSym : SubSyms) {
- if (SymbolData::classof(SubSym)) {
+ if (isa<SymbolData>(SubSym)) {
if (auto MaybeTK = TryToLookupTrackingKind(SubSym))

I think this is the superior way of checking this.

steakhal: I think this is the superior way of checking this.
if (auto MaybeTK = TryToLookupTrackingKind(SubSym))
return MaybeTK;
}
}
return None;
} }
Optional<bugreporter::TrackingKind> Optional<bugreporter::TrackingKind>
PathSensitiveBugReport::getInterestingnessKind(const MemRegion *R) const { PathSensitiveBugReport::getInterestingnessKind(const MemRegion *R) const {
if (!R) if (!R)
return None; return None;
R = R->getBaseRegion(); R = R->getBaseRegion();
▲ Show 20 LinesShow All 997 LinesShow Last 20 Lines

clang/test/Analysis/analyzer-config.c

// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ConfigDumper > %t 2>&1 // RUN: %clang_analyze_cc1 -analyzer-checker=debug.ConfigDumper > %t 2>&1
// RUN: FileCheck --input-file=%t %s --match-full-lines // RUN: FileCheck --input-file=%t %s --match-full-lines
// CHECK: [config] // CHECK: [config]
// CHECK-NEXT: add-pop-up-notes = true // CHECK-NEXT: add-pop-up-notes = true
// CHECK-NEXT: aggressive-binary-operation-simplification = false // CHECK-NEXT: aggressive-binary-operation-simplification = false
// CHECK-NEXT: alpha.clone.CloneChecker:IgnoredFilesPattern = "" // CHECK-NEXT: alpha.clone.CloneChecker:IgnoredFilesPattern = ""
// CHECK-NEXT: alpha.clone.CloneChecker:MinimumCloneComplexity = 50 // CHECK-NEXT: alpha.clone.CloneChecker:MinimumCloneComplexity = 50
// CHECK-NEXT: alpha.clone.CloneChecker:ReportNormalClones = true // CHECK-NEXT: alpha.clone.CloneChecker:ReportNormalClones = true
// CHECK-NEXT: alpha.cplusplus.STLAlgorithmModeling:AggressiveStdFindModeling = false // CHECK-NEXT: alpha.cplusplus.STLAlgorithmModeling:AggressiveStdFindModeling = false
// CHECK-NEXT: alpha.osx.cocoa.DirectIvarAssignment:AnnotatedFunctions = false // CHECK-NEXT: alpha.osx.cocoa.DirectIvarAssignment:AnnotatedFunctions = false
// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtExec = 0x04 // CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtExec = 0x04
// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01 // CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01
// CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = "" // CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = ""
// CHECK-NEXT: alpha.unix.cstring.OutOfBounds:ConsiderTaint = false
// CHECK-NEXT: apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries = false // CHECK-NEXT: apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries = false
// CHECK-NEXT: apiModeling.StdCLibraryFunctions:ModelPOSIX = false // CHECK-NEXT: apiModeling.StdCLibraryFunctions:ModelPOSIX = false
// CHECK-NEXT: apply-fixits = false // CHECK-NEXT: apply-fixits = false
// CHECK-NEXT: assume-controlled-environment = false // CHECK-NEXT: assume-controlled-environment = false
// CHECK-NEXT: avoid-suppressing-null-argument-paths = false // CHECK-NEXT: avoid-suppressing-null-argument-paths = false
// CHECK-NEXT: c++-allocator-inlining = true // CHECK-NEXT: c++-allocator-inlining = true
// CHECK-NEXT: c++-container-inlining = false // CHECK-NEXT: c++-container-inlining = false
// CHECK-NEXT: c++-inlining = destructors // CHECK-NEXT: c++-inlining = destructors
▲ Show 20 LinesShow All 107 LinesShow Last 20 Lines

clang/test/Analysis/string.c

// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \ // RUN: %clang_analyze_cc1 %s -Wno-null-dereference \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=unix.Malloc \ // RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false // RUN: -analyzer-config alpha.unix.cstring.OutOfBounds:ConsiderTaint=true \
// RUN: -analyzer-config eagerly-assume=false \
// RUN: -verify=expected,tainted,OOB-consider-tainted
// //
// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference -DUSE_BUILTINS \ // RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference -DUSE_BUILTINS \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=unix.Malloc \ // RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false // RUN: -analyzer-config eagerly-assume=false
// //
// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference -DVARIANT \ // RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference -DVARIANT \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=unix.Malloc \ // RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false // RUN: -analyzer-config eagerly-assume=false
// //
// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \ // RUN: %clang_analyze_cc1 %s -Wno-null-dereference \
// RUN: -DUSE_BUILTINS -DVARIANT \ // RUN: -DUSE_BUILTINS -DVARIANT \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.security.taint \ // RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=unix.Malloc \ // RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false // RUN: -analyzer-config eagerly-assume=false \
// RUN: -verify=expected,tainted
// //
// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \ // RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \
// RUN: -DSUPPRESS_OUT_OF_BOUND \ // RUN: -DSUPPRESS_OUT_OF_BOUND \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=unix.Malloc \ // RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-checker=alpha.unix.cstring.BufferOverlap \ // RUN: -analyzer-checker=alpha.unix.cstring.BufferOverlap \
// RUN: -analyzer-checker=alpha.unix.cstring.NotNullTerminated \ // RUN: -analyzer-checker=alpha.unix.cstring.NotNullTerminated \
▲ Show 20 LinesShow All 434 Lines▼ Show 20 Lines
void strcat_overflow_2(char *y) { void strcat_overflow_2(char *y) {
char x[4] = "12"; char x[4] = "12";
if (strlen(y) == 2) if (strlen(y) == 2)
strcat(x, y); // expected-warning{{String concatenation function overflows the destination buffer}} strcat(x, y); // expected-warning{{String concatenation function overflows the destination buffer}}
} }
#endif #endif
void strcat_overflow_tainted_dst_extent(char *y) {
int n;
scanf("%d", &n);
char *p = malloc(n); // tainted-warning {{Untrusted data is used to specify the buffer size}}
p[0] = '\0';
if (strlen(y) == 3)
strcat(p, y); // OOB-consider-tainted-warning {{String concatenation function might overflows the destination buffer}}
free(p);
}
void strcat_overflow_tainted_src_content(char *y) {
char x[4] = "12";
scanf("%s100", y); // Assuming that y is at least 100 bytes long.
strcat(x, y); // FIXME: The extent is not tainted, but we should still emit a warning here.
}
void strcat_no_overflow(char *y) { void strcat_no_overflow(char *y) {
char x[5] = "12"; char x[5] = "12";
if (strlen(y) == 2) if (strlen(y) == 2)
strcat(x, y); // no-warning strcat(x, y); // no-warning
} }
void strcat_symbolic_dst_length(char *dst) { void strcat_symbolic_dst_length(char *dst) {
strcat(dst, "1234"); strcat(dst, "1234");
▲ Show 20 LinesShow All 1,163 LinesShow Last 20 Lines

clang/test/Analysis/taint-diagnostic-visitor.c

// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s // RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,unix.Malloc,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
// This file is for testing enhanced diagnostics produced by the GenericTaintChecker // This file is for testing enhanced diagnostics produced by the GenericTaintChecker
int scanf(const char *restrict format, ...); int scanf(const char *restrict format, ...);
int system(const char *command); int system(const char *command);
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t size);
void free(void *ptr);
void taintDiagnostic(void) void taintDiagnostic(void)
{ {
char buf[128]; char buf[128];
scanf("%s", buf); // expected-note {{Taint originated here}} scanf("%s", buf); // expected-note {{Propagated taint to the 2nd parameter}}
system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}} system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
} }
int taintDiagnosticOutOfBound(void) { int taintDiagnosticOutOfBound(void) {
int index; int index;
int Array[] = {1, 2, 3, 4, 5}; int Array[] = {1, 2, 3, 4, 5};
scanf("%d", &index); // expected-note {{Taint originated here}} scanf("%d", &index); // expected-note {{Taint originated here}} expected-note {{Propagated taint to the 2nd parameter}}
return Array[index]; // expected-warning {{Out of bound memory access (index is tainted)}} return Array[index]; // expected-warning {{Out of bound memory access (index is tainted)}}
// expected-note@-1 {{Out of bound memory access (index is tainted)}} // expected-note@-1 {{Out of bound memory access (index is tainted)}}
} }
int taintDiagnosticDivZero(int operand) { int taintDiagnosticDivZero(int operand) {
scanf("%d", &operand); // expected-note {{Value assigned to 'operand'}} scanf("%d", &operand); // expected-note {{Value assigned to 'operand'}}
// expected-note@-1 {{Taint originated here}} // expected-note@-1 {{Taint originated here}} expected-note@-1 {{Propagated taint to the 2nd parameter}}
return 10 / operand; // expected-warning {{Division by a tainted value, possibly zero}} return 10 / operand; // expected-warning {{Division by a tainted value, possibly zero}}
// expected-note@-1 {{Division by a tainted value, possibly zero}} // expected-note@-1 {{Division by a tainted value, possibly zero}}
} }
void taintDiagnosticVLA(void) { void taintDiagnosticVLA(void) {
int x; int x;
scanf("%d", &x); // expected-note {{Value assigned to 'x'}} scanf("%d", &x); // expected-note {{Value assigned to 'x'}}
// expected-note@-1 {{Taint originated here}} // expected-note@-1 {{Taint originated here}} expected-note@-1 {{Propagated taint to the 2nd parameter}}
steakhalUnsubmitted
Not Done
ReplyInline Actions

If we emit a specific note-tag, we definitely shouldn't emit a Taint originated here note.

I think in my original patch stack I did actually remove the archaic visitor producing this since the propagation note tags completely supersedes that approach.

steakhal: If we emit a specific note-tag, we definitely shouldn't emit a `Taint originated here` note. I…
int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}} int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}}
// expected-note@-1 {{Declared variable-length array (VLA) has tainted size}} // expected-note@-1 {{Declared variable-length array (VLA) has tainted size}}
} }
void taintDiagnosticMalloc(int conj) {
int x;
scanf("%d", &x); // expected-note {{Taint originated here}}
// expected-note@-1 2 {{Propagated taint to the 2nd parameter}} Once for malloc(tainted), once for BoundsV2.
int *p = (int *)malloc(x + conj); // Generic taint checker forbids tainted allocation.
// expected-warning@-1 {{Untrusted data is used to specify the buffer size}}
// expected-note@-2 {{Untrusted data is used to specify the buffer size}}
// expected-note@-3 {{Allocating tainted amount of memory}}
p[1] = 1; // BoundsV2 checker can not prove that the access is safe.
// expected-warning@-1 {{Out of bound memory access (index is tainted)}}
// expected-note@-2 {{Out of bound memory access (index is tainted)}}
free(p);
}