
[WIP][analyzer] Taint Notes enhancements
Needs Review · Public

Authored by gamesh411 on May 9 2022, 5:59 AM.

Details

Summary

[BugReporter] Transitive interestingness

[Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker

[BoundV2] ArrayBoundV2 checks if the extent is tainted

[BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory

[CString] Add ConsiderTaint checker option for CStringChecker

[CString] Consider tainted out-of-bound accesses

[TaintProp] Place NoteTags when propagating taint

Event Timeline

gamesh411 created this revision. May 9 2022, 5:59 AM
Herald added a project: Restricted Project.
gamesh411 requested review of this revision. May 9 2022, 6:00 AM
Herald added a project: Restricted Project. May 9 2022, 6:00 AM
Herald added a subscriber: cfe-commits.
gamesh411 updated this revision to Diff 428070. May 9 2022, 6:50 AM
  • [BoolAssign] Add taint to the BoolAssignmentChecker
  • [BugReporter] Transitive interestingness
  • [Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker
  • [BoundV2] ArrayBoundV2 checks if the extent is tainted
  • [BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory
  • [CString] Add ConsiderTaint checker option for CStringChecker
  • [CString] Consider tainted out-of-bound accesses
  • [Stdlib] Add taint to the StdLibraryFunctionsChecker
  • [Malloc] Implement the rsize_t like heuristic

@steakhal
This is WIP as there is still a stdlib function that does not pass the test, and I would like to add more complex taint propagation test cases as well.
Could you please glance over these commits:
[Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker
[BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory
[Stdlib] Add taint to the StdLibraryFunctionsChecker
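The source-to-sink flow that the [BoundV2][Malloc] and [CString] commits in the list above annotate with NoteTags (an untrusted value reaching a malloc extent, a memcpy length, or an array index), shown as an added, constructed example. It is not code from this patch or from the LLVM test suite; the checker names in the comment are assumed to be the ones current in 2022, and the unsafe and hardened variants sit side by side so the bound checks that discharge the tainted-size reports are visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not from the patch. Assumed analyzer invocation
 * (checker names as of 2022):
 *   clang --analyze -Xclang -analyzer-checker=core,unix,alpha.security.taint,alpha.security.ArrayBoundV2 taint_demo.c
 */

#define MAX_RECORD 256

/* Unsafe: the untrusted length reaches malloc as its extent and memcpy as its
 * size with no bound; taint propagates through atoi, so the extent and the
 * copy length are both tainted. */
static char *copy_record_unchecked(const char *untrusted_len, const char *payload)
{
    size_t len = (size_t)atoi(untrusted_len);  /* tainted value */
    char *buf = malloc(len);                   /* tainted extent */
    if (buf == NULL)
        return NULL;
    memcpy(buf, payload, len);                 /* tainted size, may overrun payload */
    return buf;
}

/* Hardened: parse strictly, bound the value, and never read past payload.
 * The comparisons against MAX_RECORD and strlen(payload) are the constraints
 * under which the tainted size is no longer unbounded. */
static char *copy_record_checked(const char *untrusted_len, const char *payload)
{
    char *end = NULL;
    long parsed = strtol(untrusted_len, &end, 10);
    if (end == untrusted_len || *end != '\0')
        return NULL;                           /* not an integer */
    if (parsed <= 0 || parsed > MAX_RECORD)
        return NULL;                           /* bound the tainted value */
    size_t len = (size_t)parsed;
    if (strlen(payload) < len)
        return NULL;                           /* would read past payload */
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, payload, len);
    buf[len] = '\0';
    return buf;
}

/* Unsafe: a tainted index used directly, the ArrayBoundV2 case. */
static int lookup_unchecked(const int *table, const char *untrusted_idx)
{
    int i = atoi(untrusted_idx);               /* tainted index */
    return table[i];                           /* possible out-of-bounds read */
}

/* Hardened: reject anything outside [0, n). Returns 0 on success and -1 on a
 * rejected index, leaving *out untouched. */
static int lookup_checked(const int *table, size_t n, const char *untrusted_idx, int *out)
{
    char *end = NULL;
    long i = strtol(untrusted_idx, &end, 10);
    if (end == untrusted_idx || *end != '\0')
        return -1;
    if (i < 0 || (size_t)i >= n)
        return -1;
    *out = table[i];
    return 0;
}

int main(void)
{
    /* fgets is a taint source for the analyzer, so both buffers are tainted. */
    char len_buf[16], idx_buf[16];
    int table[4] = {10, 20, 30, 40};
    if (fgets(len_buf, sizeof len_buf, stdin) == NULL ||
        fgets(idx_buf, sizeof idx_buf, stdin) == NULL)
        return 1;
    len_buf[strcspn(len_buf, "\n")] = '\0';
    idx_buf[strcspn(idx_buf, "\n")] = '\0';

    char *rec = copy_record_checked(len_buf, "constructed payload");
    int value = 0;
    if (rec != NULL && lookup_checked(table, 4, idx_buf, &value) == 0)
        printf("%s %d\n", rec, value);
    free(rec);
    return 0;
}
```

Running the analyzer over the unchecked functions is where the propagation notes matter: the report on the malloc extent or the table index is only useful if its path walks back through atoi to the fgets call, which is exactly what the NoteTags in this patch are meant to add.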

steakhal added inline comments. May 9 2022, 7:13 AM
clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2363

I think this is the superior way of checking this.

clang/test/Analysis/taint-diagnostic-visitor.c:36

If we emit a specific note-tag, we definitely shouldn't emit a "Taint originated here" note.

I think in my original patch stack I did actually remove the archaic visitor producing this, since the propagation note tags completely supersede that approach.

I've checked the StdLibraryFunctionsChecker related changes and they are promising.

clang/test/Analysis/std-c-library-functions-taint.c:88 (on Diff #428070)

typo

clang/test/Analysis/std-c-library-functions-taint.c:95–113 (on Diff #428070)

I am missing a call to a standard library function which has a NotNullConstraint attached.