This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
ArrayBoundCheckerV2.cpp
-
test/Analysis/
-
Analysis/
-
taint-generic.c

Differential D149460

[analyzer] ArrayBoundCheckerV2: suppress false positives from ctype macros
ClosedPublic

Authored by donat.nagy on Apr 28 2023, 9:39 AM.

Download Raw Diff

Details

Reviewers

gamesh411
Szelethus
steakhal
dkrupp
NoQ

Commits

rG8c22cbea87be: [analyzer] ArrayBoundCheckerV2: suppress false positives from ctype macros

Summary

The checker alpha.security.ArrayBoundV2 created bug reports in situations when the (tainted) result of fgetc() or getchar() was passed to one of the isXXXXX() macros from ctype.h. This is a common input handling pattern (within the limited toolbox of the C language) and several open source projects contained code where it led to false positive reports; so this commit suppresses ArrayBoundV2 reports generated within the isXXXXX() macros. (Note that here even true positive reports would be difficult to understand, as they'd refer to the implementation details of these macros.)

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

donat.nagy created this revision.Apr 28 2023, 9:39 AM

Herald added a reviewer: NoQ. · View Herald TranscriptApr 28 2023, 9:39 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: manas, ASDenysPetrov, martong and 6 others. · View Herald Transcript

donat.nagy requested review of this revision.Apr 28 2023, 9:39 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 28 2023, 9:39 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Harbormaster completed remote builds in B228855: Diff 517957.Apr 28 2023, 12:34 PM

LGTM.

This revision is now accepted and ready to land.May 3 2023, 7:18 AM

donat.nagy mentioned this in D149259: [analyzer][NFC] Use std::optional instead of custom "empty" state.May 3 2023, 7:34 AM

Closed by commit rG8c22cbea87be: [analyzer] ArrayBoundCheckerV2: suppress false positives from ctype macros (authored by donat.nagy). · Explain WhyMay 3 2023, 9:55 AM

This revision was automatically updated to reflect the committed changes.

donat.nagy added a commit: rG8c22cbea87be: [analyzer] ArrayBoundCheckerV2: suppress false positives from ctype macros.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

ArrayBoundCheckerV2.cpp

32 lines

test/

Analysis/

taint-generic.c

22 lines

Diff 519138

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

Show All 36 Lines	class ArrayBoundCheckerV2 :

enum OOB_Kind { OOB_Precedes, OOB_Excedes };		enum OOB_Kind { OOB_Precedes, OOB_Excedes };

void reportOOB(CheckerContext &C, ProgramStateRef errorState,		void reportOOB(CheckerContext &C, ProgramStateRef errorState,
OOB_Kind kind) const;		OOB_Kind kind) const;
void reportTaintOOB(CheckerContext &C, ProgramStateRef errorState,		void reportTaintOOB(CheckerContext &C, ProgramStateRef errorState,
SVal TaintedSVal) const;		SVal TaintedSVal) const;

		static bool isFromCtypeMacro(const Stmt *S, ASTContext &AC);

public:		public:
void checkLocation(SVal l, bool isLoad, const Stmt*S,		void checkLocation(SVal l, bool isLoad, const Stmt *S,
CheckerContext &C) const;		CheckerContext &C) const;
};		};

// FIXME: Eventually replace RegionRawOffset with this class.		// FIXME: Eventually replace RegionRawOffset with this class.
class RegionRawOffsetV2 {		class RegionRawOffsetV2 {
private:		private:
const SubRegion *baseRegion;		const SubRegion *baseRegion;
SVal byteOffset;		SVal byteOffset;
▲ Show 20 Lines • Show All 95 Lines • ▼ Show 20 Lines	void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad,
// some new logic here that reasons directly about memory region extents.		// some new logic here that reasons directly about memory region extents.
// Once that logic is more mature, we can bring it back to assumeInBound()		// Once that logic is more mature, we can bring it back to assumeInBound()
// for all clients to use.		// for all clients to use.
//		//
// The algorithm we are using here for bounds checking is to see if the		// The algorithm we are using here for bounds checking is to see if the
// memory access is within the extent of the base region. Since we		// memory access is within the extent of the base region. Since we
// have some flexibility in defining the base region, we can achieve		// have some flexibility in defining the base region, we can achieve
// various levels of conservatism in our buffer overflow checking.		// various levels of conservatism in our buffer overflow checking.

		// The header ctype.h (from e.g. glibc) implements the isXXXXX() macros as
		// #define isXXXXX(arg) (LOOKUP_TABLE[arg] & BITMASK_FOR_XXXXX)
		// and incomplete analysis of these leads to false positives. As even
		// accurate reports would be confusing for the users, just disable reports
		// from these macros:
		if (isFromCtypeMacro(LoadS, checkerContext.getASTContext()))
		return;

ProgramStateRef state = checkerContext.getState();		ProgramStateRef state = checkerContext.getState();

SValBuilder &svalBuilder = checkerContext.getSValBuilder();		SValBuilder &svalBuilder = checkerContext.getSValBuilder();
const RegionRawOffsetV2 &rawOffset =		const RegionRawOffsetV2 &rawOffset =
RegionRawOffsetV2::computeOffset(state, svalBuilder, location);		RegionRawOffsetV2::computeOffset(state, svalBuilder, location);

if (!rawOffset.getRegion())		if (!rawOffset.getRegion())
return;		return;
▲ Show 20 Lines • Show All 96 Lines • ▼ Show 20 Lines	void ArrayBoundCheckerV2::reportOOB(CheckerContext &checkerContext,
case OOB_Excedes:		case OOB_Excedes:
os << "(access exceeds upper limit of memory block)";		os << "(access exceeds upper limit of memory block)";
break;		break;
}		}
auto BR = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), errorNode);		auto BR = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), errorNode);
checkerContext.emitReport(std::move(BR));		checkerContext.emitReport(std::move(BR));
}		}

		bool ArrayBoundCheckerV2::isFromCtypeMacro(const Stmt *S, ASTContext &ACtx) {
		SourceLocation Loc = S->getBeginLoc();
		if (!Loc.isMacroID())
		return false;

		StringRef MacroName = Lexer::getImmediateMacroName(
		Loc, ACtx.getSourceManager(), ACtx.getLangOpts());

		if (MacroName.size() < 7 \|\| MacroName[0] != 'i' \|\| MacroName[1] != 's')
		return false;

		return ((MacroName == "isalnum") \|\| (MacroName == "isalpha") \|\|
		(MacroName == "isblank") \|\| (MacroName == "isdigit") \|\|
		(MacroName == "isgraph") \|\| (MacroName == "islower") \|\|
		(MacroName == "isnctrl") \|\| (MacroName == "isprint") \|\|
		(MacroName == "ispunct") \|\| (MacroName == "isspace") \|\|
		(MacroName == "isupper") \|\| (MacroName == "isxdigit"));
		}

#ifndef NDEBUG		#ifndef NDEBUG
LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const {		LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const {
dumpToStream(llvm::errs());		dumpToStream(llvm::errs());
}		}

void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const {		void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const {
os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}';		os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}';
}		}
▲ Show 20 Lines • Show All 89 Lines • Show Last 20 Lines

clang/test/Analysis/taint-generic.c

Show First 20 Lines • Show All 150 Lines • ▼ Show 20 Lines	void scanfArg(void) {
scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}		scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
}		}

void bufferGetchar(int x) {		void bufferGetchar(int x) {
int m = getchar();		int m = getchar();
Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}		Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
}		}

		extern const unsigned short int **__ctype_b_loc (void);
		enum { _ISdigit = 2048 };
		# define isdigit(c) ((*__ctype_b_loc ())[(int) (c)] & (unsigned short int) _ISdigit)

		int isdigitImplFalsePositive(void) {
		// If this code no longer produces a bug report, then consider removing the
		// special case that disables buffer overflow reports coming from the isXXXXX
		// macros in ctypes.h.
		int c = getchar();
		return ((*__ctype_b_loc ())[(int) (c)] & (unsigned short int) _ISdigit);
		//expected-warning@-1 {{Out of bound memory access (index is tainted)}}
		}

		int isdigitSuppressed(void) {
		// Same code as above, but reports are suppressed based on macro name:
		int c = getchar();
		return isdigit(c); //no-warning
		}

		// Some later tests use isdigit as a function, so we need to undef it:
		#undef isdigit

void testUncontrolledFormatString(char **p) {		void testUncontrolledFormatString(char **p) {
char s[80];		char s[80];
fscanf(stdin, "%s", s);		fscanf(stdin, "%s", s);
char buf[128];		char buf[128];
sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}		sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}		setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}

// Test taint propagation through strcpy and family.		// Test taint propagation through strcpy and family.
▲ Show 20 Lines • Show All 887 Lines • Show Last 20 Lines