This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
SVals.cpp
-
test/Analysis/
-
Analysis/
-
taint-generic.c

Differential D155847

[analyzer] Fix crash in GenericTaintChecker when propagatig taint to AllocaRegion
ClosedPublic

Authored by tomasz-kaminski-sonarsource on Jul 20 2023, 7:59 AM.

Download Raw Diff

Details

Reviewers

NoQ
steakhal
xazax.hun

Commits

rG438fc2c83b73: [analyzer] Fix crash in GenericTaintChecker when propagatig taint to…

Summary

The GenericTaintChecker checker was crashing, when the taint
was propagated to AllocaRegion region in following code:

int x;
void* p = alloca(10);
mempcy(p, &x, sizeof(x));

This crash was caused by the fact that determining type of
AllocaRegion returns a null QualType.

This patch makes AllocaRegion expose its type as void,
making them consistent with results of malloc or new
that produce SymRegion with void* symbol.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

tomasz-kaminski-sonarsource created this revision.Jul 20 2023, 7:59 AM

Herald added a reviewer: NoQ. · View Herald TranscriptJul 20 2023, 7:59 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: steakhal, manas, ASDenysPetrov and 9 others. · View Herald Transcript

tomasz-kaminski-sonarsource requested review of this revision.Jul 20 2023, 7:59 AM

Herald added a project: Restricted Project. · View Herald TranscriptJul 20 2023, 7:59 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

I belive this fix to be the correct approach, as it reduces the number of edge cases to deal with.
We are using it on internal fork for over a year now, and haven't found any negative impact.

tomasz-kaminski-sonarsource edited the summary of this revision. (Show Details)Jul 20 2023, 8:03 AM

Makes sense to me. Please, someone else also have a look.

This revision is now accepted and ready to land.Jul 20 2023, 9:10 AM

LGTM!

This revision was landed with ongoing or failed builds.Jul 24 2023, 1:57 AM

Closed by commit rG438fc2c83b73: [analyzer] Fix crash in GenericTaintChecker when propagatig taint to… (authored by tomasz-kaminski-sonarsource). · Explain Why

This revision was automatically updated to reflect the committed changes.

tomasz-kaminski-sonarsource added a commit: rG438fc2c83b73: [analyzer] Fix crash in GenericTaintChecker when propagatig taint to….

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

SVals.cpp

3 lines

test/

Analysis/

taint-generic.c

19 lines

Diff 543421

clang/lib/StaticAnalyzer/Core/SVals.cpp

Show First 20 Lines • Show All 168 Lines • ▼ Show 20 Lines	QualType VisitNonLocLazyCompoundVal(nonloc::LazyCompoundVal LCV) {
return LCV.getRegion()->getValueType();		return LCV.getRegion()->getValueType();
}		}
QualType VisitNonLocSymbolVal(nonloc::SymbolVal SV) {		QualType VisitNonLocSymbolVal(nonloc::SymbolVal SV) {
return Visit(SV.getSymbol());		return Visit(SV.getSymbol());
}		}
QualType VisitSymbolicRegion(const SymbolicRegion *SR) {		QualType VisitSymbolicRegion(const SymbolicRegion *SR) {
return Visit(SR->getSymbol());		return Visit(SR->getSymbol());
}		}
		QualType VisitAllocaRegion(const AllocaRegion *) {
		return QualType{Context.VoidPtrTy};
		}
QualType VisitTypedRegion(const TypedRegion *TR) {		QualType VisitTypedRegion(const TypedRegion *TR) {
return TR->getLocationType();		return TR->getLocationType();
}		}
QualType VisitSymExpr(const SymExpr *SE) { return SE->getType(); }		QualType VisitSymExpr(const SymExpr *SE) { return SE->getType(); }
};		};
} // end anonymous namespace		} // end anonymous namespace

QualType SVal::getType(const ASTContext &Context) const {		QualType SVal::getType(const ASTContext &Context) const {
▲ Show 20 Lines • Show All 193 Lines • Show Last 20 Lines

clang/test/Analysis/taint-generic.c

	Show First 20 Lines • Show All 353 Lines • ▼ Show 20 Lines

	// Zero-sized VLAs.			// Zero-sized VLAs.
	void testTaintedVLASize(void) {			void testTaintedVLASize(void) {
	int x;			int x;
	scanf("%d", &x);			scanf("%d", &x);
	int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}			int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
	}			}

				int testTaintedAllocaMem() {
				char x;
				void * p;
				scanf("%c", &x);
				p = __builtin_alloca(1);
				__builtin_memcpy(p, &x, 1);
				return 5 / (char)p; // expected-warning {{Division by a tainted value, possibly zero}}
				}

				int testTaintedMallocMem() {
				char x;
				void * p;
				scanf("%c", &x);
				p = malloc(1);
				__builtin_memcpy(p, &x, 1);
				return 5 / (char)p; // expected-warning {{Division by a tainted value, possibly zero}}
				}


	// This computation used to take a very long time.			// This computation used to take a very long time.
	#define longcmp(a,b,c) { \			#define longcmp(a,b,c) { \
	a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) \| (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \			a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) \| (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
	a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }			a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }

	unsigned radar11369570_hanging(const unsigned char *arr, int l) {			unsigned radar11369570_hanging(const unsigned char *arr, int l) {
	unsigned a, b, c;			unsigned a, b, c;
	a = b = c = 0x9899e3 + l;			a = b = c = 0x9899e3 + l;
	▲ Show 20 Lines • Show All 720 Lines • Show Last 20 Lines