This is an archive of the discontinued LLVM Phabricator instance.

Differential D41384

[analyzer] Suppress false positive warnings form security.insecureAPI.strcpy
ClosedPublic

Authored by leanil on Dec 19 2017, 3:00 AM.

Details

Reviewers
dcoughlin
xazax.hun
NoQ
george.karpenkov
Commits
rG1ebd1c4f9d99: [analyzer] Don't flag strcpy of string literals into sufficiently large buffers.
rC322410: [analyzer] Don't flag strcpy of string literals into sufficiently large buffers.
rL322410: [analyzer] Don't flag strcpy of string literals into sufficiently large buffers.
Summary

It is safe to copy a string literal to an array which is compile time known to be large enough.
This reduces the number of false positives, while (hopefully) not introducing any false negatives.

Diff Detail

Event Timeline

leanil created this revision.Dec 19 2017, 3:00 AM
Herald added subscribers: a.sidorin, rnkovacs, szepet. · View Herald TranscriptDec 19 2017, 3:00 AM
xazax.hun added reviewers: NoQ, george.karpenkov.Dec 20 2017, 5:39 AM

In the tests there are multiple variants of the strcpy function guarded by macros. Maybe we should run the tests multiple times to test all variants with different defines?

leanil updated this revision to Diff 127739.Dec 20 2017, 8:47 AM

Move negative test next to the positive ones, because the necessary macros and run-lines are already defined there.

NoQ added a comment.Jan 3 2018, 3:18 PM

This patch makes a totally valid point :)

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
513

You might want to use a wider integer type because 64-bit arrays may have 2³¹ or more elements (not sure about string literals).

leanil updated this revision to Diff 129465.Jan 11 2018, 9:48 AM

Change result types to match the query return types.

leanil marked an inline comment as done.Jan 11 2018, 9:49 AM
george.karpenkov added inline comments.Jan 11 2018, 11:37 AM
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
522

Nesting this if- inside the previous one would simplify the outer scope and let you assign to ArraySize at declaration size.

526

Why not put this if-expression into the one above where StrLen is found?
That would eliminate StrLenFound and remove the potential error surface of uninitialized read from StrLen (the declaration for which should probably be inside this block as well)

test/Analysis/security-syntax-checks.m
151

I think it would make sense to add another test case where the warning is expected, even though string length and array size are known at compile time.

leanil updated this revision to Diff 129508.Jan 11 2018, 1:33 PM

Nest condition checking. Add positive test.

leanil marked 3 inline comments as done.Jan 11 2018, 1:37 PM
leanil added inline comments.
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
526

Good point. This makes StrLen itself redundant as well.

NoQ accepted this revision.Jan 11 2018, 1:47 PM
NoQ added inline comments.
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
517

This can be simplified to const auto *Array = DeclRef->getType()->getAs<ConstantArrayType>().
.getTypePtr() is almost always redundant because of the fancy operator->() on QualType.

518

Hmm, actually, ArraySize is the number of elements in the array, not its byte size, so you may want (if you like) to also suppress the warning when the array is not a char array (even if it's a weird code anyway) by instead taking ASTContext.getTypeSize() here instead.

Also i guess it's nice to use uint64_t because that's the return type of .getLimitedValue() and that's what we usually use all over the place when we have to deal with those values.

This revision is now accepted and ready to land.Jan 11 2018, 1:47 PM
NoQ added a comment.Jan 11 2018, 1:48 PM

Do you have commit access or should someone else commit it for you?

leanil updated this revision to Diff 129676.Jan 12 2018, 11:58 AM
leanil marked an inline comment as done.

Measure array size in bytes instead of elements.

leanil marked 2 inline comments as done.Jan 12 2018, 12:03 PM
In D41384#973851, @NoQ wrote:

Do you have commit access or should someone else commit it for you?

I don't have, please commit it.

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
517

Using getAs yielded:

error: static assertion failed: ArrayType cannot be used with getAs!

NoQ added inline comments.Jan 12 2018, 12:08 PM
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
517

Whoops, yeah, right, array types are the rare exception. It should be ASTContext.getAsConstantArrayType(), see the docs for getAsArrayType() for some explanation of why it was made this way. I guess we don't really care about these aspects, so your code is fine :)

Closed by commit rL322410: [analyzer] Don't flag strcpy of string literals into sufficiently large buffers. (authored by NoQ). · Explain WhyJan 12 2018, 2:13 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptJan 12 2018, 2:13 PM
dcoughlin added inline comments.Jan 21 2018, 2:19 PM
cfe/trunk/lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
517 ↗(On Diff #129706)

Rather than dividing by '8', I suggest using ASTContext's getTypeSizeInChars(). This will make sure we handle those annoying platforms that don't have 8-bit chars.

leanil updated this revision to Diff 135795.Feb 24 2018, 6:38 AM
leanil marked an inline comment as done.

Use getTypeSizeInChars to get array size.

leanil mentioned this in D43928: [analyzer] Correctly measure array size in security.insecureAPI.strcpy.Mar 1 2018, 12:19 AM

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
12 lines
test/
Analysis/
5 lines

Diff 127739

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp

Show First 20 LinesShow All 504 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void WalkAST::checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD) { void WalkAST::checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD) {
if (!filter.check_strcpy) if (!filter.check_strcpy)
return; return;
if (!checkCall_strCommon(CE, FD)) if (!checkCall_strCommon(CE, FD))
return; return;
int ArraySize = -1, StrLen = -1;
NoQUnsubmitted
Done
ReplyInline Actions

You might want to use a wider integer type because 64-bit arrays may have 2³¹ or more elements (not sure about string literals).

NoQ: You might want to use a wider integer type because 64-bit arrays may have 2³¹ or more elements…
const auto *Target = CE->getArg(0)->IgnoreImpCasts(),
*Source = CE->getArg(1)->IgnoreImpCasts();
if (const auto *DeclRef = dyn_cast<DeclRefExpr>(Target))
if (const auto *Array = dyn_cast<ConstantArrayType>(
NoQUnsubmitted
Done
ReplyInline Actions

This can be simplified to const auto *Array = DeclRef->getType()->getAs<ConstantArrayType>().
.getTypePtr() is almost always redundant because of the fancy operator->() on QualType.

NoQ: This can be simplified to `const auto *Array = DeclRef->getType()->getAs<ConstantArrayType>()`.
leanilAuthorUnsubmitted
Not Done
ReplyInline Actions

Using getAs yielded:

error: static assertion failed: ArrayType cannot be used with getAs!

leanil: Using `getAs` yielded: > error: static assertion failed: ArrayType cannot be used with getAs!
NoQUnsubmitted
Not Done
ReplyInline Actions

Whoops, yeah, right, array types are the rare exception. It should be ASTContext.getAsConstantArrayType(), see the docs for getAsArrayType() for some explanation of why it was made this way. I guess we don't really care about these aspects, so your code is fine :)

NoQ: Whoops, yeah, right, array types are the rare exception. It should be `ASTContext.
DeclRef->getDecl()->getType().getTypePtr()))
NoQUnsubmitted
Done
ReplyInline Actions

Hmm, actually, ArraySize is the number of elements in the array, not its byte size, so you may want (if you like) to also suppress the warning when the array is not a char array (even if it's a weird code anyway) by instead taking ASTContext.getTypeSize() here instead.

Also i guess it's nice to use uint64_t because that's the return type of .getLimitedValue() and that's what we usually use all over the place when we have to deal with those values.

NoQ: Hmm, actually, `ArraySize` is the number of elements in the array, not its byte size, so you…
ArraySize = Array->getSize().getLimitedValue();
if (const auto *String = dyn_cast<StringLiteral>(Source))
StrLen = String->getLength();
if (StrLen != -1 && ArraySize >= StrLen + 1)
george.karpenkovUnsubmitted
Done
ReplyInline Actions

Nesting this if- inside the previous one would simplify the outer scope and let you assign to ArraySize at declaration size.

george.karpenkov: Nesting this if- inside the previous one would simplify the outer scope and let you assign to…
return;
// Issue a warning. // Issue a warning.
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
george.karpenkovUnsubmitted
Done
ReplyInline Actions

Why not put this if-expression into the one above where StrLen is found?
That would eliminate StrLenFound and remove the potential error surface of uninitialized read from StrLen (the declaration for which should probably be inside this block as well)

george.karpenkov: Why not put this if-expression into the one above where `StrLen` is found? That would eliminate…
leanilAuthorUnsubmitted
Not Done
ReplyInline Actions

Good point. This makes StrLen itself redundant as well.

leanil: Good point. This makes `StrLen` itself redundant as well.
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy, BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy,
"Potential insecure memory buffer bounds restriction in " "Potential insecure memory buffer bounds restriction in "
"call 'strcpy'", "call 'strcpy'",
"Security", "Security",
"Call to function 'strcpy' is insecure as it does not " "Call to function 'strcpy' is insecure as it does not "
"provide bounding of the memory buffer. Replace " "provide bounding of the memory buffer. Replace "
"unbounded copy functions with analogous functions that " "unbounded copy functions with analogous functions that "
▲ Show 20 LinesShow All 255 LinesShow Last 20 Lines

test/Analysis/security-syntax-checks.m

Show First 20 LinesShow All 140 Lines▼ Show 20 Lines
void test_strcpy() { void test_strcpy() {
char x[4]; char x[4];
char *y; char *y;
strcpy(x, y); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}} strcpy(x, y); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}}
} }
void test_strcpy_safe() {
char x[5];
strcpy(x, "abcd");
george.karpenkovUnsubmitted
Done
ReplyInline Actions

I think it would make sense to add another test case where the warning is expected, even though string length and array size are known at compile time.

george.karpenkov: I think it would make sense to add another test case where the warning is expected, even though…
}
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
// strcat() // strcat()
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
#ifdef VARIANT #ifdef VARIANT
#define __strcat_chk BUILTIN(__strcat_chk) #define __strcat_chk BUILTIN(__strcat_chk)
char *__strcat_chk(char *restrict s1, const char *restrict s2, size_t destlen); char *__strcat_chk(char *restrict s1, const char *restrict s2, size_t destlen);
▲ Show 20 LinesShow All 48 LinesShow Last 20 Lines