This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/clang/StaticAnalyzer/Core/BugReporter/
-
clang/
-
StaticAnalyzer/
-
Core/
-
BugReporter/
-
BugReporterVisitors.h
-
lib/StaticAnalyzer/
-
StaticAnalyzer/
-
Checkers/
-
GenericTaintChecker.cpp
-
Core/
-
BugReporterVisitors.cpp

Differential D45682

[analyzer] Move `TaintBugVisitor` from `GenericTaintChecker.cpp` to `BugReporterVisitors.h`.
ClosedPublic

Authored by MTC on Apr 16 2018, 5:15 AM.

Download Raw Diff

Details

Reviewers

NoQ
george.karpenkov
xazax.hun

Commits

rG29204c2dfa58: [analyzer] Move `TaintBugVisitor` from `GenericTaintChecker.cpp` to…
rL330596: [analyzer] Move `TaintBugVisitor` from `GenericTaintChecker.cpp` to…
rC330596: [analyzer] Move `TaintBugVisitor` from `GenericTaintChecker.cpp` to…

Summary

TaintBugVisitor is a universal visitor, and many checkers rely on it, such as ArrayBoundCheckerV2.cpp, DivZeroChecker.cpp and VLASizeChecker.cpp. Moving TaintBugVisitor to BugReporterVisitors.h enables other checker can also track where tainted value came from.

Diff Detail

Repository: rC Clang

Event Timeline

MTC created this revision.Apr 16 2018, 5:15 AM

Herald added subscribers: cfe-commits, a.sidorin, rnkovacs, szepet. · View Herald TranscriptApr 16 2018, 5:15 AM

Harbormaster completed remote builds in B17103: Diff 142621.Apr 16 2018, 5:17 AM

I'm new to the taint visitor, but I am quite confused by your change description.

and many checkers rely on it

How can other checkers rely on it if it's private to the taint checker?

Also, it's probably to explicitly include BugReporterVisitors.h in the checker file then.

In D45682#1074407, @george.karpenkov wrote:

I'm new to the taint visitor, but I am quite confused by your change description.

and many checkers rely on it

How can other checkers rely on it if it's private to the taint checker?

Thanks for your review, george! TaintBugVisitor is an utility to add extra information to illustrate where the taint information originated from. There are several checkers use taint information, e.g. ArrayBoundCheckerV2.cpp, in some cases it will report a warning, like warning: Out of bound memory access (index is tainted). If TaintBugVisitor moves to BugReporterVisitors.h, ArrayBoundCheckerV2 can add extra notes like Taint originated here to the report by adding TaintBugVisitor.

Also, it's probably to explicitly include BugReporterVisitors.h in the checker file then.

If these checkers want to add Taint originated here using TaintBugVisitor, it is necessary to explicitly include BugReporterVisitors.h in following patch.

can add extra notes like

Ah right, than it's "can rely on" rather than "rely on".

it is necessary to explicitly include

I've meant adding the include to GenericTaintChecker.cpp.

LGTM otherwise.

This revision is now accepted and ready to land.Apr 22 2018, 7:42 AM

Closed by commit rC330596: [analyzer] Move `TaintBugVisitor` from `GenericTaintChecker.cpp` to… (authored by henrywong). · Explain WhyApr 23 2018, 7:44 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

include/

clang/

StaticAnalyzer/

Core/

BugReporter/

BugReporterVisitors.h

16 lines

lib/

StaticAnalyzer/

Checkers/

GenericTaintChecker.cpp

39 lines

Core/

BugReporterVisitors.cpp

21 lines

Diff 143561

include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h

Show First 20 Lines • Show All 337 Lines • ▼ Show 20 Lines	public:
void Profile(llvm::FoldingSetNodeID &ID) const override {}		void Profile(llvm::FoldingSetNodeID &ID) const override {}

std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *Succ,		std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *Succ,
const ExplodedNode *Pred,		const ExplodedNode *Pred,
BugReporterContext &BRC,		BugReporterContext &BRC,
BugReport &BR) override;		BugReport &BR) override;
};		};

		/// The bug visitor prints a diagnostic message at the location where a given
		/// variable was tainted.
		class TaintBugVisitor final : public BugReporterVisitorImpl<TaintBugVisitor> {
		private:
		const SVal V;

		public:
		TaintBugVisitor(const SVal V) : V(V) {}
		void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); }

		std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
		const ExplodedNode *PrevN,
		BugReporterContext &BRC,
		BugReport &BR) override;
		};

namespace bugreporter {		namespace bugreporter {

/// Attempts to add visitors to trace a null or undefined value back to its		/// Attempts to add visitors to trace a null or undefined value back to its
/// point of origin, whether it is a symbol constrained to null or an explicit		/// point of origin, whether it is a symbol constrained to null or an explicit
/// assignment.		/// assignment.
///		///
/// \param N A node "downstream" from the evaluation of the statement.		/// \param N A node "downstream" from the evaluation of the statement.
/// \param S The statement whose value is null or undefined.		/// \param S The statement whose value is null or undefined.
Show All 26 Lines

lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 Lines • Show All 94 Lines • ▼ Show 20 Lines	private:
static const char MsgTaintedBufferSize[];		static const char MsgTaintedBufferSize[];
bool checkTaintedBufferSize(const CallExpr CE, const FunctionDecl FDecl,		bool checkTaintedBufferSize(const CallExpr CE, const FunctionDecl FDecl,
CheckerContext &C) const;		CheckerContext &C) const;

/// Generate a report if the expression is tainted or points to tainted data.		/// Generate a report if the expression is tainted or points to tainted data.
bool generateReportIfTainted(const Expr *E, const char Msg[],		bool generateReportIfTainted(const Expr *E, const char Msg[],
CheckerContext &C) const;		CheckerContext &C) const;

/// The bug visitor prints a diagnostic message at the location where a given
/// variable was tainted.
class TaintBugVisitor
: public BugReporterVisitorImpl<TaintBugVisitor> {
private:
const SVal V;

public:
TaintBugVisitor(const SVal V) : V(V) {}
void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); }

std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
const ExplodedNode *PrevN,
BugReporterContext &BRC,
BugReport &BR) override;
};

typedef SmallVector<unsigned, 2> ArgVector;		typedef SmallVector<unsigned, 2> ArgVector;

/// \brief A struct used to specify taint propagation rules for a function.		/// \brief A struct used to specify taint propagation rules for a function.
///		///
/// If any of the possible taint source arguments is tainted, all of the		/// If any of the possible taint source arguments is tainted, all of the
/// destination arguments should also be tainted. Use InvalidArgIndex in the		/// destination arguments should also be tainted. Use InvalidArgIndex in the
/// src list to specify that all of the arguments can introduce taint. Use		/// src list to specify that all of the arguments can introduce taint. Use
/// InvalidArgIndex in the dst arguments to signify that all the non-const		/// InvalidArgIndex in the dst arguments to signify that all the non-const
▲ Show 20 Lines • Show All 81 Lines • ▼ Show 20 Lines
} // end of anonymous namespace		} // end of anonymous namespace

/// A set which is used to pass information from call pre-visit instruction		/// A set which is used to pass information from call pre-visit instruction
/// to the call post-visit. The values are unsigned integers, which are either		/// to the call post-visit. The values are unsigned integers, which are either
/// ReturnValueIndex, or indexes of the pointer/reference argument, which		/// ReturnValueIndex, or indexes of the pointer/reference argument, which
/// points to data, which should be tainted on return.		/// points to data, which should be tainted on return.
REGISTER_SET_WITH_PROGRAMSTATE(TaintArgsOnPostVisit, unsigned)		REGISTER_SET_WITH_PROGRAMSTATE(TaintArgsOnPostVisit, unsigned)

std::shared_ptr<PathDiagnosticPiece>
GenericTaintChecker::TaintBugVisitor::VisitNode(const ExplodedNode *N,
const ExplodedNode *PrevN, BugReporterContext &BRC, BugReport &BR) {

// Find the ExplodedNode where the taint was first introduced
if (!N->getState()->isTainted(V) \|\| PrevN->getState()->isTainted(V))
return nullptr;

const Stmt *S = PathDiagnosticLocation::getStmt(N);
if (!S)
return nullptr;

const LocationContext *NCtx = N->getLocationContext();
PathDiagnosticLocation L =
PathDiagnosticLocation::createBegin(S, BRC.getSourceManager(), NCtx);
if (!L.isValid() \|\| !L.asLocation().isValid())
return nullptr;

return std::make_shared<PathDiagnosticEventPiece>(
L, "Taint originated here");
}

GenericTaintChecker::TaintPropagationRule		GenericTaintChecker::TaintPropagationRule
GenericTaintChecker::TaintPropagationRule::getTaintPropagationRule(		GenericTaintChecker::TaintPropagationRule::getTaintPropagationRule(
const FunctionDecl *FDecl,		const FunctionDecl *FDecl,
StringRef Name,		StringRef Name,
CheckerContext &C) {		CheckerContext &C) {
// TODO: Currently, we might lose precision here: we always mark a return		// TODO: Currently, we might lose precision here: we always mark a return
// value as tainted even if it's just a pointer, pointing to tainted data.		// value as tainted even if it's just a pointer, pointing to tainted data.

▲ Show 20 Lines • Show All 541 Lines • Show Last 20 Lines

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 Lines • Show All 2,327 Lines • ▼ Show 20 Lines	CXXSelfAssignmentBRVisitor::VisitNode(const ExplodedNode *Succ,
Out << "Assuming " << Met->getParamDecl(0)->getName() <<		Out << "Assuming " << Met->getParamDecl(0)->getName() <<
((Param == This) ? " == " : " != ") << "*this";		((Param == This) ? " == " : " != ") << "*this";

auto Piece = std::make_shared<PathDiagnosticEventPiece>(L, Out.str());		auto Piece = std::make_shared<PathDiagnosticEventPiece>(L, Out.str());
Piece->addRange(Met->getSourceRange());		Piece->addRange(Met->getSourceRange());

return std::move(Piece);		return std::move(Piece);
}		}

		std::shared_ptr<PathDiagnosticPiece>
		TaintBugVisitor::VisitNode(const ExplodedNode N, const ExplodedNode PrevN,
		BugReporterContext &BRC, BugReport &BR) {

		// Find the ExplodedNode where the taint was first introduced
		if (!N->getState()->isTainted(V) \|\| PrevN->getState()->isTainted(V))
		return nullptr;

		const Stmt *S = PathDiagnosticLocation::getStmt(N);
		if (!S)
		return nullptr;

		const LocationContext *NCtx = N->getLocationContext();
		PathDiagnosticLocation L =
		PathDiagnosticLocation::createBegin(S, BRC.getSourceManager(), NCtx);
		if (!L.isValid() \|\| !L.asLocation().isValid())
		return nullptr;

		return std::make_shared<PathDiagnosticEventPiece>(L, "Taint originated here");
		}