This is an archive of the discontinued LLVM Phabricator instance.

Differential D46007

[analyzer] Add `TaintBugVisitor` to the ArrayBoundV2, DivideZero and VLASize.
ClosedPublic

Authored by MTC on Apr 24 2018, 6:15 AM.

Details

Reviewers
NoQ
george.karpenkov
xazax.hun
a.sidorin
Commits
rGe14e591c937e: [analyzer] Add `TaintBugVisitor` to the ArrayBoundV2, DivideZero and VLASize.
rC331345: [analyzer] Add `TaintBugVisitor` to the ArrayBoundV2, DivideZero and VLASize.
rL331345: [analyzer] Add `TaintBugVisitor` to the ArrayBoundV2, DivideZero and VLASize.
Summary

Add TaintBugVisitor to the ArrayBoundV2, DivideZero, VLASize to be able to indicate where the taint information originated from.

Diff Detail

Repository
rL LLVM

Event Timeline

MTC created this revision.Apr 24 2018, 6:15 AM
Herald added subscribers: cfe-commits, rnkovacs, szepet. · View Herald TranscriptApr 24 2018, 6:15 AM
a.sidorin added a comment.Apr 24 2018, 10:23 AM

Mostly LG.

lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
75 ↗(On Diff #143724)

In this patch, sometimes we check the visitor to be non-null, sometimes not. As I can see, BugReport::addVisitor() works well with nullptr arguments (it checks arguments) so I think we can omit the checks.

MTC marked an inline comment as done.Apr 25 2018, 5:25 AM
MTC added inline comments.
lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
75 ↗(On Diff #143724)

Thanks for your reminder, a.sidorin!

My mistakes led to some checkers doing the check and some did not check! But as you said, there is no need to check the nullptr.

I will update the patch.

MTC updated this revision to Diff 143908.Apr 25 2018, 5:31 AM
MTC marked an inline comment as done.

Since BugReport::addVisitor() has checks for the null Visitor, remove the checks before BugReport->addVisitor().

NoQ accepted this revision.Apr 27 2018, 5:08 PM

Looks great, thanks!

I think the overall plan for any taint work would be to remove it from the program state API and move getters/setters into its own translation unit (like dynamic type propagation) as part of the overall plan to introduce shared checker states. So, like, not just the visitor, but the whole trait itself.

This revision is now accepted and ready to land.Apr 27 2018, 5:08 PM
Closed by commit rL331345: [analyzer] Add `TaintBugVisitor` to the ArrayBoundV2, DivideZero and VLASize. (authored by henrywong). · Explain WhyMay 2 2018, 5:14 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptMay 2 2018, 5:14 AM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
21 lines
16 lines
19 lines
test/
Analysis/
25 lines

Diff 144861

cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

Show All 27 Lines
namespace { namespace {
class ArrayBoundCheckerV2 : class ArrayBoundCheckerV2 :
public Checker<check::Location> { public Checker<check::Location> {
mutable std::unique_ptr<BuiltinBug> BT; mutable std::unique_ptr<BuiltinBug> BT;
enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted }; enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted };
void reportOOB(CheckerContext &C, ProgramStateRef errorState, void reportOOB(CheckerContext &C, ProgramStateRef errorState, OOB_Kind kind,
OOB_Kind kind) const; std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const;
public: public:
void checkLocation(SVal l, bool isLoad, const Stmt*S, void checkLocation(SVal l, bool isLoad, const Stmt*S,
CheckerContext &C) const; CheckerContext &C) const;
}; };
// FIXME: Eventually replace RegionRawOffset with this class. // FIXME: Eventually replace RegionRawOffset with this class.
class RegionRawOffsetV2 { class RegionRawOffsetV2 {
▲ Show 20 LinesShow All 154 Lines▼ Show 20 Lines if (!upperboundToCheck)
break; break;
ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; ProgramStateRef state_exceedsUpperBound, state_withinUpperBound;
std::tie(state_exceedsUpperBound, state_withinUpperBound) = std::tie(state_exceedsUpperBound, state_withinUpperBound) =
state->assume(*upperboundToCheck); state->assume(*upperboundToCheck);
// If we are under constrained and the index variables are tainted, report. // If we are under constrained and the index variables are tainted, report.
if (state_exceedsUpperBound && state_withinUpperBound) { if (state_exceedsUpperBound && state_withinUpperBound) {
if (state->isTainted(rawOffset.getByteOffset())) { SVal ByteOffset = rawOffset.getByteOffset();
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted); if (state->isTainted(ByteOffset)) {
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted,
llvm::make_unique<TaintBugVisitor>(ByteOffset));
return; return;
} }
} else if (state_exceedsUpperBound) { } else if (state_exceedsUpperBound) {
// If we are constrained enough to definitely exceed the upper bound, // If we are constrained enough to definitely exceed the upper bound,
// report. // report.
assert(!state_withinUpperBound); assert(!state_withinUpperBound);
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes); reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes);
return; return;
} }
assert(state_withinUpperBound); assert(state_withinUpperBound);
state = state_withinUpperBound; state = state_withinUpperBound;
} }
while (false); while (false);
if (state != originalState) if (state != originalState)
checkerContext.addTransition(state); checkerContext.addTransition(state);
} }
void ArrayBoundCheckerV2::reportOOB(CheckerContext &checkerContext, void ArrayBoundCheckerV2::reportOOB(
ProgramStateRef errorState, CheckerContext &checkerContext, ProgramStateRef errorState, OOB_Kind kind,
OOB_Kind kind) const { std::unique_ptr<BugReporterVisitor> Visitor) const {
ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState); ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState);
if (!errorNode) if (!errorNode)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug(this, "Out-of-bound access")); BT.reset(new BuiltinBug(this, "Out-of-bound access"));
Show All 10 Linesvoid ArrayBoundCheckerV2::reportOOB(
case OOB_Excedes: case OOB_Excedes:
os << "(access exceeds upper limit of memory block)"; os << "(access exceeds upper limit of memory block)";
break; break;
case OOB_Tainted: case OOB_Tainted:
os << "(index is tainted)"; os << "(index is tainted)";
break; break;
} }
checkerContext.emitReport( auto BR = llvm::make_unique<BugReport>(*BT, os.str(), errorNode);
llvm::make_unique<BugReport>(*BT, os.str(), errorNode)); BR->addVisitor(std::move(Visitor));
checkerContext.emitReport(std::move(BR));
} }
#ifndef NDEBUG #ifndef NDEBUG
LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const { LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const {
dumpToStream(llvm::errs()); dumpToStream(llvm::errs());
} }
void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const { void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const {
▲ Show 20 LinesShow All 88 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp

Show All 18 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class DivZeroChecker : public Checker< check::PreStmt<BinaryOperator> > { class DivZeroChecker : public Checker< check::PreStmt<BinaryOperator> > {
mutable std::unique_ptr<BuiltinBug> BT; mutable std::unique_ptr<BuiltinBug> BT;
void reportBug(const char *Msg, void reportBug(const char *Msg, ProgramStateRef StateZero, CheckerContext &C,
ProgramStateRef StateZero, std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const;
CheckerContext &C) const ;
public: public:
void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const; void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
}; };
} // end anonymous namespace } // end anonymous namespace
void DivZeroChecker::reportBug(const char *Msg, void DivZeroChecker::reportBug(
ProgramStateRef StateZero, const char *Msg, ProgramStateRef StateZero, CheckerContext &C,
CheckerContext &C) const { std::unique_ptr<BugReporterVisitor> Visitor) const {
if (ExplodedNode *N = C.generateErrorNode(StateZero)) { if (ExplodedNode *N = C.generateErrorNode(StateZero)) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug(this, "Division by zero")); BT.reset(new BuiltinBug(this, "Division by zero"));
auto R = llvm::make_unique<BugReport>(*BT, Msg, N); auto R = llvm::make_unique<BugReport>(*BT, Msg, N);
R->addVisitor(std::move(Visitor));
bugreporter::trackNullOrUndefValue(N, bugreporter::GetDenomExpr(N), *R); bugreporter::trackNullOrUndefValue(N, bugreporter::GetDenomExpr(N), *R);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void DivZeroChecker::checkPreStmt(const BinaryOperator *B, void DivZeroChecker::checkPreStmt(const BinaryOperator *B,
CheckerContext &C) const { CheckerContext &C) const {
BinaryOperator::Opcode Op = B->getOpcode(); BinaryOperator::Opcode Op = B->getOpcode();
Show All 22 Linesvoid DivZeroChecker::checkPreStmt(const BinaryOperator *B,
if (!stateNotZero) { if (!stateNotZero) {
assert(stateZero); assert(stateZero);
reportBug("Division by zero", stateZero, C); reportBug("Division by zero", stateZero, C);
return; return;
} }
bool TaintedD = C.getState()->isTainted(*DV); bool TaintedD = C.getState()->isTainted(*DV);
if ((stateNotZero && stateZero && TaintedD)) { if ((stateNotZero && stateZero && TaintedD)) {
reportBug("Division by a tainted value, possibly zero", stateZero, C); reportBug("Division by a tainted value, possibly zero", stateZero, C,
llvm::make_unique<TaintBugVisitor>(*DV));
return; return;
} }
// If we get here, then the denom should not be zero. We abandon the implicit // If we get here, then the denom should not be zero. We abandon the implicit
// zero denom case for now. // zero denom case for now.
C.addTransition(stateNotZero); C.addTransition(stateNotZero);
} }
void ento::registerDivZeroChecker(CheckerManager &mgr) { void ento::registerDivZeroChecker(CheckerManager &mgr) {
mgr.registerChecker<DivZeroChecker>(); mgr.registerChecker<DivZeroChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp

Show All 26 Lines
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class VLASizeChecker : public Checker< check::PreStmt<DeclStmt> > { class VLASizeChecker : public Checker< check::PreStmt<DeclStmt> > {
mutable std::unique_ptr<BugType> BT; mutable std::unique_ptr<BugType> BT;
enum VLASize_Kind { VLA_Garbage, VLA_Zero, VLA_Tainted, VLA_Negative }; enum VLASize_Kind { VLA_Garbage, VLA_Zero, VLA_Tainted, VLA_Negative };
void reportBug(VLASize_Kind Kind, void reportBug(VLASize_Kind Kind, const Expr *SizeE, ProgramStateRef State,
const Expr *SizeE, CheckerContext &C,
ProgramStateRef State, std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const;
CheckerContext &C) const;
public: public:
void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
}; };
} // end anonymous namespace } // end anonymous namespace
void VLASizeChecker::reportBug(VLASize_Kind Kind, void VLASizeChecker::reportBug(
const Expr *SizeE, VLASize_Kind Kind, const Expr *SizeE, ProgramStateRef State,
ProgramStateRef State, CheckerContext &C, std::unique_ptr<BugReporterVisitor> Visitor) const {
CheckerContext &C) const {
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateErrorNode(State); ExplodedNode *N = C.generateErrorNode(State);
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug( BT.reset(new BuiltinBug(
this, "Dangerous variable-length array (VLA) declaration")); this, "Dangerous variable-length array (VLA) declaration"));
Show All 12 Lines case VLA_Tainted:
os << "has tainted size"; os << "has tainted size";
break; break;
case VLA_Negative: case VLA_Negative:
os << "has negative size"; os << "has negative size";
break; break;
} }
auto report = llvm::make_unique<BugReport>(*BT, os.str(), N); auto report = llvm::make_unique<BugReport>(*BT, os.str(), N);
report->addVisitor(std::move(Visitor));
report->addRange(SizeE->getSourceRange()); report->addRange(SizeE->getSourceRange());
bugreporter::trackNullOrUndefValue(N, SizeE, *report); bugreporter::trackNullOrUndefValue(N, SizeE, *report);
C.emitReport(std::move(report)); C.emitReport(std::move(report));
} }
void VLASizeChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const { void VLASizeChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
if (!DS->isSingleDecl()) if (!DS->isSingleDecl())
return; return;
Show All 19 Linesvoid VLASizeChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
// See if the size value is known. It can't be undefined because we would have // See if the size value is known. It can't be undefined because we would have
// warned about that already. // warned about that already.
if (sizeV.isUnknown()) if (sizeV.isUnknown())
return; return;
// Check if the size is tainted. // Check if the size is tainted.
if (state->isTainted(sizeV)) { if (state->isTainted(sizeV)) {
reportBug(VLA_Tainted, SE, nullptr, C); reportBug(VLA_Tainted, SE, nullptr, C,
llvm::make_unique<TaintBugVisitor>(sizeV));
return; return;
} }
// Check if the size is zero. // Check if the size is zero.
DefinedSVal sizeD = sizeV.castAs<DefinedSVal>(); DefinedSVal sizeD = sizeV.castAs<DefinedSVal>();
ProgramStateRef stateNotZero, stateZero; ProgramStateRef stateNotZero, stateZero;
std::tie(stateNotZero, stateZero) = state->assume(sizeD); std::tie(stateNotZero, stateZero) = state->assume(sizeD);
▲ Show 20 LinesShow All 65 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/taint-diagnostic-visitor.c

// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core -analyzer-output=text -verify %s // RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
// This file is for testing enhanced diagnostics produced by the GenericTaintChecker // This file is for testing enhanced diagnostics produced by the GenericTaintChecker
int scanf(const char *restrict format, ...); int scanf(const char *restrict format, ...);
int system(const char *command); int system(const char *command);
void taintDiagnostic() void taintDiagnostic()
{ {
char buf[128]; char buf[128];
scanf("%s", buf); // expected-note {{Taint originated here}} scanf("%s", buf); // expected-note {{Taint originated here}}
system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}} system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
} }
int taintDiagnosticOutOfBound() {
int index;
int Array[] = {1, 2, 3, 4, 5};
scanf("%d", &index); // expected-note {{Taint originated here}}
return Array[index]; // expected-warning {{Out of bound memory access (index is tainted)}}
// expected-note@-1 {{Out of bound memory access (index is tainted)}}
}
int taintDiagnosticDivZero(int operand) {
scanf("%d", &operand); // expected-note {{Value assigned to 'operand'}}
// expected-note@-1 {{Taint originated here}}
return 10 / operand; // expected-warning {{Division by a tainted value, possibly zero}}
// expected-note@-1 {{Division by a tainted value, possibly zero}}
}
void taintDiagnosticVLA() {
int x;
scanf("%d", &x); // expected-note {{Value assigned to 'x'}}
// expected-note@-1 {{Taint originated here}}
int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}}
// expected-note@-1 {{Declared variable-length array (VLA) has tainted size}}
}