This is an archive of the discontinued LLVM Phabricator instance.

Differential D59861

[analyzer] NFC: Replace Taint API with a usual inter-checker communication API?
ClosedPublic

Authored by NoQ on Mar 26 2019, 6:44 PM.

Details

Reviewers
dcoughlin
xazax.hun
a_sidorin
rnkovacs
mikhail.ramalho
Szelethus
baloghadamsoftware
Charusso
boga95
Commits
rG44551cf69380: [analyzer] Move taint API from ProgramState to a separate header. NFC.
rL357326: [analyzer] Move taint API from ProgramState to a separate header. NFC.
rC357326: [analyzer] Move taint API from ProgramState to a separate header. NFC.
Summary

Given how much effort @boga95 is spending on the taint checker, i decided to undig my effort to remove the whole taint API business from the ProgramState class and instead implement it as our usual, modern inter-checker communication API.

Modern as in "putting all such stuff into the ProgramState class clearly doesn't scale, but we still didn't come up with anything better, so let's just put it in the header and see if a better design suddenly emerges in the future after we do it a few hundred times". In other words, this was the plan that is part of the even-more-long-term plan of completely deprecating the void*-based Generic Data Map in favor of something that the analyzer core could introspect and help checkers keep track of, which would reduce boilerplate and make developing checkers easier.

The patch is rebased on top of the current master, but most likely conflicts with @boga95's latest patches. I'm sorry i didn't do this quickly enough, but better late than never, i suppose. I do not insist on this design, but i believe it looks much cleaner.

Diff Detail

Repository
rC Clang

Event Timeline

NoQ created this revision.Mar 26 2019, 6:44 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 26 2019, 6:44 PM
Herald added subscribers: cfe-commits, jdoerfert, dkrupp and 4 others. · View Herald Transcript
NoQ edited reviewers, added: boga95; removed: alexfh.Mar 26 2019, 6:45 PM

(whoops sry nvm typo in reviewer list)

NoQ mentioned this in D59516: [analyzer] Add custom filter functions for GenericTaintChecker.Mar 26 2019, 6:47 PM
Charusso accepted this revision.Mar 27 2019, 1:05 AM

I like the idea to put connecting stuff together in the same file to create more understandable code. LGTM.

clang/lib/StaticAnalyzer/Checkers/Taint.h
8 ↗(On Diff #192398)

Outdated header-blurb.

81 ↗(On Diff #192398)

We left the ProgramState::dump()' context so what about just dump()`?

This revision is now accepted and ready to land.Mar 27 2019, 1:05 AM
boga95 added a comment.Mar 27 2019, 2:43 AM

Thanks, it will make my changes more cleaner.

NoQ updated this revision to Diff 192492.Mar 27 2019, 12:05 PM
NoQ marked 2 inline comments as done.

Address comments. Fix printing taint in state dumps.

clang/lib/StaticAnalyzer/Checkers/Taint.h
8 ↗(On Diff #192398)

Whooooooooooops! Thanks!!

81 ↗(On Diff #192398)

I'm doing using namespace taint; everywhere, so that'd make the code look like dump(State) which would look quite ambiguous to a human. Additionally, this function only needs to be called once, so it's not a problem if it's a bit long.

Also, wait, i didn't really call it even once. I.e., i forgot to implement GenericTaintChecker::printState() to print taint (now that it's not state-specific, there must be a checker responsible for this, and i'm casting my vote for GenericTaintChecker out of 1 potential candidates). Let me fix it.

NoQ updated this revision to Diff 192504.Mar 27 2019, 1:12 PM

Add a test for taint dumps.

Szelethus accepted this revision.Mar 28 2019, 3:50 AM

"putting all such stuff into the ProgramState class clearly doesn't scale, but we still didn't come up with anything better, so let's just put it in the header and see if a better design suddenly emerges in the future after we do it a few hundred times"

Now that we have a maintainer who will dedicate a lot of effort into taint analysis, that might just happen :) For the time being though, I agree, this is much cleaner.

It would be great to land this as soon as you're comfortable with it, in order not to block @boga95's work.

Szelethus added a comment.Mar 29 2019, 3:18 AM

Also, you might as well clang-format the new files, since we already messed with git blame.

boga95 added a child revision: D59555: [analyzer] Add yaml parser to GenericTaintChecker.Mar 29 2019, 5:45 AM
NoQ updated this revision to Diff 192919.Mar 29 2019, 2:47 PM

Cleaned up formatting a bit.

Closed by commit rC357326: [analyzer] Move taint API from ProgramState to a separate header. NFC. (authored by NoQ). · Explain WhyMar 29 2019, 3:48 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
14 lines
PathSensitive/
37 lines
58 lines
29 lines
lib/
StaticAnalyzer/
Checkers/
4 lines
1 line
6 lines
23 lines
102 lines
227 lines
5 lines
4 lines
Core/
20 lines
1 line
183 lines
22 lines
test/
Analysis/
14 lines

Diff 192934

include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h

Show First 20 LinesShow All 301 Lines▼ Show 20 Linespublic:
void Profile(llvm::FoldingSetNodeID &ID) const override {} void Profile(llvm::FoldingSetNodeID &ID) const override {}
std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *Succ, std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *Succ,
BugReporterContext &BRC, BugReporterContext &BRC,
BugReport &BR) override; BugReport &BR) override;
}; };
/// The bug visitor prints a diagnostic message at the location where a given
/// variable was tainted.
class TaintBugVisitor final : public BugReporterVisitor {
private:
const SVal V;
public:
TaintBugVisitor(const SVal V) : V(V) {}
void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); }
std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
BugReporterContext &BRC,
BugReport &BR) override;
};
/// The bug visitor will walk all the nodes in a path and collect all the /// The bug visitor will walk all the nodes in a path and collect all the
/// constraints. When it reaches the root node, will create a refutation /// constraints. When it reaches the root node, will create a refutation
/// manager and check if the constraints are satisfiable /// manager and check if the constraints are satisfiable
class FalsePositiveRefutationBRVisitor final : public BugReporterVisitor { class FalsePositiveRefutationBRVisitor final : public BugReporterVisitor {
private: private:
/// Holds the constraints in a given path /// Holds the constraints in a given path
ConstraintRangeTy Constraints; ConstraintRangeTy Constraints;
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

Show All 14 Lines
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/Environment.h" #include "clang/StaticAnalyzer/Core/PathSensitive/Environment.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h" #include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/TaintTag.h"
#include "llvm/ADT/FoldingSet.h" #include "llvm/ADT/FoldingSet.h"
#include "llvm/ADT/ImmutableMap.h" #include "llvm/ADT/ImmutableMap.h"
#include "llvm/Support/Allocator.h" #include "llvm/Support/Allocator.h"
#include <utility> #include <utility>
namespace llvm { namespace llvm {
class APSInt; class APSInt;
} }
namespace clang { namespace clang {
class ASTContext; class ASTContext;
namespace ento { namespace ento {
class AnalysisManager; class AnalysisManager;
class CallEvent; class CallEvent;
class CallEventManager; class CallEventManager;
typedef std::unique_ptr<ConstraintManager>(*ConstraintManagerCreator)( typedef std::unique_ptr<ConstraintManager>(*ConstraintManagerCreator)(
ProgramStateManager &, SubEngine *); ProgramStateManager &, SubEngine *);
typedef std::unique_ptr<StoreManager>(*StoreManagerCreator)( typedef std::unique_ptr<StoreManager>(*StoreManagerCreator)(
ProgramStateManager &); ProgramStateManager &);
typedef llvm::ImmutableMap<const SubRegion*, TaintTagType> TaintedSubRegions;
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// ProgramStateTrait - Traits used by the Generic Data Map of a ProgramState. // ProgramStateTrait - Traits used by the Generic Data Map of a ProgramState.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
template <typename T> struct ProgramStatePartialTrait; template <typename T> struct ProgramStatePartialTrait;
template <typename T> struct ProgramStateTrait { template <typename T> struct ProgramStateTrait {
▲ Show 20 LinesShow All 307 Lines▼ Show 20 Linespublic:
/// MemRegions range using the provided SymbolVisitor. /// MemRegions range using the provided SymbolVisitor.
bool scanReachableSymbols(llvm::iterator_range<region_iterator> Reachable, bool scanReachableSymbols(llvm::iterator_range<region_iterator> Reachable,
SymbolVisitor &visitor) const; SymbolVisitor &visitor) const;
template <typename CB> CB scanReachableSymbols(SVal val) const; template <typename CB> CB scanReachableSymbols(SVal val) const;
template <typename CB> CB template <typename CB> CB
scanReachableSymbols(llvm::iterator_range<region_iterator> Reachable) const; scanReachableSymbols(llvm::iterator_range<region_iterator> Reachable) const;
/// Create a new state in which the statement is marked as tainted.
LLVM_NODISCARD ProgramStateRef
addTaint(const Stmt *S, const LocationContext *LCtx,
TaintTagType Kind = TaintTagGeneric) const;
/// Create a new state in which the value is marked as tainted.
LLVM_NODISCARD ProgramStateRef
addTaint(SVal V, TaintTagType Kind = TaintTagGeneric) const;
/// Create a new state in which the symbol is marked as tainted.
LLVM_NODISCARD ProgramStateRef addTaint(SymbolRef S,
TaintTagType Kind = TaintTagGeneric) const;
/// Create a new state in which the region symbol is marked as tainted.
LLVM_NODISCARD ProgramStateRef
addTaint(const MemRegion *R, TaintTagType Kind = TaintTagGeneric) const;
/// Create a new state in a which a sub-region of a given symbol is tainted.
/// This might be necessary when referring to regions that can not have an
/// individual symbol, e.g. if they are represented by the default binding of
/// a LazyCompoundVal.
LLVM_NODISCARD ProgramStateRef
addPartialTaint(SymbolRef ParentSym, const SubRegion *SubRegion,
TaintTagType Kind = TaintTagGeneric) const;
/// Check if the statement is tainted in the current state.
bool isTainted(const Stmt *S, const LocationContext *LCtx,
TaintTagType Kind = TaintTagGeneric) const;
bool isTainted(SVal V, TaintTagType Kind = TaintTagGeneric) const;
bool isTainted(SymbolRef Sym, TaintTagType Kind = TaintTagGeneric) const;
bool isTainted(const MemRegion *Reg, TaintTagType Kind=TaintTagGeneric) const;
//==---------------------------------------------------------------------==// //==---------------------------------------------------------------------==//
// Accessing the Generic Data Map (GDM). // Accessing the Generic Data Map (GDM).
//==---------------------------------------------------------------------==// //==---------------------------------------------------------------------==//
void *const* FindGDM(void *K) const; void *const* FindGDM(void *K) const;
template <typename T> template <typename T>
LLVM_NODISCARD ProgramStateRef LLVM_NODISCARD ProgramStateRef
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Lines bool contains(typename ProgramStateTrait<T>::key_type key) const {
return ProgramStateTrait<T>::Contains(ProgramStateTrait<T>::MakeData(d), key); return ProgramStateTrait<T>::Contains(ProgramStateTrait<T>::MakeData(d), key);
} }
// Pretty-printing. // Pretty-printing.
void print(raw_ostream &Out, const char *nl = "\n", const char *sep = "", void print(raw_ostream &Out, const char *nl = "\n", const char *sep = "",
const LocationContext *CurrentLC = nullptr) const; const LocationContext *CurrentLC = nullptr) const;
void printDOT(raw_ostream &Out, void printDOT(raw_ostream &Out,
const LocationContext *CurrentLC = nullptr) const; const LocationContext *CurrentLC = nullptr) const;
void printTaint(raw_ostream &Out, const char *nl = "\n") const;
void dump() const; void dump() const;
void dumpTaint() const;
private: private:
friend void ProgramStateRetain(const ProgramState *state); friend void ProgramStateRetain(const ProgramState *state);
friend void ProgramStateRelease(const ProgramState *state); friend void ProgramStateRelease(const ProgramState *state);
/// \sa invalidateValues() /// \sa invalidateValues()
/// \sa invalidateRegions() /// \sa invalidateRegions()
ProgramStateRef ProgramStateRef
Show All 17 Linesprivate:
/// Eng - The SubEngine that owns this state manager. /// Eng - The SubEngine that owns this state manager.
SubEngine *Eng; /* Can be null. */ SubEngine *Eng; /* Can be null. */
EnvironmentManager EnvMgr; EnvironmentManager EnvMgr;
std::unique_ptr<StoreManager> StoreMgr; std::unique_ptr<StoreManager> StoreMgr;
std::unique_ptr<ConstraintManager> ConstraintMgr; std::unique_ptr<ConstraintManager> ConstraintMgr;
ProgramState::GenericDataMap::Factory GDMFactory; ProgramState::GenericDataMap::Factory GDMFactory;
TaintedSubRegions::Factory TSRFactory;
typedef llvm::DenseMap<void*,std::pair<void*,void (*)(void*)> > GDMContextsTy; typedef llvm::DenseMap<void*,std::pair<void*,void (*)(void*)> > GDMContextsTy;
GDMContextsTy GDMContexts; GDMContextsTy GDMContexts;
/// StateSet - FoldingSet containing all the states created for analyzing /// StateSet - FoldingSet containing all the states created for analyzing
/// a particular function. This is used to unique states. /// a particular function. This is used to unique states.
llvm::FoldingSet<ProgramState> StateSet; llvm::FoldingSet<ProgramState> StateSet;
▲ Show 20 LinesShow All 403 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/TaintManager.h

//===- TaintManager.h - Managing taint --------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file provides APIs for adding, removing, querying symbol taint.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_TAINTMANAGER_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_TAINTMANAGER_H
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/TaintTag.h"
#include "llvm/ADT/ImmutableMap.h"
namespace clang {
namespace ento {
/// The GDM component containing the tainted root symbols. We lazily infer the
/// taint of the dependent symbols. Currently, this is a map from a symbol to
/// tag kind. TODO: Should support multiple tag kinds.
// FIXME: This does not use the nice trait macros because it must be accessible
// from multiple translation units.
struct TaintMap {};
using TaintMapImpl = llvm::ImmutableMap<SymbolRef, TaintTagType>;
template<> struct ProgramStateTrait<TaintMap>
: public ProgramStatePartialTrait<TaintMapImpl> {
static void *GDMIndex();
};
/// The GDM component mapping derived symbols' parent symbols to their
/// underlying regions. This is used to efficiently check whether a symbol is
/// tainted when it represents a sub-region of a tainted symbol.
struct DerivedSymTaint {};
using DerivedSymTaintImpl = llvm::ImmutableMap<SymbolRef, TaintedSubRegions>;
template<> struct ProgramStateTrait<DerivedSymTaint>
: public ProgramStatePartialTrait<DerivedSymTaintImpl> {
static void *GDMIndex();
};
class TaintManager {
TaintManager() = default;
};
} // namespace ento
} // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_TAINTMANAGER_H

include/clang/StaticAnalyzer/Core/PathSensitive/TaintTag.h

//===- TaintTag.h - Path-sensitive "State" for tracking values --*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Defines a set of taint tags. Several tags are used to differentiate kinds
// of taint.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_TAINTTAG_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_TAINTTAG_H
namespace clang {
namespace ento {
/// The type of taint, which helps to differentiate between different types of
/// taint.
using TaintTagType = unsigned;
static const TaintTagType TaintTagGeneric = 0;
} // namespace ento
} // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_TAINTTAG_H

lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

//== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==// //== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines ArrayBoundCheckerV2, which is a path-sensitive check // This file defines ArrayBoundCheckerV2, which is a path-sensitive check
// which looks for an out-of-bound array element access. // which looks for an out-of-bound array element access.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "Taint.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/CharUnits.h" #include "clang/AST/CharUnits.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint;
namespace { namespace {
class ArrayBoundCheckerV2 : class ArrayBoundCheckerV2 :
public Checker<check::Location> { public Checker<check::Location> {
mutable std::unique_ptr<BuiltinBug> BT; mutable std::unique_ptr<BuiltinBug> BT;
enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted }; enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted };
▲ Show 20 LinesShow All 164 Lines▼ Show 20 Lines do {
ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; ProgramStateRef state_exceedsUpperBound, state_withinUpperBound;
std::tie(state_exceedsUpperBound, state_withinUpperBound) = std::tie(state_exceedsUpperBound, state_withinUpperBound) =
state->assume(*upperboundToCheck); state->assume(*upperboundToCheck);
// If we are under constrained and the index variables are tainted, report. // If we are under constrained and the index variables are tainted, report.
if (state_exceedsUpperBound && state_withinUpperBound) { if (state_exceedsUpperBound && state_withinUpperBound) {
SVal ByteOffset = rawOffset.getByteOffset(); SVal ByteOffset = rawOffset.getByteOffset();
if (state->isTainted(ByteOffset)) { if (isTainted(state, ByteOffset)) {
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted, reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted,
llvm::make_unique<TaintBugVisitor>(ByteOffset)); llvm::make_unique<TaintBugVisitor>(ByteOffset));
return; return;
} }
} else if (state_exceedsUpperBound) { } else if (state_exceedsUpperBound) {
// If we are constrained enough to definitely exceed the upper bound, // If we are constrained enough to definitely exceed the upper bound,
// report. // report.
assert(!state_withinUpperBound); assert(!state_withinUpperBound);
▲ Show 20 LinesShow All 144 LinesShow Last 20 Lines

lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show First 20 LinesShow All 81 Lines▼ Show 20 Linesadd_clang_library(clangStaticAnalyzerCheckers
RetainCountChecker/RetainCountDiagnostics.cpp RetainCountChecker/RetainCountDiagnostics.cpp
ReturnPointerRangeChecker.cpp ReturnPointerRangeChecker.cpp
ReturnUndefChecker.cpp ReturnUndefChecker.cpp
RunLoopAutoreleaseLeakChecker.cpp RunLoopAutoreleaseLeakChecker.cpp
SimpleStreamChecker.cpp SimpleStreamChecker.cpp
StackAddrEscapeChecker.cpp StackAddrEscapeChecker.cpp
StdLibraryFunctionsChecker.cpp StdLibraryFunctionsChecker.cpp
StreamChecker.cpp StreamChecker.cpp
Taint.cpp
TaintTesterChecker.cpp TaintTesterChecker.cpp
TestAfterDivZeroChecker.cpp TestAfterDivZeroChecker.cpp
TraversalChecker.cpp TraversalChecker.cpp
TrustNonnullChecker.cpp TrustNonnullChecker.cpp
UndefBranchChecker.cpp UndefBranchChecker.cpp
UndefCapturedBlockVarChecker.cpp UndefCapturedBlockVarChecker.cpp
UndefResultChecker.cpp UndefResultChecker.cpp
UndefinedArraySubscriptChecker.cpp UndefinedArraySubscriptChecker.cpp
Show All 18 Lines

lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp

//== DivZeroChecker.cpp - Division by zero checker --------------*- C++ -*--==// //== DivZeroChecker.cpp - Division by zero checker --------------*- C++ -*--==//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This defines DivZeroChecker, a builtin check in ExprEngine that performs // This defines DivZeroChecker, a builtin check in ExprEngine that performs
// checks for division by zeros. // checks for division by zeros.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "Taint.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint;
namespace { namespace {
class DivZeroChecker : public Checker< check::PreStmt<BinaryOperator> > { class DivZeroChecker : public Checker< check::PreStmt<BinaryOperator> > {
mutable std::unique_ptr<BuiltinBug> BT; mutable std::unique_ptr<BuiltinBug> BT;
void reportBug(const char *Msg, ProgramStateRef StateZero, CheckerContext &C, void reportBug(const char *Msg, ProgramStateRef StateZero, CheckerContext &C,
std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const; std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const;
public: public:
▲ Show 20 LinesShow All 48 Lines▼ Show 20 Linesvoid DivZeroChecker::checkPreStmt(const BinaryOperator *B,
std::tie(stateNotZero, stateZero) = CM.assumeDual(C.getState(), *DV); std::tie(stateNotZero, stateZero) = CM.assumeDual(C.getState(), *DV);
if (!stateNotZero) { if (!stateNotZero) {
assert(stateZero); assert(stateZero);
reportBug("Division by zero", stateZero, C); reportBug("Division by zero", stateZero, C);
return; return;
} }
bool TaintedD = C.getState()->isTainted(*DV); bool TaintedD = isTainted(C.getState(), *DV);
if ((stateNotZero && stateZero && TaintedD)) { if ((stateNotZero && stateZero && TaintedD)) {
reportBug("Division by a tainted value, possibly zero", stateZero, C, reportBug("Division by a tainted value, possibly zero", stateZero, C,
llvm::make_unique<TaintBugVisitor>(*DV)); llvm::make_unique<taint::TaintBugVisitor>(*DV));
return; return;
} }
// If we get here, then the denom should not be zero. We abandon the implicit // If we get here, then the denom should not be zero. We abandon the implicit
// zero denom case for now. // zero denom case for now.
C.addTransition(stateNotZero); C.addTransition(stateNotZero);
} }
void ento::registerDivZeroChecker(CheckerManager &mgr) { void ento::registerDivZeroChecker(CheckerManager &mgr) {
mgr.registerChecker<DivZeroChecker>(); mgr.registerChecker<DivZeroChecker>();
} }
bool ento::shouldRegisterDivZeroChecker(const LangOptions &LO) { bool ento::shouldRegisterDivZeroChecker(const LangOptions &LO) {
return true; return true;
} }

lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

//== GenericTaintChecker.cpp ----------------------------------- -*- C++ -*--=// //== GenericTaintChecker.cpp ----------------------------------- -*- C++ -*--=//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This checker defines the attack surface for generic taint propagation. // This checker defines the attack surface for generic taint propagation.
// //
// The taint information produced by it might be useful to other checkers. For // The taint information produced by it might be useful to other checkers. For
// example, checkers should report errors which involve tainted data more // example, checkers should report errors which involve tainted data more
// aggressively, even if the involved symbols are under constrained. // aggressively, even if the involved symbols are under constrained.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "Taint.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/Basic/Builtins.h" #include "clang/Basic/Builtins.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include <climits> #include <climits>
#include <initializer_list> #include <initializer_list>
#include <utility> #include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint;
namespace { namespace {
class GenericTaintChecker class GenericTaintChecker
: public Checker<check::PostStmt<CallExpr>, check::PreStmt<CallExpr>> { : public Checker<check::PostStmt<CallExpr>, check::PreStmt<CallExpr>> {
public: public:
static void *getTag() { static void *getTag() {
static int Tag; static int Tag;
return &Tag; return &Tag;
} }
void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
void printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) const override;
private: private:
static const unsigned InvalidArgIndex = UINT_MAX; static const unsigned InvalidArgIndex = UINT_MAX;
/// Denotes the return vale. /// Denotes the return vale.
static const unsigned ReturnValueIndex = UINT_MAX - 1; static const unsigned ReturnValueIndex = UINT_MAX - 1;
mutable std::unique_ptr<BugType> BT; mutable std::unique_ptr<BugType> BT;
void initBugType() const { void initBugType() const {
if (!BT) if (!BT)
▲ Show 20 LinesShow All 95 Lines▼ Show 20 Lines struct TaintPropagationRule {
} }
bool isDestinationArgument(unsigned ArgNum) const { bool isDestinationArgument(unsigned ArgNum) const {
return (llvm::find(DstArgs, ArgNum) != DstArgs.end()); return (llvm::find(DstArgs, ArgNum) != DstArgs.end());
} }
static bool isTaintedOrPointsToTainted(const Expr *E, ProgramStateRef State, static bool isTaintedOrPointsToTainted(const Expr *E, ProgramStateRef State,
CheckerContext &C) { CheckerContext &C) {
if (State->isTainted(E, C.getLocationContext()) || isStdin(E, C)) if (isTainted(State, E, C.getLocationContext()) || isStdin(E, C))
return true; return true;
if (!E->getType().getTypePtr()->isPointerType()) if (!E->getType().getTypePtr()->isPointerType())
return false; return false;
Optional<SVal> V = getPointedToSVal(C, E); Optional<SVal> V = getPointedToSVal(C, E);
return (V && State->isTainted(*V)); return (V && isTainted(State, *V));
} }
/// Pre-process a function which propagates taint according to the /// Pre-process a function which propagates taint according to the
/// taint rule. /// taint rule.
ProgramStateRef process(const CallExpr *CE, CheckerContext &C) const; ProgramStateRef process(const CallExpr *CE, CheckerContext &C) const;
// Functions for custom taintedness propagation. // Functions for custom taintedness propagation.
static bool postSocket(bool IsTainted, const CallExpr *CE, static bool postSocket(bool IsTainted, const CallExpr *CE,
▲ Show 20 LinesShow All 137 Lines▼ Show 20 Lines
void GenericTaintChecker::checkPostStmt(const CallExpr *CE, void GenericTaintChecker::checkPostStmt(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
// Set the marked values as tainted. The return value only accessible from // Set the marked values as tainted. The return value only accessible from
// checkPostStmt. // checkPostStmt.
propagateFromPre(CE, C); propagateFromPre(CE, C);
} }
void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) const {
printTaint(State, Out, NL, Sep);
}
void GenericTaintChecker::addSourcesPre(const CallExpr *CE, void GenericTaintChecker::addSourcesPre(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = nullptr; ProgramStateRef State = nullptr;
const FunctionDecl *FDecl = C.getCalleeDecl(CE); const FunctionDecl *FDecl = C.getCalleeDecl(CE);
if (!FDecl || FDecl->getKind() != Decl::Function) if (!FDecl || FDecl->getKind() != Decl::Function)
return; return;
StringRef Name = C.getCalleeName(FDecl); StringRef Name = C.getCalleeName(FDecl);
Show All 25 Linesbool GenericTaintChecker::propagateFromPre(const CallExpr *CE,
// stored in the state as TaintArgsOnPostVisit set. // stored in the state as TaintArgsOnPostVisit set.
TaintArgsOnPostVisitTy TaintArgs = State->get<TaintArgsOnPostVisit>(); TaintArgsOnPostVisitTy TaintArgs = State->get<TaintArgsOnPostVisit>();
if (TaintArgs.isEmpty()) if (TaintArgs.isEmpty())
return false; return false;
for (unsigned ArgNum : TaintArgs) { for (unsigned ArgNum : TaintArgs) {
// Special handling for the tainted return value. // Special handling for the tainted return value.
if (ArgNum == ReturnValueIndex) { if (ArgNum == ReturnValueIndex) {
State = State->addTaint(CE, C.getLocationContext()); State = addTaint(State, CE, C.getLocationContext());
continue; continue;
} }
// The arguments are pointer arguments. The data they are pointing at is // The arguments are pointer arguments. The data they are pointing at is
// tainted after the call. // tainted after the call.
if (CE->getNumArgs() < (ArgNum + 1)) if (CE->getNumArgs() < (ArgNum + 1))
return false; return false;
const Expr *Arg = CE->getArg(ArgNum); const Expr *Arg = CE->getArg(ArgNum);
Optional<SVal> V = getPointedToSVal(C, Arg); Optional<SVal> V = getPointedToSVal(C, Arg);
if (V) if (V)
State = State->addTaint(*V); State = addTaint(State, *V);
} }
// Clear up the taint info from the state. // Clear up the taint info from the state.
State = State->remove<TaintArgsOnPostVisit>(); State = State->remove<TaintArgsOnPostVisit>();
if (State != C.getState()) { if (State != C.getState()) {
C.addTransition(State); C.addTransition(State);
return true; return true;
▲ Show 20 LinesShow All 188 Lines▼ Show 20 Linesbool GenericTaintChecker::generateReportIfTainted(const Expr *E,
const char Msg[], const char Msg[],
CheckerContext &C) const { CheckerContext &C) const {
assert(E); assert(E);
// Check for taint. // Check for taint.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
Optional<SVal> PointedToSVal = getPointedToSVal(C, E); Optional<SVal> PointedToSVal = getPointedToSVal(C, E);
SVal TaintedSVal; SVal TaintedSVal;
if (PointedToSVal && State->isTainted(*PointedToSVal)) if (PointedToSVal && isTainted(State, *PointedToSVal))
TaintedSVal = *PointedToSVal; TaintedSVal = *PointedToSVal;
else if (State->isTainted(E, C.getLocationContext())) else if (isTainted(State, E, C.getLocationContext()))
TaintedSVal = C.getSVal(E); TaintedSVal = C.getSVal(E);
else else
return false; return false;
// Generate diagnostic. // Generate diagnostic.
if (ExplodedNode *N = C.generateNonFatalErrorNode()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
initBugType(); initBugType();
auto report = llvm::make_unique<BugReport>(*BT, Msg, N); auto report = llvm::make_unique<BugReport>(*BT, Msg, N);
▲ Show 20 LinesShow All 91 LinesShow Last 20 Lines

lib/StaticAnalyzer/Checkers/Taint.h

//=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Defines basic, non-domain-specific mechanisms for tracking tainted values.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
namespace clang {
namespace ento {
namespace taint {
/// The type of taint, which helps to differentiate between different types of
/// taint.
using TaintTagType = unsigned;
static constexpr TaintTagType TaintTagGeneric = 0;
/// Create a new state in which the value of the statement is marked as tainted.
LLVM_NODISCARD ProgramStateRef
addTaint(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx,
TaintTagType Kind = TaintTagGeneric);
/// Create a new state in which the value is marked as tainted.
LLVM_NODISCARD ProgramStateRef
addTaint(ProgramStateRef State, SVal V,
TaintTagType Kind = TaintTagGeneric);
/// Create a new state in which the symbol is marked as tainted.
LLVM_NODISCARD ProgramStateRef
addTaint(ProgramStateRef State, SymbolRef Sym,
TaintTagType Kind = TaintTagGeneric);
/// Create a new state in which the pointer represented by the region
/// is marked as tainted.
LLVM_NODISCARD ProgramStateRef
addTaint(ProgramStateRef State, const MemRegion *R,
TaintTagType Kind = TaintTagGeneric);
/// Create a new state in a which a sub-region of a given symbol is tainted.
/// This might be necessary when referring to regions that can not have an
/// individual symbol, e.g. if they are represented by the default binding of
/// a LazyCompoundVal.
LLVM_NODISCARD ProgramStateRef
addPartialTaint(ProgramStateRef State,
SymbolRef ParentSym, const SubRegion *SubRegion,
TaintTagType Kind = TaintTagGeneric);
/// Check if the statement has a tainted value in the given state.
bool isTainted(ProgramStateRef State, const Stmt *S,
const LocationContext *LCtx,
TaintTagType Kind = TaintTagGeneric);
/// Check if the value is tainted in the given state.
bool isTainted(ProgramStateRef State, SVal V,
TaintTagType Kind = TaintTagGeneric);
/// Check if the symbol is tainted in the given state.
bool isTainted(ProgramStateRef State, SymbolRef Sym,
TaintTagType Kind = TaintTagGeneric);
/// Check if the pointer represented by the region is tainted in the given
/// state.
bool isTainted(ProgramStateRef State, const MemRegion *Reg,
TaintTagType Kind = TaintTagGeneric);
void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
const char *sep = "");
LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);
/// The bug visitor prints a diagnostic message at the location where a given
/// variable was tainted.
class TaintBugVisitor final : public BugReporterVisitor {
private:
const SVal V;
public:
TaintBugVisitor(const SVal V) : V(V) {}
void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); }
std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
BugReporterContext &BRC,
BugReport &BR) override;
};
} // namespace taint
} // namespace ento
} // namespace clang
#endif

lib/StaticAnalyzer/Checkers/Taint.cpp

//=== Taint.cpp - Taint tracking and basic propagation rules. ------*- C++ -*-//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Defines basic, non-domain-specific mechanisms for tracking tainted values.
//
//===----------------------------------------------------------------------===//
#include "Taint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
using namespace clang;
using namespace ento;
using namespace taint;
// Fully tainted symbols.
REGISTER_MAP_WITH_PROGRAMSTATE(TaintMap, SymbolRef, TaintTagType)
// Partially tainted symbols.
REGISTER_MAP_FACTORY_WITH_PROGRAMSTATE(TaintedSubRegions, const SubRegion *,
TaintTagType);
REGISTER_MAP_WITH_PROGRAMSTATE(DerivedSymTaint, SymbolRef, TaintedSubRegions)
void taint::printTaint(ProgramStateRef State, raw_ostream &Out, const char *NL,
const char *Sep) {
TaintMapTy TM = State->get<TaintMap>();
if (!TM.isEmpty())
Out << "Tainted symbols:" << NL;
for (const auto &I : TM)
Out << I.first << " : " << I.second << NL;
}
void dumpTaint(ProgramStateRef State) {
printTaint(State, llvm::errs());
}
ProgramStateRef taint::addTaint(ProgramStateRef State, const Stmt *S,
const LocationContext *LCtx,
TaintTagType Kind) {
return addTaint(State, State->getSVal(S, LCtx), Kind);
}
ProgramStateRef taint::addTaint(ProgramStateRef State, SVal V,
TaintTagType Kind) {
SymbolRef Sym = V.getAsSymbol();
if (Sym)
return addTaint(State, Sym, Kind);
// If the SVal represents a structure, try to mass-taint all values within the
// structure. For now it only works efficiently on lazy compound values that
// were conjured during a conservative evaluation of a function - either as
// return values of functions that return structures or arrays by value, or as
// values of structures or arrays passed into the function by reference,
// directly or through pointer aliasing. Such lazy compound values are
// characterized by having exactly one binding in their captured store within
// their parent region, which is a conjured symbol default-bound to the base
// region of the parent region.
if (auto LCV = V.getAs<nonloc::LazyCompoundVal>()) {
if (Optional<SVal> binding =
State->getStateManager().getStoreManager()
.getDefaultBinding(*LCV)) {
if (SymbolRef Sym = binding->getAsSymbol())
return addPartialTaint(State, Sym, LCV->getRegion(), Kind);
}
}
const MemRegion *R = V.getAsRegion();
return addTaint(State, R, Kind);
}
ProgramStateRef taint::addTaint(ProgramStateRef State, const MemRegion *R,
TaintTagType Kind) {
if (const SymbolicRegion *SR = dyn_cast_or_null<SymbolicRegion>(R))
return addTaint(State, SR->getSymbol(), Kind);
return State;
}
ProgramStateRef taint::addTaint(ProgramStateRef State, SymbolRef Sym,
TaintTagType Kind) {
// If this is a symbol cast, remove the cast before adding the taint. Taint
// is cast agnostic.
while (const SymbolCast *SC = dyn_cast<SymbolCast>(Sym))
Sym = SC->getOperand();
ProgramStateRef NewState = State->set<TaintMap>(Sym, Kind);
assert(NewState);
return NewState;
}
ProgramStateRef taint::addPartialTaint(ProgramStateRef State,
SymbolRef ParentSym,
const SubRegion *SubRegion,
TaintTagType Kind) {
// Ignore partial taint if the entire parent symbol is already tainted.
if (const TaintTagType *T = State->get<TaintMap>(ParentSym))
if (*T == Kind)
return State;
// Partial taint applies if only a portion of the symbol is tainted.
if (SubRegion == SubRegion->getBaseRegion())
return addTaint(State, ParentSym, Kind);
const TaintedSubRegions *SavedRegs = State->get<DerivedSymTaint>(ParentSym);
TaintedSubRegions::Factory &F = State->get_context<TaintedSubRegions>();
TaintedSubRegions Regs = SavedRegs ? *SavedRegs : F.getEmptyMap();
Regs = F.add(Regs, SubRegion, Kind);
ProgramStateRef NewState = State->set<DerivedSymTaint>(ParentSym, Regs);
assert(NewState);
return NewState;
}
bool taint::isTainted(ProgramStateRef State, const Stmt *S,
const LocationContext *LCtx, TaintTagType Kind) {
SVal val = State->getSVal(S, LCtx);
return isTainted(State, val, Kind);
}
bool taint::isTainted(ProgramStateRef State, SVal V, TaintTagType Kind) {
if (const SymExpr *Sym = V.getAsSymExpr())
return isTainted(State, Sym, Kind);
if (const MemRegion *Reg = V.getAsRegion())
return isTainted(State, Reg, Kind);
return false;
}
bool taint::isTainted(ProgramStateRef State, const MemRegion *Reg,
TaintTagType K) {
if (!Reg)
return false;
// Element region (array element) is tainted if either the base or the offset
// are tainted.
if (const ElementRegion *ER = dyn_cast<ElementRegion>(Reg))
return isTainted(State, ER->getSuperRegion(), K) ||
isTainted(State, ER->getIndex(), K);
if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(Reg))
return isTainted(State, SR->getSymbol(), K);
if (const SubRegion *ER = dyn_cast<SubRegion>(Reg))
return isTainted(State, ER->getSuperRegion(), K);
return false;
}
bool taint::isTainted(ProgramStateRef State, SymbolRef Sym, TaintTagType Kind) {
if (!Sym)
return false;
// Traverse all the symbols this symbol depends on to see if any are tainted.
for (SymExpr::symbol_iterator SI = Sym->symbol_begin(),
SE = Sym->symbol_end(); SI != SE; ++SI) {
if (!isa<SymbolData>(*SI))
continue;
if (const TaintTagType *Tag = State->get<TaintMap>(*SI)) {
if (*Tag == Kind)
return true;
}
if (const auto *SD = dyn_cast<SymbolDerived>(*SI)) {
// If this is a SymbolDerived with a tainted parent, it's also tainted.
if (isTainted(State, SD->getParentSymbol(), Kind))
return true;
// If this is a SymbolDerived with the same parent symbol as another
// tainted SymbolDerived and a region that's a sub-region of that tainted
// symbol, it's also tainted.
if (const TaintedSubRegions *Regs =
State->get<DerivedSymTaint>(SD->getParentSymbol())) {
const TypedValueRegion *R = SD->getRegion();
for (auto I : *Regs) {
// FIXME: The logic to identify tainted regions could be more
// complete. For example, this would not currently identify
// overlapping fields in a union as tainted. To identify this we can
// check for overlapping/nested byte offsets.
if (Kind == I.second && R->isSubRegionOf(I.first))
return true;
}
}
}
// If memory region is tainted, data is also tainted.
if (const auto *SRV = dyn_cast<SymbolRegionValue>(*SI)) {
if (isTainted(State, SRV->getRegion(), Kind))
return true;
}
// If this is a SymbolCast from a tainted value, it's also tainted.
if (const auto *SC = dyn_cast<SymbolCast>(*SI)) {
if (isTainted(State, SC->getOperand(), Kind))
return true;
}
}
return false;
}
std::shared_ptr<PathDiagnosticPiece>
TaintBugVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BRC,
BugReport &BR) {
// Find the ExplodedNode where the taint was first introduced
if (!isTainted(N->getState(), V) ||
isTainted(N->getFirstPred()->getState(), V))
return nullptr;
const Stmt *S = PathDiagnosticLocation::getStmt(N);
if (!S)
return nullptr;
const LocationContext *NCtx = N->getLocationContext();
PathDiagnosticLocation L =
PathDiagnosticLocation::createBegin(S, BRC.getSourceManager(), NCtx);
if (!L.isValid() || !L.asLocation().isValid())
return nullptr;
return std::make_shared<PathDiagnosticEventPiece>(L, "Taint originated here");
}

lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp

//== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=// //== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This checker can be used for testing how taint data is propagated. // This checker can be used for testing how taint data is propagated.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "Taint.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint;
namespace { namespace {
class TaintTesterChecker : public Checker< check::PostStmt<Expr> > { class TaintTesterChecker : public Checker< check::PostStmt<Expr> > {
mutable std::unique_ptr<BugType> BT; mutable std::unique_ptr<BugType> BT;
void initBugType() const; void initBugType() const;
/// Given a pointer argument, get the symbol of the value it contains /// Given a pointer argument, get the symbol of the value it contains
Show All 13 Lines
} }
void TaintTesterChecker::checkPostStmt(const Expr *E, void TaintTesterChecker::checkPostStmt(const Expr *E,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (!State) if (!State)
return; return;
if (State->isTainted(E, C.getLocationContext())) { if (isTainted(State, E, C.getLocationContext())) {
if (ExplodedNode *N = C.generateNonFatalErrorNode()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
initBugType(); initBugType();
auto report = llvm::make_unique<BugReport>(*BT, "tainted",N); auto report = llvm::make_unique<BugReport>(*BT, "tainted",N);
report->addRange(E->getSourceRange()); report->addRange(E->getSourceRange());
C.emitReport(std::move(report)); C.emitReport(std::move(report));
} }
} }
} }
void ento::registerTaintTesterChecker(CheckerManager &mgr) { void ento::registerTaintTesterChecker(CheckerManager &mgr) {
mgr.registerChecker<TaintTesterChecker>(); mgr.registerChecker<TaintTesterChecker>();
} }
bool ento::shouldRegisterTaintTesterChecker(const LangOptions &LO) { bool ento::shouldRegisterTaintTesterChecker(const LangOptions &LO) {
return true; return true;
} }

lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp

//=== VLASizeChecker.cpp - Undefined dereference checker --------*- C++ -*-===// //=== VLASizeChecker.cpp - Undefined dereference checker --------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This defines VLASizeChecker, a builtin check in ExprEngine that // This defines VLASizeChecker, a builtin check in ExprEngine that
// performs checks for declaration of VLA of undefined or zero size. // performs checks for declaration of VLA of undefined or zero size.
// In addition, VLASizeChecker is responsible for defining the extent // In addition, VLASizeChecker is responsible for defining the extent
// of the MemRegion that represents a VLA. // of the MemRegion that represents a VLA.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "Taint.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/CharUnits.h" #include "clang/AST/CharUnits.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint;
namespace { namespace {
class VLASizeChecker : public Checker< check::PreStmt<DeclStmt> > { class VLASizeChecker : public Checker< check::PreStmt<DeclStmt> > {
mutable std::unique_ptr<BugType> BT; mutable std::unique_ptr<BugType> BT;
enum VLASize_Kind { VLA_Garbage, VLA_Zero, VLA_Tainted, VLA_Negative }; enum VLASize_Kind { VLA_Garbage, VLA_Zero, VLA_Tainted, VLA_Negative };
void reportBug(VLASize_Kind Kind, const Expr *SizeE, ProgramStateRef State, void reportBug(VLASize_Kind Kind, const Expr *SizeE, ProgramStateRef State,
CheckerContext &C, CheckerContext &C,
▲ Show 20 LinesShow All 65 Lines▼ Show 20 Linesvoid VLASizeChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
} }
// See if the size value is known. It can't be undefined because we would have // See if the size value is known. It can't be undefined because we would have
// warned about that already. // warned about that already.
if (sizeV.isUnknown()) if (sizeV.isUnknown())
return; return;
// Check if the size is tainted. // Check if the size is tainted.
if (state->isTainted(sizeV)) { if (isTainted(state, sizeV)) {
reportBug(VLA_Tainted, SE, nullptr, C, reportBug(VLA_Tainted, SE, nullptr, C,
llvm::make_unique<TaintBugVisitor>(sizeV)); llvm::make_unique<TaintBugVisitor>(sizeV));
return; return;
} }
// Check if the size is zero. // Check if the size is zero.
DefinedSVal sizeD = sizeV.castAs<DefinedSVal>(); DefinedSVal sizeD = sizeV.castAs<DefinedSVal>();
▲ Show 20 LinesShow All 71 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 2,406 Lines▼ Show 20 Lines Out << "Assuming " << Met->getParamDecl(0)->getName() <<
((Param == This) ? " == " : " != ") << "*this"; ((Param == This) ? " == " : " != ") << "*this";
auto Piece = std::make_shared<PathDiagnosticEventPiece>(L, Out.str()); auto Piece = std::make_shared<PathDiagnosticEventPiece>(L, Out.str());
Piece->addRange(Met->getSourceRange()); Piece->addRange(Met->getSourceRange());
return std::move(Piece); return std::move(Piece);
} }
std::shared_ptr<PathDiagnosticPiece>
TaintBugVisitor::VisitNode(const ExplodedNode *N,
BugReporterContext &BRC, BugReport &) {
// Find the ExplodedNode where the taint was first introduced
if (!N->getState()->isTainted(V) || N->getFirstPred()->getState()->isTainted(V))
return nullptr;
const Stmt *S = PathDiagnosticLocation::getStmt(N);
if (!S)
return nullptr;
const LocationContext *NCtx = N->getLocationContext();
PathDiagnosticLocation L =
PathDiagnosticLocation::createBegin(S, BRC.getSourceManager(), NCtx);
if (!L.isValid() || !L.asLocation().isValid())
return nullptr;
return std::make_shared<PathDiagnosticEventPiece>(L, "Taint originated here");
}
FalsePositiveRefutationBRVisitor::FalsePositiveRefutationBRVisitor() FalsePositiveRefutationBRVisitor::FalsePositiveRefutationBRVisitor()
: Constraints(ConstraintRangeTy::Factory().getEmptyMap()) {} : Constraints(ConstraintRangeTy::Factory().getEmptyMap()) {}
void FalsePositiveRefutationBRVisitor::finalizeVisitor( void FalsePositiveRefutationBRVisitor::finalizeVisitor(
BugReporterContext &BRC, const ExplodedNode *EndPathNode, BugReport &BR) { BugReporterContext &BRC, const ExplodedNode *EndPathNode, BugReport &BR) {
// Collect new constraints // Collect new constraints
VisitNode(EndPathNode, BRC, BR); VisitNode(EndPathNode, BRC, BR);
▲ Show 20 LinesShow All 81 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/CMakeLists.txt

Show All 39 Linesadd_clang_library(clangStaticAnalyzerCore
SimpleConstraintManager.cpp SimpleConstraintManager.cpp
SimpleSValBuilder.cpp SimpleSValBuilder.cpp
SMTConstraintManager.cpp SMTConstraintManager.cpp
Store.cpp Store.cpp
SubEngine.cpp SubEngine.cpp
SValBuilder.cpp SValBuilder.cpp
SVals.cpp SVals.cpp
SymbolManager.cpp SymbolManager.cpp
TaintManager.cpp
WorkList.cpp WorkList.cpp
LINK_LIBS LINK_LIBS
clangAST clangAST
clangASTMatchers clangASTMatchers
clangAnalysis clangAnalysis
clangBasic clangBasic
clangCrossTU clangCrossTU
clangLex clangLex
clangRewrite clangRewrite
) )

lib/StaticAnalyzer/Core/ProgramState.cpp

Show All 10 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/Analysis/CFG.h" #include "clang/Analysis/CFG.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/TaintManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace clang { namespace ento { namespace clang { namespace ento {
/// Increments the number of times this state is referenced. /// Increments the number of times this state is referenced.
▲ Show 20 LinesShow All 425 Lines▼ Show 20 Linesvoid ProgramState::print(raw_ostream &Out,
Env.print(Out, NL, Sep, Context, LC); Env.print(Out, NL, Sep, Context, LC);
// Print out the constraints. // Print out the constraints.
Mgr.getConstraintManager().print(this, Out, NL, Sep); Mgr.getConstraintManager().print(this, Out, NL, Sep);
// Print out the tracked dynamic types. // Print out the tracked dynamic types.
printDynamicTypeInfo(this, Out, NL, Sep); printDynamicTypeInfo(this, Out, NL, Sep);
// Print out tainted symbols.
printTaint(Out, NL);
// Print checker-specific data. // Print checker-specific data.
Mgr.getOwningEngine().printState(Out, this, NL, Sep, LC); Mgr.getOwningEngine().printState(Out, this, NL, Sep, LC);
} }
void ProgramState::printDOT(raw_ostream &Out, void ProgramState::printDOT(raw_ostream &Out,
const LocationContext *LC) const { const LocationContext *LC) const {
print(Out, "\\l", "\\|", LC); print(Out, "\\l", "\\|", LC);
} }
LLVM_DUMP_METHOD void ProgramState::dump() const { LLVM_DUMP_METHOD void ProgramState::dump() const {
print(llvm::errs()); print(llvm::errs());
} }
void ProgramState::printTaint(raw_ostream &Out,
const char *NL) const {
TaintMapImpl TM = get<TaintMap>();
if (!TM.isEmpty())
Out <<"Tainted symbols:" << NL;
for (TaintMapImpl::iterator I = TM.begin(), E = TM.end(); I != E; ++I) {
Out << I->first << " : " << I->second << NL;
}
}
void ProgramState::dumpTaint() const {
printTaint(llvm::errs());
}
AnalysisManager& ProgramState::getAnalysisManager() const { AnalysisManager& ProgramState::getAnalysisManager() const {
return stateMgr->getOwningEngine().getAnalysisManager(); return stateMgr->getOwningEngine().getAnalysisManager();
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Generic Data Map. // Generic Data Map.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 151 Lines▼ Show 20 Linesbool ProgramState::scanReachableSymbols(
SymbolVisitor &visitor) const { SymbolVisitor &visitor) const {
ScanReachableSymbols S(this, visitor); ScanReachableSymbols S(this, visitor);
for (const MemRegion *R : Reachable) { for (const MemRegion *R : Reachable) {
if (!S.scan(R)) if (!S.scan(R))
return false; return false;
} }
return true; return true;
} }
ProgramStateRef ProgramState::addTaint(const Stmt *S,
const LocationContext *LCtx,
TaintTagType Kind) const {
if (const Expr *E = dyn_cast_or_null<Expr>(S))
S = E->IgnoreParens();
return addTaint(getSVal(S, LCtx), Kind);
}
ProgramStateRef ProgramState::addTaint(SVal V,
TaintTagType Kind) const {
SymbolRef Sym = V.getAsSymbol();
if (Sym)
return addTaint(Sym, Kind);
// If the SVal represents a structure, try to mass-taint all values within the
// structure. For now it only works efficiently on lazy compound values that
// were conjured during a conservative evaluation of a function - either as
// return values of functions that return structures or arrays by value, or as
// values of structures or arrays passed into the function by reference,
// directly or through pointer aliasing. Such lazy compound values are
// characterized by having exactly one binding in their captured store within
// their parent region, which is a conjured symbol default-bound to the base
// region of the parent region.
if (auto LCV = V.getAs<nonloc::LazyCompoundVal>()) {
if (Optional<SVal> binding = getStateManager().StoreMgr->getDefaultBinding(*LCV)) {
if (SymbolRef Sym = binding->getAsSymbol())
return addPartialTaint(Sym, LCV->getRegion(), Kind);
}
}
const MemRegion *R = V.getAsRegion();
return addTaint(R, Kind);
}
ProgramStateRef ProgramState::addTaint(const MemRegion *R,
TaintTagType Kind) const {
if (const SymbolicRegion *SR = dyn_cast_or_null<SymbolicRegion>(R))
return addTaint(SR->getSymbol(), Kind);
return this;
}
ProgramStateRef ProgramState::addTaint(SymbolRef Sym,
TaintTagType Kind) const {
// If this is a symbol cast, remove the cast before adding the taint. Taint
// is cast agnostic.
while (const SymbolCast *SC = dyn_cast<SymbolCast>(Sym))
Sym = SC->getOperand();
ProgramStateRef NewState = set<TaintMap>(Sym, Kind);
assert(NewState);
return NewState;
}
ProgramStateRef ProgramState::addPartialTaint(SymbolRef ParentSym,
const SubRegion *SubRegion,
TaintTagType Kind) const {
// Ignore partial taint if the entire parent symbol is already tainted.
if (contains<TaintMap>(ParentSym) && *get<TaintMap>(ParentSym) == Kind)
return this;
// Partial taint applies if only a portion of the symbol is tainted.
if (SubRegion == SubRegion->getBaseRegion())
return addTaint(ParentSym, Kind);
const TaintedSubRegions *SavedRegs = get<DerivedSymTaint>(ParentSym);
TaintedSubRegions Regs =
SavedRegs ? *SavedRegs : stateMgr->TSRFactory.getEmptyMap();
Regs = stateMgr->TSRFactory.add(Regs, SubRegion, Kind);
ProgramStateRef NewState = set<DerivedSymTaint>(ParentSym, Regs);
assert(NewState);
return NewState;
}
bool ProgramState::isTainted(const Stmt *S, const LocationContext *LCtx,
TaintTagType Kind) const {
if (const Expr *E = dyn_cast_or_null<Expr>(S))
S = E->IgnoreParens();
SVal val = getSVal(S, LCtx);
return isTainted(val, Kind);
}
bool ProgramState::isTainted(SVal V, TaintTagType Kind) const {
if (const SymExpr *Sym = V.getAsSymExpr())
return isTainted(Sym, Kind);
if (const MemRegion *Reg = V.getAsRegion())
return isTainted(Reg, Kind);
return false;
}
bool ProgramState::isTainted(const MemRegion *Reg, TaintTagType K) const {
if (!Reg)
return false;
// Element region (array element) is tainted if either the base or the offset
// are tainted.
if (const ElementRegion *ER = dyn_cast<ElementRegion>(Reg))
return isTainted(ER->getSuperRegion(), K) || isTainted(ER->getIndex(), K);
if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(Reg))
return isTainted(SR->getSymbol(), K);
if (const SubRegion *ER = dyn_cast<SubRegion>(Reg))
return isTainted(ER->getSuperRegion(), K);
return false;
}
bool ProgramState::isTainted(SymbolRef Sym, TaintTagType Kind) const {
if (!Sym)
return false;
// Traverse all the symbols this symbol depends on to see if any are tainted.
for (SymExpr::symbol_iterator SI = Sym->symbol_begin(), SE =Sym->symbol_end();
SI != SE; ++SI) {
if (!isa<SymbolData>(*SI))
continue;
if (const TaintTagType *Tag = get<TaintMap>(*SI)) {
if (*Tag == Kind)
return true;
}
if (const SymbolDerived *SD = dyn_cast<SymbolDerived>(*SI)) {
// If this is a SymbolDerived with a tainted parent, it's also tainted.
if (isTainted(SD->getParentSymbol(), Kind))
return true;
// If this is a SymbolDerived with the same parent symbol as another
// tainted SymbolDerived and a region that's a sub-region of that tainted
// symbol, it's also tainted.
if (const TaintedSubRegions *Regs =
get<DerivedSymTaint>(SD->getParentSymbol())) {
const TypedValueRegion *R = SD->getRegion();
for (auto I : *Regs) {
// FIXME: The logic to identify tainted regions could be more
// complete. For example, this would not currently identify
// overlapping fields in a union as tainted. To identify this we can
// check for overlapping/nested byte offsets.
if (Kind == I.second && R->isSubRegionOf(I.first))
return true;
}
}
}
// If memory region is tainted, data is also tainted.
if (const SymbolRegionValue *SRV = dyn_cast<SymbolRegionValue>(*SI)) {
if (isTainted(SRV->getRegion(), Kind))
return true;
}
// If this is a SymbolCast from a tainted value, it's also tainted.
if (const SymbolCast *SC = dyn_cast<SymbolCast>(*SI)) {
if (isTainted(SC->getOperand(), Kind))
return true;
}
}
return false;
}

lib/StaticAnalyzer/Core/TaintManager.cpp

//== TaintManager.cpp ------------------------------------------ -*- C++ -*--=//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/TaintManager.h"
using namespace clang;
using namespace ento;
void *ProgramStateTrait<TaintMap>::GDMIndex() {
static int index = 0;
return &index;
}
void *ProgramStateTrait<DerivedSymTaint>::GDMIndex() {
static int index;
return &index;
}

test/Analysis/taint-dumps.c

// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint\
// RUN: -analyzer-checker=debug.ExprInspection %s\
// RUN: 2>&1 | FileCheck %s
void clang_analyzer_printState();
int getchar();
// CHECK: Tainted symbols:
// CHECK-NEXT: conj_$2{{.*}} : 0
int test_taint_dumps() {
int x = getchar();
clang_analyzer_printState();
return x;
}
lib/StaticAnalyzer/Core/ProgramState.cpp