This is an archive of the discontinued LLVM Phabricator instance.

Differential D74131

[analyzer][taint] Add isTainted debug expression inspection check
ClosedPublic

Authored by steakhal on Feb 6 2020, 7:51 AM.

Details

Reviewers
NoQ
Szelethus
baloghadamsoftware
xazax.hun
boga95
Commits
rG5ecc286ca381: [analyzer][taint] Add isTainted debug expression inspection check
rG859bcf4e3bb9: [analyzer][taint] Add isTainted debug expression inspection check
Summary

This patch introduces the clang_analyzer_isTainted expression inspection check for checking taint.

Using this we could query the analyzer whether the expression used as the argument is tainted or not.
This would be useful in tests, where we don't want to issue warning for all tainted expressions in a given file (like the debug.TaintTest would do) but only for certain expressions.

Example usage:

int read_integer() {
  int n;
  clang_analyzer_isTainted(n);     // expected-warning{{NO}}
  scanf("%d", &n);
  clang_analyzer_isTainted(n);     // expected-warning{{YES}}
  clang_analyzer_isTainted(n + 2); // expected-warning{{YES}}
  clang_analyzer_isTainted(n > 0); // expected-warning{{YES}}
  return n;
}

Diff Detail

Event Timeline

steakhal created this revision.Feb 6 2020, 7:51 AM
Herald added subscribers: cfe-commits, Charusso, donat.nagy and 6 others. · View Herald TranscriptFeb 6 2020, 7:51 AM
xazax.hun added a comment.Feb 6 2020, 3:29 PM

Please add a test as well. Otherwise looks good.

clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp
78

I think a comment somewhere why/when do we check only the prefix would be useful.

Szelethus added reviewers: baloghadamsoftware, xazax.hun.Feb 7 2020, 4:21 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptFeb 7 2020, 4:21 AM
Szelethus added a comment.Feb 7 2020, 4:22 AM

After tests are added and clang-format-diff.py is ran, this would be an amazing patch, thanks!

steakhal updated this revision to Diff 243144.Feb 7 2020, 5:20 AM
  • Tests added.
  • Clang-format-diff applied.
steakhal updated this revision to Diff 243146.Feb 7 2020, 5:27 AM

Clarified example usage, especially in contrast of eg.: debug.TaintTest checker.

steakhal marked an inline comment as done.Feb 10 2020, 12:13 AM
steakhal added a comment.Feb 20 2020, 4:20 AM

If this patch is good to go, could someone commit it?
I don't have commit access (yet).

Herald added a subscriber: martong. · View Herald TranscriptFeb 20 2020, 4:20 AM
Szelethus added a reviewer: boga95.Feb 24 2020, 7:51 AM
In D74131#1884372, @steakhal wrote:

If this patch is good to go, could someone commit it?
I don't have commit access (yet).

I think you can apply for a commit access, you have a history of high quality patches!

clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp
78

This isn't done?

427–430

Might as well create a test case for this.

steakhal updated this revision to Diff 246420.Feb 25 2020, 5:21 AM

Declaring the purpose of this checker:

[...]
This would help to reduce the *noise* that the TaintTest debug checker would
introduce and let you focus on the expected-warnings that you really care
about.

Added test to exactly one argument requirement.

steakhal marked 2 inline comments as done.Feb 25 2020, 5:21 AM

Marking comments done.

Szelethus accepted this revision.Mar 2 2020, 6:56 AM

LGTM, thanks! Feel free to commit as you're ready.

clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp
78

The documentation shows plenty of other similar debug functions, I think this patch is fine in this regard.

This revision is now accepted and ready to land.Mar 2 2020, 6:56 AM
Closed by commit rG859bcf4e3bb9: [analyzer][taint] Add isTainted debug expression inspection check (authored by steakhal). · Explain WhyMar 3 2020, 5:40 AM
This revision was automatically updated to reflect the committed changes.
steakhal marked an inline comment as done.
Szelethus mentioned this in D75682: [Analyzer][StreamChecker] Introduction of stream error handling..Mar 18 2020, 9:30 AM

Revision Contents

PathSize
clang/
docs/
analyzer/
developer-docs/
22 lines
lib/
StaticAnalyzer/
Checkers/
61 lines
test/
Analysis/
27 lines

Diff 247870

clang/docs/analyzer/developer-docs/DebugChecks.rst

Show First 20 LinesShow All 269 Lines▼ Show 20 Lines void foo(int x) {
clang_analyzer_denote(x, "$x"); clang_analyzer_denote(x, "$x");
clang_analyzer_express(x + 1); // expected-warning{{$x + 1}} clang_analyzer_express(x + 1); // expected-warning{{$x + 1}}
} }
- ``void clang_analyzer_express(int);`` - ``void clang_analyzer_express(int);``
See clang_analyzer_denote(). See clang_analyzer_denote().
- ``void clang_analyzer_isTainted(a single argument of any type);``
Queries the analyzer whether the expression used as argument is tainted or not.
This is useful in tests, where we don't want to issue warning for all tainted
expressions but only check for certain expressions.
This would help to reduce the *noise* that the `TaintTest` debug checker would
introduce and let you focus on the `expected-warning`s that you really care
about.
Example usage::
int read_integer() {
int n;
clang_analyzer_isTainted(n); // expected-warning{{NO}}
scanf("%d", &n);
clang_analyzer_isTainted(n); // expected-warning{{YES}}
clang_analyzer_isTainted(n + 2); // expected-warning{{YES}}
clang_analyzer_isTainted(n > 0); // expected-warning{{YES}}
int next_tainted_value = n; // no-warning
return n;
}
Statistics Statistics
========== ==========
The debug.Stats checker collects various information about the analysis of each The debug.Stats checker collects various information about the analysis of each
function, such as how many blocks were reached and if the analyzer timed out. function, such as how many blocks were reached and if the analyzer timed out.
There is also an additional -analyzer-stats flag, which enables various There is also an additional -analyzer-stats flag, which enables various
statistics within the analyzer engine. Note the Stats checker (which produces at statistics within the analyzer engine. Note the Stats checker (which produces at
Show All 9 Lines

clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp

//==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==// //==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "Taint.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/SValExplainer.h" #include "clang/StaticAnalyzer/Checkers/SValExplainer.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/IssueHash.h" #include "clang/StaticAnalyzer/Core/IssueHash.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
Show All 24 Linesclass ExprInspectionChecker : public Checker<eval::Call, check::DeadSymbols,
void analyzerWarnOnDeadSymbol(const CallExpr *CE, CheckerContext &C) const; void analyzerWarnOnDeadSymbol(const CallExpr *CE, CheckerContext &C) const;
void analyzerDump(const CallExpr *CE, CheckerContext &C) const; void analyzerDump(const CallExpr *CE, CheckerContext &C) const;
void analyzerExplain(const CallExpr *CE, CheckerContext &C) const; void analyzerExplain(const CallExpr *CE, CheckerContext &C) const;
void analyzerPrintState(const CallExpr *CE, CheckerContext &C) const; void analyzerPrintState(const CallExpr *CE, CheckerContext &C) const;
void analyzerGetExtent(const CallExpr *CE, CheckerContext &C) const; void analyzerGetExtent(const CallExpr *CE, CheckerContext &C) const;
void analyzerHashDump(const CallExpr *CE, CheckerContext &C) const; void analyzerHashDump(const CallExpr *CE, CheckerContext &C) const;
void analyzerDenote(const CallExpr *CE, CheckerContext &C) const; void analyzerDenote(const CallExpr *CE, CheckerContext &C) const;
void analyzerExpress(const CallExpr *CE, CheckerContext &C) const; void analyzerExpress(const CallExpr *CE, CheckerContext &C) const;
void analyzerIsTainted(const CallExpr *CE, CheckerContext &C) const;
typedef void (ExprInspectionChecker::*FnCheck)(const CallExpr *, typedef void (ExprInspectionChecker::*FnCheck)(const CallExpr *,
CheckerContext &C) const; CheckerContext &C) const;
ExplodedNode *reportBug(llvm::StringRef Msg, CheckerContext &C) const; ExplodedNode *reportBug(llvm::StringRef Msg, CheckerContext &C) const;
ExplodedNode *reportBug(llvm::StringRef Msg, BugReporter &BR, ExplodedNode *reportBug(llvm::StringRef Msg, BugReporter &BR,
ExplodedNode *N) const; ExplodedNode *N) const;
Show All 11 Lines
bool ExprInspectionChecker::evalCall(const CallEvent &Call, bool ExprInspectionChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE) if (!CE)
return false; return false;
// These checks should have no effect on the surrounding environment // These checks should have no effect on the surrounding environment
// (globals should not be invalidated, etc), hence the use of evalCall. // (globals should not be invalidated, etc), hence the use of evalCall.
FnCheck Handler = llvm::StringSwitch<FnCheck>(C.getCalleeName(CE)) FnCheck Handler =
xazax.hunUnsubmitted
Done
ReplyInline Actions

I think a comment somewhere why/when do we check only the prefix would be useful.

xazax.hun: I think a comment somewhere why/when do we check only the prefix would be useful.
SzelethusUnsubmitted
Done
ReplyInline Actions

This isn't done?

Szelethus: This isn't done?
SzelethusUnsubmitted
Not Done
ReplyInline Actions

The documentation shows plenty of other similar debug functions, I think this patch is fine in this regard.

Szelethus: The documentation shows plenty of other similar debug functions, I think this patch is fine in…
llvm::StringSwitch<FnCheck>(C.getCalleeName(CE))
.Case("clang_analyzer_eval", &ExprInspectionChecker::analyzerEval) .Case("clang_analyzer_eval", &ExprInspectionChecker::analyzerEval)
.Case("clang_analyzer_checkInlined", .Case("clang_analyzer_checkInlined",
&ExprInspectionChecker::analyzerCheckInlined) &ExprInspectionChecker::analyzerCheckInlined)
.Case("clang_analyzer_crash", &ExprInspectionChecker::analyzerCrash) .Case("clang_analyzer_crash", &ExprInspectionChecker::analyzerCrash)
.Case("clang_analyzer_warnIfReached", .Case("clang_analyzer_warnIfReached",
&ExprInspectionChecker::analyzerWarnIfReached) &ExprInspectionChecker::analyzerWarnIfReached)
.Case("clang_analyzer_warnOnDeadSymbol", .Case("clang_analyzer_warnOnDeadSymbol",
&ExprInspectionChecker::analyzerWarnOnDeadSymbol) &ExprInspectionChecker::analyzerWarnOnDeadSymbol)
.StartsWith("clang_analyzer_explain", &ExprInspectionChecker::analyzerExplain) .StartsWith("clang_analyzer_explain",
.StartsWith("clang_analyzer_dump", &ExprInspectionChecker::analyzerDump) &ExprInspectionChecker::analyzerExplain)
.Case("clang_analyzer_getExtent", &ExprInspectionChecker::analyzerGetExtent) .StartsWith("clang_analyzer_dump",
&ExprInspectionChecker::analyzerDump)
.Case("clang_analyzer_getExtent",
&ExprInspectionChecker::analyzerGetExtent)
.Case("clang_analyzer_printState", .Case("clang_analyzer_printState",
&ExprInspectionChecker::analyzerPrintState) &ExprInspectionChecker::analyzerPrintState)
.Case("clang_analyzer_numTimesReached", .Case("clang_analyzer_numTimesReached",
&ExprInspectionChecker::analyzerNumTimesReached) &ExprInspectionChecker::analyzerNumTimesReached)
.Case("clang_analyzer_hashDump", &ExprInspectionChecker::analyzerHashDump) .Case("clang_analyzer_hashDump",
&ExprInspectionChecker::analyzerHashDump)
.Case("clang_analyzer_denote", &ExprInspectionChecker::analyzerDenote) .Case("clang_analyzer_denote", &ExprInspectionChecker::analyzerDenote)
.Case("clang_analyzer_express", &ExprInspectionChecker::analyzerExpress) .Case("clang_analyzer_express",
&ExprInspectionChecker::analyzerExpress)
.StartsWith("clang_analyzer_isTainted",
&ExprInspectionChecker::analyzerIsTainted)
.Default(nullptr); .Default(nullptr);
if (!Handler) if (!Handler)
return false; return false;
(this->*Handler)(CE, C); (this->*Handler)(CE, C);
return true; return true;
} }
▲ Show 20 LinesShow All 303 Lines▼ Show 20 Linesvoid ExprInspectionChecker::analyzerExpress(const CallExpr *CE,
if (!Str) { if (!Str) {
reportBug("Unable to express", C); reportBug("Unable to express", C);
return; return;
} }
reportBug(*Str, C); reportBug(*Str, C);
} }
void ExprInspectionChecker::analyzerIsTainted(const CallExpr *CE,
CheckerContext &C) const {
if (CE->getNumArgs() != 1) {
reportBug("clang_analyzer_isTainted() requires exactly one argument", C);
return;
}
SzelethusUnsubmitted
Done
ReplyInline Actions

Might as well create a test case for this.

Szelethus: Might as well create a test case for this.
const bool IsTainted =
taint::isTainted(C.getState(), CE->getArg(0), C.getLocationContext());
reportBug(IsTainted ? "YES" : "NO", C);
}
void ento::registerExprInspectionChecker(CheckerManager &Mgr) { void ento::registerExprInspectionChecker(CheckerManager &Mgr) {
Mgr.registerChecker<ExprInspectionChecker>(); Mgr.registerChecker<ExprInspectionChecker>();
} }
bool ento::shouldRegisterExprInspectionChecker(const LangOptions &LO) { bool ento::shouldRegisterExprInspectionChecker(const LangOptions &LO) {
return true; return true;
} }

clang/test/Analysis/debug-exprinspection-istainted.c

  • This file was added.
// RUN: %clang_analyze_cc1 -verify %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-checker=alpha.security.taint
int scanf(const char *restrict format, ...);
void clang_analyzer_isTainted(char);
void clang_analyzer_isTainted_any_suffix(char);
void clang_analyzer_isTainted_many_arguments(char, int, int);
void foo() {
char buf[32] = "";
clang_analyzer_isTainted(buf[0]); // expected-warning {{NO}}
clang_analyzer_isTainted_any_suffix(buf[0]); // expected-warning {{NO}}
scanf("%s", buf);
clang_analyzer_isTainted(buf[0]); // expected-warning {{YES}}
clang_analyzer_isTainted_any_suffix(buf[0]); // expected-warning {{YES}}
int tainted_value = buf[0]; // no-warning
}
void exactly_one_argument_required() {
char buf[32] = "";
scanf("%s", buf);
clang_analyzer_isTainted_many_arguments(buf[0], 42, 42);
// expected-warning@-1 {{clang_analyzer_isTainted() requires exactly one argument}}
}