summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
Commit message (Collapse)AuthorAgeFilesLines
* Refactor: Simplify boolean conditional return statements in ↵Alexander Kornienko2015-12-281-14/+5
| | | | | | | | | | | | | | | | lib/StaticAnalyzer/Checkers Summary: Use clang-tidy to simplify boolean conditional return values Reviewers: dcoughlin, krememek Subscribers: krememek, cfe-commits Patch by Richard Thomson! Differential Revision: http://reviews.llvm.org/D10021 llvm-svn: 256491
* [analyzer] Add generateErrorNode() APIs to CheckerContext.Devin Coughlin2015-09-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
* [analyzer] Apply whitespace cleanups by Honggyu Kim.Ted Kremenek2015-09-081-5/+5
| | | | llvm-svn: 246978
* Clarify pointer ownership semantics by hoisting the std::unique_ptr creation ↵Aaron Ballman2015-06-231-2/+2
| | | | | | to the caller instead of hiding it in emitReport. NFC. llvm-svn: 240400
* Fixes a typo in a comment.Enrico Pertoso2015-06-031-1/+1
| | | | llvm-svn: 238910
* [C++11] Use 'nullptr'. StaticAnalyzer edition.Craig Topper2014-05-271-7/+7
| | | | llvm-svn: 209642
* remove a bunch of unused private methodsNuno Lopes2014-03-231-1/+0
| | | | | | | | | | | | | | | | | | found with a smarter version of -Wunused-member-function that I'm playwing with. Appologies in advance if I removed someone's WIP code. ARCMigrate/TransProperties.cpp | 8 ----- AST/MicrosoftMangle.cpp | 1 Analysis/AnalysisDeclContext.cpp | 5 --- Analysis/LiveVariables.cpp | 14 ---------- Index/USRGeneration.cpp | 10 ------- Sema/Sema.cpp | 33 +++++++++++++++++++++--- Sema/SemaChecking.cpp | 3 -- Sema/SemaDecl.cpp | 20 ++------------ StaticAnalyzer/Checkers/GenericTaintChecker.cpp | 1 9 files changed, 34 insertions(+), 61 deletions(-) llvm-svn: 204561
* [C++11] Replacing DeclBase iterators specific_attr_begin() and ↵Aaron Ballman2014-03-101-5/+1
| | | | | | specific_attr_end() with iterator_range specific_attrs(). Updating all of the usages of the iterators with range-based for loops. llvm-svn: 203474
* Replace OwningPtr with std::unique_ptr.Ahmed Charles2014-03-071-1/+1
| | | | | | This compiles cleanly with lldb/lld/clang-tools-extra/llvm. llvm-svn: 203279
* Expose the name of the checker producing each diagnostic message.Alexander Kornienko2014-02-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Summary: In clang-tidy we'd like to know the name of the checker producing each diagnostic message. PathDiagnostic has BugType and Category fields, which are both arbitrary human-readable strings, but we need to know the exact name of the checker in the form that can be used in the CheckersControlList option to enable/disable the specific checker. This patch adds the CheckName field to the CheckerBase class, and sets it in the CheckerManager::registerChecker() method, which gets them from the CheckerRegistry. Checkers that implement multiple checks have to store the names of each check in the respective registerXXXChecker method. Reviewers: jordan_rose, krememek Reviewed By: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D2557 llvm-svn: 201186
* Switched FormatAttr to using an IdentifierArgument instead of a ↵Aaron Ballman2013-09-031-1/+2
| | | | | | StringArgument since that is a more accurate modeling. llvm-svn: 189851
* Include llvm::Optional in clang/Basic/LLVM.hDavid Blaikie2013-02-201-1/+1
| | | | | | Post-commit CR feedback from Jordan Rose regarding r175594. llvm-svn: 175679
* Replace SVal llvm::cast support to be well-defined.David Blaikie2013-02-201-1/+1
| | | | | | See r175462 for another example/more details. llvm-svn: 175594
* Remove useless 'llvm::' qualifier from names like StringRef and others that areDmitri Gribenko2013-01-121-1/+1
| | | | | | brought into 'clang' namespace by clang/Basic/LLVM.h llvm-svn: 172323
* Sort all of Clang's files under 'lib', and fix up the broken headersChandler Carruth2012-12-041-3/+3
| | | | | | | | | | | | | uncovered. This required manually correcting all of the incorrect main-module headers I could find, and running the new llvm/utils/sort_includes.py script over the files. I also manually added quite a few missing headers that were uncovered by shuffling the order or moving headers up to be main-module-headers. llvm-svn: 169237
* Pull the Attr iteration parts out of Attr.h, so including DeclBase.h doesn't ↵Benjamin Kramer2012-12-011-0/+1
| | | | | | | | | pull in all the generated Attr code. Required to pull some functions out of line, but this shouldn't have a perf impact. No functionality change. llvm-svn: 169092
* [analyzer] Use nice macros for the common ProgramStateTraits (map, set, list).Jordan Rose2012-11-021-8/+2
| | | | | | | | | Also, move the REGISTER_*_WITH_PROGRAMSTATE macros to ProgramStateTrait.h. This doesn't get rid of /all/ explicit uses of ProgramStatePartialTrait, but it does get a lot of them. llvm-svn: 167276
* [analyzer] Rename 'EmitReport' to 'emitReport'.Jordan Rose2012-11-021-1/+1
| | | | | | No functionality change. llvm-svn: 167275
* Remove trivial destructor from SVal.Benjamin Kramer2012-07-181-1/+0
| | | | | | | | | | This enables the faster SmallVector in clang and also allows clang's unused variable warnings to be more effective. Fix the two instances that popped up. The RetainCountChecker change actually changes functionality, it would be nice if someone from the StaticAnalyzer folks could look at it. llvm-svn: 160444
* [analyzer] Guard against C++ member functions that look like system functions.Jordan Rose2012-07-101-1/+11
| | | | | | | | | C++ method calls and C function calls both appear as CallExprs in the AST. This was causing crashes for an object that had a 'free' method. <rdar://problem/11822244> llvm-svn: 160029
* Fix typos found by http://github.com/lyda/misspell-checkBenjamin Kramer2012-06-021-1/+1
| | | | llvm-svn: 157886
* [analyzer] Don't crash even when the system functions are redefined.Anna Zaks2012-04-101-7/+13
| | | | | | | | | | (Applied changes to CStringAPI, Malloc, and Taint.) This might almost never happen, but we should not crash even if it does. This fixes a crash on the internal analyzer buildbot, where postgresql's configure was redefining memmove (radar://11219852). llvm-svn: 154451
* [analyzer] Change naming in bug reports "tainted" -> "untrusted"Anna Zaks2012-02-221-4/+5
| | | | llvm-svn: 151120
* Basic: import OwningPtr<> into clang namespaceDylan Noblesmith2012-02-051-1/+1
| | | | llvm-svn: 149798
* Change references to 'const ProgramState *' to typedef 'ProgramStateRef'.Ted Kremenek2012-01-261-22/+22
| | | | | | | | At this point this is largely cosmetic, but it opens the door to replace ProgramStateRef with a smart pointer that more eagerly acts in the role of reclaiming unused ProgramState objects. llvm-svn: 149081
* [analyzer] Add more C taint sources/sinks.Anna Zaks2012-01-241-22/+45
| | | | llvm-svn: 148844
* [analyzer] It's possible to have a non PointerType expression evaluate to a ↵Anna Zaks2012-01-211-2/+2
| | | | | | Loc value. When this happens, use the default type. llvm-svn: 148631
* More dead code removal (using -Wunreachable-code)David Blaikie2012-01-201-3/+0
| | | | llvm-svn: 148577
* [analyzer] Add socket API as a source of taint.Anna Zaks2012-01-201-0/+27
| | | | llvm-svn: 148518
* [analyzer] Refactor: prePropagateTaint ->Anna Zaks2012-01-181-43/+27
| | | | | | | | | TaintPropagationRule::process(). Also remove the "should be a pointer argument" warning - should be handled elsewhere. llvm-svn: 148372
* [analyzer] Taint: warn when tainted data is used to specify a bufferAnna Zaks2012-01-181-4/+62
| | | | | | | | | | size (Ex: in malloc, memcpy, strncpy..) (Maybe some of this could migrate to the CString checker. One issue with that is that we might want to separate security issues from regular API misuse.) llvm-svn: 148371
* [analyzer] Taint: add taint propagation rules for string and memory copyAnna Zaks2012-01-181-53/+111
| | | | | | functions. llvm-svn: 148370
* [analyzer] Taint: generalize taint propagation to simplify adding moreAnna Zaks2012-01-171-4/+128
| | | | | | taint propagation functions. llvm-svn: 148266
* [analyzer] Taint: add system and popen as undesirable sinks for taintAnna Zaks2012-01-141-20/+77
| | | | | | data. llvm-svn: 148176
* [analyzer] Taint: when looking up a binding, provide the type.Anna Zaks2012-01-131-1/+4
| | | | llvm-svn: 148080
* [analyzer] Add taint transfer by strcpy & others (part 1).Anna Zaks2012-01-121-89/+100
| | | | | | | | | | | | To simplify the process: Refactor taint generation checker to simplify passing the information on which arguments need to be tainted from pre to post visit. Todo: We need to factor out the code that sema is using to identify the string and memcpy functions and use it here and in the CString checker. llvm-svn: 148010
* Remove unused variable.Rafael Espindola2012-01-071-1/+0
| | | | llvm-svn: 147744
* [analyzer] Add basic format string vulnerability checking.Anna Zaks2012-01-071-6/+92
| | | | | | | | | We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted. llvm-svn: 147714
* [analyzer] Make the entries in 'Environment' context-sensitive by making ↵Ted Kremenek2012-01-061-7/+9
| | | | | | | | | | | | | | | | | | entries map from (Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals. This is needed to support basic IPA via inlining. Without this, we cannot tell if a Stmt* binding is part of the current analysis scope (StackFrameContext) or part of a parent context. This change introduces an uglification of the use of getSVal(), and thus takes two steps forward and one step back. There are also potential performance implications of enlarging the Environment. Both can be addressed going forward by refactoring the APIs and optimizing the internal representation of Environment. This patch mainly introduces the functionality upon when we want to build upon (and clean up). llvm-svn: 147688
* [analyzer] Add support for taint flowing through a function (atoi).Anna Zaks2011-12-171-43/+140
| | | | | | | | | | Check if the input parameters are tainted (or point to tainted data) on a checkPreStmt<CallExpr>. If the output should be tainted, record it in the state. On post visit (checkPostStmt<CallExpr>), use the state to make decisions (in addition to the existing logic). Use this logic for atoi and fscanf. llvm-svn: 146793
* [analyzer] Better stdin support.Anna Zaks2011-12-161-22/+28
| | | | llvm-svn: 146748
* [analyzer] Treat stdin as a source of taint.Anna Zaks2011-12-141-6/+44
| | | | | | | | Some of the test cases do not currently work because the analyzer core does not seem to call checkers for pre/post DeclRefExpr visits. (Opened radar://10573500. To be fixed later on.) llvm-svn: 146536
* [analyzer] Mark output of fscanf and fopen as tainted.Anna Zaks2011-12-141-1/+30
| | | | llvm-svn: 146533
* [analyzer] Mark getenv output as tainted.Anna Zaks2011-12-141-0/+1
| | | | | | Also, allow adding taint to a region (not only a symbolic value). llvm-svn: 146532
* [analyzer] CStringChecker should not rely on the analyzer generating ↵Anna Zaks2011-12-111-0/+5
| | | | | | | | | | | | | | UndefOrUnknown value when it cannot reason about the expression. We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about. In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expresion evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently is protected.) This patch also contains 2 small bug fixes: - swap the order of operators inside SValBuilder::makeGenericVal. - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol. llvm-svn: 146343
* [analyzer] Warn when non pointer arguments are passed to scanf (only when ↵Anna Zaks2011-11-181-4/+35
| | | | | | | | running taint checker). There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case. llvm-svn: 144964
* [analyzer] Adding generic taint checker.Anna Zaks2011-11-161-0/+97
The checker is responsible for defining attack surface and adding taint to symbols. llvm-svn: 144825
OpenPOWER on IntegriCloud