summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
Commit message (Collapse)AuthorAgeFilesLines
...
* [analyzer] It's possible to have a non PointerType expression evaluate to a ↵Anna Zaks2012-01-211-2/+2
| | | | | | Loc value. When this happens, use the default type. llvm-svn: 148631
* More dead code removal (using -Wunreachable-code)David Blaikie2012-01-201-3/+0
| | | | llvm-svn: 148577
* [analyzer] Add socket API as a source of taint.Anna Zaks2012-01-201-0/+27
| | | | llvm-svn: 148518
* [analyzer] Refactor: prePropagateTaint ->Anna Zaks2012-01-181-43/+27
| | | | | | | | | TaintPropagationRule::process(). Also remove the "should be a pointer argument" warning - should be handled elsewhere. llvm-svn: 148372
* [analyzer] Taint: warn when tainted data is used to specify a bufferAnna Zaks2012-01-181-4/+62
| | | | | | | | | | size (Ex: in malloc, memcpy, strncpy..) (Maybe some of this could migrate to the CString checker. One issue with that is that we might want to separate security issues from regular API misuse.) llvm-svn: 148371
* [analyzer] Taint: add taint propagation rules for string and memory copyAnna Zaks2012-01-181-53/+111
| | | | | | functions. llvm-svn: 148370
* [analyzer] Taint: generalize taint propagation to simplify adding moreAnna Zaks2012-01-171-4/+128
| | | | | | taint propagation functions. llvm-svn: 148266
* [analyzer] Taint: add system and popen as undesirable sinks for taintAnna Zaks2012-01-141-20/+77
| | | | | | data. llvm-svn: 148176
* [analyzer] Taint: when looking up a binding, provide the type.Anna Zaks2012-01-131-1/+4
| | | | llvm-svn: 148080
* [analyzer] Add taint transfer by strcpy & others (part 1).Anna Zaks2012-01-121-89/+100
| | | | | | | | | | | | To simplify the process: Refactor taint generation checker to simplify passing the information on which arguments need to be tainted from pre to post visit. Todo: We need to factor out the code that sema is using to identify the string and memcpy functions and use it here and in the CString checker. llvm-svn: 148010
* Remove unused variable.Rafael Espindola2012-01-071-1/+0
| | | | llvm-svn: 147744
* [analyzer] Add basic format string vulnerability checking.Anna Zaks2012-01-071-6/+92
| | | | | | | | | We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted. llvm-svn: 147714
* [analyzer] Make the entries in 'Environment' context-sensitive by making ↵Ted Kremenek2012-01-061-7/+9
| | | | | | | | | | | | | | | | | | entries map from (Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals. This is needed to support basic IPA via inlining. Without this, we cannot tell if a Stmt* binding is part of the current analysis scope (StackFrameContext) or part of a parent context. This change introduces an uglification of the use of getSVal(), and thus takes two steps forward and one step back. There are also potential performance implications of enlarging the Environment. Both can be addressed going forward by refactoring the APIs and optimizing the internal representation of Environment. This patch mainly introduces the functionality upon when we want to build upon (and clean up). llvm-svn: 147688
* [analyzer] Add support for taint flowing through a function (atoi).Anna Zaks2011-12-171-43/+140
| | | | | | | | | | Check if the input parameters are tainted (or point to tainted data) on a checkPreStmt<CallExpr>. If the output should be tainted, record it in the state. On post visit (checkPostStmt<CallExpr>), use the state to make decisions (in addition to the existing logic). Use this logic for atoi and fscanf. llvm-svn: 146793
* [analyzer] Better stdin support.Anna Zaks2011-12-161-22/+28
| | | | llvm-svn: 146748
* [analyzer] Treat stdin as a source of taint.Anna Zaks2011-12-141-6/+44
| | | | | | | | Some of the test cases do not currently work because the analyzer core does not seem to call checkers for pre/post DeclRefExpr visits. (Opened radar://10573500. To be fixed later on.) llvm-svn: 146536
* [analyzer] Mark output of fscanf and fopen as tainted.Anna Zaks2011-12-141-1/+30
| | | | llvm-svn: 146533
* [analyzer] Mark getenv output as tainted.Anna Zaks2011-12-141-0/+1
| | | | | | Also, allow adding taint to a region (not only a symbolic value). llvm-svn: 146532
* [analyzer] CStringChecker should not rely on the analyzer generating ↵Anna Zaks2011-12-111-0/+5
| | | | | | | | | | | | | | UndefOrUnknown value when it cannot reason about the expression. We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about. In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expresion evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently is protected.) This patch also contains 2 small bug fixes: - swap the order of operators inside SValBuilder::makeGenericVal. - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol. llvm-svn: 146343
* [analyzer] Warn when non pointer arguments are passed to scanf (only when ↵Anna Zaks2011-11-181-4/+35
| | | | | | | | running taint checker). There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case. llvm-svn: 144964
* [analyzer] Adding generic taint checker.Anna Zaks2011-11-161-0/+97
The checker is responsible for defining attack surface and adding taint to symbols. llvm-svn: 144825
OpenPOWER on IntegriCloud