path: root/clang/lib/StaticAnalyzer/Checkers
Commit message | Author | Age | Files | Lines
...
* [analyzer] Add taint transfer by strcpy & others (part 1).
  Anna Zaks | 2012-01-12 | 1 file | -89/+100
  To simplify the process: Refactor taint generation checker to simplify passing the information on which arguments need to be tainted from pre to post visit.
  Todo: We need to factor out the code that sema is using to identify the string and memcpy functions and use it here and in the CString checker.
  llvm-svn: 148010
* "This change adds alloca/valloc checks to UnixAPIChecker. It includes a small refactoring for the common *alloc functions as well as a few tiny wibbles (adds a note to CWE/CERT advisory numbers in the bug output, and fixes a couple 80-column-wide violations.)"
  Ted Kremenek | 2012-01-11 | 1 file | -48/+61
  Patch by Austin Seipp!
  llvm-svn: 147931
* Remove unused variable.
  Rafael Espindola | 2012-01-07 | 1 file | -1/+0
  llvm-svn: 147744
* [analyzer] Add basic format string vulnerability checking.
  Anna Zaks | 2012-01-07 | 1 file | -6/+92
  We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted.
  llvm-svn: 147714
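The pattern this check is aimed at, as an added illustration (example code, not clang or the checker's own code): a logging wrapper that takes its message in the format slot, so a caller that forwards attacker-controlled text (for the analyzer, anything from getenv(), fscanf() or stdin) turns it into the format string. The wrapper has no format attribute, so the compiler's non-literal-format warning does not fire; a taint-based check still would. `format_message`, `render_unsafe` and `render_safe` are hypothetical names, and the sample input is constructed.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>

// Hypothetical logging helper: the first parameter is the printf format.
// Callers that pass untrusted text here hand the attacker the format string.
static std::string format_message(const char *fmt, ...) {
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    std::vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return buf;
}

// Vulnerable: the user-controlled text becomes the format string. A "%x"
// in it reads a variadic slot that was never passed, and "%n" writes
// through a pointer the attacker chose.
std::string render_unsafe(const char *user_text) {
    return format_message(user_text);
}

// Hardened: the format is a literal, the tainted text is only a %s argument
// and is reproduced byte for byte, directives included.
std::string render_safe(const char *user_text) {
    return format_message("%s", user_text);
}

int main() {
    // Constructed input; in a real program this would arrive via getenv().
    // Benign on purpose: "%%" only shows that the unsafe path interprets it.
    const char *user_text = "progress: 100%% done";
    std::printf("unsafe: %s\n", render_unsafe(user_text).c_str()); // "progress: 100% done"
    std::printf("safe:   %s\n", render_safe(user_text).c_str());   // "progress: 100%% done"
    return 0;
}
```

The two outputs differ only in how "%%" is treated, which is exactly the distinction the checker draws: in `render_unsafe` the tainted bytes are parsed as directives, in `render_safe` they are data.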
* [analyzer] Make the entries in 'Environment' context-sensitive by making entries map from (Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals.
  Ted Kremenek | 2012-01-06 | 36 files | -167/+236
  This is needed to support basic IPA via inlining. Without this, we cannot tell if a Stmt* binding is part of the current analysis scope (StackFrameContext) or part of a parent context.
  This change introduces an uglification of the use of getSVal(), and thus takes two steps forward and one step back. There are also potential performance implications of enlarging the Environment. Both can be addressed going forward by refactoring the APIs and optimizing the internal representation of Environment. This patch mainly introduces the functionality upon which we want to build (and clean up).
  llvm-svn: 147688
* [analyzer] Be less pessimistic about invalidation of global variables as a result of a call.
  Anna Zaks | 2012-01-04 | 1 file | -8/+7
  Problem: Global variables, which come in from system libraries should not be invalidated by all calls. Also, non-system globals should not be invalidated by system calls.
  Solution: The following solution to invalidation of globals seems flexible enough for taint (does not invalidate stdin) and should not lead to too many false positives. We split globals into 3 classes:
  - immutable - values are preserved by calls (unless the specific global is passed in as a parameter): A: Most system globals and const scalars
  - invalidated by functions defined in system headers: B: errno
  - invalidated by all other functions (note, these functions may in turn contain system calls): B: errno; C: all other globals (which are not in A nor B)
  llvm-svn: 147569
* Fix 80 col violations.
  Ted Kremenek | 2012-01-04 | 1 file | -13/+27
  llvm-svn: 147566
* Minor code formatting cleanups.
  Ted Kremenek | 2012-01-04 | 1 file | -17/+17
  llvm-svn: 147505
* Enhance UnixAPIChecker to also warn about zero-sized allocations to calloc() and realloc().
  Ted Kremenek | 2012-01-03 | 1 file | -25/+113
  Patch by Cyril Roelandt!
  llvm-svn: 147500
* Add initial version of checker to check if virtual member functions are called transitively from C++ constructors or destructors.
  Ted Kremenek | 2012-01-03 | 3 files | -0/+243
  Checker by Lei Zhang with a few tweaks by Ted Kremenek.
  llvm-svn: 147494
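What that checker is looking for, as an added example (not the checker's code or its test suite): a virtual call reached from a constructor, directly or through a non-virtual helper, binds to the version of the class whose constructor is running, never to the derived override, because the derived part does not exist yet. The same holds in destructors, where the derived part is already gone. The class names and the `seen` log are hypothetical, constructed for the illustration.

```cpp
#include <string>

// Base's constructor calls a virtual, once directly and once through the
// non-virtual helper setup(). While Base() runs, the dynamic type is Base,
// so both calls resolve to Base::init no matter what the derived class does.
struct Base {
    std::string seen;                  // records which init() actually ran
    Base() { init(); }                 // direct virtual call from a ctor
    virtual ~Base() = default;
    virtual void init() { seen += "Base::init;"; }
    void setup() { init(); }           // transitive: ctor -> setup() -> init()
};

struct Derived : Base {
    std::string tag = "derived";       // initialized before Derived's body
    Derived() { setup(); }             // same helper, now dispatches to Derived::init
    void init() override { seen += "Derived::init(" + tag + ");"; }
};

// Construct a Derived and report the order in which the inits were bound.
std::string construct_and_report() {
    Derived d;
    return d.seen;
}
```

Had Base's constructor reached `Derived::init`, it would have read `tag` before its constructor ran; the checker flags both call sites in `Base` (the direct one and the one through `setup`) because that is the hazard, even though in this program the override only runs from `Derived`'s own body, where it is safe.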
* Fix cmake build with -DBUILD_SHARED_LIBS=ON.
  Rafael Espindola | 2011-12-29 | 1 file | -1/+1
  llvm-svn: 147338
* Colorize and condense CFG pretty-printing.
  Ted Kremenek | 2011-12-22 | 1 file | -1/+3
  llvm-svn: 147203
* Fix typos in analyzer diagnostics pointed out by Matt Beaumont-Gay and Robert Purves.
  Ted Kremenek | 2011-12-22 | 1 file | -2/+2
  llvm-svn: 147139
* [analyzer] Add support for taint flowing through a function (atoi).
  Anna Zaks | 2011-12-17 | 1 file | -43/+140
  Check if the input parameters are tainted (or point to tainted data) on a checkPreStmt<CallExpr>. If the output should be tainted, record it in the state. On post visit (checkPostStmt<CallExpr>), use the state to make decisions (in addition to the existing logic).
  Use this logic for atoi and fscanf.
  llvm-svn: 146793
* [analyzer] Better stdin support.
  Anna Zaks | 2011-12-16 | 1 file | -22/+28
  llvm-svn: 146748
* [analyzer] Treat stdin as a source of taint.
  Anna Zaks | 2011-12-14 | 1 file | -6/+44
  Some of the test cases do not currently work because the analyzer core does not seem to call checkers for pre/post DeclRefExpr visits. (Opened radar://10573500. To be fixed later on.)
  llvm-svn: 146536
* [analyzer] Mark output of fscanf and fopen as tainted.
  Anna Zaks | 2011-12-14 | 1 file | -1/+30
  llvm-svn: 146533
* [analyzer] Mark getenv output as tainted.
  Anna Zaks | 2011-12-14 | 1 file | -0/+1
  Also, allow adding taint to a region (not only a symbolic value).
  llvm-svn: 146532
* [analyzer] CStringChecker should not rely on the analyzer generating UndefOrUnknown value when it cannot reason about the expression.
  Anna Zaks | 2011-12-11 | 2 files | -4/+10
  We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about.
  In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expression evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it is currently protected.)
  This patch also contains 2 small bug fixes:
  - swap the order of operators inside SValBuilder::makeGenericVal.
  - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol.
  llvm-svn: 146343
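The 'maxVal-left' form of the check, carried into concrete code as an added example (not CStringChecker's own code): testing `right > maxVal - left` never needs a wider type and cannot itself wrap, which is why the checker can phrase the overflow question that way for the length arithmetic it models around strcat. `checked_concat` and `concat_demo` are hypothetical helpers written for this illustration, and the buffers are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// The checker's question, in code: can left + right wrap around?
// Subtracting from the maximum instead of adding avoids the wrap itself.
bool add_would_overflow(size_t left, size_t right) {
    return right > SIZE_MAX - left;
}

// Hypothetical guarded concatenation. Returns the resulting length, or -1
// when strlen(dst) + strlen(src) would overflow or the result (plus NUL)
// would not fit in 'cap' bytes.
long checked_concat(char *dst, size_t cap, const char *src) {
    size_t l = std::strlen(dst), r = std::strlen(src);
    if (add_would_overflow(l, r)) return -1;
    size_t total = l + r;                                  // known not to wrap
    if (total == SIZE_MAX || total + 1 > cap) return -1;   // room for the NUL
    std::memcpy(dst + l, src, r + 1);                      // copies the NUL too
    return static_cast<long>(total);
}

// Exercise checked_concat on a constructed 8-byte buffer: copies 'a' in,
// appends 'b', and returns what checked_concat returned.
long concat_demo(const char *a, const char *b) {
    char buf[8] = {0};
    size_t la = std::strlen(a);
    if (la >= sizeof buf) return -1;
    std::memcpy(buf, a, la + 1);
    return checked_concat(buf, sizeof buf, b);
}
```

Note the second guard: after the addition is known not to wrap, `total + 1` still can when `total == SIZE_MAX`, so the NUL byte gets its own check rather than being folded into the first one.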
* Unbreak MSVC build.
  Francois Pichet | 2011-12-08 | 1 file | -1/+1
  llvm-svn: 146146
* Add an experimental MallocSizeofChecker, which reports inconsistencies between the casted type of the return value of a malloc/calloc/realloc call and the operand of any sizeof expressions contained within its argument(s).
  Peter Collingbourne | 2011-12-08 | 3 files | -0/+213
  llvm-svn: 146144
* DeadStoresChecker: when whitelisting dead initializations with constants, look for a foldable constant rather than an IR-level constant. This is still far too liberal, but is a step in the right direction.
  Richard Smith | 2011-12-06 | 1 file | -1/+1
  llvm-svn: 145990
* [analyzer] Refactor: Move symbol_iterator from SVal to SymExpr, use it for finding dependent symbols for taint.
  Anna Zaks | 2011-12-06 | 1 file | -2/+2
  llvm-svn: 145986
* [analyzer] Remove an unnecessary check.
  Anna Zaks | 2011-12-06 | 1 file | -1/+1
  llvm-svn: 145984
* [analyzer] Rely on LLVM Dominators in Clang dominator computation.
  Anna Zaks | 2011-12-05 | 1 file | -2/+2
  (Previously, Clang used its own implementation of dominators.)
  The patch is contributed by Guoping Long!
  llvm-svn: 145858
* [analyzer] Change RetainCountChecker to use symbol dump method instead of relying on SymbolID. This way any expression can be printed (not only SymbolData).
  Anna Zaks | 2011-12-05 | 1 file | -2/+3
  llvm-svn: 145829
* [analyzer] Add a debug checker to test for tainted data.
  Anna Zaks | 2011-12-05 | 3 files | -0/+67
  llvm-svn: 145827
* [analyzer] Make KeychainAPI checker less aggressive. radar://10508828
  Anna Zaks | 2011-12-01 | 1 file | -3/+5
  We trigger an error if free is called after a possibly failed allocation. Do not trigger the error if we know that the buffer is not null.
  llvm-svn: 145584
* [analyzer] Refactor checkers to use helper function for getting callee Decl and name.
  Anna Zaks | 2011-12-01 | 12 files | -109/+44
  We are getting the name of the called function or its declaration in a few checkers. Refactor them to use the helper function in the CheckerContext.
  llvm-svn: 145576
* Further tweak -Wunreachable-code and templates by allowing the warning to run on explicit template specializations (which represent actual functions somebody wrote).
  Ted Kremenek | 2011-12-01 | 1 file | -2/+12
  Along the way, refactor some other code which similarly cares about whether or not they are looking at a template instantiation.
  llvm-svn: 145547
* Update CMake build.
  Benjamin Kramer | 2011-11-30 | 1 file | -0/+1
  llvm-svn: 145506
* [analyzer] Add checker callback documentation.
  Anna Zaks | 2011-11-30 | 1 file | -0/+219
  llvm-svn: 145495
* [analyzer] Warn when non-pointer arguments are passed to scanf (only when running taint checker).
  Anna Zaks | 2011-11-18 | 1 file | -4/+35
  There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case.
  llvm-svn: 144964
* Update CMake build.
  Benjamin Kramer | 2011-11-16 | 1 file | -0/+1
  llvm-svn: 144829
* [analyzer] Catch the first taint propagation implied buffer overflow.
  Anna Zaks | 2011-11-16 | 1 file | -5/+13
  Change the ArrayBoundCheckerV2 to be more aggressive in reporting buffer overflows when the offset is tainted. Previously, we did not report bugs when the state was underconstrained (not enough information about the bound to determine if there is an overflow) to avoid false positives. However, if we know that the buffer offset is tainted - comes in from the user space and can be anything, we should report it as a bug.
  + The very first example of us catching a taint related bug. This is the only example we can currently handle. More to come...
  llvm-svn: 144826
* [analyzer] Adding generic taint checker.
  Anna Zaks | 2011-11-16 | 2 files | -0/+110
  The checker is responsible for defining attack surface and adding taint to symbols.
  llvm-svn: 144825
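The whole chain these three commits set up (the generic taint checker marking the attack surface, taint flowing through atoi, and ArrayBoundCheckerV2 reporting a tainted, unconstrained offset) in one added example. This is illustration code, not the analyzer's own tests: `lookup_unchecked` is the shape the analyzer reports, `lookup_checked` is the shape that constrains the index before use. The table, the function names and the `-1` sentinel are constructed for the example; in real code the string would come from getenv(), fscanf() or stdin, which are the sources the checker treats as tainted.

```cpp
#include <cerrno>
#include <cstdlib>

// Constructed table; its values are never -1, so -1 can serve as a sentinel.
static const int kTableSize = 8;
static const int kTable[kTableSize] = {10, 11, 12, 13, 14, 15, 16, 17};

// Vulnerable: tainted string -> tainted index -> unchecked subscript.
// The analyzer cannot bound 'idx' at all, and because it is tainted the
// underconstrained state is reported instead of being treated as unknown.
int lookup_unchecked(const char *tainted) {
    int idx = std::atoi(tainted);   // taint propagates from argument to result
    return kTable[idx];             // reported: tainted, unbounded offset
}

// Hardened: strict parse (whole string, no overflow), then a range check
// that leaves the index constrained to [0, kTableSize) before the subscript.
// Returns -1 for anything rejected.
int lookup_checked(const char *tainted) {
    char *end = nullptr;
    errno = 0;
    long v = std::strtol(tainted, &end, 10);
    if (end == tainted || *end != '\0' || errno == ERANGE) return -1;  // not a clean integer
    if (v < 0 || v >= kTableSize) return -1;                             // out of range
    return kTable[v];               // index now provably in bounds
}

int main() {
    // Constructed source; the analyzer marks getenv() output as tainted.
    const char *from_env = std::getenv("TABLE_INDEX");
    if (!from_env) from_env = "3";
    return lookup_checked(from_env) == 13 ? 0 : 1;
}
```

The difference the bound checker sees is the comparison pair in `lookup_checked`: after `v < 0 || v >= kTableSize` the index symbol carries a range, so the subscript is no longer an unconstrained tainted offset; `atoi` on its own never adds such a constraint, which is why the unchecked version is reported.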
* [analyzer] Factor getCalleeName to the checker context.
  Anna Zaks | 2011-11-16 | 1 file | -10/+1
  Many checkers are trying to get a name of the callee when visiting a CallExpr, so provide a convenience API.
  llvm-svn: 144820
* [static analyzer] Tweak RetainCountChecker's diagnostics to correctly indicate if a message was due to a property access.
  Ted Kremenek | 2011-11-14 | 1 file | -4/+20
  This can potentially be refactored for other clients, and this is a regression from the refactoring of property accesses.
  llvm-svn: 144571
* Constant expression evaluation: support for evaluation of structs and unions of literal types, as well as derived-to-base casts for lvalues and derived-to-virtual-base casts.
  Richard Smith | 2011-11-10 | 1 file | -3/+1
  llvm-svn: 144265
* [analyzer] Remove redundant check from DivZeroChecker
  Anna Zaks | 2011-11-08 | 1 file | -1/+2
  Analysis by Ted:
  "
      if (stateZero && !stateNotZero) {
  is checking to see if:
  (A) "it is possible for the value to be zero" (stateZero)
  AND
  (B) "it is not possible for the value to be non-zero" (!stateNotZero)
  That said, the only way for both B to be true AND A to be false is if the path is completely infeasible by the time we reach the divide-by-zero check. For the most part (all cases?), such cases should automatically get pruned out at branches (i.e., an infeasible path gets dropped), which is the case in our tests. So the question is whether or not such an infeasible path might not get dropped earlier? I can't envision any right now.
  Indeed, the rest of the checker assumes that if the bug condition didn't fire then 'stateNotZero' is non-NULL:
      C.addTransition(stateNotZero);
  "
  llvm-svn: 144114
* [analyzer] There should be a space between "expect" and "only"
  Anna Zaks | 2011-11-05 | 1 file | -1/+1
  llvm-svn: 143787
* [analyzer] CheckerContext::getPredecessor() cleanup
  Anna Zaks | 2011-11-01 | 2 files | -4/+3
  Remove unnecessary calls to CheckerContext::getPredecessor() + Comments.
  llvm-svn: 143513
* [analyzer] ObjC message sends to nil receivers that return structs are now okay (compiler zeroes out the data).
  Ted Kremenek | 2011-10-28 | 1 file | -14/+4
  Fixes <rdar://problem/9151319>.
  llvm-svn: 143215
* [analyzer] Add getLocationContext to CheckerContext
  Anna Zaks | 2011-10-26 | 8 files | -15/+12
  CheckerContext::getPredecessor is only used to get to the LocationContext half of the times.
  llvm-svn: 143061
* [analyzer] Remove EmitBasicReport from CheckerContext.
  Anna Zaks | 2011-10-26 | 1 file | -11/+17
  The path sensitive checkers should use EmitBasicReport, which provides the node information.
  llvm-svn: 143060
* [analyzer] Rename generateNode -> addTransition in CheckerContext
  Anna Zaks | 2011-10-26 | 27 files | -96/+96
  Also document addTransition methods.
  llvm-svn: 143059
* [analyzer] Remove getEngine() from CheckerContext
  Anna Zaks | 2011-10-25 | 2 files | -30/+26
  A step toward making sure that diagnostics reports should only be generated through the CheckerContext and not through BugReporter or ExprEngine directly.
  llvm-svn: 142947
* [analyzer] Simplify CheckerContext
  Anna Zaks | 2011-10-25 | 19 files | -58/+57
  Remove dead members/parameters: ProgramState, respondsToCallback, autoTransition.
  Remove addTransition method since it's the same as generateNode. Maybe we should rename generateNode to genTransition (since a transition is always automatically generated)?
  llvm-svn: 142946
* [analyzer] Make branch for condition callback use CheckerContext
  Anna Zaks | 2011-10-25 | 1 file | -14/+5
  Now, all the path sensitive checkers use CheckerContext!
  llvm-svn: 142944
* [analyzer] Convert EndOfPath callback to use CheckerContext
  Anna Zaks | 2011-10-25 | 5 files | -53/+38
  Get rid of the EndOfPathBuilder completely. Use the generic NodeBuilder to generate nodes. Enqueue the end of path frontier explicitly.
  llvm-svn: 142943