summaryrefslogtreecommitdiffstats
path: root/clang/test/Analysis/taint-generic.c
Commit message (Collapse)AuthorAgeFilesLines
* [analyzer] Improves the logic of GenericTaintChecker identifying stdin.Henry Wong2018-03-051-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Summary: GenericTaintChecker can't recognize stdin in some cases. The reason is that `if (PtrTy->getPointeeType() == C.getASTContext().getFILEType()` does not hold when stdin is encountered. My platform is ubuntu16.04 64bit, gcc 5.4.0, glibc 2.23. The definition of stdin is as follows: ``` __BEGIN_NAMESPACE_STD /* The opaque type of streams. This is the definition used elsewhere. */ typedef struct _IO_FILE FILE; ___END_NAMESPACE_STD ... /* The opaque type of streams. This is the definition used elsewhere. */ typedef struct _IO_FILE __FILE; ... /* Standard streams. */ extern struct _IO_FILE *stdin; /* Standard input stream. */ extern struct _IO_FILE *stdout; /* Standard output stream. */ extern struct _IO_FILE *stderr; /* Standard error output stream. */ ``` The type of stdin is as follows AST: ``` ElaboratedType 0xc911170'struct _IO_FILE'sugar `-RecordType 0xc911150'struct _IO_FILE' `-CXXRecord 0xc923ff0'_IO_FILE' ``` `C.getASTContext().GetFILEType()` is as follows AST: ``` TypedefType 0xc932710 'FILE' sugar |-Typedef 0xc9111c0 'FILE' `-ElaboratedType 0xc911170 'struct _IO_FILE' sugar `-RecordType 0xc911150 'struct _IO_FILE' `-CXXRecord 0xc923ff0 '_IO_FILE' ``` So I think it's better to use `getCanonicalType()`. Reviewers: zaks.anna, NoQ, george.karpenkov, a.sidorin Reviewed By: zaks.anna, a.sidorin Subscribers: a.sidorin, cfe-commits, xazax.hun, szepet, MTC Differential Revision: https://reviews.llvm.org/D39159 llvm-svn: 326709
* [analyzer] Support partially tainted records.Artem Dergachev2017-05-291-10/+31
| | | | | | | | | | | | | | | | The analyzer's taint analysis can now reason about structures or arrays originating from taint sources in which only certain sections are tainted. In particular, it also benefits modeling functions like read(), which may read tainted data into a section of a structure, but RegionStore is incapable of expressing the fact that the rest of the structure remains intact, even if we try to model read() directly. Patch by Vlad Tsyrklevich! Differential revision: https://reviews.llvm.org/D28445 llvm-svn: 304162
* [analyzer] Extend taint propagation and checking to support LazyCompoundValAnna Zaks2017-03-091-0/+37
| | | | | | | | A patch by Vlad Tsyrklevich! Differential Revision: https://reviews.llvm.org/D28445 llvm-svn: 297326
* Reland 4: [analyzer] NFC: Update test infrastructure to support multiple ↵Dominic Chen2017-03-031-1/+1
| | | | | | | | | | | | | | constraint managers Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952. Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits Differential Revision: https://reviews.llvm.org/D30373 llvm-svn: 296895
* Revert "Reland 3: [analyzer] NFC: Update test infrastructure to support ↵Dominic Chen2017-03-021-1/+1
| | | | | | | | multiple constraint managers" This reverts commit ea36f1406e1f36bf456c3f3929839b024128e468. llvm-svn: 296841
* Reland 3: [analyzer] NFC: Update test infrastructure to support multiple ↵Dominic Chen2017-03-021-1/+1
| | | | | | | | | | | | | | constraint managers Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952. Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits Differential Revision: https://reviews.llvm.org/D30373 llvm-svn: 296837
* Revert "Reland 2: [analyzer] NFC: Update test infrastructure to support ↵Dominic Chen2017-03-021-1/+1
| | | | | | | | multiple constraint managers" This reverts commit f93343c099fff646a2314cc7f4925833708298b1. llvm-svn: 296836
* Reland 2: [analyzer] NFC: Update test infrastructure to support multiple ↵Dominic Chen2017-03-021-1/+1
| | | | | | | | | | | | | | constraint managers Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952. Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits Differential Revision: https://reviews.llvm.org/D30373 llvm-svn: 296835
* Revert "Reland: [analyzer] NFC: Update test infrastructure to support ↵Dominic Chen2017-02-281-1/+1
| | | | | | | | multiple constraint managers" This reverts commit 1b28d0b10e1c8feccb971abb6ef7a18bee589830. llvm-svn: 296422
* Reland: [analyzer] NFC: Update test infrastructure to support multiple ↵Dominic Chen2017-02-281-1/+1
| | | | | | | | | | | | | | constraint managers Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952. Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits Differential Revision: https://reviews.llvm.org/D30373 llvm-svn: 296414
* Revert "[analyzer] NFC: Update test infrastructure to support multiple ↵Dominic Chen2017-02-271-1/+1
| | | | | | | | constraint managers" This reverts commit 8e7780b9e59ddaad1800baf533058d2c064d4787. llvm-svn: 296317
* [analyzer] NFC: Update test infrastructure to support multiple constraint ↵Dominic Chen2017-02-271-1/+1
| | | | | | | | | | | | | | managers Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952. Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits Differential Revision: https://reviews.llvm.org/D30373 llvm-svn: 296312
* [analyzer] Teach ConstraintManager to ignore NonLoc <> NonLoc comparisons.Jordan Rose2013-03-241-0/+11
| | | | | | | | | These aren't generated by default, but they are needed when either side of the comparison is tainted. Should fix our internal buildbot. llvm-svn: 177846
* Fix analyzer tests.Ted Kremenek2012-08-241-1/+1
| | | | llvm-svn: 162588
* [analyzer] Do not assert on constructing SymSymExpr with diff types.Anna Zaks2012-05-031-0/+9
| | | | | | | The resulting type info is stored in the SymSymExpr, so no reason not to support construction of expression with different subexpression types. llvm-svn: 156051
* [analyzer] Add a complexity bound on history tracking.Anna Zaks2012-05-031-0/+20
| | | | | | (Currently, this is only relevant for tainted data.) llvm-svn: 156050
* [analyzer] Change naming in bug reports "tainted" -> "untrusted"Anna Zaks2012-02-221-10/+10
| | | | llvm-svn: 151120
* [analyzer] Make VLA checker taint aware. Anna Zaks2012-01-211-1/+8
| | | | | | Also, slightly modify the diagnostic message in ArrayBound and DivZero (still use 'taint', which might not mean much to the user, but plan on changing it later). llvm-svn: 148626
* Tighten format string diagnostic and make it a bit clearer (and a bit closer ↵Ted Kremenek2012-01-201-1/+1
| | | | | | to GCC's). llvm-svn: 148579
* [analyzer] Add taint awareness to DivZeroChecker.Anna Zaks2012-01-201-3/+8
| | | | llvm-svn: 148566
* [analyzer] Add socket API as a source of taint.Anna Zaks2012-01-201-0/+21
| | | | llvm-svn: 148518
* [analyzer] Taint: warn when tainted data is used to specify a bufferAnna Zaks2012-01-181-0/+22
| | | | | | | | | | size (Ex: in malloc, memcpy, strncpy..) (Maybe some of this could migrate to the CString checker. One issue with that is that we might want to separate security issues from regular API misuse.) llvm-svn: 148371
* [analyzer] Taint: add taint propagation rules for string and memory copyAnna Zaks2012-01-181-0/+30
| | | | | | functions. llvm-svn: 148370
* [analyzer] Taint: add system and popen as undesirable sinks for taintAnna Zaks2012-01-141-0/+8
| | | | | | data. llvm-svn: 148176
* [analyzer] Unwrap the pointers when ignoring the const cast.Anna Zaks2012-01-131-0/+3
| | | | | | radar://10686991 llvm-svn: 148081
* [analyzer] Add taint transfer by strcpy & others (part 1).Anna Zaks2012-01-121-7/+34
| | | | | | | | | | | | To simplify the process: Refactor taint generation checker to simplify passing the information on which arguments need to be tainted from pre to post visit. Todo: We need to factor out the code that sema is using to identify the string and memcpy functions and use it here and in the CString checker. llvm-svn: 148010
* [analyzer] Add basic format string vulnerability checking.Anna Zaks2012-01-071-1/+15
| | | | | | | | | We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted. llvm-svn: 147714
* [analyzer] CStringChecker should not rely on the analyzer generating ↵Anna Zaks2011-12-111-2/+1
| | | | | | | | | | | | | | UndefOrUnknown value when it cannot reason about the expression. We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about. In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expresion evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently is protected.) This patch also contains 2 small bug fixes: - swap the order of operators inside SValBuilder::makeGenericVal. - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol. llvm-svn: 146343
* Check that arguments to a scanf call match the format specifier,Hans Wennborg2011-12-101-1/+2
| | | | | | and offer fixits when there is a mismatch. llvm-svn: 146326
* [analyzer] Add more simple taint tests.Anna Zaks2011-11-281-2/+17
| | | | llvm-svn: 145275
* [analyzer] Warn when non pointer arguments are passed to scanf (only when ↵Anna Zaks2011-11-181-0/+5
| | | | | | | | running taint checker). There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case. llvm-svn: 144964
* [analyzer] Do not conjure a symbol when we need to propagate taint.Anna Zaks2011-11-171-0/+14
| | | | | | | | | | When the solver and SValBuilder cannot reason about symbolic expressions (ex: (x+1)*y ), the analyzer conjures a new symbol with no ties to the past. This helps it to recover some path-sensitivity. However, this breaks the taint propagation. With this commit, we are going to construct the expression even if we cannot reason about it later on if an operand is tainted. Also added some comments and asserts. llvm-svn: 144932
* [analyzer] Catch the first taint propagation implied buffer overflow.Anna Zaks2011-11-161-0/+14
Change the ArrayBoundCheckerV2 to be more aggressive in reporting buffer overflows when the offset is tainted. Previously, we did not report bugs when the state was underconstrained (not enough information about the bound to determine if there is an overflow) to avoid false positives. However, if we know that the buffer offset is tainted - comes in from the user space and can be anything, we should report it as a bug. + The very first example of us catching a taint related bug. This is the only example we can currently handle. More to come... llvm-svn: 144826
OpenPOWER on IntegriCloud