taint-generic.c

Anna Zaks Fri, 20 Jan 2012 21:13:06 -0800

Author: zaks
Date: Fri Jan 20 23:07:33 2012
New Revision: 148626

URL: http://llvm.org/viewvc/llvm-project?rev=148626&view=rev
Log:
[analyzer] Make VLA checker taint aware.


Also, slightly modify the diagnostic message in ArrayBound and DivZero (still 
use 'taint', which might not mean much to the user, but plan on changing it 
later).

Modified:
    cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
    cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp
    cfe/trunk/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
    cfe/trunk/test/Analysis/taint-generic.c

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
URL: 
http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp?rev=148626&r1=148625&r2=148626&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp Fri Jan 20 
23:07:33 2012
@@ -28,7 +28,7 @@
     public Checker<check::Location> {
   mutable llvm::OwningPtr<BuiltinBug> BT;
       
-  enum OOB_Kind { OOB_Precedes, OOB_Excedes };
+  enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted };
   
   void reportOOB(CheckerContext &C, const ProgramState *errorState,
                  OOB_Kind kind) const;
@@ -157,7 +157,7 @@
     // If we are under constrained and the index variables are tainted, report.
     if (state_exceedsUpperBound && state_withinUpperBound) {
       if (state->isTainted(rawOffset.getByteOffset()))
-        reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes);
+        reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted);
         return;
     }
   
@@ -193,9 +193,18 @@
 
   llvm::SmallString<256> buf;
   llvm::raw_svector_ostream os(buf);
-  os << "Out of bound memory access "
-     << (kind == OOB_Precedes ? "(accessed memory precedes memory block)"
-                              : "(access exceeds upper limit of memory 
block)");
+  os << "Out of bound memory access ";
+  switch (kind) {
+  case OOB_Precedes:
+    os << "(accessed memory precedes memory block)";
+    break;
+  case OOB_Excedes:
+    os << "(access exceeds upper limit of memory block)";
+    break;
+  case OOB_Tainted:
+    os << "(index is tainted)";
+    break;
+  }
 
   checkerContext.EmitReport(new BugReport(*BT, os.str(), errorNode));
 }

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp
URL: 
http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp?rev=148626&r1=148625&r2=148626&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp Fri Jan 20 
23:07:33 2012
@@ -37,10 +37,10 @@
                                CheckerContext &C) const {
   if (ExplodedNode *N = C.generateSink(StateZero)) {
     if (!BT)
-      BT.reset(new BuiltinBug(Msg));
+      BT.reset(new BuiltinBug("Division by zero"));
 
     BugReport *R =
-      new BugReport(*BT, BT->getDescription(), N);
+      new BugReport(*BT, Msg, N);
 
     R->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N,
                                  bugreporter::GetDenomExpr(N)));

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
URL: 
http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp?rev=148626&r1=148625&r2=148626&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp Fri Jan 20 
23:07:33 2012
@@ -26,14 +26,52 @@
 
 namespace {
 class VLASizeChecker : public Checker< check::PreStmt<DeclStmt> > {
-  mutable llvm::OwningPtr<BugType> BT_zero;
-  mutable llvm::OwningPtr<BugType> BT_undef;
-  
+  mutable llvm::OwningPtr<BugType> BT;
+  enum VLASize_Kind { VLA_Garbage, VLA_Zero, VLA_Tainted };
+
+  void reportBug(VLASize_Kind Kind,
+                 const Expr *SizeE,
+                 const ProgramState *State,
+                 CheckerContext &C) const;
 public:
   void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
 };
 } // end anonymous namespace
 
+void VLASizeChecker::reportBug(VLASize_Kind Kind,
+                               const Expr *SizeE,
+                               const ProgramState *State,
+                               CheckerContext &C) const {
+  // Generate an error node.
+  ExplodedNode *N = C.generateSink(State);
+  if (!N)
+    return;
+
+  if (!BT)
+    BT.reset(new BuiltinBug("Dangerous variable-length array (VLA) 
declaration"));
+
+  llvm::SmallString<256> buf;
+  llvm::raw_svector_ostream os(buf);
+  os << "Declared variable-length array (VLA) ";
+  switch (Kind) {
+  case VLA_Garbage:
+    os << "uses a garbage value as its size";
+    break;
+  case VLA_Zero:
+    os << "has zero size";
+    break;
+  case VLA_Tainted:
+    os << "has tainted size";
+    break;
+  }
+
+  BugReport *report = new BugReport(*BT, os.str(), N);
+  report->addRange(SizeE->getSourceRange());
+  report->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N, SizeE));
+  C.EmitReport(report);
+  return;
+}
+
 void VLASizeChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const 
{
   if (!DS->isSingleDecl())
     return;
@@ -53,20 +91,7 @@
   SVal sizeV = state->getSVal(SE, C.getLocationContext());
 
   if (sizeV.isUndef()) {
-    // Generate an error node.
-    ExplodedNode *N = C.generateSink();
-    if (!N)
-      return;
-    
-    if (!BT_undef)
-      BT_undef.reset(new BuiltinBug("Declared variable-length array (VLA) "
-                                    "uses a garbage value as its size"));
-
-    BugReport *report =
-      new BugReport(*BT_undef, BT_undef->getName(), N);
-    report->addRange(SE->getSourceRange());
-    report->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N, SE));
-    C.EmitReport(report);
+    reportBug(VLA_Garbage, SE, state, C);
     return;
   }
 
@@ -75,6 +100,12 @@
   if (sizeV.isUnknown())
     return;
   
+  // Check if the size is tainted.
+  if (state->isTainted(sizeV)) {
+    reportBug(VLA_Tainted, SE, 0, C);
+    return;
+  }
+
   // Check if the size is zero.
   DefinedSVal sizeD = cast<DefinedSVal>(sizeV);
 
@@ -82,16 +113,7 @@
   llvm::tie(stateNotZero, stateZero) = state->assume(sizeD);
 
   if (stateZero && !stateNotZero) {
-    ExplodedNode *N = C.generateSink(stateZero);
-    if (!BT_zero)
-      BT_zero.reset(new BuiltinBug("Declared variable-length array (VLA) has "
-                                   "zero size"));
-
-    BugReport *report =
-      new BugReport(*BT_zero, BT_zero->getName(), N);
-    report->addRange(SE->getSourceRange());
-    report->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N, SE));
-    C.EmitReport(report);
+    reportBug(VLA_Zero, SE, stateZero, C);
     return;
   }
  

Modified: cfe/trunk/test/Analysis/taint-generic.c
URL: 
http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-generic.c?rev=148626&r1=148625&r2=148626&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-generic.c (original)
+++ cfe/trunk/test/Analysis/taint-generic.c Fri Jan 20 23:07:33 2012
@@ -70,7 +70,7 @@
 
 void bufferGetchar(int x) {
   int m = getchar();
-  Buffer[m] = 1;  //expected-warning {{Out of bound memory access }}
+  Buffer[m] = 1;  //expected-warning {{Out of bound memory access (index is 
tainted)}}
 }
 
 void testUncontrolledFormatString(char **p) {
@@ -176,3 +176,10 @@
   scanf("%d", &x);
   return 5/x; // expected-warning {{Division by a tainted value, possibly 
zero}}
 }
+
+// Zero-sized VLAs.
+void testTaintedVLASize() {
+  int x;
+  scanf("%d", &x);
+  int vla[x]; // expected-warning{{Declared variable-length array (VLA) has 
tainted size}}
+}


_______________________________________________
cfe-commits mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits

[cfe-commits] r148626 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp test/Analysis/taint-generic.c

Reply via email to