[cfe-commits] r146199 - in /cfe/trunk: include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h lib/StaticAnalyzer/Core/ProgramState.cpp lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp test/Analysis/taint-tester.c
Anna Zaks
ganna at apple.com
Thu Dec 8 14:38:43 PST 2011
Author: zaks
Date: Thu Dec 8 16:38:43 2011
New Revision: 146199
URL: http://llvm.org/viewvc/llvm-project?rev=146199&view=rev
Log:
[analyzer] If memory region is tainted mark data as tainted.
+ random comments
Modified:
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp
cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
cfe/trunk/test/Analysis/taint-tester.c
Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h?rev=146199&r1=146198&r2=146199&view=diff
==============================================================================
--- cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h (original)
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h Thu Dec 8 16:38:43 2011
@@ -120,7 +120,7 @@
}
};
-/// A symbol representing the value of a MemRegion.
+///\brief A symbol representing the value stored at a MemRegion.
class SymbolRegionValue : public SymbolData {
const TypedValueRegion *R;
Modified: cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp?rev=146199&r1=146198&r2=146199&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp Thu Dec 8 16:38:43 2011
@@ -709,6 +709,11 @@
// If this is a SymbolDerived with a tainted parent, it's also tainted.
if (const SymbolDerived *SD = dyn_cast<SymbolDerived>(*SI))
Tainted = Tainted || isTainted(SD->getParentSymbol(), Kind);
+
+ // If memory region is tainted, data is also tainted.
+ if (const SymbolRegionValue *SRV = dyn_cast<SymbolRegionValue>(*SI))
+ Tainted = Tainted || isTainted(SRV->getRegion(), Kind);
+
if (Tainted)
return true;
}
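Review bot: The added SymbolRegionValue check on the `if (const SymbolRegionValue *SRV = dyn_cast<SymbolRegionValue>(*SI))` line still performs its dyn_cast when the preceding SymbolDerived check has already set Tainted, and the `Tainted = Tainted || ...` form hides that only the first positive result matters. Since `if (Tainted) return true;` already follows, the two checks read more clearly as a chain that stops at the first hit: put `if (Tainted) return true;` directly after the SymbolDerived assignment, or use `else if` if SymbolDerived and SymbolRegionValue are disjoint symbol kinds (SymbolRegionValue derives from SymbolData per the header hunk; SymbolDerived's declaration is not visible here). The comment on the new lines would also help a reader if it named what is being propagated, e.g. `// A SymbolRegionValue is the value loaded from a region: if the region itself is tainted, the loaded value is tainted as well.` The enclosing function begins outside the hunk.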
Modified: cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp?rev=146199&r1=146198&r2=146199&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp Thu Dec 8 16:38:43 2011
@@ -97,10 +97,12 @@
return UnknownVal();
}
+ // If value is a non integer constant, produce unknown.
if (!isa<nonloc::ConcreteInt>(val))
return UnknownVal();
- // Only handle casts from integers to integers.
+ // Only handle casts from integers to integers - if val is an integer constant
+ // being cast to a non integer type, produce unknown.
if (!isLocType && !castTy->isIntegerType())
return UnknownVal();
Modified: cfe/trunk/test/Analysis/taint-tester.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-tester.c?rev=146199&r1=146198&r2=146199&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-tester.c (original)
+++ cfe/trunk/test/Analysis/taint-tester.c Thu Dec 8 16:38:43 2011
@@ -8,7 +8,8 @@
struct XYStruct {
int x;
- float y;
+ int y;
+ char z;
};
void taintTracking(int x) {
@@ -26,9 +27,31 @@
// Tainted ptr arithmetic/array element address.
int tprtarithmetic1 = *(addr+1); // expected-warning 2 {{tainted}}
+ // Dereference.
+ int *ptr;
+ scanf("%p", &ptr);
+ int ptrDeref = *ptr; // expected-warning 2 {{tainted}}
+ int _ptrDeref = ptrDeref + 13; // expected-warning 2 {{tainted}}
+
+ // Pointer arithmetic + dereferencing.
+ // FIXME: We fail to propagate the taint here because RegionStore does not
+ // handle ElementRegions with symbolic indexes.
+ int addrDeref = *addr; // expected-warning {{tainted}}
+ int _addrDeref = addrDeref;
+
// Tainted struct address, casts.
struct XYStruct *xyPtr = 0;
scanf("%p", &xyPtr);
void *tXYStructPtr = xyPtr; // expected-warning 2 {{tainted}}
struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning 2 {{tainted}}
+ int ptrtx = xyPtr->x;// expected-warning 2 {{tainted}}
+ int ptrty = xyPtr->y;// expected-warning 2 {{tainted}}
+
+ // Taint on fields of a struct.
+ struct XYStruct xy = {2, 3, 11};
+ scanf("%f", &xy.y);
+ scanf("%f", &xy.x);
+ int tx = xy.x; // expected-warning {{tainted}}
+ int ty = xy.y; // FIXME: This should be tainted as well.
+ char ntz = xy.z;// no warning
}
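Review bot: The two calls `scanf("%f", &xy.y);` and `scanf("%f", &xy.x);` pass pointers to `int` fields (the earlier hunk changes `y` from `float` to `int`), so the conversion specifier no longer matches the argument type; `scanf("%d", &xy.y);` and `scanf("%d", &xy.x);` keep the test well-typed and rule out the format mismatch as a confound for the FIXME on `int ty = xy.y;`. Whether that FIXME has the same RegionStore cause as the one noted above for `*addr` cannot be determined from this hunk. `taintTracking` begins in the previous hunk.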