[cfe-commits] r144964 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp lib/StaticAnalyzer/Core/SValBuilder.cpp test/Analysis/taint-generic.c
Anna Zaks
ganna at apple.com
Thu Nov 17 18:26:36 PST 2011
Author: zaks
Date: Thu Nov 17 20:26:36 2011
New Revision: 144964
URL: http://llvm.org/viewvc/llvm-project?rev=144964&view=rev
Log:
[analyzer] Warn when non-pointer arguments are passed to scanf (only when running taint checker).
There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case.
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp
cfe/trunk/test/Analysis/taint-generic.c
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp?rev=144964&r1=144963&r2=144964&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp Thu Nov 17 20:26:36 2011
@@ -26,7 +26,14 @@
namespace {
class GenericTaintChecker : public Checker< check::PostStmt<CallExpr> > {
- mutable llvm::OwningPtr<BuiltinBug> BT;
+ mutable llvm::OwningPtr<BugType> BT;
+ void initBugType() const;
+
+ /// Given a pointer argument, get the symbol of the value it contains
+ /// (points to).
+ SymbolRef getPointedToSymbol(CheckerContext &C,
+ const Expr* Arg,
+ bool IssueWarning = true) const;
/// Functions defining the attacke surface.
typedef void (GenericTaintChecker::*FnCheck)(const CallExpr *,
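Review bot: The new declaration comment on getPointedToSymbol describes only the lookup and not the side effect that IssueWarning enables, which is what a caller choosing the flag needs to know. I would extend it to `/// Given a pointer argument, get the symbol of the value it contains (points to). Returns null when the argument does not evaluate to a location; in that case, unless IssueWarning is false, a "Pointer argument is expected." report is emitted and the path is sunk.` The class body continues past the end of this hunk.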
@@ -39,6 +46,11 @@
};
}
+inline void GenericTaintChecker::initBugType() const {
+ if (!BT)
+ BT.reset(new BugType("Tainted data checking", "General"));
+}
+
void GenericTaintChecker::checkPostStmt(const CallExpr *CE,
CheckerContext &C) const {
if (!C.getState())
@@ -59,10 +71,29 @@
(this->*evalFunction)(CE, C);
}
-static SymbolRef getPointedToSymbol(const ProgramState *State,
- const Expr* Arg) {
+
+SymbolRef GenericTaintChecker::getPointedToSymbol(CheckerContext &C,
+ const Expr* Arg,
+ bool IssueWarning) const {
+ const ProgramState *State = C.getState();
SVal AddrVal = State->getSVal(Arg->IgnoreParenCasts());
Loc *AddrLoc = dyn_cast<Loc>(&AddrVal);
+
+ if (!AddrLoc && !IssueWarning)
+ return 0;
+
+ // If the Expr is not a location, issue a warning.
+ if (!AddrLoc) {
+ assert(IssueWarning);
+ if (ExplodedNode *N = C.generateSink(State)) {
+ initBugType();
+ BugReport *report = new BugReport(*BT, "Pointer argument is expected.",N);
+ report->addRange(Arg->getSourceRange());
+ C.EmitReport(report);
+ }
+ return 0;
+ }
+
SVal Val = State->getSVal(*AddrLoc);
return Val.getAsSymbol();
}
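Review bot: After C.generateSink(State) emits the report, the function returns 0 to the argument loop in checkPostStmt (the hunk at @@ -78,7 +109,7 @@ below), which keeps processing the remaining arguments; if that loop ends with an ordinary transition on the same predecessor, the path gets a non-sink successor next to the sink and analysis continues past the call that was just reported. The end of checkPostStmt is outside these hunks, so this is inferred, but the caller should stop once a report has been emitted rather than rely on the sink alone. Separately, the lookup uses `State->getSVal(Arg->IgnoreParenCasts())`, so an integer explicitly cast to a pointer is evaluated as the pre-cast integer and would likely be reported as "Pointer argument is expected." even though a pointer is passed; evaluating `Arg` itself, or only stripping parentheses, avoids that false positive.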
@@ -78,7 +109,7 @@
// The arguments are pointer arguments. The data they are pointing at is
// tainted after the call.
const Expr* Arg = CE->getArg(i);
- SymbolRef Sym = getPointedToSymbol(State, Arg);
+ SymbolRef Sym = getPointedToSymbol(C, Arg);
if (Sym)
State = State->addTaint(Sym);
}
Modified: cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp?rev=144964&r1=144963&r2=144964&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp Thu Nov 17 20:26:36 2011
@@ -177,7 +177,6 @@
symLHS = LHS.getAsSymExpr();
return makeNonLoc(symLHS, Op, rInt->getValue(), ResultTy);
}
- // TODO: Handle the case when lhs is ConcreteInt.
symLHS = LHS.getAsSymExpr();
symRHS = RHS.getAsSymExpr();
Modified: cfe/trunk/test/Analysis/taint-generic.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-generic.c?rev=144964&r1=144963&r2=144964&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-generic.c (original)
+++ cfe/trunk/test/Analysis/taint-generic.c Thu Nov 17 20:26:36 2011
@@ -26,3 +26,8 @@
int m = (n + 3) * x;
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
}
+
+void scanfArg() {
+ int t;
+ scanf("%d", t); // expected-warning {{Pointer argument is expected}}
+}
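Review bot: scanfArg exercises only the warning path; a control case with the same format and a real pointer, `scanf("%d", &t); // no-warning`, would show the new check stays quiet on a correct call (earlier cases in this file may already do this, but none are visible in the hunk). Note also that `t` is passed uninitialized, so if the RUN line, which is outside the hunk, enables a checker that reports uninitialized arguments, this line will carry a second diagnostic and the expected-warning count will no longer match.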