[cfe-commits] r145827 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/CMakeLists.txt lib/StaticAnalyzer/Checkers/Checkers.td lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp test/Analysis/taint-tester.c

Anna Zaks ganna at apple.com
Mon Dec 5 10:58:01 PST 2011 

Author: zaks
Date: Mon Dec  5 12:58:01 2011
New Revision: 145827

URL: http://llvm.org/viewvc/llvm-project?rev=145827&view=rev
Log:
[analyzer] Add a debug checker to test for tainted data.

Added:
    cfe/trunk/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp
    cfe/trunk/test/Analysis/taint-tester.c
Modified:
    cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt
    cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt?rev=145827&r1=145826&r2=145827&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt Mon Dec  5 12:58:01 2011
@@ -52,6 +52,7 @@
   ReturnUndefChecker.cpp
   StackAddrEscapeChecker.cpp
   StreamChecker.cpp
+  TaintTesterChecker.cpp
   UndefBranchChecker.cpp
   UndefCapturedBlockVarChecker.cpp
   UndefResultChecker.cpp

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td?rev=145827&r1=145826&r2=145827&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td Mon Dec  5 12:58:01 2011
@@ -392,5 +392,9 @@
   HelpText<"Emit warnings with analyzer statistics">,
   DescFile<"AnalyzerStatsChecker.cpp">;
 
+def TaintTesterChecker : Checker<"TaintTest">,
+  HelpText<"Mark tainted symbols as such.">,
+  DescFile<"TaintTesterChecker.cpp">;
+
 } // end "debug"
 

Added: cfe/trunk/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp?rev=145827&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp (added)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp Mon Dec  5 12:58:01 2011
@@ -0,0 +1,62 @@
+//== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This checker can be used for testing how taint data is propagated.
+//
+//===----------------------------------------------------------------------===//
+#include "ClangSACheckers.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+class TaintTesterChecker : public Checker< check::PostStmt<Expr> > {
+
+  mutable llvm::OwningPtr<BugType> BT;
+  void initBugType() const;
+
+  /// Given a pointer argument, get the symbol of the value it contains
+  /// (points to).
+  SymbolRef getPointedToSymbol(CheckerContext &C,
+                               const Expr* Arg,
+                               bool IssueWarning = true) const;
+
+public:
+  void checkPostStmt(const Expr *E, CheckerContext &C) const;
+};
+}
+
+inline void TaintTesterChecker::initBugType() const {
+  if (!BT)
+    BT.reset(new BugType("Tainted data", "General"));
+}
+
+void TaintTesterChecker::checkPostStmt(const Expr *E,
+                                       CheckerContext &C) const {
+  const ProgramState *State = C.getState();
+  if (!State)
+    return;
+
+  if (E && State->isTainted(E)) {
+    if (ExplodedNode *N = C.addTransition()) {
+      initBugType();
+      BugReport *report = new BugReport(*BT, "tainted",N);
+      report->addRange(E->getSourceRange());
+      C.EmitReport(report);
+    }
+  }
+}
+
+void ento::registerTaintTesterChecker(CheckerManager &mgr) {
+  mgr.registerChecker<TaintTesterChecker>();
+}

Added: cfe/trunk/test/Analysis/taint-tester.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-tester.c?rev=145827&view=auto
==============================================================================
--- cfe/trunk/test/Analysis/taint-tester.c (added)
+++ cfe/trunk/test/Analysis/taint-tester.c Mon Dec  5 12:58:01 2011
@@ -0,0 +1,15 @@
+// RUN: %clang_cc1  -analyze -analyzer-checker=experimental.security.taint,debug.TaintTest -verify %s
+
+int scanf(const char *restrict format, ...);
+int getchar(void);
+
+#define BUFSIZE 10
+int Buffer[BUFSIZE];
+
+void bufferScanfAssignment(int x) {
+  int n;
+  int *addr = &Buffer[0];
+  scanf("%d", &n);
+  addr += n;// expected-warning {{tainted}}
+  *addr = n; // expected-warning {{tainted}}
+}

More information about the cfe-commits mailing list