[cfe-commits] r156050 - in /cfe/trunk: include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h lib/StaticAnalyzer/Core/SValBuilder.cpp lib/StaticAnalyzer/Core/SymbolManager.cpp test/Analysis/taint-generic.c

Anna Zaks ganna at apple.com
Wed May 2 19:13:50 PDT 2012


Author: zaks
Date: Wed May  2 21:13:50 2012
New Revision: 156050

URL: http://llvm.org/viewvc/llvm-project?rev=156050&view=rev
Log:
[analyzer] Add a complexity bound on history tracking.

(Currently, this is only relevant for tainted data.)

Modified:
    cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
    cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp
    cfe/trunk/lib/StaticAnalyzer/Core/SymbolManager.cpp
    cfe/trunk/test/Analysis/taint-generic.c

Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h?rev=156050&r1=156049&r2=156050&view=diff
==============================================================================
--- cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h (original)
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h Wed May  2 21:13:50 2012
@@ -94,6 +94,8 @@
     return symbol_iterator(this);
   }
   static symbol_iterator symbol_end() { return symbol_iterator(); }
+
+  unsigned computeComplexity() const;
 };
 
 typedef const SymExpr* SymbolRef;
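Review bot: The new `computeComplexity()` declaration on line 33 carries no comment, so a reader of the header cannot tell what "complexity" measures or that it is recomputed by walking the expression on every call. I would add above it `/// Return the number of symbols reachable from this expression via symbol_iterator; linear in the size of the expression, not cached.` The enclosing SymExpr class begins outside the hunk.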

Modified: cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp?rev=156050&r1=156049&r2=156050&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp Wed May  2 21:13:50 2012
@@ -204,15 +204,19 @@
     
   const SymExpr *symLHS = LHS.getAsSymExpr();
   const SymExpr *symRHS = RHS.getAsSymExpr();
+  // TODO: When the Max Complexity is reached, we should conjure a symbol
+  // instead of generating an Unknown value and propagate the taint info to it.
+  const unsigned MaxComp = 10000; // 100000 28X
 
-  if (symLHS && symRHS)
+  if (symLHS && symRHS &&
+      (symLHS->computeComplexity() + symRHS->computeComplexity()) <  MaxComp)
     return makeNonLoc(symLHS, Op, symRHS, ResultTy);
 
-  if (symLHS)
+  if (symLHS && symLHS->computeComplexity() < MaxComp)
     if (const nonloc::ConcreteInt *rInt = dyn_cast<nonloc::ConcreteInt>(&RHS))
       return makeNonLoc(symLHS, Op, rInt->getValue(), ResultTy);
 
-  if (symRHS)
+  if (symRHS && symRHS->computeComplexity() < MaxComp)
     if (const nonloc::ConcreteInt *lInt = dyn_cast<nonloc::ConcreteInt>(&LHS))
       return makeNonLoc(lInt->getValue(), Op, symRHS, ResultTy);
 

Modified: cfe/trunk/lib/StaticAnalyzer/Core/SymbolManager.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/SymbolManager.cpp?rev=156050&r1=156049&r2=156050&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/SymbolManager.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/SymbolManager.cpp Wed May  2 21:13:50 2012
@@ -164,6 +164,13 @@
   llvm_unreachable("unhandled expansion case");
 }
 
+unsigned SymExpr::computeComplexity() const {
+  unsigned R = 0;
+  for (symbol_iterator I = symbol_begin(), E = symbol_end(); I != E; ++I)
+    R++;
+  return R;
+}
+
 const SymbolRegionValue*
 SymbolManager::getRegionValueSymbol(const TypedValueRegion* R) {
   llvm::FoldingSetNodeID profile;
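Review bot: `computeComplexity` on lines 76-81 walks the whole expression on every call, and its caller in SValBuilder.cpp invokes it up to three times per binary operation, so enforcing the bound itself costs O(size) per evaluation; if that shows up in profiles, storing the count in the SymExpr at construction of the compound symbol kinds would make it O(1). The function also has no comment; I would put `// Number of symbols reachable from this expression; used as a size bound.` above it. The loop could become `return std::distance(symbol_begin(), symbol_end());` only if symbol_iterator provides iterator traits, which this hunk does not show.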

Modified: cfe/trunk/test/Analysis/taint-generic.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-generic.c?rev=156050&r1=156049&r2=156050&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-generic.c (original)
+++ cfe/trunk/test/Analysis/taint-generic.c Wed May  2 21:13:50 2012
@@ -183,3 +183,23 @@
   scanf("%d", &x);
   int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
 }
+
+// This computation used to take a very long time.
+#define longcmp(a,b,c) { \
+  a -= c;  a ^= c;  c += b; b -= a;  b ^= (a<<6) | (a >> (32-b));  a += c; c -= b;  c ^= b;  b += a; \
+  a -= c;  a ^= c;  c += b; b -= a;  b ^= a;  a += c; c -= b;  c ^= b;  b += a; }
+
+unsigned radar11369570_hanging(const unsigned char *arr, int l) {
+  unsigned a, b, c;
+  a = b = c = 0x9899e3 + l;
+  while (l >= 6) {
+    unsigned t;
+    scanf("%d", &t);
+    a += b;
+    a ^= a;
+    a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
+    longcmp(a, t, c);
+    l -= 12;
+  }
+  return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
+}
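Review bot: `scanf("%d", &t)` on line 107 reads into an `unsigned` with the signed conversion; `%u` matches the declared type and should not change what the checker taints. Otherwise the test only guards against the hang and the division warning; nothing in it checks the bound's value, which is fine for a regression test but worth stating in the comment on line 97, e.g. `// Regression test: symbol growth here is capped by the analyzer's complexity bound.`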




