[PATCH] D114706: [analyzer] Fix sensitive argument logic in GenericTaintChecker

Bal√°zs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Mon Nov 29 10:50:33 PST 2021


steakhal requested changes to this revision.
steakhal added a comment.
This revision now requires changes to proceed.

E.g. `execl()` and `execlp` functions are actually variadic. You should also account for them.
I would rather map directly to a full-fledged Propagation rule instead of to a sensitive arg index list. That way you could express this property.
Demonstrate this in a test.

Actually, the `CallDescriptionFlags::CDF_MaybeBuiltin` CallDescriptions will use the `CCtx::isCLibraryFunction()` for matching the call.
By using that the code would get significantly shorter and more readable as well.



================
Comment at: clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp:951-957
+  // Find the first argument that receives a tainted value.
+  // The report is emitted as a side-effect.
+  return llvm::find_if(SensitiveArgs, [this, &C, &Call](unsigned Idx) {
+           return Idx < Call.getNumArgs() &&
+                  generateReportIfTainted(Call.getArgExpr(Idx), MsgCustomSink,
+                                          C);
+         }) != SensitiveArgs.end();
----------------
These algorithms are not supposed to have side-effects. Even though we technically could have side-effects, I would still apply it separately.
That being said, this seems to be a copy-paste version of the previous hunk, like 3rd time.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D114706/new/

https://reviews.llvm.org/D114706



More information about the cfe-commits mailing list