[PATCH] D114706: [analyzer] Fix sensitive argument logic in GenericTaintChecker
Balázs Benics via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Mon Nov 29 10:50:33 PST 2021
steakhal requested changes to this revision.
steakhal added a comment.
This revision now requires changes to proceed.
E.g. `execl()` and `execlp` functions are actually variadic. You should also account for them.
I would rather map directly to a full-fledged Propagation rule instead of to a sensitive arg index list. That way you could express this property.
Demonstrate this in a test.
Actually, the `CallDescriptionFlags::CDF_MaybeBuiltin` CallDescriptions will use the `CCtx::isCLibraryFunction()` for matching the call.
By using that the code would get significantly shorter and more readable as well.
================
Comment at: clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp:951-957
+ // Find the first argument that receives a tainted value.
+ // The report is emitted as a side-effect.
+ return llvm::find_if(SensitiveArgs, [this, &C, &Call](unsigned Idx) {
+ return Idx < Call.getNumArgs() &&
+ generateReportIfTainted(Call.getArgExpr(Idx), MsgCustomSink,
+ C);
+ }) != SensitiveArgs.end();
----------------
These algorithms are not supposed to have side-effects. Even though we technically could have side-effects, I would still apply it separately.
That being said, this seems to be a copy-paste version of the previous hunk, like 3rd time.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D114706/new/
https://reviews.llvm.org/D114706
More information about the cfe-commits
mailing list