[clang] 438fc2c - [analyzer] Fix crash in GenericTaintChecker when propagating taint to AllocaRegion
Tomasz Kamiński via cfe-commits
cfe-commits at lists.llvm.org
Mon Jul 24 01:57:03 PDT 2023
Author: Tomasz Kamiński
Date: 2023-07-24T10:52:35+02:00
New Revision: 438fc2c83b73e66f6dbae4f34e9a19f41302f825
URL: https://github.com/llvm/llvm-project/commit/438fc2c83b73e66f6dbae4f34e9a19f41302f825
DIFF: https://github.com/llvm/llvm-project/commit/438fc2c83b73e66f6dbae4f34e9a19f41302f825.diff
LOG: [analyzer] Fix crash in GenericTaintChecker when propagating taint to AllocaRegion
The `GenericTaintChecker` checker was crashing when the taint
was propagated to an `AllocaRegion` region in the following code:
```c
int x;
void* p = alloca(10);
memcpy(p, &x, sizeof(x));
```
This crash was caused by the fact that determining the type of
an `AllocaRegion` returns a null `QualType`.
This patch makes `AllocaRegion` expose its type as `void`,
making it consistent with the results of `malloc` or `new`,
which produce a `SymRegion` with a `void*` symbol.
Reviewed By: steakhal, xazax.hun
Differential Revision: https://reviews.llvm.org/D155847
Added:
Modified:
clang/lib/StaticAnalyzer/Core/SVals.cpp
clang/test/Analysis/taint-generic.c
Removed:
################################################################################
diff --git a/clang/lib/StaticAnalyzer/Core/SVals.cpp b/clang/lib/StaticAnalyzer/Core/SVals.cpp
index bc9c1e40d808a8..2a43a01ff88618 100644
--- a/clang/lib/StaticAnalyzer/Core/SVals.cpp
+++ b/clang/lib/StaticAnalyzer/Core/SVals.cpp
@@ -174,6 +174,9 @@ class TypeRetrievingVisitor
QualType VisitSymbolicRegion(const SymbolicRegion *SR) {
return Visit(SR->getSymbol());
}
+ QualType VisitAllocaRegion(const AllocaRegion *) {
+ return QualType{Context.VoidPtrTy};
+ }
QualType VisitTypedRegion(const TypedRegion *TR) {
return TR->getLocationType();
}
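Review bot: the commit message says `AllocaRegion` now exposes its type as `void`, but `VisitAllocaRegion` returns `Context.VoidPtrTy`, i.e. `void *`; either the message should say `void *` (which is what makes it line up with the `void*` symbol of a `malloc` `SymRegion`), or a one-line comment above the visitor should state that, like `VisitTypedRegion`'s `getLocationType()`, this yields the location (pointer) type of the region rather than a pointee type. Minor: `return QualType{Context.VoidPtrTy};` can be written `return Context.VoidPtrTy;`, since `CanQualType` converts implicitly to `QualType`, matching the style of the neighbouring visitors.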
diff --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c
index 84b7cc51dd6df8..9199b3510516e0 100644
--- a/clang/test/Analysis/taint-generic.c
+++ b/clang/test/Analysis/taint-generic.c
@@ -359,6 +359,25 @@ void testTaintedVLASize(void) {
int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
}
+int testTaintedAllocaMem() {
+ char x;
+ void * p;
+ scanf("%c", &x);
+ p = __builtin_alloca(1);
+ __builtin_memcpy(p, &x, 1);
+ return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}}
+}
+
+int testTaintedMallocMem() {
+ char x;
+ void * p;
+ scanf("%c", &x);
+ p = malloc(1);
+ __builtin_memcpy(p, &x, 1);
+ return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}}
+}
+
+
// This computation used to take a very long time.
#define longcmp(a,b,c) { \
a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
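Review bot: `testTaintedAllocaMem()` and `testTaintedMallocMem()` should be declared with `(void)` like the neighbouring `testTaintedVLASize(void)`; in C an empty parameter list is an unprototyped declaration. The new tests also exercise only `__builtin_alloca`, while the reproducer in the commit message calls `alloca(10)`; if the library `alloca` is modelled the same way, a third case calling it would pin down the reported crash directly. Finally, the two added blank lines before `// This computation used to take a very long time.` leave a double blank line; one is enough.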