[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)
Balazs Benics via cfe-commits
cfe-commits at lists.llvm.org
Fri May 17 05:12:14 PDT 2024
================
@@ -1779,18 +1790,79 @@ ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
const CallEvent &Call,
const Expr *SizeEx, SVal Init,
ProgramStateRef State,
- AllocationFamily Family) {
+ AllocationFamily Family) const {
if (!State)
return nullptr;
assert(SizeEx);
return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Family);
}
+void MallocChecker::reportTaintBug(StringRef Msg, ProgramStateRef State,
+ CheckerContext &C,
+ llvm::ArrayRef<SymbolRef> TaintedSyms,
+ AllocationFamily Family,
+ const Expr *SizeEx) const {
+ if (ExplodedNode *N = C.generateErrorNode(State)) {
+
+ std::optional<MallocChecker::CheckKind> CheckKind =
+ getCheckIfTracked(Family);
+ if (!CheckKind)
+ return;
+ if (!BT_TaintedAlloc[*CheckKind])
+ BT_TaintedAlloc[*CheckKind].reset(new BugType(CheckNames[*CheckKind],
+ "Tainted Memory Allocation",
+ categories::MemoryError));
+ auto R = std::make_unique<PathSensitiveBugReport>(
+ *BT_TaintedAlloc[*CheckKind], Msg, N);
+
+ bugreporter::trackExpressionValue(N, SizeEx, *R);
+ for (auto Sym : TaintedSyms)
+ R->markInteresting(Sym);
+ C.emitReport(std::move(R));
+ }
+}
+
+void MallocChecker::CheckTaintedness(CheckerContext &C, const CallEvent &Call,
+ const SVal SizeSVal, ProgramStateRef State,
+ AllocationFamily Family) const {
+ std::vector<SymbolRef> TaintedSyms =
+ clang::ento::taint::getTaintedSymbols(State, SizeSVal);
+ if (!TaintedSyms.empty()) {
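Review bot: In reportTaintBug the `getCheckIfTracked(Family)` lookup and its `if (!CheckKind) return;` sit inside the `if (ExplodedNode *N = C.generateErrorNode(State))` body, so for an untracked family the function has already generated an error node (which, as far as I can tell, sinks the path) before deciding not to emit anything; hoist the CheckKind lookup and early return above the `generateErrorNode` call so the path is only cut when a report is actually emitted. While there, `BT_TaintedAlloc[*CheckKind].reset(new BugType(...))` can be `BT_TaintedAlloc[*CheckKind] = std::make_unique<BugType>(CheckNames[*CheckKind], "Tainted Memory Allocation", categories::MemoryError);`, which avoids the bare `new`. Neither function carries a doc comment; a one-line `/// Reports a tainted allocation size for \p Family, marking \p TaintedSyms interesting and tracking \p SizeEx.` on reportTaintBug would help readers. The body of CheckTaintedness continues past the end of this hunk, so its handling of the tainted-size case is not visible here.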
----------------
steakhal wrote:
Transform this into an early-return to reduce indentation.
https://github.com/llvm/llvm-project/pull/92420