[clang] [analyzer] New optin.taint.TaintAlloc checker for catching unbounded memory allocation calls (PR #92420)
Donát Nagy via cfe-commits
cfe-commits at lists.llvm.org
Wed May 29 01:44:35 PDT 2024
================
@@ -1779,18 +1797,76 @@ ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
const CallEvent &Call,
const Expr *SizeEx, SVal Init,
ProgramStateRef State,
- AllocationFamily Family) {
+ AllocationFamily Family) const {
if (!State)
return nullptr;
assert(SizeEx);
return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Family);
}
+void MallocChecker::reportTaintBug(StringRef Msg, ProgramStateRef State,
+ CheckerContext &C,
+ llvm::ArrayRef<SymbolRef> TaintedSyms,
+ AllocationFamily Family) const {
+
+ if (!ChecksEnabled[CK_TaintAllocChecker])
+ return;
+
+ if (ExplodedNode *N = C.generateNonFatalErrorNode(State, this)) {
+ if (!BT_TaintedAlloc)
+ BT_TaintedAlloc.reset(new BugType(CheckNames[CK_TaintAllocChecker],
+ "Tainted Memory Allocation",
+ categories::TaintedData));
+ auto R = std::make_unique<PathSensitiveBugReport>(*BT_TaintedAlloc, Msg, N);
+ for (auto TaintedSym : TaintedSyms) {
+ R->markInteresting(TaintedSym);
+ }
+ C.emitReport(std::move(R));
+ }
+}
+
+void MallocChecker::CheckTaintedness(CheckerContext &C, const CallEvent &Call,
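Review bot: `reportTaintBug` is declared `const` yet calls `BT_TaintedAlloc.reset(new BugType(...))`, so `BT_TaintedAlloc` must be a `mutable std::unique_ptr<BugType>` member; its declaration is outside this hunk, so please confirm that, or initialize the BugType eagerly instead of lazily. Two style points in the same function: drop the blank line right after the opening brace, and the single-statement loop body `R->markInteresting(TaintedSym);` does not need braces under LLVM style.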
----------------
NagyDonat wrote:
Rename this to `checkTaintedness` with a lowercase 'c' to follow the global coding guidelines. I know that MallocChecker has lots of functions whose names start with an uppercase letter, but I think it's better to introduce new functions with conforming names and eventually switch to the standard naming scheme when there is a refactoring that already touches many functions.
(This is how I standardized the variable names in ArrayBoundV2.)
https://github.com/llvm/llvm-project/pull/92420