tomasz-kaminski-sonarsource created this revision. Herald added subscribers: steakhal, manas, ASDenysPetrov, martong, dkrupp, donat.nagy, Szelethus, mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun. Herald added a reviewer: NoQ. Herald added a project: All. tomasz-kaminski-sonarsource requested review of this revision. Herald added a project: clang. Herald added a subscriber: cfe-commits.
The `GenericTaintChecker` checker was crashing when the taint was propagated to an `AllocaRegion` region in the following code: `int x; void* p = alloca(10); memcpy(p, &x, sizeof(x));` This crash was caused by the fact that determining the type of `AllocaRegion` returns a null `QualType`. This patch makes `AllocaRegion` expose its type as `void`, making it consistent with the results of `malloc` or `new`, which produce a `SymRegion` with `void*`.
Repository: rG LLVM Github Monorepo https://reviews.llvm.org/D155847 Files: clang/lib/StaticAnalyzer/Core/SVals.cpp clang/test/Analysis/taint-generic.c
Index: clang/test/Analysis/taint-generic.c =================================================================== --- clang/test/Analysis/taint-generic.c +++ clang/test/Analysis/taint-generic.c @@ -359,6 +359,25 @@ int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}} } +int testTaintedAllocaMem() { + char x; + void * p; + scanf("%c", &x); + p = __builtin_alloca(1); + __builtin_memcpy(p, &x, 1); + return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}} +} + +int testTaintedMallocMem() { + char x; + void * p; + scanf("%c", &x); + p = malloc(1); + __builtin_memcpy(p, &x, 1); + return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}} +} + + // This computation used to take a very long time. #define longcmp(a,b,c) { \ a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \ Index: clang/lib/StaticAnalyzer/Core/SVals.cpp =================================================================== --- clang/lib/StaticAnalyzer/Core/SVals.cpp +++ clang/lib/StaticAnalyzer/Core/SVals.cpp @@ -174,6 +174,9 @@ QualType VisitSymbolicRegion(const SymbolicRegion *SR) { return Visit(SR->getSymbol()); } + QualType VisitAllocaRegion(const AllocaRegion *) { + return QualType{Context.VoidPtrTy}; + } QualType VisitTypedRegion(const TypedRegion *TR) { return TR->getLocationType(); }
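Review bot: in the taint-generic.c hunk, `testTaintedAllocaMem` and `testTaintedMallocMem` differ only in the allocator, and nothing in the test file records why the alloca variant exists; add a short comment above `testTaintedAllocaMem` saying it is a regression test for the crash (the checker previously obtained a null `QualType` for the `AllocaRegion`) and that the `malloc` variant is the reference behaviour the alloca case must match, otherwise a later reader sees only two near-identical division-by-tainted-value cases. Minor style point in both functions: `void * p;` should be `void *p;` per LLVM formatting. The second test also depends on `malloc` and `scanf` being declared earlier in this file; if `malloc` is not already declared there, that test will not compile as intended, so please confirm.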
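Review bot: the commit message says `AllocaRegion` now exposes its type as `void`, but the new `VisitAllocaRegion` in SVals.cpp returns `Context.VoidPtrTy`, i.e. `void *`; since the neighbouring `VisitTypedRegion` returns `TR->getLocationType()`, a pointer type, `void *` is the right value here, so the description should say "location type `void *`" rather than `void` to avoid suggesting the pointee type. A one-line comment above the new visitor explaining that an alloca region has no static pointee type and is therefore modelled like the `void *` `SymbolicRegion` that `malloc` produces would help the next reader. Stylistically, the `QualType{Context.VoidPtrTy}` wrapper looks redundant if `Context.VoidPtrTy` already converts to `QualType`, in which case `return Context.VoidPtrTy;` matches the form of the adjacent visitors.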
_______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits