This revision was landed with ongoing or failed builds.
This revision was automatically updated to reflect the committed changes.
Closed by commit rG438fc2c83b73: [analyzer] Fix crash in GenericTaintChecker
when propagatig taint to… (authored by tomasz-kaminski-sonarsource).
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D155847/new/
https://reviews.llvm.org/D155847
Files:
clang/lib/StaticAnalyzer/Core/SVals.cpp
clang/test/Analysis/taint-generic.c
Index: clang/test/Analysis/taint-generic.c
===================================================================
--- clang/test/Analysis/taint-generic.c
+++ clang/test/Analysis/taint-generic.c
@@ -359,6 +359,25 @@
int vla[x]; // expected-warning{{Declared variable-length array (VLA) has
tainted size}}
}
+int testTaintedAllocaMem() {
+ char x;
+ void * p;
+ scanf("%c", &x);
+ p = __builtin_alloca(1);
+ __builtin_memcpy(p, &x, 1);
+ return 5 / *(char*)p; // expected-warning {{Division by a tainted value,
possibly zero}}
+}
+
+int testTaintedMallocMem() {
+ char x;
+ void * p;
+ scanf("%c", &x);
+ p = malloc(1);
+ __builtin_memcpy(p, &x, 1);
+ return 5 / *(char*)p; // expected-warning {{Division by a tainted value,
possibly zero}}
+}
+
+
// This computation used to take a very long time.
#define longcmp(a,b,c) { \
a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c
-= b; c ^= b; b += a; \
Index: clang/lib/StaticAnalyzer/Core/SVals.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Core/SVals.cpp
+++ clang/lib/StaticAnalyzer/Core/SVals.cpp
@@ -174,6 +174,9 @@
QualType VisitSymbolicRegion(const SymbolicRegion *SR) {
return Visit(SR->getSymbol());
}
+ QualType VisitAllocaRegion(const AllocaRegion *) {
+ return QualType{Context.VoidPtrTy};
+ }
QualType VisitTypedRegion(const TypedRegion *TR) {
return TR->getLocationType();
}
Index: clang/test/Analysis/taint-generic.c
===================================================================
--- clang/test/Analysis/taint-generic.c
+++ clang/test/Analysis/taint-generic.c
@@ -359,6 +359,25 @@
int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
}
+int testTaintedAllocaMem() {
+ char x;
+ void * p;
+ scanf("%c", &x);
+ p = __builtin_alloca(1);
+ __builtin_memcpy(p, &x, 1);
+ return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}}
+}
+
+int testTaintedMallocMem() {
+ char x;
+ void * p;
+ scanf("%c", &x);
+ p = malloc(1);
+ __builtin_memcpy(p, &x, 1);
+ return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}}
+}
+
+
// This computation used to take a very long time.
#define longcmp(a,b,c) { \
a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
Index: clang/lib/StaticAnalyzer/Core/SVals.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Core/SVals.cpp
+++ clang/lib/StaticAnalyzer/Core/SVals.cpp
@@ -174,6 +174,9 @@
QualType VisitSymbolicRegion(const SymbolicRegion *SR) {
return Visit(SR->getSymbol());
}
+ QualType VisitAllocaRegion(const AllocaRegion *) {
+ return QualType{Context.VoidPtrTy};
+ }
QualType VisitTypedRegion(const TypedRegion *TR) {
return TR->getLocationType();
}
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
