https://github.com/NagyDonat created https://github.com/llvm/llvm-project/pull/132765
Currently `optin.taint.GenericTaint` can produce false positives if a [format attribute](https://clang.llvm.org/docs/AttributeReference.html#format) is applied on a non-static method. This commit adds a testcase that highlights this buggy behavior.
-----
I will probably extend this PR with a fix that resolves this bug.
From f0ac1f6c223b3bfce25ba0183ba1aa2825c455ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Don=C3=A1t=20Nagy?= <donat.n...@ericsson.com>
Date: Mon, 24 Mar 2025 16:58:31 +0100
Subject: [PATCH] [NFC][analyzer] Add testcase to highlight GenericTaint bug
Currently `optin.taint.GenericTaint` can produce false positives if a [format attribute](https://clang.llvm.org/docs/AttributeReference.html#format) is applied on a non-static method. This commit adds a testcase that highlights this buggy behavior.
---
 clang/test/Analysis/taint-generic.cpp | 43 +++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/clang/test/Analysis/taint-generic.cpp b/clang/test/Analysis/taint-generic.cpp
index 8836e1d3d2d98..41fbe313d2b44 100644
--- a/clang/test/Analysis/taint-generic.cpp
+++ b/clang/test/Analysis/taint-generic.cpp
@@ -161,3 +161,46 @@ void top() {
 clang_analyzer_isTainted(A.data); // expected-warning {{YES}}
 }
 } // namespace gh114270
+
+
+namespace format_attribute {
+__attribute__((__format__ (__printf__, 1, 2)))
+void log_nonmethod(const char *fmt, ...);
+
+void test_format_attribute_nonmethod() {
+ int n;
+ fscanf(stdin, "%d", &n); // Get a tainted value.
+
+ log_nonmethod("This number is suspicious: %d\n", n); // no-warning
+}
+
+struct Foo {
+ // When the format attribute is applied to a method, argumet '1' is the
+ // implicit `this`, so e.g. in this case argument '2' specifies `fmt`.
+ // Specifying '1' instead of '2' would produce a compilation error:
+ // "format attribute cannot specify the implicit this argument as the format string"
+ __attribute__((__format__ (__printf__, 2, 3)))
+ void log_method(const char *fmt, ...);
+
+ void test_format_attribute_method() {
+ int n;
+ fscanf(stdin, "%d", &n); // Get a tainted value.
+
+ // FIXME: The analyzer misinterprets the parameter indices in the format
+ // attribute when the format attribute is applied to a method.
+ log_method("This number is suspicious: %d\n", n);
+ // expected-warning@-1 {{Untrusted data is used as a format string}}
+ }
+
+ __attribute__((__format__ (__printf__, 1, 2)))
+ static void log_static_method(const char *fmt, ...);
+
+ void test_format_attribute_static_method() {
+ int n;
+ fscanf(stdin, "%d", &n); // Get a tainted value.
+
+ log_static_method("This number is suspicious: %d\n", n); // no-warning
+ }
+};
+
+} // namespace format_attribute
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
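Review bot: All three cases in `namespace format_attribute` pass a string literal as `fmt` and taint only the variadic argument, so nothing in this hunk pins that a genuinely tainted format string is still reported for `log_method` or `log_static_method`. Once the FIXME in `test_format_attribute_method` is resolved, a fix that shifts the parameter index the wrong way, or ignores the attribute on methods altogether, would still satisfy the `no-warning` expectations while silently losing the true positive. I would add a positive control next to each case, for example `char buf[64]; fscanf(stdin, "%63s", buf); log_method(buf); // expected-warning {{Untrusted data is used as a format string}}`, unless the part of taint-generic.cpp outside this hunk already covers that. Separately, the comment at the top of `struct Foo` has a typo: `argumet` should read `argument`.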