[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-09-26 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp closed https://github.com/llvm/llvm-project/pull/67352 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-09-13 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/67352

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-09-09 Thread Daniel Krupp via cfe-commits
dkrupp wrote: @haoNoQ gentle ping. Could you please check if this would be good to be merged now? thanks. https://github.com/llvm/llvm-project/pull/67352

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-28 Thread Gábor Horváth via cfe-commits
Xazax-hun wrote: I have no concerns with moving forward here, my understanding is that the blockers have been resolved. Moreover, we are early in the development cycle for the next release so we still have a lot of time to get more experience with this check once it is moved out of alpha. But I

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-27 Thread Balazs Benics via cfe-commits
steakhal wrote: I'm good now with the change, but I want both @Xazax-hun and @haoNoQ to accept this PR before landing. https://github.com/llvm/llvm-project/pull/67352

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-27 Thread Daniel Krupp via cfe-commits
dkrupp wrote: @steakhal now the commit is rebased and the results in the description are also refreshed (not broken). All the earlier problematic reports related to tainted integers (memset, malloc, memcpy ...) are not present now as these were removed from this checker as generic sinks by ea

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-27 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/67352 From 11b85a494bfc844d9474efd2c9679cc5c0f4f889 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Thu, 15 Aug 2024 14:24:35 +0200 Subject: [PATCH 1/2] [analyzer] Moving TaintPropagation and GenericTaint checkers o

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-27 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/67352

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-27 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/67352

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-22 Thread Balazs Benics via cfe-commits
@@ -992,6 +992,241 @@ optin.portability.UnixAPI " Finds implementation-defined behavior in UNIX/Posix functions. + +optin.taint + + +Checkers implementing +`taint analysis `_. + +.. _opti
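Review bot: the section added at the top of this hunk is headed `optin.taint`, but the PR description names the renamed checker `optin.security.taint.TaintPropagation`. Pick one package name and use it in both the documentation heading and the description, so that users enabling the checker by name are not pointed at a package that does not exist.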

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-22 Thread Balazs Benics via cfe-commits
@@ -992,6 +992,241 @@ optin.portability.UnixAPI " Finds implementation-defined behavior in UNIX/Posix functions. + +optin.taint + steakhal wrote: ```suggestion optin.taint ^^^ ``` https://github.com/llvm/ll

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-22 Thread Balazs Benics via cfe-commits
https://github.com/steakhal commented: I tried to look at the mentioned 3 TPs, but the links appear to be broken. Contentwise, I assume it's a pure cut-and-paste modulo replacement of `alpha` to `optin`. I have no objection from moving this checker out of alpha. https://github.com/llvm/llvm-pro

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-22 Thread Balazs Benics via cfe-commits
https://github.com/steakhal edited https://github.com/llvm/llvm-project/pull/67352

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-16 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/67352 From 11b85a494bfc844d9474efd2c9679cc5c0f4f889 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Thu, 15 Aug 2024 14:24:35 +0200 Subject: [PATCH] [analyzer] Moving TaintPropagation and GenericTaint checkers out o

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2024-08-15 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/67352 From 21a917403c180d74ec7ac4cf9f15b3c5a8de8b7d Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Thu, 15 Aug 2024 14:24:35 +0200 Subject: [PATCH] [analyzer] Moving TaintPropagation and GenericTaint checkers out o

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2023-10-09 Thread Daniel Krupp via cfe-commits
dkrupp wrote: @haoNoQ thanks for pointing out #61826 umbrella issue, I somehow missed that. I see this TaintPropagation checker as a generic flexible tool to find potential vulnerable data flows between any taint source and taint sink. The user should be configure sources and sinks in the yam

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2023-09-27 Thread via cfe-commits
DonatNagyE wrote: > No-no, I mean whatever I said in the next sentence, like literally the same > buffer, not the same allocation site, not the same variable, but literally > the same allocation, except it has multiple size-aware operations performed > on it, [...] Thanks for the clarificati

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2023-09-26 Thread Artem Dergachev via cfe-commits
haoNoQ wrote: > @haoNoQ I don't really understand your remark that > > > The report may be technically correct but I think the entire idea of the > > checker never made sense in the first place. It doesn't matter that > > untrusted data is used to specify buffer size once; it matters that data

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2023-09-26 Thread via cfe-commits
DonatNagyE wrote: I agree that it's a blocking issue that some numerical arguments act as taint sinks unconditionally (even if the analyzer knows about constraints that show that the actual value is valid). I'd suggest that those concrete issues should be addressed by separate improvement comm

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2023-09-25 Thread Artem Dergachev via cfe-commits
haoNoQ wrote: (Yeah we still have those false positives, though `memset` isn't actually covered yet as a potential sink: https://godbolt.org/z/6h5x87vMc) https://github.com/llvm/llvm-project/pull/67352

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2023-09-25 Thread Artem Dergachev via cfe-commits
haoNoQ wrote: #61826 has my data (which I unfortunately couldn't publish as-is, but the order of magnitude is, around 300 reports). My main problem with the tainted-number checkers is that they don't consider constraints at all. E.g., this is clearly a false positive: ``` char buf[100]; size

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2023-09-25 Thread via cfe-commits
llvmbot wrote: @llvm/pr-subscribers-clang Changes This commit renames alpha.security.taint.TaintPropagation checker to optin.security.taint.TaintPropagation. This checker was stabilized and improved by recent commits thus it's ready for production use. The checker is placed in the optin

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2023-09-25 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp created https://github.com/llvm/llvm-project/pull/67352 This commit renames alpha.security.taint.TaintPropagation checker to optin.security.taint.TaintPropagation. This checker was stabilized and improved by recent commits thus it's ready for production use. The che