Revert "[analyzer] Add failing test case demonstrating buggy taint propagation"
This reverts commit 744745ae19.
I'm reverting this since this patch caused a build breakage.
https://lab.llvm.org/buildbot/#/builders/91/builds/3818
This commit is contained in:
parent
d16c5f4192
commit
b8ae323cca
@ -32,8 +32,6 @@
#include <memory>
#include <memory>
#include <utility>
#include <utility>
#define DEBUG_TYPE "taint-checker"
using namespace clang;
using namespace clang;
using namespace ento;
using namespace ento;
using namespace taint;
using namespace taint;
@ -693,13 +691,6 @@ void GenericTaintChecker::checkPostCall(const CallEvent &Call,
if (TaintArgs.isEmpty())
if (TaintArgs.isEmpty())
return;
return;
LLVM_DEBUG(for (ArgIdxTy I
: TaintArgs) {
llvm::dbgs() << "PostCall<";
Call.dump(llvm::dbgs());
llvm::dbgs() << "> actually wants to taint arg index: " << I << '\n';
});
for (ArgIdxTy ArgNum : TaintArgs) {
for (ArgIdxTy ArgNum : TaintArgs) {
// Special handling for the tainted return value.
// Special handling for the tainted return value.
if (ArgNum == ReturnValueIndex) {
if (ArgNum == ReturnValueIndex) {
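Review bot: The restored loop `for (ArgIdxTy ArgNum : TaintArgs)` consumes every index recorded in `TaintArgsOnPostVisit` without checking that it names an argument of *this* call; the test file this commit deletes (its `PostCall<nested_call()> actually wants to taint arg index: 2` lines and the `FIXME: We should not crash`) shows the indices prepared in PreCall for `fgets` being applied to the post-visit of a nested zero-argument call. Mis-attributing the pending indices both loses taint on the intended arguments (a missed finding) and applies it to an index the call does not have, so the index should be bounds-checked before use, e.g. after the return-value branch: `if (ArgNum >= Call.getNumArgs()) continue; // recorded for a different call`. The per-argument code that actually uses ArgNum lies outside the hunk, so the exact use site is inferred, and checkPostCall itself starts and ends outside the hunk. The same issue originates in the GenericTaintRule::process hunk below, where the pending set is keyed by index only and not by the call it was prepared for.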
@ -777,25 +768,15 @@ void GenericTaintRule::process(const GenericTaintChecker &Checker,
/// Propagate taint where it is necessary.
/// Propagate taint where it is necessary.
ForEachCallArg(
ForEachCallArg(
[this, &State, WouldEscape, &Call](ArgIdxTy I, const Expr *E, SVal V) {
[this, &State, WouldEscape](ArgIdxTy I, const Expr *E, SVal V) {
if (PropDstArgs.contains(I)) {
if (PropDstArgs.contains(I))
LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs());
llvm::dbgs()
<< "> prepares tainting arg index: " << I << '\n';);
State = State->add<TaintArgsOnPostVisit>(I);
State = State->add<TaintArgsOnPostVisit>(I);
}
// TODO: We should traverse all reachable memory regions via the
// TODO: We should traverse all reachable memory regions via the
// escaping parameter. Instead of doing that we simply mark only the
// escaping parameter. Instead of doing that we simply mark only the
// referred memory region as tainted.
// referred memory region as tainted.
if (WouldEscape(V, E->getType())) {
if (WouldEscape(V, E->getType()))
LLVM_DEBUG(if (!State->contains<TaintArgsOnPostVisit>(I)) {
llvm::dbgs() << "PreCall<";
Call.dump(llvm::dbgs());
llvm::dbgs() << "> prepares tainting arg index: " << I << '\n';
});
State = State->add<TaintArgsOnPostVisit>(I);
State = State->add<TaintArgsOnPostVisit>(I);
}
});
});
C.addTransition(State);
C.addTransition(State);
@ -1,42 +0,0 @@
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core,alpha.security.taint \
// RUN: -mllvm -debug-only=taint-checker \
// RUN: 2>&1 | FileCheck %s
// FIXME: We should not crash.
// XFAIL: *
struct _IO_FILE;
typedef struct _IO_FILE FILE;
FILE *fopen(const char *fname, const char *mode);
void nested_call(void) {}
char *fgets(char *s, int n, FILE *fp) {
nested_call(); // no-crash: we should not try adding taint to a non-existent argument.
return (char *)0;
}
void top(const char *fname, char *buf) {
FILE *fp = fopen(fname, "r");
// CHECK: PreCall<fopen(fname, "r")> prepares tainting arg index: -1
// CHECK-NEXT: PostCall<fopen(fname, "r")> actually wants to taint arg index: -1
if (!fp)
return;
(void)fgets(buf, 42, fp); // Trigger taint propagation.
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: -1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 0
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 2
// FIXME: We should propagate taint from PreCall<fgets> -> PostCall<fgets>.
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: -1
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: 0
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: 1
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: 2
// FIXME: We should not crash.
// CHECK: PLEASE submit a bug report
}
@ -1,34 +0,0 @@
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core,alpha.security.taint \
// RUN: -mllvm -debug-only=taint-checker \
// RUN: 2>&1 | FileCheck %s
struct _IO_FILE;
typedef struct _IO_FILE FILE;
FILE *fopen(const char *fname, const char *mode);
char *fgets(char *s, int n, FILE *fp); // no-definition
void top(const char *fname, char *buf) {
FILE *fp = fopen(fname, "r"); // Introduce taint.
// CHECK: PreCall<fopen(fname, "r")> prepares tainting arg index: -1
// CHECK-NEXT: PostCall<fopen(fname, "r")> actually wants to taint arg index: -1
if (!fp)
return;
(void)fgets(buf, 42, fp); // Trigger taint propagation.
// FIXME: Why is the arg index 1 prepared for taint?
// Before the call it wasn't tainted, and it also shouldn't be tainted after the call.
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: -1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 0
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 2
//
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: -1
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 0
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 1
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 2
}