Revert "[analyzer] Add failing test case demonstrating buggy taint propagation"

This reverts commit 744745ae19.

I'm reverting this since this patch caused a build breakage.

https://lab.llvm.org/buildbot/#/builders/91/builds/3818
This commit is contained in:
Balazs Benics 2022-02-14 18:44:30 +01:00
parent d16c5f4192
commit b8ae323cca
3 changed files with 3 additions and 98 deletions


@ -32,8 +32,6 @@
#include <memory> #include <memory>
#include <utility> #include <utility>
#define DEBUG_TYPE "taint-checker"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint; using namespace taint;
@ -693,13 +691,6 @@ void GenericTaintChecker::checkPostCall(const CallEvent &Call,
if (TaintArgs.isEmpty()) if (TaintArgs.isEmpty())
return; return;
LLVM_DEBUG(for (ArgIdxTy I
: TaintArgs) {
llvm::dbgs() << "PostCall<";
Call.dump(llvm::dbgs());
llvm::dbgs() << "> actually wants to taint arg index: " << I << '\n';
});
for (ArgIdxTy ArgNum : TaintArgs) { for (ArgIdxTy ArgNum : TaintArgs) {
// Special handling for the tainted return value. // Special handling for the tainted return value.
if (ArgNum == ReturnValueIndex) { if (ArgNum == ReturnValueIndex) {
@ -777,25 +768,15 @@ void GenericTaintRule::process(const GenericTaintChecker &Checker,
/// Propagate taint where it is necessary. /// Propagate taint where it is necessary.
ForEachCallArg( ForEachCallArg(
[this, &State, WouldEscape, &Call](ArgIdxTy I, const Expr *E, SVal V) { [this, &State, WouldEscape](ArgIdxTy I, const Expr *E, SVal V) {
if (PropDstArgs.contains(I)) { if (PropDstArgs.contains(I))
LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs());
llvm::dbgs()
<< "> prepares tainting arg index: " << I << '\n';);
State = State->add<TaintArgsOnPostVisit>(I); State = State->add<TaintArgsOnPostVisit>(I);
}
// TODO: We should traverse all reachable memory regions via the // TODO: We should traverse all reachable memory regions via the
// escaping parameter. Instead of doing that we simply mark only the // escaping parameter. Instead of doing that we simply mark only the
// referred memory region as tainted. // referred memory region as tainted.
if (WouldEscape(V, E->getType())) { if (WouldEscape(V, E->getType()))
LLVM_DEBUG(if (!State->contains<TaintArgsOnPostVisit>(I)) {
llvm::dbgs() << "PreCall<";
Call.dump(llvm::dbgs());
llvm::dbgs() << "> prepares tainting arg index: " << I << '\n';
});
State = State->add<TaintArgsOnPostVisit>(I); State = State->add<TaintArgsOnPostVisit>(I);
}
}); });
C.addTransition(State); C.addTransition(State);
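Review bot: The loop `for (ArgIdxTy ArgNum : TaintArgs)` in the second hunk of checkPostCall still applies every recorded index to the current Call without checking that the index is below the call's argument count; the test deleted in this revert (the `nested_call()` case marked "no-crash" and XFAIL) indicates the indices staged in TaintArgsOnPostVisit by the PreCall lambda can outlive the call they were recorded for and reach the PostCall of a nested callee with fewer arguments. Reverting the debug output fixes the build but leaves that path undocumented in-tree, so a marker next to the loop would help whoever lands the real fix, e.g. `// FIXME: TaintArgs may carry indices staged for an enclosing call (see the nested-call case); bound-check ArgNum against Call.getNumArgs() before touching the argument.` The body of checkPostCall, and the branch that handles non-return indices, continue outside this hunk, so whether such a check already exists further down cannot be confirmed from here.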


@ -1,42 +0,0 @@
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core,alpha.security.taint \
// RUN: -mllvm -debug-only=taint-checker \
// RUN: 2>&1 | FileCheck %s
// FIXME: We should not crash.
// XFAIL: *
struct _IO_FILE;
typedef struct _IO_FILE FILE;
FILE *fopen(const char *fname, const char *mode);
void nested_call(void) {}
char *fgets(char *s, int n, FILE *fp) {
nested_call(); // no-crash: we should not try adding taint to a non-existent argument.
return (char *)0;
}
void top(const char *fname, char *buf) {
FILE *fp = fopen(fname, "r");
// CHECK: PreCall<fopen(fname, "r")> prepares tainting arg index: -1
// CHECK-NEXT: PostCall<fopen(fname, "r")> actually wants to taint arg index: -1
if (!fp)
return;
(void)fgets(buf, 42, fp); // Trigger taint propagation.
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: -1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 0
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 2
// FIXME: We should propagate taint from PreCall<fgets> -> PostCall<fgets>.
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: -1
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: 0
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: 1
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: 2
// FIXME: We should not crash.
// CHECK: PLEASE submit a bug report
}


@ -1,34 +0,0 @@
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core,alpha.security.taint \
// RUN: -mllvm -debug-only=taint-checker \
// RUN: 2>&1 | FileCheck %s
struct _IO_FILE;
typedef struct _IO_FILE FILE;
FILE *fopen(const char *fname, const char *mode);
char *fgets(char *s, int n, FILE *fp); // no-definition
void top(const char *fname, char *buf) {
FILE *fp = fopen(fname, "r"); // Introduce taint.
// CHECK: PreCall<fopen(fname, "r")> prepares tainting arg index: -1
// CHECK-NEXT: PostCall<fopen(fname, "r")> actually wants to taint arg index: -1
if (!fp)
return;
(void)fgets(buf, 42, fp); // Trigger taint propagation.
// FIXME: Why is the arg index 1 prepared for taint?
// Before the call it wasn't tainted, and it also shouldn't be tainted after the call.
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: -1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 0
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 2
//
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: -1
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 0
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 1
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 2
}