-rw-r--r--lib/StaticAnalyzer/Checkers/CStringChecker.cpp9
-rw-r--r--lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp5
-rw-r--r--lib/StaticAnalyzer/Core/SValBuilder.cpp2
-rw-r--r--test/Analysis/string.c10
-rw-r--r--test/Analysis/taint-generic.c3
5 files changed, 21 insertions, 8 deletions
diff --git a/lib/StaticAnalyzer/Checkers/CStringChecker.cpp b/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
index ff9d8689f6..49d8bf5388 100644
--- a/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
@@ -532,10 +532,11 @@ const ProgramState *CStringChecker::checkAdditionOverflow(CheckerContext &C,
const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
- SVal maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
- sizeTy);
-
- if (maxMinusRight.isUnknownOrUndef()) {
+ SVal maxMinusRight;
+ if (isa<nonloc::ConcreteInt>(right)) {
+ maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
+ sizeTy);
+ } else {
// Try switching the operands. (The order of these two assignments is
// important!)
maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
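Review bot: The comment `// Try switching the operands. (The order of these two assignments is important!)` is stale now that the else branch is entered whenever `right` is not a ConcreteInt rather than as a retry after an Unknown result; it should state the new rule, e.g. `// Subtract the concrete operand: when right is symbolic, fall back to left so the comparison below keeps a "symbol vs. constant" form.`. The `isUnknownOrUndef()` guard that used to follow the first subtraction is also gone on the concrete-right path, and when neither operand is concrete the else branch now subtracts a symbolic `left`, so whatever follows must still tolerate an Unknown/Undef `maxMinusRight` or this size_t overflow check for the string functions degrades silently. checkAdditionOverflow continues past the end of the hunk, so I cannot confirm either from here.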
diff --git a/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp b/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
index c8e54efb67..76405a2db2 100644
--- a/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -77,6 +77,11 @@ SymbolRef GenericTaintChecker::getPointedToSymbol(CheckerContext &C,
bool IssueWarning) const {
const ProgramState *State = C.getState();
SVal AddrVal = State->getSVal(Arg->IgnoreParenCasts());
+
+ // TODO: Taint is not going to propagate?
+ if (AddrVal.isUnknownOrUndef())
+ return 0;
+
Loc *AddrLoc = dyn_cast<Loc>(&AddrVal);
if (!AddrLoc && !IssueWarning)
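Review bot: The early `return 0` on `AddrVal.isUnknownOrUndef()` exits before the `IssueWarning` path below, so for such values this checker neither propagates taint nor — judging by the expectation dropped in taint-generic.c — reports a non-pointer argument, and the `// TODO: Taint is not going to propagate?` comment should state that rather than ask it. An UndefinedVal here means the analyzed program passed an uninitialized value where a pointer was expected, a real defect, so the comment should also record who is expected to report it, e.g. `// Unknown/undefined address: nothing to taint and no warning from this checker; uninitialized arguments are left to the core checkers.`. If no core checker actually covers that case, the Undef branch should keep warning when IssueWarning is set instead of returning first. getPointedToSymbol continues beyond the hunk.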
diff --git a/lib/StaticAnalyzer/Core/SValBuilder.cpp b/lib/StaticAnalyzer/Core/SValBuilder.cpp
index cc2a8cb4d6..5eabbbeaaa 100644
--- a/lib/StaticAnalyzer/Core/SValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SValBuilder.cpp
@@ -183,7 +183,7 @@ SVal SValBuilder::makeGenericVal(const ProgramState *State,
if (const nonloc::ConcreteInt *lInt = dyn_cast<nonloc::ConcreteInt>(&LHS)) {
symRHS = RHS.getAsSymExpr();
- return makeNonLoc(symRHS, Op, lInt->getValue(), ResultTy);
+ return makeNonLoc(lInt->getValue(), Op, symRHS, ResultTy);
}
symLHS = LHS.getAsSymExpr();
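Review bot: The reordered `makeNonLoc(lInt->getValue(), Op, symRHS, ResultTy)` is the real fix — the LHS is the ConcreteInt on the line above, so the old call read as `sym Op c` where `c Op sym` was meant, which matters for non-commutative operators such as BO_Sub — but nothing in the code records that, and the mirror-image `symLHS` path immediately below makes the old ordering look like the consistent one. I would add `// Keep the operand order: Op is not necessarily commutative (e.g. BO_Sub).` above the return. A unit-level test pinning a concrete-minus-symbolic subtraction would guard this more directly than the end-to-end string.c case; makeGenericVal continues outside the hunk.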
diff --git a/test/Analysis/string.c b/test/Analysis/string.c
index a71e1f0088..89283befad 100644
--- a/test/Analysis/string.c
+++ b/test/Analysis/string.c
@@ -1,7 +1,7 @@
// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.unix.CString,experimental.deadcode.UnreachableCode -analyzer-store=region -Wno-null-dereference -verify %s
// RUN: %clang_cc1 -analyze -DUSE_BUILTINS -analyzer-checker=core,experimental.unix.CString,experimental.deadcode.UnreachableCode -analyzer-store=region -Wno-null-dereference -verify %s
// RUN: %clang_cc1 -analyze -DVARIANT -analyzer-checker=core,experimental.unix.CString,experimental.deadcode.UnreachableCode -analyzer-store=region -Wno-null-dereference -verify %s
-// RUN: %clang_cc1 -analyze -DUSE_BUILTINS -DVARIANT -analyzer-checker=core,experimental.unix.CString,experimental.deadcode.UnreachableCode -analyzer-store=region -Wno-null-dereference -verify %s
+// RUN: %clang_cc1 -analyze -DUSE_BUILTINS -DVARIANT -analyzer-checker=experimental.security.taint,core,experimental.unix.CString,experimental.deadcode.UnreachableCode -analyzer-store=region -Wno-null-dereference -verify %s
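Review bot: Only the fourth RUN line gains `experimental.security.taint`, so the taint interaction is exercised in the `-DUSE_BUILTINS -DVARIANT` configuration alone while the other three run the new taint test without the checker that motivates it. If that asymmetry is deliberate (keeping a taint-free baseline), a comment on the RUN lines should say so, e.g. `// The last RUN line also enables the taint checker; the others are a taint-free baseline.`; otherwise enabling it on all four lines makes the no-warning expectations meaningful everywhere.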
//===----------------------------------------------------------------------===
// Declarations
@@ -26,6 +26,7 @@
#define NULL 0
typedef typeof(sizeof(int)) size_t;
+int scanf(const char *restrict format, ...);
//===----------------------------------------------------------------------===
// strlen()
@@ -436,6 +437,13 @@ void strcat_symbolic_src_length(char *src) {
(void)*(char*)0; // no-warning
}
+void strcat_symbolic_dst_length_taint(char *dst) {
+ scanf("%s", dst); // Taint data.
+ strcat(dst, "1234");
+ if (strlen(dst) < 4)
+ (void)*(char*)0; // no-warning
+}
+
void strcat_unknown_src_length(char *src, int offset) {
char dst[8] = "1234";
strcat(dst, &src[offset]);
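Review bot: strcat_symbolic_dst_length_taint asserts only that no null-dereference warning fires after `strcat(dst, "1234")`, and nothing in the test says what failure it guards against — a reader cannot tell whether the interesting outcome is "no spurious overflow warning on the tainted length" or "strlen(dst) >= 4 is still provable". I'd add a comment above the `scanf` line, e.g. `// dst's length is a tainted symbol after scanf; the strcat size_t overflow check must not turn this into a spurious warning or an unreachable branch.`, worded to match what the checker actually reported before the fix. Note that the `no-warning` here is only checked with the taint checker in the one RUN configuration that enables it.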
diff --git a/test/Analysis/taint-generic.c b/test/Analysis/taint-generic.c
index 9c99f908a8..431fad4fe7 100644
--- a/test/Analysis/taint-generic.c
+++ b/test/Analysis/taint-generic.c
@@ -39,8 +39,7 @@ void bufferScanfAssignment(int x) {
void scanfArg() {
int t;
- scanf("%d", t); // expected-warning {{Pointer argument is expected}} \
- // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}}
+ scanf("%d", t); // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}}
}
void bufferGetchar(int x) {
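Review bot: Dropping the `Pointer argument is expected` expectation means the analyzer no longer reports `scanf("%d", t)` with a non-pointer, uninitialized `t`; only the frontend's format warning remains. If that is the intended consequence of the new early return on unknown/undefined values in GenericTaintChecker, the test should say so rather than silently lose the check, e.g. `// t is undefined and not a pointer: the taint checker stays silent here; only -Wformat reports it.`; if it is not intended, this line is the regression to watch. Since this hunk is a test, the behaviour itself lives in the checker.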