| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
data.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148176 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
radar://10686991
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148081 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
looking up value at a CodeTextRegion even when the type is not provided.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148079 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148055 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
limit the call stack depth. The analyzer can now accurately simulate factorial for limited depths.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148036 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
|
|
|
| |
To simplify the process:
Refactor taint generation checker to simplify passing the
information on which arguments need to be tainted from pre to post
visit.
Todo: We need to factor out the code that sema is using to identify the
string and memcpy functions and use it here and in the CString checker.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148010 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
|
|
|
| |
small refactoring for
the common *alloc functions as well as a few tiny wibbles (adds a note
to CWE/CERT advisory numbers in the bug output, and fixes a couple
80-column-wide violations.)"
Patch by Austin Seipp!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147931 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
a rvalue, which is a useful step during AST evaluation.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147918 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
|
| |
inlining for straight C calls.
My hope is to reimplement this from first principles based on the simplifications of removing unneeded node builders
and re-evaluating how C++ calls are handled in the CFG. The hope is to turn inlining "on-by-default" as soon as possible
with a core set of things working well, and then expand over time.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147904 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
| |
We already have a more conservative check in the compiler (if the
format string is not a literal, we warn). Still adding it here for
completeness and since this check is stronger - only triggered if the
format string is tainted.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147714 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147570 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
as a result of a call.
Problem:
Global variables, which come in from system libraries should not be
invalidated by all calls. Also, non-system globals should not be
invalidated by system calls.
Solution:
The following solution to invalidation of globals seems flexible enough
for taint (does not invalidate stdin) and should not lead to too
many false positives. We split globals into 3 classes:
* immutable - values are preserved by calls (unless the specific
global is passed in as a parameter):
A : Most system globals and const scalars
* invalidated by functions defined in system headers:
B: errno
* invalidated by all other functions (note, these functions may in
turn contain system calls):
B: errno
C: all other globals (which are not in A nor B)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147569 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147526 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147506 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
and realloc(). Patch by Cyril Roelandt!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147500 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
| |
called transitively
from C++ constructors or destructors. Checker by Lei Zhang with a few tweaks by Ted Kremenek.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147494 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147203 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
Robert Purves.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147139 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
blocks.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147116 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
type is a pointer to const. (radar://10595327)
The regions corresponding to the pointer and reference arguments to
a function get invalidated by the calls since a function call can
possibly modify the pointed to data. With this change, we are not going
to invalidate the data if the argument is a pointer to const. This
change makes the analyzer more optimistic in reporting errors.
(Support for C, C++ and Obj C)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147002 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146993 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146848 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146794 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
|
| |
Check if the input parameters are tainted (or point to tainted data) on
a checkPreStmt<CallExpr>. If the output should be tainted, record it in
the state. On post visit (checkPostStmt<CallExpr>), use the state to
make decisions (in addition to the existing logic). Use this logic for
atoi and fscanf.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146793 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146748 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
| |
-verify.
Ex:
// expected-warning + {{tainted}
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146633 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
| |
is deterministic.
Non-determinism was the reason for the test which caused the earlier
buildbot failures, so re-enable the test.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146628 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
diagnostic message are compared. If either is a substring of the other, then
no error is given. This gives rise to an unexpected case:
// expect-error{{candidate function has different number of parameters}}
will match the following error messages from Clang:
candidate function has different number of parameters (expected 1 but has 2)
candidate function has different number of parameters
It will also match these other error messages:
candidate function
function has different number of parameters
number of parameters
This patch will change so that the verification string must be a substring of
the diagnostic message before accepting. Also, all the failing tests from this
change have been corrected. Some stats from this cleanup:
87 - removed extra spaces around verification strings
70 - wording updates to diagnostics
40 - extra leading or trailing characters (typos, unmatched parens or quotes)
35 - diagnostic level was included (error:, warning:, or note:)
18 - flag name put in the warning (-Wprotocol)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146619 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
I need to keep the test itself in the repository since it's the only way I can currently reproduce the issue.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146582 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
I cannot reproduce the failures neither on my machine nor on the same buildbot machine (with the clang binary built on it). Let's see if it fails again..
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146574 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
time being.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146541 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
| |
Some of the test cases do not currently work because the analyzer core
does not seem to call checkers for pre/post DeclRefExpr visits.
(Opened radar://10573500. To be fixed later on.)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146536 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146533 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
Also, allow adding taint to a region (not only a symbolic value).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146532 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
UndefOrUnknown value when it cannot reason about the expression.
We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about.
In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expresion evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently is protected.)
This patch also contains 2 small bug fixes:
- swap the order of operators inside SValBuilder::makeGenericVal.
- handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146343 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
and offer fixits when there is a mismatch.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146326 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
| |
types are equivalent.
+ A taint test which tests bitwise operations and which was
triggering an assertion due to presence of the integer to integer cast.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146240 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
+ random comments
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146199 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
| |
between the casted type of the return value of a malloc/calloc/realloc
call and the operand of any sizeof expressions contained within
its argument(s).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146144 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
| |
SVal can be not only a symbol, but a MemRegion. Add support for such
cases.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146006 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
|
|
| |
- Created a new SymExpr type - SymbolCast.
- SymbolCast is created when we don't know how to simplify a NonLoc to
NonLoc casts.
- A bit of code refactoring: introduced dispatchCast to have better
code reuse, remove a goto.
- Updated the test case to showcase the new taint flow.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145985 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145855 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145834 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
|
|
|
|
|
|
| |
ExprEngine.
Teach SimpleConstraintManager::assumeSymRel() to propagate constraints
to symbolic expressions.
+ One extra warning (real bug) is now generated due to enhanced
assumeSymRel().
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145832 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145827 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
We trigger an error if free is called after a possibly failed allocation. Do not trigger the error if we know that the buffer is not null.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145584 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
| |
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145577 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
non-null. Fixes <rdar://problem/10508787>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145575 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
print out the source expression for OpaqueValueExpr.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145524 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
|
|
|
|
| |
actually write code that does this. This seems worthy of a checker, but the StoreManager should handle the memory abstraction without crashing. Fixes PR 11450.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145424 91177308-0d34-0410-b5e6-96231b3b80d8
|