  11. Jan 12, 2012
      [analyzer] Add taint transfer by strcpy & others (part 1). · b3fa8d7d
      Anna Zaks authored
      To simplify the process:
      Refactor taint generation checker to simplify passing the
      information on which arguments need to be tainted from pre to post
      visit.
      
      Todo: We need to factor out the code that sema is using to identify the
      string and memcpy functions and use it here and in the CString checker.
      
      llvm-svn: 148010
  13. Jan 06, 2012
      [analyzer] Make the entries in 'Environment' context-sensitive by making entries map from (Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals. · 632e3b7e
      Ted Kremenek authored
      
      This is needed to support basic IPA via inlining.  Without this, we cannot tell
      if a Stmt* binding is part of the current analysis scope (StackFrameContext) or
      part of a parent context.
      
      This change introduces an uglification of the use of getSVal(), and thus takes
      two steps forward and one step back.  There are also potential performance implications
      of enlarging the Environment.  Both can be addressed going forward by refactoring the
      APIs and optimizing the internal representation of Environment.  This patch
      mainly introduces the functionality upon which we want to build (and clean up).
      
      llvm-svn: 147688
  14. Dec 17, 2011
      [analyzer] Add support for taint flowing through a function (atoi). · 3b0ab206
      Anna Zaks authored
      Check if the input parameters are tainted (or point to tainted data) on
      a checkPreStmt<CallExpr>. If the output should be tainted, record it in
      the state. On post visit (checkPostStmt<CallExpr>), use the state to
      make decisions (in addition to the existing logic). Use this logic for
      atoi and fscanf.
      
      llvm-svn: 146793
  17. Dec 11, 2011
      [analyzer] CStringChecker should not rely on the analyzer generating... · 7c96b7db
      Anna Zaks authored
      [analyzer] CStringChecker should not rely on the analyzer generating UndefOrUnknown value when it cannot reason about the expression.
      
      We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about. 
      
      In this case, CStringChecker is performing a check for overflow of the 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expression evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use the canReasonAbout() method of the solver here; however, it is currently protected.)
      
      This patch also contains 2 small bug fixes:
       - swap the order of operators inside SValBuilder::makeGenericVal.
       - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol.
      
      llvm-svn: 146343