History log of /external/clang/test/Analysis/taint-generic.c
Revision Date Author Comments
8f7bfb40b72f478d83b018a280f99c0386576ae3 24-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Teach ConstraintManager to ignore NonLoc <> NonLoc comparisons.

These aren't generated by default, but they are needed when either side of
the comparison is tainted.

Should fix our internal buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177846 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
cdc3a89d5de90b2299c56f4a46c3de590c5184d1 24-Aug-2012 Ted Kremenek <kremenek@apple.com> Fix analyzer tests.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162588 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
da3960347a5d563d6746cb363b25466282a09ce3 03-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Do not assert on constructing SymSymExpr with diff types.

The resulting type info is stored in the SymSymExpr, so no reason not to
support construction of expression with different subexpression types.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156051 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
baeaa9ad120f60b1c5b6f1a84286b507dbe2b55d 03-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Add a complexity bound on history tracking.

(Currently, this is only relevant for tainted data.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156050 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
5fdadf4b643dd2f7a467244946dc1587b2f9ed1f 22-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Change naming in bug reports "tainted" -> "untrusted"

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151120 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
3bfd6d701ee297bd062967e11400daae51b36eb2 21-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Make VLA checker taint aware.

Also, slightly modify the diagnostic message in ArrayBound and DivZero (still use 'taint', which might not mean much to the user, but plan on changing it later).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148626 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
ce506ae231703a23ea95335cd4de19c60082f361 20-Jan-2012 Ted Kremenek <kremenek@apple.com> Tighten format string diagnostic and make it a bit clearer (and a bit closer to GCC's).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148579 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
02019f7134e69e39e33c5a938183fd492410464c 20-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Add taint awareness to DivZeroChecker.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148566 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
2bf8fd84087231fd92dfdebe18895e01a6ae405c 20-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Add socket API as a source of taint.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148518 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
4e46221e38b7d434fbecb1cd56b259437206d246 18-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Taint: warn when tainted data is used to specify a buffer
size (Ex: in malloc, memcpy, strncpy..)

(Maybe some of this could migrate to the CString checker. One issue
with that is that we might want to separate security issues from
regular API misuse.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148371 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
9b0c749a20d0f7d0e63441d76baa15def3f37fdb 18-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Taint: add taint propagation rules for string and memory copy
functions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148370 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
8568ee743406ac4bb23c9768a0dffd627fdbc579 14-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Taint: add system and popen as undesirable sinks for taint
data.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148176 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
b71d1570417d81de7b064ad788bea690e2c89111 13-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Unwrap the pointers when ignoring the const cast.

radar://10686991

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148081 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
1fb826a6fd893234f32b0b91bb92ea4d127788ad 12-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Add taint transfer by strcpy & others (part 1).

To simplify the process:
Refactor taint generation checker to simplify passing the
information on which arguments need to be tainted from pre to post
visit.

Todo: We need to factor out the code that sema is using to identify the
string and memcpy functions and use it here and in the CString checker.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148010 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
9f03b62036a7abc0a227b17f4a49b9eefced9450 07-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Add basic format string vulnerability checking.

We already have a more conservative check in the compiler (if the
format string is not a literal, we warn). Still adding it here for
completeness and since this check is stronger - only triggered if the
format string is tainted.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147714 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
e3d250e488241cbfe71a592df4d07d03ad89434a 11-Dec-2011 Anna Zaks <ganna@apple.com> [analyzer] CStringChecker should not rely on the analyzer generating UndefOrUnknown value when it cannot reason about the expression.

We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about.

In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expression evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently protected.)

This patch also contains 2 small bug fixes:
- swap the order of operators inside SValBuilder::makeGenericVal.
- handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146343 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
6fcd932dfd6835f70cc00d6f7c6789793f6d7b66 10-Dec-2011 Hans Wennborg <hans@hanshq.net> Check that arguments to a scanf call match the format specifier,
and offer fixits when there is a mismatch.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146326 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
3881c6907e3a18dca7878e06ef915e64021156b0 28-Nov-2011 Anna Zaks <ganna@apple.com> [analyzer] Add more simple taint tests.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145275 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
8f4caf5fec2de9b18f9c5fc69696d9f6cf66bcc5 18-Nov-2011 Anna Zaks <ganna@apple.com> [analyzer] Warn when non-pointer arguments are passed to scanf (only when running taint checker).

There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144964 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
0d339d06f8721d14befd6311bd306ac485772188 18-Nov-2011 Anna Zaks <ganna@apple.com> [analyzer] Do not conjure a symbol when we need to propagate taint.

When the solver and SValBuilder cannot reason about symbolic expressions (e.g. (x+1)*y), the analyzer conjures a new symbol with no ties to the past. This helps it to recover some path-sensitivity. However, this breaks the taint propagation.

With this commit, we are going to construct the expression even if we cannot reason about it later on if an operand is tainted.

Also added some comments and asserts.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144932 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c
9b0970f2c7fdc070b18e113f0bbd96e7f77b4f54 16-Nov-2011 Anna Zaks <ganna@apple.com> [analyzer] Catch the first taint propagation implied buffer overflow.

Change the ArrayBoundCheckerV2 to be more aggressive in reporting buffer overflows
when the offset is tainted. Previously, we did not report bugs when the state was
underconstrained (not enough information about the bound to determine if there is
an overflow) to avoid false positives. However, if we know that the buffer
offset is tainted - comes in from the user space and can be anything, we should
report it as a bug.

+ The very first example of us catching a taint related bug.
This is the only example we can currently handle. More to come...

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144826 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/taint-generic.c