Quuxplusone / LLVMBugzillaTest


proposed new code for added functionality and improvement in Checker GenericTaintChecker and CStringChecker #13962

Open Quuxplusone opened 12 years ago

Quuxplusone commented 12 years ago
Bugzilla Link: PR13886
Status: NEW
Importance: P normal
Reported by: lionel (lionel.prat9@gmail.com)
Reported on: 2012-09-20 08:46:51 -0700
Last modified on: 2012-09-20 11:50:18 -0700
Version: trunk
Hardware: PC Linux
CC: ganna@apple.com, llvm-bugs@lists.llvm.org
Fixed by commit(s):
Attachments: patch.diff (7698 bytes, text/plain)
Blocks:
Blocked by:
See also:
Created attachment 9240
Patch on version trunk

CStringChecker:
Added functionality to detect memory overflow (tainted src sizeof > dst
sizeof) during a memory copy from tainted input.

GenericTaintChecker:
Added propagation functions: strlen, strtok, fgets.
Improved detection of stdin, also adding entry "0".

Removed the removal of the propagation tag from the old element (the
propagated source).
Example:
fgets(addr, sizeof(addr), stdin); stdin -> addr (tainted)
sprintf(buffer, "test 1 %s", addr); addr -> buffer (tainted), but with the old
version addr no longer had the propagation tag, so if it was reused by another
copy function we would not see the spread.

Sorry for my English...

cordially,
Lionel
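The difference the report describes (clearing the taint tag from the source after one propagation versus keeping it) is easy to see in a small model. The following is an added example, not code from the patch or from Clang: a toy straight-line taint propagator over a constructed call trace, with a constructed propagation table for the functions named in the report (fgets, strlen, strtok, sprintf, strcpy, memcpy) and a single sink rule that reports a copy whose size argument is tainted. The table, the sink rule and the trace are all assumptions made for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed propagation table (modelled on the functions named in the report,
# not Clang's real table). Integers are C argument positions; "ret" is the
# return value. Each entry: (taint source positions, taint destination positions).
PROPAGATION: Dict[str, Tuple[List[object], List[object]]] = {
    "fgets":   ([2],          [0, "ret"]),   # stream -> buffer
    "strcpy":  ([1],          [0, "ret"]),
    "sprintf": ([2, 3, 4, 5], [0]),          # format arguments -> buffer
    "strlen":  ([0],          ["ret"]),
    "strtok":  ([0],          ["ret"]),
    "memcpy":  ([1],          [0, "ret"]),
}

# Sink rule (constructed): the size argument of these calls must not be tainted.
SIZE_SINKS: Dict[str, int] = {"memcpy": 2, "malloc": 0}

# Names that are always tainted and never have their tag cleared.
ROOT_SOURCES = {"stdin"}

# (result name or "", callee, argument names)
Statement = Tuple[str, str, List[str]]


def run_trace(trace: List[Statement], clear_source: bool) -> Tuple[Set[str], List[str]]:
    """Propagate taint through a straight-line call trace.

    clear_source=True reproduces the old behaviour the report objects to: once a
    tainted value has been propagated, the source loses its tag.  Returns the
    final set of tainted names and the warnings raised at sinks.
    """
    tainted: Set[str] = set(ROOT_SOURCES)
    warnings: List[str] = []
    for result, callee, args in trace:
        # Check the sink before propagating: is the size argument attacker-controlled?
        if callee in SIZE_SINKS:
            pos = SIZE_SINKS[callee]
            if pos < len(args) and args[pos] in tainted:
                warnings.append(f"{callee}: size argument '{args[pos]}' is tainted")
        srcs, dsts = PROPAGATION.get(callee, ([], []))
        tainted_srcs = [args[i] for i in srcs if i < len(args) and args[i] in tainted]
        if not tainted_srcs:
            continue
        for d in dsts:
            name = result if d == "ret" else args[d]
            if name:
                tainted.add(name)
        if clear_source:
            for s in tainted_srcs:
                if s not in ROOT_SOURCES:
                    tainted.discard(s)
    return tainted, warnings


# Constructed trace: the report's fgets/sprintf example, followed by a second
# use of addr that only the "keep the tag" behaviour can see.
TRACE: List[Statement] = [
    ("",  "fgets",   ["addr", "sizeof_addr", "stdin"]),
    ("",  "sprintf", ["buffer", "fmt", "addr"]),
    ("n", "strlen",  ["addr"]),          # addr reused after one propagation
    ("",  "memcpy",  ["dst", "addr", "n"]),
]


if __name__ == "__main__":
    for mode in (True, False):
        tainted, warnings = run_trace(TRACE, clear_source=mode)
        print(f"clear_source={mode}: tainted={sorted(tainted)} warnings={warnings}")
```

With `clear_source=True` the sprintf call strips the tag from `addr`, so `strlen(addr)` yields a clean `n` and the memcpy sink is silent; with `clear_source=False` the tag survives, `n` becomes tainted and the size-argument sink fires, which is the missed spread the report is about.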
Quuxplusone commented 12 years ago

Attached patch.diff (7698 bytes, text/plain): Patch on version trunk

Quuxplusone commented 12 years ago
Please, submit your patch by sending an email to the cfe-dev mailing list.

I only briefly looked at the patch. It needs some cleanup:
 - add test cases to ./test/Analysis
 - only comments in English
 - remove '//printf()' and other commented out code.
 - if getPointedToSymbol needs to be copied from GenericTaintChecker, it probably needs to be factored out into the CheckerContext.
Quuxplusone commented 12 years ago
Also, please, make sure that the regression tests pass:
http://clang-analyzer.llvm.org/checker_dev_manual.html