[clang] [clang][StaticAnalyzer] Adding getentropy to CStringChecker. (PR #83675)

Fri, 22 Mar 2024 06:18:26 -0700 

================
@@ -2515,6 +2517,53 @@ void CStringChecker::evalSprintfCommon(CheckerContext 
&C, const CallEvent &Call,
   C.addTransition(State);
 }
 
+void CStringChecker::evalGetentropy(CheckerContext &C, const CallEvent &Call) 
const {
+  DestinationArgExpr Buffer = {{Call.getArgExpr(0), 0}};
+  SizeArgExpr Size = {{Call.getArgExpr(1), 1}};
+  ProgramStateRef State = C.getState();
+  SValBuilder &SVB = C.getSValBuilder();
+  SVal MaxLength = SVB.makeIntVal(256, C.getASTContext().IntTy);
+
+  SVal SizeVal = C.getSVal(Size.Expression);
+  QualType SizeTy = Size.Expression->getType();
+
+  ProgramStateRef StateZeroSize, StateNonZeroSize;
+  std::tie(StateZeroSize, StateNonZeroSize) =
+      assumeZero(C, State, SizeVal, SizeTy);
+
+  if (StateZeroSize) {
+    StateZeroSize = State->BindExpr(Call.getOriginExpr(), 
C.getLocationContext(),
+                              SVB.makeZeroVal(C.getASTContext().IntTy));
+    C.addTransition(StateZeroSize);
+    return;
+  }
+
+  SVal Buff = C.getSVal(Buffer.Expression);
+  State = checkNonNull(C, StateNonZeroSize, Buffer, Buff);
+  if (!State)
+    return;
+
+  QualType cmpTy = C.getSValBuilder().getConditionType();
+  ProgramStateRef sizeAboveLimit, sizeNotAboveLimit;
+  std::tie(sizeAboveLimit, sizeNotAboveLimit) = State->assume(
+        SVB
+       .evalBinOpNN(State, BO_GT, *SizeVal.getAs<NonLoc>(), 
*MaxLength.getAs<NonLoc>(), cmpTy)
+       .castAs<DefinedOrUnknownSVal>());
+  if (sizeAboveLimit) {
----------------
NagyDonat wrote:

```suggestion
  if (sizeAboveLimit && !sizeNotAboveLimit) {
```
In ambiguous situations (when both situations may be possible) the checkers 
must be lenient -- they should report errors only when they're certain that the 
error will happen. (Otherwise we'd get an overwhelming amount of false 
positives from the code parts where the analyzer doesn't know the values of the 
variables.)

The only exception is that if a value is marked as "tainted" (attacker 
controlled, see the GenericTaint checker which can mark values as tainted), 
then we assume the worst about it (if the situation is ambiguous and a tainted 
variable is involved, then we report an error). Some checkers are "taint aware" 
and incorporate this check into their logic, but it's perfectly fine if a 
checker is not (yet) taint aware, so you shouldn't bother with this (in this 
commit).

https://github.com/llvm/llvm-project/pull/83675
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to