{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":184234940,"defaultBranch":"master","name":"llvm-project","ownerLogin":"Ericsson","currentUserCanPush":false,"isFork":true,"isEmpty":false,"createdAt":"2019-04-30T09:40:29.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/4161311?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1720785671.0","currentOid":""},"activityList":{"items":[{"before":"2765bc97d3242d50fd73aedb9e9d38dfdcef814c","after":"d7b71a21368c70da21b2ca6e7d02c7022ec21dde","ref":"refs/heads/arrayboundv2_simplify_underflow_report","pushedAt":"2024-07-12T19:39:50.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Alternative approach: tweak the `Profile()` method of `BugReport`s\n\nThis commit re-adds the concrete offset value at the end of the (long)\n`Description` of the underflow report, but ensures that the `Profile()`\nmethod of `PathSensitiveBugReport` only uses the _short_ description (as\nreturned by `getShortDescription()`) instead of the `Description`\nfield.\n\nFor the sake of consistency, the same modification is also applied to\n`BasicBugReport::Profile()`.\n\nThis modification of `Profile()` is a no-op for most of the checkers,\nbecause there are very few checkers that set a separate short\ndescription for their bug reports and `getShortDescription()` defaults\nto returning the long `Description` when the field `ShortDescription` is\nan empty string (i.e. 
unspecified).\n\nI'd say that it was a bug that the short description (which is arguably\n_the_ human-readable \"hash\" of the report) wasn't included in the hash\ncalculations performed by `Profile()`.\n\nOn the other hand, I think it'll be useful that `Profile()` ignores the\nlong description, because then we'll have a nice place where we can\nprint the \"nice to mention, but not enough to create a fundamentally\ndifferent report\" secondary information.\n\n(Note that the long description is essentially the \"final note on the\nbug path\" and the other notes are also ignored by `Profile()` -- because\nthey are calculated later by the visitors.)","shortMessageHtmlLink":"Alternative approach: tweak the Profile() method of BugReport`s"}},{"before":null,"after":"2765bc97d3242d50fd73aedb9e9d38dfdcef814c","ref":"refs/heads/arrayboundv2_simplify_underflow_report","pushedAt":"2024-07-12T12:01:11.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"[analyzer] Don't display the offset value in underflows\n\nPreviously alpha.security.ArrayBoundV2 displayed the (negative) offset\nvalue when it reported an underflow, but this produced lots of very\nsimilar and redundant reports in certain situations.\n\nAfter this commit the offset won't be printed so the usual deduplication\nwill handle these reports as equivalent (and print only one of them).\n\nSee https://github.com/llvm/llvm-project/issues/86969 for background.","shortMessageHtmlLink":"[analyzer] Don't display the offset value in underflows"}},{"before":"a3ced148179b1082f755c54b9e0307025b7f7daf","after":null,"ref":"refs/heads/fix-sizeof-expression-diag","pushedAt":"2024-07-02T08:27:54.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát 
Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"}},{"before":"dd18d9f8daef7fc312ccd0113ad571a3d69ac131","after":"a3ced148179b1082f755c54b9e0307025b7f7daf","ref":"refs/heads/fix-sizeof-expression-diag","pushedAt":"2024-07-02T08:25:10.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Improve the release notes","shortMessageHtmlLink":"Improve the release notes"}},{"before":null,"after":"cbab23fbbd4698033563b5c5ef224a9161a00eda","ref":"refs/heads/EXPERIMENTAL-limit-loops-to-2-iter","pushedAt":"2024-06-24T14:02:51.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"[EXPERIMENTAL][analyzer] Limit loop modeling to two iterations\n\nDO NOT MERGE; this is just a proof-of-concept patch.\n\nBecause it is justified to assume that a loop can run for two iterations\n(otherwise the user wouldn't have written a loop), but it's not\njustified to assume that the loop condition can be satisfied three times\n(because there are examples where e.g. 
the developer knows that a data\nstructure may have <= 2 elements, and then the analyzer shouldn't\n\"hallucinate\" an execution path where three iterations are executed).\n\nMoreover, it's unlikely that a bug will be detectable in the third\niteration (after two iterations where it didn't appear), so it's\nplausible that this could become the new default behavior of CSA.","shortMessageHtmlLink":"[EXPERIMENTAL][analyzer] Limit loop modeling to two iterations"}},{"before":"51373e4d0d88865ab262094f8af2a2e7cd2f0f9e","after":"dd18d9f8daef7fc312ccd0113ad571a3d69ac131","ref":"refs/heads/fix-sizeof-expression-diag","pushedAt":"2024-06-20T14:35:56.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Add a FIXME","shortMessageHtmlLink":"Add a FIXME"}},{"before":"06adc063c2388ea534537f5a417751fdf64b22cd","after":"51373e4d0d88865ab262094f8af2a2e7cd2f0f9e","ref":"refs/heads/fix-sizeof-expression-diag","pushedAt":"2024-06-20T14:33:51.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Return to using semicolons in the messages","shortMessageHtmlLink":"Return to using semicolons in the messages"}},{"before":"af5c7a774e64bc1ff9deed0d2ab602f5593a2b88","after":"06adc063c2388ea534537f5a417751fdf64b22cd","ref":"refs/heads/fix-sizeof-expression-diag","pushedAt":"2024-06-14T14:20:55.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"[clang-tidy] Clarify diagnostics of bugprone-sizeof-expression\n\n...because they were strangely worded and in a few cases 
outright\nincorrect.","shortMessageHtmlLink":"[clang-tidy] Clarify diagnostics of bugprone-sizeof-expression"}},{"before":"0195a7b666d4214470e5cb6b1e0a435c63ff4d05","after":null,"ref":"refs/heads/SizeofExpression-only-msg-updates","pushedAt":"2024-06-12T12:28:56.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"}},{"before":"59bd1b83e4fa89b371f4d1a96c51fc7a1b4ad170","after":null,"ref":"refs/heads/SizeofPointer-move-to-tidy","pushedAt":"2024-06-12T12:27:23.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"}},{"before":"a168ee43267c83c2f59e3d8e8db746ecf62eb2ce","after":null,"ref":"refs/heads/SizeofPointer-remove","pushedAt":"2024-06-12T12:26:55.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"}},{"before":null,"after":"a168ee43267c83c2f59e3d8e8db746ecf62eb2ce","ref":"refs/heads/SizeofPointer-remove","pushedAt":"2024-06-11T13:57:39.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"[analyzer] Finish moving alpha.core.SizeofPtr to clang-tidy\n\nThe checker `alpha.core.SizeofPtr` was a very simple checker that did\nnot rely on path sensitive analysis and was very similar to the (more\ncomplex and refined) clang-tidy check `bugprone-sizeof-expression`.\n\nAs there is no reason to maintain two separate implementations for the\nsame goal (and clang-tidy is more lightweight and accessible than the\nAnalyzer) I decided to move this functionality from the Static 
Analyzer\nto clang-tidy.\n\nRecently my commit 546c816a529835a4cf89deecff957ea336a94fa2\nreimplemented the advantageous parts of `alpha.core.SizeofPtr` within\nclang-tidy; now this commit finishes the transfer by deleting\n`alpha.core.SizeofPtr`.","shortMessageHtmlLink":"[analyzer] Finish moving alpha.core.SizeofPtr to clang-tidy"}},{"before":"ae8123ad4a82339e8c1b0f3c9870a2392c5e0458","after":"59bd1b83e4fa89b371f4d1a96c51fc7a1b4ad170","ref":"refs/heads/SizeofPointer-move-to-tidy","pushedAt":"2024-06-10T08:04:00.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Extend `GenericFunctionTest`, document a class of FPs with a FIXME","shortMessageHtmlLink":"Extend GenericFunctionTest, document a class of FPs with a FIXME"}},{"before":"b3a7f8b7ae48360341ca8f72c1d38352b82dcc93","after":"ae8123ad4a82339e8c1b0f3c9870a2392c5e0458","ref":"refs/heads/SizeofPointer-move-to-tidy","pushedAt":"2024-06-07T18:22:52.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Satisfy git-clang-format","shortMessageHtmlLink":"Satisfy git-clang-format"}},{"before":null,"after":"0195a7b666d4214470e5cb6b1e0a435c63ff4d05","ref":"refs/heads/SizeofExpression-only-msg-updates","pushedAt":"2024-06-06T14:59:36.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"}},{"before":"4de254de01d844b5a2b827946ac9073151a8d964","after":"b3a7f8b7ae48360341ca8f72c1d38352b82dcc93","ref":"refs/heads/SizeofPointer-move-to-tidy","pushedAt":"2024-06-06T14:22:11.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát 
Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Use single back-ticks for option name\n\nCo-authored-by: EugeneZelenko ","shortMessageHtmlLink":"Use single back-ticks for option name"}},{"before":"c94feff726b48e7e3b5a46d5028cc5a6d0ac9beb","after":"4de254de01d844b5a2b827946ac9073151a8d964","ref":"refs/heads/SizeofPointer-move-to-tidy","pushedAt":"2024-06-06T14:17:38.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Update the documentation and release notes","shortMessageHtmlLink":"Update the documentation and release notes"}},{"before":null,"after":"c94feff726b48e7e3b5a46d5028cc5a6d0ac9beb","ref":"refs/heads/SizeofPointer-move-to-tidy","pushedAt":"2024-06-04T14:05:12.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"[clang-tidy] Add WarnOnSizeOfPointer mode to bugprone-sizeof-expression\n\nThis commit reimplements the functionality of the Clang Static Analyzer\nchecker `alpha.core.SizeofPointer` within clang-tidy by adding a new\n(off-by-default) option to bugprone-sizeof-expression which activates\nreporting all the `sizeof(ptr)` expressions (where ptr is an expression\nthat produces a pointer).\n\nThe main motivation for this change is that `alpha.core.SizeofPointer`\nwas an AST-based checker, which did not rely on the path sensitive\ncapabilities of the Static Analyzer, so there was no reason to keep it\nin the Static Analyzer instead of the more lightweight clang-tidy.\n\nAfter this commit I'm planning to create a separate commit that deletes\n`alpha.core.SizeofPointer` from Clang Static Analyzer.\n\nIt was natural to place this moved logic in 
bugprone-sizeof-expression,\nbecause that check already provided several heuristics that reported\nvarious especially suspicious classes of `sizeof(ptr)` expressions.\n\nThe new mode `WarnOnSizeOfPointer` is off-by-default, so it won't\nsurprise the existing users; but it can provide a more thorough coverage\nfor the vulnerability CWE-467 (\"Use of sizeof() on a Pointer Type\") than\nthe existing partial heuristics.\n\nI preserved the exception that the RHS of an expression that looks like\n`sizeof(array) / sizeof(array[0])` is not reported; and I added another\nexception which ensures that `sizeof(*pp)` is not reported when `pp` is\na pointer-to-pointer expression.\n\nThis second exception (which I also apply in the \"old\" on-by-default mode\n`WarnOnSizeOfPointerToAggregate`) was present in the CSA checker\n`alpha.core.SizeofPointer` and I decided to copy it because it helped\nto avoid several false positives on open-source code.\n\nThis commit also replaces the old message \"suspicious usage of\n'sizeof(A*)'; pointer to aggregate\" with two more concrete messages; but\nI feel that this tidy check would deserve a thorough cleanup of all the\ndiagnostic messages that it can produce. 
(I added a FIXME to mark one\noutright misleading message.)","shortMessageHtmlLink":"[clang-tidy] Add WarnOnSizeOfPointer mode to bugprone-sizeof-expression"}},{"before":"b7fb1707601c73bd53b6ac810cd39a94f5b3cd53","after":"c6dcbd59d287f0238fbddeb51633228fba6099a4","ref":"refs/heads/sizeof-expression-NFCI","pushedAt":"2024-05-22T12:31:19.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Remove another useless ignoringParenImpCasts() call\n\nThe traversal matcher `hasParent` moves a single layer outwards, so it\ncannot skip over paren or implicit cast layers that could be ignored at\nthat point.","shortMessageHtmlLink":"Remove another useless ignoringParenImpCasts() call"}},{"before":null,"after":"b7fb1707601c73bd53b6ac810cd39a94f5b3cd53","ref":"refs/heads/sizeof-expression-NFCI","pushedAt":"2024-05-22T11:57:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"[clang-tidy][NFCI] Simplify bugprone-sizeof-expression\n\nThis commit eliminates a redundant matcher subexpression from the\nimplementation of the \"sizeof-pointer-to-aggregate\" part of the\nclang-tidy check `bugprone-sizeof-expression`.\n\nI'm fairly certain that anything that was previously matched by the\ndeleted matcher `StructAddrOfExpr` is also covered by the more general\n`PointerToStructExpr` (which remains in the same `anyOf`).\n\nThis commit is made to \"prepare the ground\" for a followup change that\nwould merge the functionality of the Clang Static Analyzer checker\n`alpha.core.SizeofPtr` into this clang-tidy check.","shortMessageHtmlLink":"[clang-tidy][NFCI] Simplify 
bugprone-sizeof-expression"}},{"before":"e0ecd342d58f75e874a01b947bc064008f881ad6","after":"489376e05437e494dd86e84daae037337e16d7bc","ref":"refs/heads/CallDescription-require-match-mode","pushedAt":"2024-05-16T20:54:10.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Satisfy git-clang-format","shortMessageHtmlLink":"Satisfy git-clang-format"}},{"before":null,"after":"e0ecd342d58f75e874a01b947bc064008f881ad6","ref":"refs/heads/CallDescription-require-match-mode","pushedAt":"2024-05-16T20:52:44.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"[analyzer][NFC] Require explicit matching mode for `CallDescription`s\n\nThis commit deletes the \"simple\" constructor of `CallDescription` which\ndid not require a `CallDescription::Mode` argument and always used the\n\"wildcard\" mode `CDM::Unspecified`.\n\nA few months ago, this vague matching mode was used by many checkers,\nwhich caused bugs like #81597 and #88181. 
Since then, my commits\nimproved the available matching modes and ensured that all checkers\nexplicitly specify the right matching mode.\n\nAfter those commits, the only remaining references to the \"simple\"\nconstructor were some unit tests; this commit updates them to use an\nexplicitly specified matching mode (often `CDM::SimpleFunc`).\n\nThe mode `CDM::Unspecified` was not deleted in this commit because it's\nstill a reasonable choice in `GenericTaintChecker` and a few unit tests.","shortMessageHtmlLink":"[analyzer][NFC] Require explicit matching mode for CallDescriptions"}},{"before":"fdaa6b919588095836c7513e032c0bffbed90170","after":null,"ref":"refs/heads/CallDescription-GenericTaintChecker","pushedAt":"2024-05-16T10:11:06.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"}},{"before":"57ad704c30866a7d85f43b016583675e70de8531","after":"fdaa6b919588095836c7513e032c0bffbed90170","ref":"refs/heads/CallDescription-GenericTaintChecker","pushedAt":"2024-05-14T12:01:09.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Fix a typo\n\nCo-authored-by: Balazs Benics ","shortMessageHtmlLink":"Fix a typo"}},{"before":"9cbf31710e4fab686c46efac426bee1d700b0578","after":"ea86e7dbb14d856352f2e098370c77f41ae4689c","ref":"refs/heads/CallDescription-ErrnoModeling","pushedAt":"2024-05-14T11:31:10.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"A little paranoia never hurts\n\nCo-authored-by: Balazs Benics ","shortMessageHtmlLink":"A little paranoia never 
hurts"}},{"before":"c18e8857611fbd4651e48bbaee9580e805d5e0ee","after":"9cbf31710e4fab686c46efac426bee1d700b0578","ref":"refs/heads/CallDescription-ErrnoModeling","pushedAt":"2024-05-13T15:50:31.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Extend a comment","shortMessageHtmlLink":"Extend a comment"}},{"before":"46d0f8ad3bd7d1b8e90f5f7f5f74cd653268ae92","after":"c18e8857611fbd4651e48bbaee9580e805d5e0ee","ref":"refs/heads/CallDescription-ErrnoModeling","pushedAt":"2024-05-10T11:25:23.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Clarify an incorrect comment","shortMessageHtmlLink":"Clarify an incorrect comment"}},{"before":"f8ddda055d33a6c0b7266f33b1fe14a1b343d5b2","after":"46d0f8ad3bd7d1b8e90f5f7f5f74cd653268ae92","ref":"refs/heads/CallDescription-ErrnoModeling","pushedAt":"2024-05-10T11:16:45.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Tweak a comment\n\nCo-authored-by: Balázs Kéri <1.int32@gmail.com>","shortMessageHtmlLink":"Tweak a comment"}},{"before":"07dc4dd5c60c8a04637cce686b379e195deb5b67","after":"f8ddda055d33a6c0b7266f33b1fe14a1b343d5b2","ref":"refs/heads/CallDescription-ErrnoModeling","pushedAt":"2024-05-10T09:28:39.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"Apply review suggestions","shortMessageHtmlLink":"Apply review 
suggestions"}},{"before":null,"after":"57ad704c30866a7d85f43b016583675e70de8531","ref":"refs/heads/CallDescription-GenericTaintChecker","pushedAt":"2024-05-09T17:56:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"NagyDonat","name":"Donát Nagy","path":"/NagyDonat","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/43410265?s=80&v=4"},"commit":{"message":"[analyzer] Clean up list of taint propagation functions\n\nThis commit refactors GenericTaintChecker and performs various\nimprovements in the list of taint propagation functions:\n\n(1) The matching mode (usually `CDM::CLibrary` or\n `CDM::CLibraryMaybeHardened`) was specified to avoid matching e.g.\n C++ methods or functions from a user-defined namespace that happen\n to share the name of a well-known library function.\n(2) With these matching modes, a `CallDescription` can automatically\n match builtin variants of the functions, so entries that explicitly\n specified a builtin function were removed. This eliminated\n inconsistencies where the \"normal\" and the builtin variant of the\n same function was handled differently (e.g. `__builtin_strlcat` was\n covered, while plain `strlcat` wasn't; while `__builtin_memcpy` and\n `memcpy` were both on the list with different propagation rules).\n(3) The modeling of the functions `strlcat` and `strncat` was updated to\n propagate taint from the first argument (index 0), because a tainted\n string should remain tainted even if we append something else to it.\n Note that this was already applied to `strcat` and `wcsncat` by\n commit 6ceb1c0ef9f544be0eed65e46cc7d99941a001bf.\n(4) Some functions were updated to propagate taint from a size/length\n argument to the result: e.g. 
`memcmp(p, q, get_tainted_int())` will\n now return a tainted value (because the attacker can manipulate it).\n This principle was already present in some propagation rules (e.g.\n `__builtin_memcpy` was handled this way), and even after this commit\n there are still some functions where it isn't applied. (I only aimed\n for consistency within the same function family.)\n(5) Functions that have hardened `__FOO_chk()` variants are matched in\n `CDM::CLibraryMaybeHardened` to ensure consistent handling of the\n \"normal\" and the hardened variant. I added special handling for the\n hardened variants of \"sprintf\" and \"snprintf\" because there the\n extra parameters are inserted into the middle of the parameter list.\n(6) Modeling of `sscanf_s` was added, to complete the group of `fscanf`,\n `fscanf_s` and `sscanf`.\n(7) The `Source()` specifications for `gets`, `gets_s` and `wgetch` were\n ill-formed: they were specifying variadic arguments starting at\n argument index `ReturnValueIndex`. (That is, in addition to the\n return value they were propagating taint to all arguments.)\n(8) Functions that were related to each other were grouped together. (I\n know that this makes the diff harder to read, but I felt that the\n full list is unreadable without some reorganization.)\n(9) I spotted and removed some redundant curly braces. Perhaps it would be\n good to switch to a cleaner layout with fewer nested braces...\n(10) I updated some obsolete comments and added two TODOs for issues\n that should be fixed in followup commits.","shortMessageHtmlLink":"[analyzer] Clean up list of taint propagation functions"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEfi0wVwA","startCursor":null,"endCursor":null}},"title":"Activity · Ericsson/llvm-project"}