-
Notifications
You must be signed in to change notification settings - Fork 11k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Taint not being applied across class heirarchies #62663
Comments
@llvm/issue-subscribers-clang-static-analyzer |
If I'm not mistaken, the only question here is: Well, it turns out it's because we didn't inline it, so taint could not propagate to its body. I'll level the details at the end of this comment for describing what actually happened in your specific case, but let's have a look at a simplified example: void clang_analyzer_warnIfReached();
class HandlerBase {
public:
virtual void onAction() {
clang_analyzer_warnIfReached(); // lol, we inlined this instead!
}
};
class Handler final : public HandlerBase {
public:
void onAction() override {
clang_analyzer_warnIfReached(); // Hmm, why didn't we inline this?
}
};
void top(HandlerBase *p) {
Handler *q = static_cast<Handler*>(p);
q->onAction();
clang_analyzer_warnIfReached();
} We can see that the call to Unfortunately, I don't have the time to fix this, but at least we now know about this. Details of this bugreport:
Later, when we will eventually schedule the The problem is within The |
Should the analyzer trust a static down-cast? I think the analyzer already has the tendency of trusting the source code, e.g., it trusts assertions. So, I believe @steakhal is right, the analyzer in this particular case should inline the method from the derived class. |
Yeah I think I agree with @Xazax-hun, this is a dynamic type info problem. Just because the program performed However, for static analysis purposes, So in such cases developer's assumption has to be explicitly encoded in There's another way to look at this: I'm not a lawyer but it might be that according to the C++ Standard the behavior is undefined if the method is invoked through a wrong-type pointer. In this case the inliner machine should have trusted the pointer type, and we could handle this syntactically (region types might have been a mistake, but AST expression types certainly weren't). This also means we can develop a checker that emits a warning when the pointer actually points to the wrong type. But regardless of how we're establishing that the region has an object of type |
I applied this patch and it failed the following tests:
|
I've found a few places where the Static Analysis Engine can't apply taint in different scenarios based on the class inheritance. I'm not sure quite how to describe it, other than it doesn't seem to be considering all the possible implementations behind a pointer, and this results in taint not being applied at the correct place.
I've minified this reproducer heavily, but this was encountered while trying to get taint tracking working on Firefox, so it originally came from a real use case, using CTU, across a few object files and a lot of source/header files. If this is considered 'not a bug' I would welcome recommendations on how we can annotate or restructure things so that the taint tracking can actually work.
In the example below Statements 1A and 2A show the behavior as I would expect/hope it to work. Statements 1B and 2B show scenarios where it doesn't do the expected thing; these represent how Firefox's code is actually structured; I needed to modify both of those places to get it to behave the way I expected.
Command:
I'm using a version of Clang trunk built a few days ago; it should be revision 4c457e8
Statements 1A & 2A
Statements 1A & 2B
Statements 1B and 2A
The text was updated successfully, but these errors were encountered: