From baeaa9ad120f60b1c5b6f1a84286b507dbe2b55d Mon Sep 17 00:00:00 2001
From: Anna Zaks <ganna@apple.com>
Date: Thu, 3 May 2012 02:13:50 +0000
Subject: [PATCH] [analyzer] Add a complexity bound on history tracking.
(Currently, this is only relevant for tainted data.)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156050 91177308-0d34-0410-b5e6-96231b3b80d8
---
.../Core/PathSensitive/SymbolManager.h | 2 ++
lib/StaticAnalyzer/Core/SValBuilder.cpp | 10 +++++++---
lib/StaticAnalyzer/Core/SymbolManager.cpp | 7 +++++++
test/Analysis/taint-generic.c | 20 +++++++++++++++++++
4 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h b/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
index ad76f391879..8431b0e7395 100644
--- a/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
+++ b/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
@@ -94,6 +94,8 @@ public:
return symbol_iterator(this);
}
static symbol_iterator symbol_end() { return symbol_iterator(); }
+
+ unsigned computeComplexity() const;
};
typedef const SymExpr* SymbolRef;
diff --git a/lib/StaticAnalyzer/Core/SValBuilder.cpp b/lib/StaticAnalyzer/Core/SValBuilder.cpp
index a61cbe87614..d286f495cd7 100644
--- a/lib/StaticAnalyzer/Core/SValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SValBuilder.cpp
@@ -204,15 +204,19 @@ SVal SValBuilder::makeSymExprValNN(ProgramStateRef State,
const SymExpr *symLHS = LHS.getAsSymExpr();
const SymExpr *symRHS = RHS.getAsSymExpr();
+ // TODO: When the Max Complexity is reached, we should conjure a symbol
+ // instead of generating an Unknown value and propagate the taint info to it.
+ const unsigned MaxComp = 10000; // 100000 28X
- if (symLHS && symRHS)
+ if (symLHS && symRHS &&
+ (symLHS->computeComplexity() + symRHS->computeComplexity()) < MaxComp)
return makeNonLoc(symLHS, Op, symRHS, ResultTy);
- if (symLHS)
+ if (symLHS && symLHS->computeComplexity() < MaxComp)
if (const nonloc::ConcreteInt *rInt = dyn_cast<nonloc::ConcreteInt>(&RHS))
return makeNonLoc(symLHS, Op, rInt->getValue(), ResultTy);
- if (symRHS)
+ if (symRHS && symRHS->computeComplexity() < MaxComp)
if (const nonloc::ConcreteInt *lInt = dyn_cast<nonloc::ConcreteInt>(&LHS))
return makeNonLoc(lInt->getValue(), Op, symRHS, ResultTy);
diff --git a/lib/StaticAnalyzer/Core/SymbolManager.cpp b/lib/StaticAnalyzer/Core/SymbolManager.cpp
index 5fee9afc08d..0bc192d6457 100644
--- a/lib/StaticAnalyzer/Core/SymbolManager.cpp
+++ b/lib/StaticAnalyzer/Core/SymbolManager.cpp
@@ -164,6 +164,13 @@ void SymExpr::symbol_iterator::expand() {
llvm_unreachable("unhandled expansion case");
}
+unsigned SymExpr::computeComplexity() const {
+ unsigned R = 0;
+ for (symbol_iterator I = symbol_begin(), E = symbol_end(); I != E; ++I)
+ R++;
+ return R;
+}
+
const SymbolRegionValue*
SymbolManager::getRegionValueSymbol(const TypedValueRegion* R) {
llvm::FoldingSetNodeID profile;
diff --git a/test/Analysis/taint-generic.c b/test/Analysis/taint-generic.c
index b00372a3ffb..1cfdfead64f 100644
--- a/test/Analysis/taint-generic.c
+++ b/test/Analysis/taint-generic.c
@@ -183,3 +183,23 @@ void testTaintedVLASize() {
scanf("%d", &x);
int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
}
+
+// This computation used to take a very long time.
+#define longcmp(a,b,c) { \
+ a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
+ a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }
+
+unsigned radar11369570_hanging(const unsigned char *arr, int l) {
+ unsigned a, b, c;
+ a = b = c = 0x9899e3 + l;
+ while (l >= 6) {
+ unsigned t;
+ scanf("%d", &t);
+ a += b;
+ a ^= a;
+ a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
+ longcmp(a, t, c);
+ l -= 12;
+ }
+ return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
+}
--
GitLab