enumerate the checkers

Author: hongxuchen

plugin/CMakeLists.txt

@@ -5,13 +5,3 @@ project(${PROJECTID})
 set(EXECUTABLE_NAME "${PROJECTID}")
 add_library(${EXECUTABLE_NAME} SHARED MyCheckers.cc)
 target_link_libraries(${EXECUTABLE_NAME} ${FULL_LLVM_LIBS})
-
-# set(LLVM_ROOT_DIRECTORY "/home/hongxu/marple-llvm/llvm/cmake")
-# set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${LLVM_ROOT_DIRECTORY}")
-# set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${LLVM_ROOT_DIRECTORY}/modules")
-# find_package(LLVM)
-# include(AddLLVM)
-# add_definitions(${LLVM_DEFINITIONS})
-# include_directories(${LLVM_INCLUDE_DIRS})
-# link_directories(${LLVM_LIBRARY_DIRS})
-# add_llvm_loadable_module(${EXECUTABLE_NAME} SHARED MyCheckers.cc)

plugin/DBZ.cc

@@ -9,7 +9,7 @@
 using namespace clang;
 using namespace ento;
 
-namespace {
+namespace chx {
 class MyDZChecker
     : public Checker<check::PreStmt<BinaryOperator>, check::PostCall> {
   mutable std::unique_ptr<BugType> BT;
@@ -23,7 +23,6 @@ class MyDZChecker
                                      categories::LogicError)) {}
   void checkPostCall(CallEvent const &, CheckerContext &) const;
 };
-}  // end anonymous namespace
 
 void MyDZChecker::reportBug(const char *Msg, ProgramStateRef StateZero,
                             CheckerContext &C) const {
@@ -93,3 +92,5 @@ void MyDZChecker::checkPostCall(CallEvent const &call,
     }
   }
 }
+
+}  // end namespace

plugin/MyCheckers.cc

@@ -2,8 +2,8 @@
 #include "heartbleed.cc"
 
 extern "C" void clang_registerCheckers(CheckerRegistry &registry) {
-  registry.addChecker<MyDZChecker>("chx.DZChecker", "DZChecker");
-  registry.addChecker<NetworkTaintChecker>("chx.NetChecker", "NetChecker");
+  registry.addChecker<chx::MyDZChecker>("chx.DZChecker", "DZChecker");
+  registry.addChecker<chx::NetworkTaintChecker>("chx.NetChecker", "NetChecker");
 }
 
 extern "C" const char clang_analyzerAPIVersionString[] =

plugin/heartbleed.cc

@@ -7,30 +7,73 @@
 
 #include "llvm/Support/raw_ostream.h"
 
+#include <iostream>
+
 /// http://blog.trailofbits.com/2014/04/27/using-static-analysis-and-clang-to-find-heartbleed/
 
 using namespace clang;
 using namespace ento;
 
-namespace {
+namespace chx {
 
+// check::ASTDecl,check::PreStmt, check::PostStmt, check::Event,
 class NetworkTaintChecker
-    : public Checker<check::PreCall, check::PostCall, check::Location> {
+    : public Checker<check::PreCall, check::PostCall, check::Location,
+                     check::ASTCodeBody, check::EndOfTranslationUnit,
+                     check::Bind, check::EndAnalysis, check::EndFunction,
+                     check::BranchCondition, check::DeadSymbols
+                     // check::RegionChanges,
+                     // check::PointerEscape,
+                     // check::ConstPointerEscape
+                     > {
   mutable std::unique_ptr<BugType> BT;
 
-  bool isArgUnConstrained(Optional<NonLoc>, SValBuilder &,
+  bool isArgUnConstrained(llvm::Optional<NonLoc>, SValBuilder &,
                           ProgramStateRef) const;
 
  public:
   NetworkTaintChecker(void)
-      : BT(std::make_unique<BugType>(this, "Tainted dereference",
-                                     "AWR Custom Analyzer")) {}
+      : BT(std::make_unique<BugType>(this, "My Tainted dereference",
+                                     "MY Custom Analyzer")) {}
 
   void checkPreCall(const CallEvent &, CheckerContext &) const;
   void checkPostCall(const CallEvent &, CheckerContext &) const;
   void checkLocation(SVal, bool, const Stmt *, CheckerContext &) const;
+  // unimplemented
+  void checkASTCodeBody(const Decl *D, AnalysisManager &mgr,
+                        BugReporter &BR) const {}
+
+  void checkEndOfTranslationUnit(const TranslationUnitDecl *TU,
+                                 AnalysisManager &mgr, BugReporter &BR) const {}
+  void checkBind(const SVal &location, const SVal &val, const Stmt *S,
+                 CheckerContext &C) const {}
+  void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR,
+                        ExprEngine &Eng) const {}
+  void checkEndFunction(CheckerContext &C) const {}
+  void checkBranchCondition(const Stmt *Condition, CheckerContext &C) const {}
+  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const {}
+
+  // bool wantsRegionChangeUpdate(ProgramStateRef state) const { return false; }
+  // ProgramStateRef checkRegionChanges(ProgramStateRef state,
+  //                                    const InvalidatedSymbols *invalidated,
+  //                                    ArrayRef<const MemRegion *> Explicits,
+  //                                    ArrayRef<const MemRegion *> Regions,
+  //                                    const CallEvent *Call) const {
+  //   return nullptr;
+  // }
+  // ProgramStateRef checkPointerEscape(
+  //     ProgramStateRef State, const InvalidatedSymbols &Escaped,
+  //     const CallEvent *Call, PointerEscapeKind Kind,
+  //     RegionAndSymbolInvalidationTraits *ETraits) const {
+  //   return nullptr;
+  // }
+  // ProgramStateRef checkConstPointerEscape(
+  //     ProgramStateRef State, const InvalidatedSymbols &Escaped,
+  //     const CallEvent *Call, PointerEscapeKind Kind,
+  //     RegionAndSymbolInvalidationTraits *ETraits) const {
+  //   return nullptr;
+  // }
 };
-}
 
 // checker logic
 bool NetworkTaintChecker::isArgUnConstrained(Optional<NonLoc> Arg,
@@ -40,29 +83,24 @@ bool NetworkTaintChecker::isArgUnConstrained(Optional<NonLoc> Arg,
 
   if (Arg) {
     // so 5000 is chosen as an arbitrary value. reall what we should do is
-    // compare
-    // the range on the value with the range of the memory object pointed to by
-    // either the base pointer, in an array dereference, or the first and second
-    // parameters to memcpy, in a call to memcpy. however, frequently this
-    // information
-    // is opaque to the analyzer. what I mostly wanted to answer was, show me
-    // locations
-    // in the code where NO constraints, practically, had been applied to the
-    // size.
-    // this would still permit technically incorrect constraints to be passed,
-    // so
-    // there is room for improvement, but I think that generally, something
-    // sound is
-    // unattainable here so we just do what we can in the time allotted
+    // compare the range on the value with the range of the memory object
+    // pointed to by either the base pointer, in an array dereference, or the
+    // first and second parameters to memcpy, in a call to memcpy. however,
+    // frequently this information is opaque to the analyzer. what I mostly
+    // wanted to answer was, show me locations in the code where NO constraints,
+    // practically, had been applied to the size. this would still permit
+    // technically incorrect constraints to be passed, so there is room for
+    // improvement, but I think that generally, something sound is unattainable
+    // here so we just do what we can in the time allotted
     llvm::APInt V(32, 5000);
     SVal Val = builder.makeIntVal(V, false);
 
     Optional<NonLoc> NLVal = Val.getAs<NonLoc>();
 
     if (NLVal.hasValue() == false) return result;
 
-    SVal cmprLT = builder.evalBinOpNN(state, BO_GT, *Arg, *NLVal,
-                                      builder.getConditionType());
+    SVal cmprLT = builder.evalBinOpNN(state, BinaryOperatorKind::BO_GT, *Arg,
+                                      *NLVal, builder.getConditionType());
 
     Optional<NonLoc> NLcmprLT = cmprLT.getAs<NonLoc>();
 
@@ -81,8 +119,9 @@ bool NetworkTaintChecker::isArgUnConstrained(Optional<NonLoc> Arg,
 // check memcpy / memset calls
 void NetworkTaintChecker::checkPreCall(const CallEvent &call,
                                        CheckerContext &C) const {
-  ProgramStateRef state = C.getState();
+  // ProgramStateRef state = C.getState();
   const IdentifierInfo *ID = call.getCalleeIdentifier();
+  std::cerr << " [checkPreCall]: " << ID->getName().data() << "\n";
 
   if (ID == nullptr) {
     return;
@@ -150,15 +189,13 @@ void NetworkTaintChecker::checkLocation(SVal l, bool isLoad, const Stmt *LoadS,
 // check for htonl/htons
 void NetworkTaintChecker::checkPostCall(const CallEvent &Call,
                                         CheckerContext &C) const {
-  // is htons or htonl?
   const IdentifierInfo *ID = Call.getCalleeIdentifier();
 
   if (ID == nullptr) {
     return;
   }
 
-  if (ID->getName() == "ntohl" || ID->getName() == "xyzzy" ||
-      ID->getName() == "ntohs") {
+  if (ID->getName() == "ntohl" || ID->getName() == "ntohs") {
     ProgramStateRef State = C.getState();
     // taint the value written to by this call
     SymbolRef Sym = Call.getReturnValue().getAsSymbol();
@@ -171,3 +208,4 @@ void NetworkTaintChecker::checkPostCall(const CallEvent &Call,
 
   return;
 }
+}  // end namespace

tests/plugin/e1/Makefile

@@ -1,7 +1,7 @@
 all: demo1.out
 
 demo1.out: demo1.c
-	$(CC) -o demo1.out demo1.c
+	$(CC) -o demo1.out demo1.c -g
 
 clean:
 	rm -f demo1.out

tests/plugin/e2/demo2.c

@@ -24,6 +24,7 @@ int main(int argc, char *argv[]) {
       size = ntohl(size);
 
       if (size < sizeof(data_array)) {
+        // limited to size, no bug
         memcpy(buf, data_array, size);
       }
 

tests/plugin/e3/dbz.c

@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+int a = 0;
+
+int main(void){
+ return 3 / a;
+}