pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[quandaryBO] delete :(

Browse Source 
Summary:
This was never quite finished and inferbo has a new way to do sort of
the same thing.

Reviewed By: skcho, ngorogiannis

Differential Revision: D20362619

fbshipit-source-id: 7c7935d47
master
Jules Villard 5 years ago committed by Facebook GitHub Bot
parent 1faf00e58e
commit e5b50d7d46
26 changed files with 4 additions and 501 deletions
Show Stats Download Patch File Download Diff File

2
Makefile
Unescape View File

@ -68,7 +68,7 @@ DIRECT_TESTS += \
cpp_linters-for-test-only \
cpp_liveness \
cpp_pulse \
cpp_quandary cpp_quandaryBO \
cpp_quandary \
cpp_racerd \
cpp_siof \
cpp_starvation \

8
infer/man/man1/infer-analyze.txt
Unescape View File

@ -251,14 +251,6 @@ OPTIONS
Activates: Enable --quandary and disable all other checkers
(Conversely: --no-quandary-only)
--quandaryBO
Activates: [EXPERIMENTAL] The quandaryBO tainted buffer access
analysis (Conversely: --no-quandaryBO)
--quandaryBO-only
Activates: Enable --quandaryBO and disable all other checkers
(Conversely: --no-quandaryBO-only)
--quiet,-q
Activates: Do not print specs on standard output (default: only
print for the report command) (Conversely: --no-quiet | -Q)

10
infer/man/man1/infer-full.txt
Unescape View File

@ -488,8 +488,6 @@ OPTIONS
STRICT_MODE_VIOLATION (enabled by default),
STRONG_SELF_NOT_CHECKED (enabled by default),
Symexec_memory_error (enabled by default),
TAINTED_BUFFER_ACCESS (enabled by default),
TAINTED_MEMORY_ALLOCATION (enabled by default),
THREAD_SAFETY_VIOLATION (enabled by default),
TOPL_ERROR (enabled by default),
UNARY_MINUS_APPLIED_TO_UNSIGNED_EXPRESSION (disabled by
@ -891,14 +889,6 @@ OPTIONS
--quandary-sources json
Specify custom sources for Quandary See also infer-analyze(1).
--quandaryBO
Activates: [EXPERIMENTAL] The quandaryBO tainted buffer access
analysis (Conversely: --no-quandaryBO) See also infer-analyze(1).
--quandaryBO-only
Activates: Enable --quandaryBO and disable all other checkers
(Conversely: --no-quandaryBO-only) See also infer-analyze(1).
--quiet,-q
Activates: Do not print specs on standard output (default: only
print for the report command) (Conversely: --no-quiet | -Q)

2
infer/man/man1/infer-report.txt
Unescape View File

@ -219,8 +219,6 @@ OPTIONS
STRICT_MODE_VIOLATION (enabled by default),
STRONG_SELF_NOT_CHECKED (enabled by default),
Symexec_memory_error (enabled by default),
TAINTED_BUFFER_ACCESS (enabled by default),
TAINTED_MEMORY_ALLOCATION (enabled by default),
THREAD_SAFETY_VIOLATION (enabled by default),
TOPL_ERROR (enabled by default),
UNARY_MINUS_APPLIED_TO_UNSIGNED_EXPRESSION (disabled by

10
infer/man/man1/infer.txt
Unescape View File

@ -488,8 +488,6 @@ OPTIONS
STRICT_MODE_VIOLATION (enabled by default),
STRONG_SELF_NOT_CHECKED (enabled by default),
Symexec_memory_error (enabled by default),
TAINTED_BUFFER_ACCESS (enabled by default),
TAINTED_MEMORY_ALLOCATION (enabled by default),
THREAD_SAFETY_VIOLATION (enabled by default),
TOPL_ERROR (enabled by default),
UNARY_MINUS_APPLIED_TO_UNSIGNED_EXPRESSION (disabled by
@ -891,14 +889,6 @@ OPTIONS
--quandary-sources json
Specify custom sources for Quandary See also infer-analyze(1).
--quandaryBO
Activates: [EXPERIMENTAL] The quandaryBO tainted buffer access
analysis (Conversely: --no-quandaryBO) See also infer-analyze(1).
--quandaryBO-only
Activates: Enable --quandaryBO and disable all other checkers
(Conversely: --no-quandaryBO-only) See also infer-analyze(1).
--quiet,-q
Activates: Do not print specs on standard output (default: only
print for the report command) (Conversely: --no-quiet | -Q)

24
infer/src/IR/Errlog.ml
Unescape View File

@ -75,15 +75,6 @@ type node =
type err_key = {severity: Exceptions.severity; err_name: IssueType.t; err_desc: Localise.error_desc}
[@@deriving compare]
let merge_err_key err_key1 err_key2 ~merge_issues ~merge_descriptions =
let max_sev sev1 sev2 = if Exceptions.compare_severity sev1 sev2 >= 0 then sev1 else sev2 in
{ severity= max_sev err_key1.severity err_key2.severity
; err_name= merge_issues err_key1.err_name err_key2.err_name
; err_desc=
Localise.verbatim_desc
(merge_descriptions err_key1.err_desc.descriptions err_key2.err_desc.descriptions) }
(** Data associated to a specific error *)
type err_data =
{ node_id: int
@ -102,21 +93,6 @@ type err_data =
let compare_err_data err_data1 err_data2 = Location.compare err_data1.loc err_data2.loc
let merge_err_data err_data1 err_data2 =
{ node_id= 0
; node_key= None
; session= 0
; loc= {err_data1.loc with col= -1}
; loc_in_ml_source= None
; loc_trace= concat_traces [("", err_data1.loc_trace); ("-----------", err_data2.loc_trace)]
; err_class= Exceptions.Checker
; visibility= Exceptions.Exn_user
; linters_def_file= None
; doc_url= None
; access= None
; extras= None }
module ErrDataSet = (* set err_data with no repeated loc *)
Caml.Set.Make (struct
type t = err_data

15
infer/src/IR/Errlog.mli
Unescape View File

@ -44,16 +44,6 @@ type err_key = private
{severity: Exceptions.severity; err_name: IssueType.t; err_desc: Localise.error_desc}
[@@deriving compare]
val merge_err_key :
err_key
-> err_key
-> merge_issues:(IssueType.t -> IssueType.t -> IssueType.t)
-> merge_descriptions:(string list -> string list -> string)
-> err_key
(** Merges two error keys, setting the result's severity to the maximum of that of the two arguments
and giving the user the opportunity to pass a function to merge the IssueTypes and descriptions
of the two. *)
(** Data associated to a specific error *)
type err_data = private
{ node_id: int
@ -70,11 +60,6 @@ type err_data = private
; extras: Jsonbug_t.extra option }
[@@deriving compare]
val merge_err_data : err_data -> err_data -> err_data
(** Merges two err_datas, throwing out most information and setting the trace of the result to the
concatenation of the traces of the two arguments with a separator in between. Used specifically
for QuandaryBO. *)
(** Type of the error log *)
type t

8
infer/src/base/Checker.ml
Unescape View File

@ -27,7 +27,6 @@ type t =
| Pulse
| Purity
| Quandary
| QuandaryBO
| RacerD
| ResourceLeak
| SIOF
@ -207,13 +206,6 @@ let config checker =
; cli_flag= "quandary"
; enabled_by_default= false
; cli_deprecated_flags= [] }
| QuandaryBO ->
{ support= supports_clang_and_java_experimental
; short_documentation= "[EXPERIMENTAL] The quandaryBO tainted buffer access analysis"
; show_in_help= true
; cli_flag= "quandaryBO"
; enabled_by_default= false
; cli_deprecated_flags= [] }
| RacerD ->
{ support= supports_clang_and_java
; short_documentation= "the RacerD thread safety analysis"

1
infer/src/base/Checker.mli
Unescape View File

@ -27,7 +27,6 @@ type t =
| Pulse
| Purity
| Quandary
| QuandaryBO
| RacerD
| ResourceLeak
| SIOF

14
infer/src/base/Config.ml
Unescape View File

@ -3117,20 +3117,6 @@ let procnames_locks_dir = results_dir ^/ procnames_locks_dir_name
information found in the abstract state *)
let dynamic_dispatch = is_checker_enabled Biabduction
let quandaryBO_filtered_issues =
if is_checker_enabled QuandaryBO then
IssueType.
[ buffer_overrun_u5
; buffer_overrun_l5
; buffer_overrun_l4
; untrusted_buffer_access
; untrusted_heap_allocation ]
|> List.filter ~f:(fun issue ->
let enabled = issue.IssueType.enabled || not filtering in
IssueType.set_enabled issue true ; not enabled )
else []
(** Check if a Java package is external to the repository *)
let java_package_is_external package =
match external_java_packages with

3
infer/src/base/Config.mli
Unescape View File

@ -679,7 +679,4 @@ val is_in_custom_symbols : string -> string -> bool
val java_package_is_external : string -> bool
(** Check if a Java package is external to the repository *)
val quandaryBO_filtered_issues : IssueType.t list
(** List of issues that are enabled by QuandaryBO but should not be in the final report.json *)
val execution_id : Int64.t

4
infer/src/base/IssueType.ml
Unescape View File

@ -438,10 +438,6 @@ let symexec_memory_error =
register_from_string "Symexec_memory_error" ~hum:"Symbolic Execution Memory Error"
let tainted_buffer_access = register_from_string "TAINTED_BUFFER_ACCESS"
let tainted_memory_allocation = register_from_string "TAINTED_MEMORY_ALLOCATION"
let thread_safety_violation = register_from_string "THREAD_SAFETY_VIOLATION"
let complexity_increase ~kind ~is_on_cold_start ~is_on_ui_thread =

4
infer/src/base/IssueType.mli
Unescape View File

@ -300,10 +300,6 @@ val strong_self_not_checked : t
val symexec_memory_error : t
val tainted_buffer_access : t
val tainted_memory_allocation : t
val thread_safety_violation : t
val topl_error : t

7
infer/src/checkers/registerCheckers.ml
Unescape View File

@ -44,13 +44,12 @@ let all_checkers =
; active=
Config.(
is_checker_enabled BufferOverrun || is_checker_enabled Cost
|| is_checker_enabled LoopHoisting || is_checker_enabled Purity
|| is_checker_enabled QuandaryBO)
|| is_checker_enabled LoopHoisting || is_checker_enabled Purity)
; callbacks=
[ (Procedure BufferOverrunAnalysis.do_analysis, Language.Clang)
; (Procedure BufferOverrunAnalysis.do_analysis, Language.Java) ] }
; { name= "buffer overrun checker"
; active= Config.(is_checker_enabled BufferOverrun || is_checker_enabled QuandaryBO)
; active= Config.(is_checker_enabled BufferOverrun)
; callbacks=
[ (Procedure BufferOverrunChecker.checker, Language.Clang)
; (Procedure BufferOverrunChecker.checker, Language.Java) ] }
@ -86,7 +85,7 @@ let all_checkers =
( if Config.is_checker_enabled Impurity then [(Procedure Pulse.checker, Language.Java)]
else [] ) }
; { name= "quandary"
; active= Config.(is_checker_enabled Quandary || is_checker_enabled QuandaryBO)
; active= Config.(is_checker_enabled Quandary)
; callbacks=
[ (Procedure JavaTaintAnalysis.checker, Language.Java)
; (Procedure ClangTaintAnalysis.checker, Language.Clang) ] }

1
infer/src/integration/JsonReports.ml
Unescape View File

@ -318,7 +318,6 @@ let process_all_summaries_and_issues ~issues_outf ~costs_outf =
SpecsFiles.iter_from_config ~f:(fun summary ->
all_issues := process_summary ~costs_outf summary !all_issues ) ;
all_issues := Issue.sort_filter_issues !all_issues ;
if Config.is_checker_enabled QuandaryBO then all_issues := QuandaryBO.update_issues !all_issues ;
List.iter
~f:(fun {Issue.proc_name; proc_location; err_key; err_data} ->
let error_filter = mk_error_filter filters proc_name in

127
infer/src/quandary/quandaryBO.ml
Unescape View File

@ -1,127 +0,0 @@
(*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
let update_issues all_issues =
let quandary_access_issues = [IssueType.untrusted_buffer_access] in
let quandary_alloc_issues =
IssueType.[untrusted_heap_allocation; untrusted_variable_length_array]
in
let inferbo_access_issues =
IssueType.
[ buffer_overrun_l1
; buffer_overrun_l2
; buffer_overrun_l3
; buffer_overrun_l4
; buffer_overrun_l5
; buffer_overrun_s2
; buffer_overrun_u5 ]
in
let inferbo_alloc_issues =
IssueType.
[ inferbo_alloc_is_big
; inferbo_alloc_is_zero
; inferbo_alloc_is_negative
; inferbo_alloc_may_be_big
; inferbo_alloc_may_be_negative ]
in
let is_quandary_access_issue issue =
List.mem quandary_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
in
let is_quandary_alloc_issue issue =
List.mem quandary_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
in
let is_relevant_quandary_issue issue =
is_quandary_access_issue issue || is_quandary_alloc_issue issue
in
let is_inferbo_access_issue issue =
List.mem inferbo_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
in
let is_inferbo_alloc_issue issue =
List.mem inferbo_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
in
let is_relevant_inferbo_issue issue =
is_inferbo_access_issue issue || is_inferbo_alloc_issue issue
in
let quandary_issues, inferBO_issues =
List.fold all_issues ~init:([], []) ~f:(fun (q_issues, iBO_issues) issue ->
if is_relevant_quandary_issue issue then (issue :: q_issues, iBO_issues)
else if is_relevant_inferbo_issue issue then (q_issues, issue :: iBO_issues)
else (q_issues, iBO_issues) )
in
let matching_issues quandary_issue inferbo_issue =
let trace_end_match () =
let quandary_trace_end = List.last quandary_issue.Issue.err_data.loc_trace in
let inferbo_trace_end = List.last inferbo_issue.Issue.err_data.loc_trace in
match (quandary_trace_end, inferbo_trace_end) with
| Some quandary_trace_elem, Some inferbo_trace_elem ->
let q_loc = quandary_trace_elem.lt_loc in
let i_loc = inferbo_trace_elem.lt_loc in
SourceFile.equal q_loc.file i_loc.file && Int.equal q_loc.line i_loc.line
| _ ->
false
in
SourceFile.equal quandary_issue.Issue.proc_location.file inferbo_issue.Issue.proc_location.file
&& Int.equal quandary_issue.Issue.proc_location.line inferbo_issue.Issue.proc_location.line
&& trace_end_match ()
&& ( (is_quandary_alloc_issue quandary_issue && is_inferbo_alloc_issue inferbo_issue)
|| (is_quandary_access_issue quandary_issue && is_inferbo_access_issue inferbo_issue) )
in
let paired_issues =
(* Can be computed more efficiently (in n*log(n)) by using a Map mapping
file name + line number to quandary_issues to match with inferbo_issues *)
List.concat_map quandary_issues ~f:(fun quandary_issue ->
List.filter_map inferBO_issues ~f:(fun inferbo_issue ->
if matching_issues quandary_issue inferbo_issue then Some (quandary_issue, inferbo_issue)
else None ) )
in
let merge_issues (issue1, issue2) =
{ Issue.proc_name= issue1.Issue.proc_name
; proc_location= {issue1.Issue.proc_location with col= -1}
; err_key=
Errlog.merge_err_key issue1.Issue.err_key issue2.Issue.err_key
~merge_issues:(fun issue1 _ ->
if IssueType.equal issue1 IssueType.untrusted_buffer_access then
IssueType.tainted_buffer_access
else IssueType.tainted_memory_allocation )
~merge_descriptions:(fun descs1 descs2 ->
String.concat
( "QuandaryBO error. Quandary error(s): \""
:: (descs1 @ ("\". InferBO error(s):\"" :: (descs2 @ ["\"."]))) ) )
; err_data= Errlog.merge_err_data issue1.Issue.err_data issue2.Issue.err_data }
in
(* Can merge List.map, List.concat_map and List.filter_map into a single fold. *)
let quandaryBO_issues = List.map ~f:merge_issues paired_issues in
let quandary_issues =
IssueType.
[ quandary_taint_error
; shell_injection
; shell_injection_risk
; sql_injection
; sql_injection_risk
; untrusted_buffer_access
; untrusted_file_risk
; untrusted_heap_allocation
; untrusted_url_risk
; untrusted_variable_length_array
; user_controlled_sql_risk ]
in
let inferbo_issues =
inferbo_alloc_issues @ inferbo_access_issues @ [IssueType.unreachable_code_after]
in
let filtered_issues = Config.quandaryBO_filtered_issues in
let all_issues_filtered =
List.filter
~f:(fun issue ->
let issue_in ls = List.mem ls issue.Issue.err_key.err_name ~equal:IssueType.equal in
(Config.is_checker_enabled Quandary || not (issue_in quandary_issues))
&& (Config.is_checker_enabled BufferOverrun || not (issue_in inferbo_issues))
&& not (issue_in filtered_issues) )
all_issues
in
List.rev_append all_issues_filtered quandaryBO_issues

10
infer/src/quandary/quandaryBO.mli
Unescape View File

@ -1,10 +0,0 @@
(*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
val update_issues : Issue.t list -> Issue.t list

8
infer/tests/codetoanalyze/cpp/quandaryBO/.inferconfig
Unescape View File

@ -1,8 +0,0 @@
{
"quandary-sources": [
{
"procedure": "__infer_taint_source",
"kind": "Other"
}
]
}

57
infer/tests/codetoanalyze/cpp/quandaryBO/Makefile
Unescape View File

@ -1,57 +0,0 @@
# Copyright (c) Facebook, Inc. and its affiliates.
#
# This source code is licensed under the MIT license found in the
# LICENSE file in the root directory of this source tree.
TESTS_DIR = ../../..
OPTIONS_1 = \
--quandaryBO-only --passthroughs --debug-exceptions --filtering \
--project-root $(TESTS_DIR) \
OPTIONS_2 = \
--quandaryBO-only --quandary --enable-issue-type UNTRUSTED_BUFFER_ACCESS \
--passthroughs --debug-exceptions --filtering \
--project-root $(TESTS_DIR) \
OPTIONS_3 = \
--quandaryBO-only --bufferoverrun --enable-issue-type BUFFER_OVERRUN_U5 \
--passthroughs --debug-exceptions --filtering \
--project-root $(TESTS_DIR) \
OPTIONS_4 = \
--quandaryBO-only --bufferoverrun --debug-exceptions --no-filtering \
--project-root $(TESTS_DIR) \
test: test1 test2 test3 test4
test1:
$(MAKE) -f multitest.make test TEST_SUFFIX=-t1 TEST_RESULT_SUFFIX=-t1 INFER_OPTIONS="$(OPTIONS_1)"
test2:
$(MAKE) -f multitest.make test TEST_SUFFIX=-t2 TEST_RESULT_SUFFIX=-t2 INFER_OPTIONS="$(OPTIONS_2)"
test3:
$(MAKE) -f multitest.make test TEST_SUFFIX=-t3 TEST_RESULT_SUFFIX=-t3 INFER_OPTIONS="$(OPTIONS_3)"
test4:
$(MAKE) -f multitest.make test TEST_SUFFIX=-t4 TEST_RESULT_SUFFIX=-t4 INFER_OPTIONS="$(OPTIONS_4)"
replace: replace1 replace2 replace3 replace4
replace1:
$(MAKE) -f multitest.make replace TEST_SUFFIX=-t1 TEST_RESULT_SUFFIX=-t1 INFER_OPTIONS="$(OPTIONS_1)"
replace2:
$(MAKE) -f multitest.make replace TEST_SUFFIX=-t2 TEST_RESULT_SUFFIX=-t2 INFER_OPTIONS="$(OPTIONS_2)"
replace3:
$(MAKE) -f multitest.make replace TEST_SUFFIX=-t3 TEST_RESULT_SUFFIX=-t3 INFER_OPTIONS="$(OPTIONS_3)"
replace4:
$(MAKE) -f multitest.make replace TEST_SUFFIX=-t4 TEST_RESULT_SUFFIX=-t4 INFER_OPTIONS="$(OPTIONS_4)"
clean:
$(MAKE) -f multitest.make clean TEST_SUFFIX=-t1
$(MAKE) -f multitest.make clean TEST_SUFFIX=-t2
$(MAKE) -f multitest.make clean TEST_SUFFIX=-t3
$(MAKE) -f multitest.make clean TEST_SUFFIX=-t4

64
infer/tests/codetoanalyze/cpp/quandaryBO/codec.cpp
Unescape View File

@ -1,64 +0,0 @@
/*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
#include <cstdint>
#include <memory>
#include <stdexcept>
extern int __infer_taint_source();
namespace std {
template <class T>
unique_ptr<T> make_unique(size_t n) {
typedef typename remove_extent<T>::type U;
return unique_ptr<T>(new U[n]());
}
} // namespace std
namespace Codec_Bad {
uint32_t getP_Bad(uint32_t w) {
auto w4 = w * 4; // BUG: can overflow
auto w4m1 = w4 - 1; // BUG: can underflow (if w = 0)
auto w4m1o15 = w4m1 | 15; // ALWAYS OK
auto w4m1o15p1 = w4m1o15 + 1; // BUG: can overflow
return w4m1o15p1;
}
void foo_Bad_FN() {
int w = __infer_taint_source();
int h = __infer_taint_source();
auto p =
getP_Bad(w); // MISSED BUG: downcasting signed int64 -> unsigned int32
auto s = h * p; // BUG: multiplication can overflow
auto d = std::make_unique<uint8_t[]>(s); // MISSED BUG: casting signed int64
// -> unsigned int64,
}
} // namespace Codec_Bad
namespace Codec_Bad2 {
uint64_t getP_Bad(uint64_t w) {
auto w4 = w * 4; // BUG: can overflow
auto w4m1 = w4 - 1; // BUG: can underflow (if w = 0)
auto w4m1o15 = w4m1 | 15; // ALWAYS OK
auto w4m1o15p1 = w4m1o15 + 1; // BUG: can overflow
return w4m1o15p1;
}
uint64_t checkedMultiply_Good(uint64_t a, uint64_t b) {
__uint128_t mul = ((__uint128_t)a) * b; // OK: no overflow
if ((mul >> 64) != 0) {
throw std::runtime_error("Detected overflow in checked multiplcation");
}
auto result = (uint64_t)mul; // OK: within the bounds
return result;
}
void foo_Bad_FN_FP() {
int w = __infer_taint_source();
int h = __infer_taint_source();
auto p = getP_Bad(w); // MISSED BUG: casting signed int64 -> unsigned int64
auto s = checkedMultiply_Good(h, p); // OK, FP
auto d = std::make_unique<uint8_t[]>(s); // OK
}
} // namespace Codec_Bad2

5
infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t1
Unescape View File

@ -1,5 +0,0 @@
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]

10
infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t2
Unescape View File

@ -1,10 +0,0 @@
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad1_FN, 0, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, overlapping_issues_good, 1, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source with tainted data @val$0.size*,Return from overlapping_issues_source_good,Call to overlapping_issues_sink_good with tainted index 0,Call to __set_array_length with tainted index 1]

8
infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t3
Unescape View File

@ -1,8 +0,0 @@
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, BUFFER_OVERRUN_U5, no_bucket, ERROR, [<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, INFERBO_ALLOC_MAY_BE_BIG, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, BUFFER_OVERRUN_U5, no_bucket, ERROR, [Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]

15
infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t4
Unescape View File

@ -1,15 +0,0 @@
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::checkedMultiply_Good, 2, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, [Here]
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_U5, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Binary operation: ([0, +oo] × 4):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 4, INTEGER_OVERFLOW_U5, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `a`,<RHS trace>,Parameter `b`,Binary operation: ([0, +oo] × [0, +oo]):unsigned32 by call to `Codec_Bad2::checkedMultiply_Good` ]
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::getP_Bad, 4, INTEGER_OVERFLOW_L5, no_bucket, ERROR, [<LHS trace>,Parameter `w`,Assignment,Assignment,Assignment,Binary operation: ([-oo, +oo] + 1):unsigned64]
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ]
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 5, INTEGER_OVERFLOW_U5, no_bucket, ERROR, [<LHS trace>,Unknown value from: __infer_taint_source,Assignment,<RHS trace>,Call,Parameter `w`,Assignment,Assignment,Assignment,Assignment,Assignment,Assignment,Binary operation: ([-oo, +oo] × [-oo, +oo]):unsigned32]
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::getP_Bad, 4, INTEGER_OVERFLOW_L5, no_bucket, ERROR, [<LHS trace>,Parameter `w`,Assignment,Assignment,Assignment,Binary operation: ([-oo, +oo] + 1):unsigned32]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, BUFFER_OVERRUN_U5, no_bucket, ERROR, [<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, INFERBO_ALLOC_MAY_BE_BIG, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, BUFFER_OVERRUN_U5, no_bucket, ERROR, [Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, overlapping_issues_good, 1, BUFFER_OVERRUN_L5, no_bucket, ERROR, [Call,Assignment,Call,Parameter `__param_0->ind`,Assignment,Call,<Offset trace>,Parameter `info->ind`,<Length trace>,Parameter `info->size`,Array declaration,Array access: Offset: 10 Size: [0, +oo] by call to `overlapping_issues_sink_good` ]

15
infer/tests/codetoanalyze/cpp/quandaryBO/multitest.make
Unescape View File

@ -1,15 +0,0 @@
# Copyright (c) Facebook, Inc. and its affiliates.
#
# This source code is licensed under the MIT license found in the
# LICENSE file in the root directory of this source tree.
TESTS_DIR = ../../..
# see explanations in cpp/errors/Makefile for the custom isystem
CLANG_OPTIONS = -x c++ -std=c++11 -nostdinc++ -isystem$(ROOT_DIR) -isystem$(CLANG_INCLUDES)/c++/v1/ -c
INFERPRINT_OPTIONS = --issues-tests
SOURCES = $(wildcard *.cpp)
include $(TESTS_DIR)/clang.make

73
infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp
Unescape View File

@ -1,73 +0,0 @@
/*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
#include <stdlib.h>
extern int __infer_taint_source();
extern void __infer_taint_sink(int i);
void basic_bad() {
int arr[10];
int source = __infer_taint_source();
arr[source] = 2;
}
int multi_level_source_bad() { return __infer_taint_source(); }
void multi_level_sink_bad(int i) {
int arr[10];
if (i > 0)
arr[i] = 2;
}
struct arg {
int taint;
int bo;
};
arg multi_level_source_ok() {
return {.taint = __infer_taint_source(), .bo = 12};
}
void multi_level_sink_ok(int taint, int bo) {
__infer_taint_sink(taint);
int arr[10];
arr[bo] = 0;
}
void multi_level_bad() {
int i = multi_level_source_bad();
multi_level_sink_bad(i);
}
void multi_level_good() { int i = multi_level_source_bad(); }
void memory_alloc_bad1_FN() { int arr[__infer_taint_source()]; }
void memory_alloc_bad2() {
int s = __infer_taint_source();
if (s <= 2147483647) {
int arr[s];
}
}
struct st {
int size;
int ind;
};
st overlapping_issues_source_good() {
return {.size = __infer_taint_source(), .ind = 10};
}
void overlapping_issues_sink_good(st info) {
int arr[info.size];
arr[info.ind] = 0;
}
void overlapping_issues_good() {
overlapping_issues_sink_good(overlapping_issues_source_good());
}
Write Preview
Loading…
Cancel
Save