Static Analysis launch checker in context of another checker

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Static Analysis launch checker in context of another checker

Reid Kleckner via cfe-dev
Hello all,

I'm writing a checker to analyze function calls in the body. Please let me know if we can launch another checker in the context of the current checker?

Thank you very much!

----------------
Best regards,
Thien Tran.

_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: Static Analysis launch checker in context of another checker

Reid Kleckner via cfe-dev
Hi,

Checkers which emit bug reports are ought to be independent. So in this sense, no, you cannot "launch" another checker inside the current checker. 

Hope this helps, 
Gábor 

On Tue, 1 Sep 2020, 08:25 Thien Tran via cfe-dev, <[hidden email]> wrote:
Hello all,

I'm writing a checker to analyze function calls in the body. Please let me know if we can launch another checker in the context of the current checker?

Thank you very much!

----------------
Best regards,
Thien Tran.
_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: Static Analysis launch checker in context of another checker

Reid Kleckner via cfe-dev
Thank you very much for your response,

I'm reading GenericTaintChecker and in its document "The taint information produced by it might be useful to other checkers". I wonder how I can get the information from GenericTaintChecker or is it better to add my own analysis to it?

----------------
Best regards,
Thien Tran.


On Wed, 2 Sep 2020 at 10:06, Gábor Márton <[hidden email]> wrote:
Hi,

Checkers which emit bug reports are ought to be independent. So in this sense, no, you cannot "launch" another checker inside the current checker. 

Hope this helps, 
Gábor 

On Tue, 1 Sep 2020, 08:25 Thien Tran via cfe-dev, <[hidden email]> wrote:
Hello all,

I'm writing a checker to analyze function calls in the body. Please let me know if we can launch another checker in the context of the current checker?

Thank you very much!

----------------
Best regards,
Thien Tran.
_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: Static Analysis launch checker in context of another checker

Reid Kleckner via cfe-dev
We have the convention of modeling and reporting checkers. Modeling checkers provide the information that is used by the reporting checkers. Ideally, taint analysis should be implemented in this way too. So, sooner or later we will refactor GenericTaintChecker to be like this.
Anyway, `isTainted` provided by the taint analysis is part of the modeling and can be reused by other checkers which do some reporting. Just make sure you register the dependency on the taint checker in Checkers.td.


On Wed, Sep 2, 2020 at 9:22 AM Thien Tran <[hidden email]> wrote:
Thank you very much for your response,

I'm reading GenericTaintChecker and in its document "The taint information produced by it might be useful to other checkers". I wonder how I can get the information from GenericTaintChecker or is it better to add my own analysis to it?

----------------
Best regards,
Thien Tran.


On Wed, 2 Sep 2020 at 10:06, Gábor Márton <[hidden email]> wrote:
Hi,

Checkers which emit bug reports are ought to be independent. So in this sense, no, you cannot "launch" another checker inside the current checker. 

Hope this helps, 
Gábor 

On Tue, 1 Sep 2020, 08:25 Thien Tran via cfe-dev, <[hidden email]> wrote:
Hello all,

I'm writing a checker to analyze function calls in the body. Please let me know if we can launch another checker in the context of the current checker?

Thank you very much!

----------------
Best regards,
Thien Tran.
_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: Static Analysis launch checker in context of another checker

Reid Kleckner via cfe-dev
In reply to this post by Reid Kleckner via cfe-dev
The taint propagation toolset GenericTaintChecker wants to make available to other checkers is just a collection of helper functions/data structures. For instance, it would make sense if StreamChecker could mark user inout from fgets() as tainted. Later, when the analyzer would find a read of that value, GenericTaintChecker could check whether it is a taintes symbol.

The key thing to note here is that these checkers would still work independently (StreamChecker wouldnt make GenericTaintChecker run), but do share knowledge with the use of the GDM.

Here is what you want to do: create a header file that contains functions like this:

ProgramStateRef markTainted(ProgramStateRef State, SVal S) {
  // definition should be in the checker file
  return State->add<TaintedSymbols>(S);
}

Or something similar, I just wrotr this code to demonstrate what I wanted to say, didnt check whether this is how it works on the inside :)


On Wed, 2 Sep 2020, 09:23 Thien Tran via cfe-dev, <[hidden email]> wrote:
Thank you very much for your response,

I'm reading GenericTaintChecker and in its document "The taint information produced by it might be useful to other checkers". I wonder how I can get the information from GenericTaintChecker or is it better to add my own analysis to it?

----------------
Best regards,
Thien Tran.


On Wed, 2 Sep 2020 at 10:06, Gábor Márton <[hidden email]> wrote:
Hi,

Checkers which emit bug reports are ought to be independent. So in this sense, no, you cannot "launch" another checker inside the current checker. 

Hope this helps, 
Gábor 

On Tue, 1 Sep 2020, 08:25 Thien Tran via cfe-dev, <[hidden email]> wrote:
Hello all,

I'm writing a checker to analyze function calls in the body. Please let me know if we can launch another checker in the context of the current checker?

Thank you very much!

----------------
Best regards,
Thien Tran.
_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: Static Analysis launch checker in context of another checker

Reid Kleckner via cfe-dev
> ProgramStateRef markTainted(ProgramStateRef State, SVal S)

We already have a bunch of `addTaint()` overloaded functions in Taint.h to propagate the `TaintMap` in GDM. And `isTainted` is the counterpart to read that.

On Wed, Sep 2, 2020 at 10:02 AM Kristóf Umann <[hidden email]> wrote:
The taint propagation toolset GenericTaintChecker wants to make available to other checkers is just a collection of helper functions/data structures. For instance, it would make sense if StreamChecker could mark user inout from fgets() as tainted. Later, when the analyzer would find a read of that value, GenericTaintChecker could check whether it is a taintes symbol.

The key thing to note here is that these checkers would still work independently (StreamChecker wouldnt make GenericTaintChecker run), but do share knowledge with the use of the GDM.

Here is what you want to do: create a header file that contains functions like this:

ProgramStateRef markTainted(ProgramStateRef State, SVal S) {
  // definition should be in the checker file
  return State->add<TaintedSymbols>(S);
}

Or something similar, I just wrotr this code to demonstrate what I wanted to say, didnt check whether this is how it works on the inside :)


On Wed, 2 Sep 2020, 09:23 Thien Tran via cfe-dev, <[hidden email]> wrote:
Thank you very much for your response,

I'm reading GenericTaintChecker and in its document "The taint information produced by it might be useful to other checkers". I wonder how I can get the information from GenericTaintChecker or is it better to add my own analysis to it?

----------------
Best regards,
Thien Tran.


On Wed, 2 Sep 2020 at 10:06, Gábor Márton <[hidden email]> wrote:
Hi,

Checkers which emit bug reports are ought to be independent. So in this sense, no, you cannot "launch" another checker inside the current checker. 

Hope this helps, 
Gábor 

On Tue, 1 Sep 2020, 08:25 Thien Tran via cfe-dev, <[hidden email]> wrote:
Hello all,

I'm writing a checker to analyze function calls in the body. Please let me know if we can launch another checker in the context of the current checker?

Thank you very much!

----------------
Best regards,
Thien Tran.
_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: Static Analysis launch checker in context of another checker

Reid Kleckner via cfe-dev
Yep, i totally meant my example to be, well, an example :^)

On Wed, 2 Sep 2020, 10:09 Gábor Márton, <[hidden email]> wrote:
> ProgramStateRef markTainted(ProgramStateRef State, SVal S)

We already have a bunch of `addTaint()` overloaded functions in Taint.h to propagate the `TaintMap` in GDM. And `isTainted` is the counterpart to read that.

On Wed, Sep 2, 2020 at 10:02 AM Kristóf Umann <[hidden email]> wrote:
The taint propagation toolset GenericTaintChecker wants to make available to other checkers is just a collection of helper functions/data structures. For instance, it would make sense if StreamChecker could mark user inout from fgets() as tainted. Later, when the analyzer would find a read of that value, GenericTaintChecker could check whether it is a taintes symbol.

The key thing to note here is that these checkers would still work independently (StreamChecker wouldnt make GenericTaintChecker run), but do share knowledge with the use of the GDM.

Here is what you want to do: create a header file that contains functions like this:

ProgramStateRef markTainted(ProgramStateRef State, SVal S) {
  // definition should be in the checker file
  return State->add<TaintedSymbols>(S);
}

Or something similar, I just wrotr this code to demonstrate what I wanted to say, didnt check whether this is how it works on the inside :)


On Wed, 2 Sep 2020, 09:23 Thien Tran via cfe-dev, <[hidden email]> wrote:
Thank you very much for your response,

I'm reading GenericTaintChecker and in its document "The taint information produced by it might be useful to other checkers". I wonder how I can get the information from GenericTaintChecker or is it better to add my own analysis to it?

----------------
Best regards,
Thien Tran.


On Wed, 2 Sep 2020 at 10:06, Gábor Márton <[hidden email]> wrote:
Hi,

Checkers which emit bug reports are ought to be independent. So in this sense, no, you cannot "launch" another checker inside the current checker. 

Hope this helps, 
Gábor 

On Tue, 1 Sep 2020, 08:25 Thien Tran via cfe-dev, <[hidden email]> wrote:
Hello all,

I'm writing a checker to analyze function calls in the body. Please let me know if we can launch another checker in the context of the current checker?

Thank you very much!

----------------
Best regards,
Thien Tran.
_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev