authorArtem Dergachev <artem.dergachev@gmail.com>2019-02-22 00:06:30 +0000
committerArtem Dergachev <artem.dergachev@gmail.com>2019-02-22 00:06:30 +0000
commit46ca8eecbe17c8864b89d038a4f02d8a05024f55 (patch)
tree8ba05776ae58a2974d847399267a77ad585c097d /test/Analysis/mig.mm
parentf016479d52538ebdbe0fbc6a61638d8c39c5dd4c (diff)
[analyzer] MIGChecker: Improve intermediate diagnostic notes.
Add a BugReporterVisitor for highlighting the events of deallocating a parameter. All such events are relevant to the emitted report (as long as the report is indeed emitted), so all of them will get highlighted. Add a trackExpressionValue visitor for highlighting where the error return code comes from. Do not add a trackExpressionValue visitor for highlighting how the deallocated argument(s) were copied around. This still remains to be implemented. rdar://problem/35380337 Differential Revision: https://reviews.llvm.org/D58368 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@354641 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'test/Analysis/mig.mm')
-rw-r--r--test/Analysis/mig.mm26
1 files changed, 21 insertions, 5 deletions
diff --git a/test/Analysis/mig.mm b/test/Analysis/mig.mm
index 6c70bfc314..6bcd45b36a 100644
--- a/test/Analysis/mig.mm
+++ b/test/Analysis/mig.mm
@@ -1,5 +1,5 @@
// RUN: %clang_analyze_cc1 -w -analyzer-checker=core,alpha.osx.MIG\
-// RUN: -fblocks -verify %s
+// RUN: -analyzer-output=text -fblocks -verify %s
// XNU APIs.
@@ -20,9 +20,11 @@ kern_return_t vm_deallocate(mach_port_name_t, vm_address_t, vm_size_t);
MIG_SERVER_ROUTINE
kern_return_t basic_test(mach_port_name_t port, vm_address_t address, vm_size_t size) {
- vm_deallocate(port, address, size);
- if (size > 10) {
+ vm_deallocate(port, address, size); // expected-note{{Value passed through parameter 'address' is deallocated}}
+ if (size > 10) { // expected-note{{Assuming 'size' is > 10}}
+ // expected-note@-1{{Taking true branch}}
return KERN_ERROR; // expected-warning{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
+ // expected-note@-1{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
}
return KERN_SUCCESS;
}
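Review bot: The added `expected-note@-1` after `return KERN_ERROR;` repeats the whole warning text verbatim, and the same warning/note pair recurs in release_twice, the Objective-C method and the block in the later hunks. Since -verify matches the text between the braces as a substring, the note could be shortened to `// expected-note@-1{{MIG callback fails with error after deallocating argument value}}` while the `expected-warning` keeps pinning the full message. That leaves one full copy of the diagnostic per test case, so a later rewording of the message touches half as many lines.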
@@ -42,6 +44,18 @@ kern_return_t no_crash(mach_port_name_t port, vm_address_t address, vm_size_t si
vm_deallocate(port, address, size);
}
+// When releasing two parameters, add a note for both of them.
+// Also when returning a variable, explain why do we think that it contains
+// a non-success code.
+MIG_SERVER_ROUTINE
+kern_return_t release_twice(mach_port_name_t port, vm_address_t addr1, vm_address_t addr2, vm_size_t size) {
+ kern_return_t ret = KERN_ERROR; // expected-note{{'ret' initialized to 1}}
+ vm_deallocate(port, addr1, size); // expected-note{{Value passed through parameter 'addr1' is deallocated}}
+ vm_deallocate(port, addr2, size); // expected-note{{Value passed through parameter 'addr2' is deallocated}}
+ return ret; // expected-warning{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
+ // expected-note@-1{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
+}
+
// Check that we work on Objective-C messages and blocks.
@interface I
- (kern_return_t)fooAtPort:(mach_port_name_t)port withAddress:(vm_address_t)address ofSize:(vm_size_t)size;
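Review bot: The expectation `'ret' initialized to 1` in release_twice hard-codes the numeric value of KERN_ERROR, whose definition is in the stub section outside this hunk, so the test will fail with a confusing message if that stub ever changes. A trailing remark such as `// The note prints the numeric value of KERN_ERROR from the stubs above.` next to that line would make the dependency visible. The new header comment also reads more cleanly as `// Also, when returning a variable, explain why we think it contains a non-success code.` As far as the visible hunks show, no case covers a parameter that is copied into a local before being deallocated, so a FIXME-marked case would pin what the notes currently do on that path. The `@interface I` declaration at the end of this hunk continues outside it.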
@@ -51,8 +65,9 @@ kern_return_t no_crash(mach_port_name_t port, vm_address_t address, vm_size_t si
- (kern_return_t)fooAtPort:(mach_port_name_t)port
withAddress:(vm_address_t)address
ofSize:(vm_size_t)size MIG_SERVER_ROUTINE {
- vm_deallocate(port, address, size);
+ vm_deallocate(port, address, size); // expected-note{{Value passed through parameter 'address' is deallocated}}
return KERN_ERROR; // expected-warning{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
+ // expected-note@-1{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
}
@end
@@ -60,8 +75,9 @@ void test_block() {
kern_return_t (^block)(mach_port_name_t, vm_address_t, vm_size_t) =
^MIG_SERVER_ROUTINE (mach_port_name_t port,
vm_address_t address, vm_size_t size) {
- vm_deallocate(port, address, size);
+ vm_deallocate(port, address, size); // expected-note{{Value passed through parameter 'address' is deallocated}}
  return KERN_ERROR; // expected-warning{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
+ // expected-note@-1{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
};
}