JavaScript is not currently enabled, but is required for full
CodeSonar manual search and browse functionality.
If you are viewing this file in your hub's Web GUI, enable
JavaScript in your browser: you will also need it for GUI
functionality.
If you opened this file directly from disk, your browser may be
directly suppressing JavaScript functionality: certain browsers
perform this suppression on local files (but not files delivered by
web servers) for security reasons.
-
If you access the manual through the hub's Web GUI, the
functionality will not be suppressed because the hub is a web
server.
-
Alternatively, your browser may allow you to explicitly
disable the security setting that suppresses functionality. See
the CodeSonar
FAQ for more information.
Path Checking
CodeSonar provides on-demand feasibility checking for:
- the paths leading to a warning location, and
- taint introduction and
propagation along one or more paths.
Path checking is available for C/C++ code only.
Important Note:
the CodeSonar Web GUI makes extensive use of JavaScript. Make sure
JavaScript is enabled in your web browser.
CodeSonar offers three kinds of path checking: warning feasibility, taint propagation, and taint propagation in warning
context.
When a CodeSonar user performs a search or exploration of the
paths leading to a warning location, it inspects the program call
graph and obtains a set of call graph paths that match the user's
specifications. In some cases, one or more of these call graph paths
may not correspond to an execution path that can actually occur in
the program. In other cases, call graph paths may correspond to a
valid execution path, but only under conditions that mean the warning
does not occur.
- When a call graph path does correspond to an execution path, we
say that it is feasible.
- When a path is feasible and the warning occurs on that path, we
say that it is a feasible warning path.
Checking feasibility sets of call graph paths is computationally
expensive, so is only performed on demand. In order to be tractable,
the checking for each call graph path will limit the amount of effort
spent looking for a corresponding feasible warning path: there is
both a time limit and an upper bound on the number of paths that will
be explored.
Taint propagation checking is carried out with respect to the
taint on a specific occurrence
of a specific program element. Each function in a call graph path is
inspected to determine whether it is a source or propagator (or
neither) for the taint on the element of interest.
Note that the taint source may not occur directly on the call
path. For example, suppose function f_source() is a taint source and returns a
tainted value. If function main()
calls f_source() and then passes the
tainted value to another function f_sink(), we will not see the taint source if we
check for taint propagation along the call path main()→f_sink().
This is a hybrid of warning
feasibility checking and taint
propagation checking: each call path is inspected to determine
whether both the warning and taint propagation can
feasibly occur.
Path checking functionality is provided in the following page
types.
Note that path checking is not available if the project is
currently being analyzed.
Path checking results are obtained and reported as follows.
| GUI Reference Link |
Explore Callers
|
| Path Checking Type |
Depends on page
mode:
|
| Invoking Path Checking |
Two options.
|
| Results Display |
For a call graph path (...->)A->B->...->W, the
color and format of node A corresponds to the path checking
result for the path A->B->...->W.
The Explore Callers page also provides a color blind
mode , in which path checking outcomes are displayed
using a set of colors that can be distinguished by a viewer
with deuteranomaly. Click enable color blind mode in the
legend (top right of upper panel) to enable color blind mode;
click disable color blind mode to disable it. The color
mappings in color blind mode are as follows.
| Path
Checking Outcome
|
Color in Color Blind Mode |
(otherwise) |
| Yes |
Pink |
(Red) |
| Unlikely |
Yellow |
(Yellow) |
| Not Sure |
Light Blue |
(Blue) |
| No |
Dark Blue |
(Green) |
|
| GUI Reference Link |
Extended Warning
Report
|
| Path Checking Type |
warning feasibility
|
| Invoking Path Checking |
Path checking is implicitly invoked by opening an Extended
Warning Report for a particular path. |
| Results Display |
If a call graph path selected for viewing is determined to
correspond to a feasible warning path then that path is
highlighted in the Extended Warning Report code excerpt.
Otherwise, CodeSonar prints a message above the excerpt
explaining that a feasible warning path could not be found. |
| GUI Reference Link |
Search Callers
|
| Path Checking Type |
Depends on page
mode:
|
| Invoking Path Checking
|
Two options.
- Click check paths to
check all paths in the current page of the table.
CodeSonar will step through the results, checking one path
at a time and reporting the outcome in the Warning Detected or
Taint Detected
column (as appropriate) as it progresses.
To stop this process at any time, click stop checking. CodeSonar will
finish checking its current path and then stop. If you
click check paths
again, the checking will resume where it left off.
- Click check now (on the
Warning Detected or
Taint Detected line)
in an
expanded path entry to check that path.
If CodeSonar is already performing a path check, it will
finish checking its current path and then switch to
checking the path you have chosen. Once this check is
complete, CodeSonar will resume any remaining checking
where it left off.
If the path has already been checked (and so a result is
displayed), the link will be labeled check again.
|
| Results Display |
Path checking results are shown in the Warning Detected and Taint Detected columns of the result table
and on the Warning Detected and
Taint Detected lines of each
expanded
path entry. |
The possible path checking outcomes depend on the kind of
check.
Warning feasibility
checking has four possible outcomes.
| Warning Detected |
Color [*] |
Explanation |
| Yes |
Red |
The analysis determined that the warning does occur on that
call path (before any limits were reached). |
| Unlikely |
Yellow |
The analysis explored the maximum permitted number of paths
without finding a corresponding feasible warning path. |
| Not Sure |
Blue |
The time limit expired before the analysis could find a
corresponding feasible warning path. |
| No |
Green |
The analysis determined that the warning does not occur on
that call path (before any limits were reached). |
[*] The
Explore Callers page offers a color blind mode with a different set of
color mappings.
In some cases CodeSonar may be unable to find a feasible warning
path corresponding to some call graph path B->...W but then find a
feasible warning path for A->...B->...W. For this reason, you
may sometimes see paths with multiple color changes. In these cases,
the color at the start of the path indicates the finding for the path
as a whole. In particular, a path whose first link is colored red is
a feasible warning path, even if the path contains links of other
colors.
Taint propagation checking
has three possible outcomes.
| Taint Propagation Status |
Format |
Explanation |
| Source |
Red Outline |
Taint propagates to the element of interest along this path;
the taint source occurs directly on the path. |
| Propagates |
Red Underline |
Taint propagates to the element of interest along this path;
the taint source does not occur on the path. |
| No |
- |
Taint does not propagate to the element of interest along
this path. |
Taint propagation
checking in warning context has two possible outcomes.
| Taint+Warning Propagation Status |
Color [*] |
Explanation |
| Yes |
Red |
Taint propagates to the element of interest along the call
path path and the taint source occurs directly on the path
and the analysis determined that the warning does occur on
the call path (before any limits were reached). |
| Unlikely |
Yellow |
The analysis explored the maximum permitted number of paths
without finding a corresponding feasible warning path with taint
propagation and a taint source. |
| Not Sure |
Blue |
The time limit expired before the analysis could find a
corresponding feasible warning path with taint propagation and a
taint source. |
| No |
Green |
The analysis determined that the warning does not occur on
the call path (before any limits were reached), or that taint
does not propagate to the element of interest along the path, or
that |
[*] The Explore Callers page offers a color blind mode with an alternative set of
color mappings.
