clang  8.0.0svn
TaintTesterChecker.cpp
1 //== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This checker is a testing aid for taint propagation: it reports every expression the analyzer considers tainted.
11 //
12 //===----------------------------------------------------------------------===//
13 #include "ClangSACheckers.h"
18 
19 using namespace clang;
20 using namespace ento;
21 
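namespace {
/// Debugging aid for the analyzer's taint tracking.
///
/// Subscribes to check::PostStmt<Expr> and reports each expression that the
/// current program state marks as tainted, so that tests can observe where
/// taint ends up. It only reports; nothing in this file adds or removes taint.
class TaintTesterChecker : public Checker< check::PostStmt<Expr> > {

  /// Bug type shared by every report from this checker. Created on first use
  /// by initBugType(); mutable because the checker's methods are const.
  mutable std::unique_ptr<BugType> BT;

  /// Creates BT if it has not been created yet.
  void initBugType() const;

  // The former private declaration of getPointedToSymbol() was dropped: this
  // file never defines or calls it, and a private member of a class in an
  // anonymous namespace cannot be defined anywhere else.

public:
  /// Emits a "tainted" report covering E's source range when the current
  /// state reports E as tainted.
  void checkPostStmt(const Expr *E, CheckerContext &C) const;
};
} // end anonymous namespace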
38 
/// Lazily creates the "Tainted data" bug type (category "General") the first
/// time a report is needed; later calls leave the existing object in place.
inline void TaintTesterChecker::initBugType() const {
  if (BT)
    return; // Already created by an earlier report.

  BT.reset(new BugType(this, "Tainted data", "General"));
}
43 
/// Post-statement callback: reports \p E as "tainted" when the current program
/// state marks it tainted in this location context.
///
/// \param E The expression the callback was invoked for.
/// \param C Checker context supplying the state, the location context and the
///          report sink.
void TaintTesterChecker::checkPostStmt(const Expr *E,
                                       CheckerContext &C) const {
  ProgramStateRef CurState = C.getState();
  // Nothing to do without a state, or when the expression is not tainted.
  if (!CurState || !CurState->isTainted(E, C.getLocationContext()))
    return;

  // A non-fatal node is requested, so this diagnostic does not itself end
  // the path; if no node is returned, no report is emitted.
  ExplodedNode *ErrNode = C.generateNonFatalErrorNode();
  if (!ErrNode)
    return;

  initBugType();
  auto Diag = llvm::make_unique<BugReport>(*BT, "tainted", ErrNode);
  // Highlight the tainted expression itself in the diagnostic.
  Diag->addRange(E->getSourceRange());
  C.emitReport(std::move(Diag));
}
59 
/// Registration hook: registers TaintTesterChecker with the given checker
/// manager.
void ento::registerTaintTesterChecker(CheckerManager &mgr) {
  mgr.registerChecker<TaintTesterChecker>();
}