clang  14.0.0git
TaintTesterChecker.cpp
Go to the documentation of this file.
1 //== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This checker can be used for testing how taint data is propagated.
10 //
11 //===----------------------------------------------------------------------===//
12 
13 #include "Taint.h"
19 
20 using namespace clang;
21 using namespace ento;
22 using namespace taint;
23 
24 namespace {
25 class TaintTesterChecker : public Checker< check::PostStmt<Expr> > {
26 
27  mutable std::unique_ptr<BugType> BT;
28  void initBugType() const;
29 
30  /// Given a pointer argument, get the symbol of the value it contains
31  /// (points to).
32  SymbolRef getPointedToSymbol(CheckerContext &C,
33  const Expr* Arg,
34  bool IssueWarning = true) const;
35 
36 public:
37  void checkPostStmt(const Expr *E, CheckerContext &C) const;
38 };
39 }
40 
41 inline void TaintTesterChecker::initBugType() const {
42  if (!BT)
43  BT.reset(new BugType(this, "Tainted data", "General"));
44 }
45 
46 void TaintTesterChecker::checkPostStmt(const Expr *E,
47  CheckerContext &C) const {
48  ProgramStateRef State = C.getState();
49  if (!State)
50  return;
51 
52  if (isTainted(State, E, C.getLocationContext())) {
53  if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
54  initBugType();
55  auto report = std::make_unique<PathSensitiveBugReport>(*BT, "tainted", N);
56  report->addRange(E->getSourceRange());
57  C.emitReport(std::move(report));
58  }
59  }
60 }
61 
62 void ento::registerTaintTesterChecker(CheckerManager &mgr) {
63  mgr.registerChecker<TaintTesterChecker>();
64 }
65 
66 bool ento::shouldRegisterTaintTesterChecker(const CheckerManager &mgr) {
67  return true;
68 }
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:324
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:54
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition: SymExpr.h:110
clang::ento::taint::isTainted
bool isTainted(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Check if the statement has a tainted value in the given state.
BuiltinCheckerRegistration.h
CheckerManager.h
Taint.h
BugType.h
State
LineState State
Definition: UnwrappedLineFormatter.cpp:986
CheckerContext.h
Checker.h
clang
Definition: CalledOnceCheck.h:17
clang::Expr
This represents one expression.
Definition: Expr.h:109