clang::ento::taint Namespace Reference

Typedefs
using	TaintTagType = unsigned
	The type of taint, which helps to differentiate between different types of taint.

Functions
ProgramStateRef	addTaint (ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
	Create a new state in which the value of the statement is marked as tainted.
ProgramStateRef	addTaint (ProgramStateRef State, SVal V, TaintTagType Kind=TaintTagGeneric)
	Create a new state in which the value is marked as tainted.
ProgramStateRef	addTaint (ProgramStateRef State, SymbolRef Sym, TaintTagType Kind=TaintTagGeneric)
	Create a new state in which the symbol is marked as tainted.
ProgramStateRef	addTaint (ProgramStateRef State, const MemRegion *R, TaintTagType Kind=TaintTagGeneric)
	Create a new state in which the pointer represented by the region is marked as tainted.
ProgramStateRef	removeTaint (ProgramStateRef State, SVal V)
ProgramStateRef	removeTaint (ProgramStateRef State, const MemRegion *R)
ProgramStateRef	removeTaint (ProgramStateRef State, SymbolRef Sym)
ProgramStateRef	addPartialTaint (ProgramStateRef State, SymbolRef ParentSym, const SubRegion *SubRegion, TaintTagType Kind=TaintTagGeneric)
	Create a new state in a which a sub-region of a given symbol is tainted.
bool	isTainted (ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
	Check if the statement has a tainted value in the given state.
bool	isTainted (ProgramStateRef State, SVal V, TaintTagType Kind=TaintTagGeneric)
	Check if the value is tainted in the given state.
bool	isTainted (ProgramStateRef State, SymbolRef Sym, TaintTagType Kind=TaintTagGeneric)
	Check if the symbol is tainted in the given state.
bool	isTainted (ProgramStateRef State, const MemRegion *Reg, TaintTagType Kind=TaintTagGeneric)
	Check if the pointer represented by the region is tainted in the given state.
std::vector< SymbolRef >	getTaintedSymbols (ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
	Returns the tainted Symbols for a given Statement and state.
std::vector< SymbolRef >	getTaintedSymbols (ProgramStateRef State, SVal V, TaintTagType Kind=TaintTagGeneric)
	Returns the tainted Symbols for a given SVal and state.
std::vector< SymbolRef >	getTaintedSymbols (ProgramStateRef State, SymbolRef Sym, TaintTagType Kind=TaintTagGeneric)
	Returns the tainted Symbols for a SymbolRef and state.
std::vector< SymbolRef >	getTaintedSymbols (ProgramStateRef State, const MemRegion *Reg, TaintTagType Kind=TaintTagGeneric)
	Returns the tainted (index, super/sub region, symbolic region) symbols for a given memory region.
std::vector< SymbolRef >	getTaintedSymbolsImpl (ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind, bool returnFirstOnly)
std::vector< SymbolRef >	getTaintedSymbolsImpl (ProgramStateRef State, SVal V, TaintTagType Kind, bool returnFirstOnly)
std::vector< SymbolRef >	getTaintedSymbolsImpl (ProgramStateRef State, SymbolRef Sym, TaintTagType Kind, bool returnFirstOnly)
std::vector< SymbolRef >	getTaintedSymbolsImpl (ProgramStateRef State, const MemRegion *Reg, TaintTagType Kind, bool returnFirstOnly)
void	printTaint (ProgramStateRef State, raw_ostream &Out, const char *nl="\n", const char *sep="")
LLVM_DUMP_METHOD void	dumpTaint (ProgramStateRef State)

Variables
static constexpr TaintTagType	TaintTagGeneric = 0

Typedef Documentation

TaintTagType

using clang::ento::taint::TaintTagType = typedef unsigned

The type of taint, which helps to differentiate between different types of taint.

Definition at line 25 of file Taint.h.

Function Documentation

addPartialTaint()

ProgramStateRef clang::ento::taint::addPartialTaint	(	ProgramStateRef	State,
		SymbolRef	ParentSym,
		const SubRegion *	SubRegion,
		TaintTagType	Kind = TaintTagGeneric
	)

Create a new state in a which a sub-region of a given symbol is tainted.

This might be necessary when referring to regions that can not have an individual symbol, e.g. if they are represented by the default binding of a LazyCompoundVal.

Definition at line 124 of file Taint.cpp.

References addTaint(), clang::ento::MemRegion::getBaseRegion(), and clang::T.

Referenced by addTaint().

addTaint() [1/4]

ProgramStateRef clang::ento::taint::addTaint	(	ProgramStateRef	State,
		const MemRegion *	R,
		TaintTagType	Kind = TaintTagGeneric
	)

Create a new state in which the pointer represented by the region is marked as tainted.

Definition at line 79 of file Taint.cpp.

References addTaint().

addTaint() [2/4]

ProgramStateRef clang::ento::taint::addTaint	(	ProgramStateRef	State,
		const Stmt *	S,
		const LocationContext *	LCtx,
		TaintTagType	Kind = TaintTagGeneric
	)

Create a new state in which the value of the statement is marked as tainted.

Definition at line 45 of file Taint.cpp.

References addTaint().

Referenced by addPartialTaint(), and addTaint().

addTaint() [3/4]

ProgramStateRef clang::ento::taint::addTaint	(	ProgramStateRef	State,
		SVal	V,
		TaintTagType	Kind = TaintTagGeneric
	)

Create a new state in which the value is marked as tainted.

Definition at line 51 of file Taint.cpp.

References addPartialTaint(), addTaint(), and V.

addTaint() [4/4]

ProgramStateRef clang::ento::taint::addTaint	(	ProgramStateRef	State,
		SymbolRef	Sym,
		TaintTagType	Kind = TaintTagGeneric
	)

Create a new state in which the symbol is marked as tainted.

Definition at line 86 of file Taint.cpp.

dumpTaint()

void clang::ento::taint::dumpTaint

(

ProgramStateRef

State

)

Definition at line 41 of file Taint.cpp.

References printTaint().

getTaintedSymbols() [1/4]

std::vector< SymbolRef > clang::ento::taint::getTaintedSymbols	(	ProgramStateRef	State,
		const MemRegion *	Reg,
		TaintTagType	Kind = TaintTagGeneric
	)

Returns the tainted (index, super/sub region, symbolic region) symbols for a given memory region.

Definition at line 187 of file Taint.cpp.

References getTaintedSymbolsImpl().

getTaintedSymbols() [2/4]

std::vector< SymbolRef > clang::ento::taint::getTaintedSymbols	(	ProgramStateRef	State,
		const Stmt *	S,
		const LocationContext *	LCtx,
		TaintTagType	Kind = TaintTagGeneric
	)

Returns the tainted Symbols for a given Statement and state.

Definition at line 169 of file Taint.cpp.

References getTaintedSymbolsImpl().

getTaintedSymbols() [3/4]

std::vector< SymbolRef > clang::ento::taint::getTaintedSymbols	(	ProgramStateRef	State,
		SVal	V,
		TaintTagType	Kind = TaintTagGeneric
	)

Returns the tainted Symbols for a given SVal and state.

Definition at line 176 of file Taint.cpp.

References getTaintedSymbolsImpl(), and V.

getTaintedSymbols() [4/4]

std::vector< SymbolRef > clang::ento::taint::getTaintedSymbols	(	ProgramStateRef	State,
		SymbolRef	Sym,
		TaintTagType	Kind = TaintTagGeneric
	)

Returns the tainted Symbols for a SymbolRef and state.

Definition at line 181 of file Taint.cpp.

References getTaintedSymbolsImpl().

getTaintedSymbolsImpl() [1/4]

std::vector< SymbolRef > clang::ento::taint::getTaintedSymbolsImpl	(	ProgramStateRef	State,
		const MemRegion *	Reg,
		TaintTagType	Kind,
		bool	returnFirstOnly
	)

Definition at line 212 of file Taint.cpp.

References getTaintedSymbolsImpl().

getTaintedSymbolsImpl() [2/4]

std::vector< SymbolRef > clang::ento::taint::getTaintedSymbolsImpl	(	ProgramStateRef	State,
		const Stmt *	S,
		const LocationContext *	LCtx,
		TaintTagType	Kind,
		bool	returnFirstOnly
	)

Definition at line 193 of file Taint.cpp.

References getTaintedSymbolsImpl().

Referenced by getTaintedSymbols(), getTaintedSymbolsImpl(), and isTainted().

getTaintedSymbolsImpl() [3/4]

std::vector< SymbolRef > clang::ento::taint::getTaintedSymbolsImpl	(	ProgramStateRef	State,
		SVal	V,
		TaintTagType	Kind,
		bool	returnFirstOnly
	)

Definition at line 202 of file Taint.cpp.

References getTaintedSymbolsImpl(), and V.

getTaintedSymbolsImpl() [4/4]

std::vector< SymbolRef > clang::ento::taint::getTaintedSymbolsImpl	(	ProgramStateRef	State,
		SymbolRef	Sym,
		TaintTagType	Kind,
		bool	returnFirstOnly
	)

Definition at line 251 of file Taint.cpp.

References getTaintedSymbolsImpl(), clang::ento::SubRegion::isSubRegionOf(), and clang::ento::SymExpr::symbols().

isTainted() [1/4]

bool clang::ento::taint::isTainted	(	ProgramStateRef	State,
		const MemRegion *	Reg,
		TaintTagType	Kind = TaintTagGeneric
	)

Check if the pointer represented by the region is tainted in the given state.

Definition at line 158 of file Taint.cpp.

References getTaintedSymbolsImpl().

isTainted() [2/4]

bool clang::ento::taint::isTainted	(	ProgramStateRef	State,
		const Stmt *	S,
		const LocationContext *	LCtx,
		TaintTagType	Kind = TaintTagGeneric
	)

Check if the statement has a tainted value in the given state.

Definition at line 147 of file Taint.cpp.

References getTaintedSymbolsImpl().

isTainted() [3/4]

bool clang::ento::taint::isTainted	(	ProgramStateRef	State,
		SVal	V,
		TaintTagType	Kind = TaintTagGeneric
	)

Check if the value is tainted in the given state.

Definition at line 153 of file Taint.cpp.

References getTaintedSymbolsImpl(), and V.

isTainted() [4/4]

bool clang::ento::taint::isTainted	(	ProgramStateRef	State,
		SymbolRef	Sym,
		TaintTagType	Kind = TaintTagGeneric
	)

Check if the symbol is tainted in the given state.

Definition at line 164 of file Taint.cpp.

References getTaintedSymbolsImpl().

printTaint()

void clang::ento::taint::printTaint	(	ProgramStateRef	State,
		raw_ostream &	Out,
		const char *	nl = "\n",
		const char *	sep = ""
	)

Referenced by dumpTaint().

removeTaint() [1/3]

ProgramStateRef clang::ento::taint::removeTaint	(	ProgramStateRef	State,
		const MemRegion *	R
	)

Definition at line 107 of file Taint.cpp.

References removeTaint().

removeTaint() [2/3]

ProgramStateRef clang::ento::taint::removeTaint	(	ProgramStateRef	State,
		SVal	V
	)

Definition at line 98 of file Taint.cpp.

References removeTaint(), and V.

Referenced by removeTaint().

removeTaint() [3/3]

ProgramStateRef clang::ento::taint::removeTaint	(	ProgramStateRef	State,
		SymbolRef	Sym
	)

Definition at line 113 of file Taint.cpp.

Variable Documentation

TaintTagGeneric

constexpr TaintTagType clang::ento::taint::TaintTagGeneric = 0

staticconstexpr

Definition at line 27 of file Taint.h.