xref: /minix3/external/bsd/llvm/dist/clang/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp (revision 0a6a1f1d05b60e214de2f05a7310ddd1f0e590e7) 
1f4a2713aSLionel Sambuc //== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=//
2f4a2713aSLionel Sambuc //
3f4a2713aSLionel Sambuc //                     The LLVM Compiler Infrastructure
4f4a2713aSLionel Sambuc //
5f4a2713aSLionel Sambuc // This file is distributed under the University of Illinois Open Source
6f4a2713aSLionel Sambuc // License. See LICENSE.TXT for details.
7f4a2713aSLionel Sambuc //
8f4a2713aSLionel Sambuc //===----------------------------------------------------------------------===//
9f4a2713aSLionel Sambuc //
10f4a2713aSLionel Sambuc // This checker can be used for testing how taint data is propagated.
11f4a2713aSLionel Sambuc //
12f4a2713aSLionel Sambuc //===----------------------------------------------------------------------===//
13f4a2713aSLionel Sambuc #include "ClangSACheckers.h"
14f4a2713aSLionel Sambuc #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
15f4a2713aSLionel Sambuc #include "clang/StaticAnalyzer/Core/Checker.h"
16f4a2713aSLionel Sambuc #include "clang/StaticAnalyzer/Core/CheckerManager.h"
17f4a2713aSLionel Sambuc #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
18f4a2713aSLionel Sambuc 
19f4a2713aSLionel Sambuc using namespace clang;
20f4a2713aSLionel Sambuc using namespace ento;
21f4a2713aSLionel Sambuc 
22f4a2713aSLionel Sambuc namespace {
23f4a2713aSLionel Sambuc class TaintTesterChecker : public Checker< check::PostStmt<Expr> > {
24f4a2713aSLionel Sambuc 
25*0a6a1f1dSLionel Sambuc   mutable std::unique_ptr<BugType> BT;
26f4a2713aSLionel Sambuc   void initBugType() const;
27f4a2713aSLionel Sambuc 
28f4a2713aSLionel Sambuc   /// Given a pointer argument, get the symbol of the value it contains
29f4a2713aSLionel Sambuc   /// (points to).
30f4a2713aSLionel Sambuc   SymbolRef getPointedToSymbol(CheckerContext &C,
31f4a2713aSLionel Sambuc                                const Expr* Arg,
32f4a2713aSLionel Sambuc                                bool IssueWarning = true) const;
33f4a2713aSLionel Sambuc 
34f4a2713aSLionel Sambuc public:
35f4a2713aSLionel Sambuc   void checkPostStmt(const Expr *E, CheckerContext &C) const;
36f4a2713aSLionel Sambuc };
37f4a2713aSLionel Sambuc }
38f4a2713aSLionel Sambuc 
initBugType() const39f4a2713aSLionel Sambuc inline void TaintTesterChecker::initBugType() const {
40f4a2713aSLionel Sambuc   if (!BT)
41*0a6a1f1dSLionel Sambuc     BT.reset(new BugType(this, "Tainted data", "General"));
42f4a2713aSLionel Sambuc }
43f4a2713aSLionel Sambuc 
checkPostStmt(const Expr * E,CheckerContext & C) const44f4a2713aSLionel Sambuc void TaintTesterChecker::checkPostStmt(const Expr *E,
45f4a2713aSLionel Sambuc                                        CheckerContext &C) const {
46f4a2713aSLionel Sambuc   ProgramStateRef State = C.getState();
47f4a2713aSLionel Sambuc   if (!State)
48f4a2713aSLionel Sambuc     return;
49f4a2713aSLionel Sambuc 
50f4a2713aSLionel Sambuc   if (State->isTainted(E, C.getLocationContext())) {
51f4a2713aSLionel Sambuc     if (ExplodedNode *N = C.addTransition()) {
52f4a2713aSLionel Sambuc       initBugType();
53f4a2713aSLionel Sambuc       BugReport *report = new BugReport(*BT, "tainted",N);
54f4a2713aSLionel Sambuc       report->addRange(E->getSourceRange());
55f4a2713aSLionel Sambuc       C.emitReport(report);
56f4a2713aSLionel Sambuc     }
57f4a2713aSLionel Sambuc   }
58f4a2713aSLionel Sambuc }
59f4a2713aSLionel Sambuc 
registerTaintTesterChecker(CheckerManager & mgr)60f4a2713aSLionel Sambuc void ento::registerTaintTesterChecker(CheckerManager &mgr) {
61f4a2713aSLionel Sambuc   mgr.registerChecker<TaintTesterChecker>();
62f4a2713aSLionel Sambuc }
63