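//== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This checker can be used for testing how taint data is propagated.
//
//===----------------------------------------------------------------------===//
#include "ClangSACheckers.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

using namespace clang;
using namespace ento;

namespace {
/// Debug checker that reports every expression whose value the analyzer
/// considers tainted.
///
/// It runs after each expression is evaluated (check::PostStmt<Expr>) and
/// performs no sink or sanitizer check of its own, so a "tainted" report
/// marks where taint has propagated; it is not a confirmed vulnerability.
class TaintTesterChecker : public Checker< check::PostStmt<Expr> > {

  /// Bug type shared by all reports from this checker. Created on first use
  /// by initBugType(), hence mutable: the checker callbacks are const.
  mutable OwningPtr<BugType> BT;

  /// Creates BT if it does not exist yet.
  void initBugType() const;

  // The getPointedToSymbol() declaration that used to sit here had no
  // definition and no caller in this file, and its comment suggested a
  // pointee lookup that this checker does not perform, so it was removed.

public:
  /// Emits a "tainted" report for \p E when the current state marks it as
  /// tainted.
  void checkPostStmt(const Expr *E, CheckerContext &C) const;
};
}

/// Lazily constructs the "Tainted data" bug type in the "General" category.
inline void TaintTesterChecker::initBugType() const {
  if (BT)
    return;
  BT.reset(new BugType("Tainted data", "General"));
}

/// Post-statement callback for every expression.
///
/// \param E the expression that has just been evaluated.
/// \param C checker context supplying the program state, the location
///          context and the report sink.
///
/// Nothing is reported when there is no state, when \p E is not tainted in
/// the current location context, or when addTransition() yields no node.
void TaintTesterChecker::checkPostStmt(const Expr *E,
                                       CheckerContext &C) const {
  ProgramStateRef State = C.getState();
  if (!State)
    return;

  // Taint is queried for E as evaluated in the current location context.
  if (!State->isTainted(E, C.getLocationContext()))
    return;

  // The report has to be attached to an exploded node; without one there is
  // nothing to anchor it to.
  ExplodedNode *Node = C.addTransition();
  if (!Node)
    return;

  initBugType();

  // The report is handed to emitReport() and is not freed here.
  BugReport *Report = new BugReport(*BT, "tainted", Node);
  Report->addRange(E->getSourceRange()); // highlight the tainted expression
  C.emitReport(Report);
}

/// Registration hook: installs TaintTesterChecker in the checker manager.
void ento::registerTaintTesterChecker(CheckerManager &mgr) {
  mgr.registerChecker<TaintTesterChecker>();
}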