[analyzer] Taint: add taint propagation rules for string and memory copy

functions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148370 91177308-0d34-0410-b5e6-96231b3b80d8

1 files changed, 25 insertions, 4 deletions

diff --git a/lib/StaticAnalyzer/Core/CheckerContext.cpp b/lib/StaticAnalyzer/Core/CheckerContext.cpp
index 3737ca5467..cb272fb1c3 100644
--- a/lib/StaticAnalyzer/Core/CheckerContext.cpp
+++ b/lib/StaticAnalyzer/Core/CheckerContext.cpp
@@ -13,6 +13,8 @@
 //===----------------------------------------------------------------------===//
 
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/Basic/Builtins.h"
+
 using namespace clang;
 using namespace ento;
 
@@ -23,12 +25,31 @@ const FunctionDecl *CheckerContext::getCalleeDecl(const CallExpr *CE) const {
   return L.getAsFunctionDecl();
 }
 
-StringRef CheckerContext::getCalleeName(const CallExpr *CE) const {
-  const FunctionDecl *funDecl = getCalleeDecl(CE);
-  if (!funDecl)
+StringRef CheckerContext::getCalleeName(const FunctionDecl *FunDecl) const {
+  if (!FunDecl)
     return StringRef();
-  IdentifierInfo *funI = funDecl->getIdentifier();
+  IdentifierInfo *funI = FunDecl->getIdentifier();
   if (!funI)
     return StringRef();
   return funI->getName();
 }
+
+
+bool CheckerContext::isCLibraryFunction(const FunctionDecl *FD,
+                                        StringRef Name){
+  // To avoid false positives (Ex: finding user defined functions with
+  // similar names), only perform fuzzy name matching when it's a builtin.
+  // Using a string compare is slow, we might want to switch on BuiltinID here.
+  unsigned BId = FD->getBuiltinID();
+  if (BId != 0) {
+    ASTContext &Context = getASTContext();
+    StringRef BName = Context.BuiltinInfo.GetName(BId);
+    if (StringRef(BName).find(Name) != StringRef::npos)
+      return true;
+  }
+
+  if (FD->isExternC() && FD->getIdentifier()->getName().equals(Name))
+    return true;
+
+  return false;
+}