diff options
| author | Anna Zaks <ganna@apple.com> | 2011-11-16 19:58:10 +0000 |
|---|---|---|
| committer | Anna Zaks <ganna@apple.com> | 2011-11-16 19:58:10 +0000 |
| commit | ceac1d6e0521161adf7ac9834b1a7ad79d73fea4 (patch) | |
| tree | fb413a2f5a4347d695c27e6362f20d7cf23f5eea /lib/StaticAnalyzer/Core/ProgramState.cpp | |
| parent | 57e156a7ed2ce9083f77dde7a4b757ccc9cf8e50 (diff) | |
[analyzer] Adding basic building blocks for taint propagation.
TaintTag.h will contain definitions of different taint kinds and their properties.
TaintManager will be responsible for implementing taint specific operations, storing taint.
ProgramState will provide API to add/remove taint.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144824 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'lib/StaticAnalyzer/Core/ProgramState.cpp')
| -rw-r--r-- | lib/StaticAnalyzer/Core/ProgramState.cpp | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/lib/StaticAnalyzer/Core/ProgramState.cpp b/lib/StaticAnalyzer/Core/ProgramState.cpp index 73788cc42e..3ce3db7313 100644 --- a/lib/StaticAnalyzer/Core/ProgramState.cpp +++ b/lib/StaticAnalyzer/Core/ProgramState.cpp @@ -15,6 +15,7 @@ #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/TaintManager.h" #include "llvm/Support/raw_ostream.h" using namespace clang; @@ -623,3 +624,52 @@ bool ProgramState::scanReachableSymbols(const MemRegion * const *I, } return true; } + +const ProgramState* ProgramState::addTaint(const Stmt *S, + TaintTagType Kind) const { + SymbolRef Sym = getSVal(S).getAsSymbol(); + assert(Sym && "Cannot add taint to statements whose value is not a symbol"); + return addTaint(Sym, Kind); +} + +const ProgramState* ProgramState::addTaint(SymbolRef Sym, + TaintTagType Kind) const { + const ProgramState *NewState = set<TaintMap>(Sym, Kind); + assert(NewState); + return NewState; +} + +bool ProgramState::isTainted(const Stmt *S, TaintTagType Kind) const { + return isTainted(getSVal(S), Kind); +} + +bool ProgramState::isTainted(SVal V, TaintTagType Kind) const { + const SymExpr* Sym = V.getAsSymbol(); + if (!Sym) + Sym = V.getAsSymbolicExpression(); + if (!Sym) + return false; + return isTainted(Sym, Kind); +} + +bool ProgramState::isTainted(const SymExpr* Sym, TaintTagType Kind) const { + // Check taint on derived symbols. + if (const SymbolDerived *SD = dyn_cast<SymbolDerived>(Sym)) + return isTainted(SD->getParentSymbol(), Kind); + + if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(Sym)) + return isTainted(SIE->getLHS(), Kind); + + if (const SymSymExpr *SSE = dyn_cast<SymSymExpr>(Sym)) + return (isTainted(SSE->getLHS(), Kind) || isTainted(SSE->getRHS(), Kind)); + + // Check taint on the current symbol. + if (const SymbolData *SymR = dyn_cast<SymbolData>(Sym)) { + const TaintTagType *Tag = get<TaintMap>(SymR); + return (Tag && *Tag == Kind); + } + + // TODO: Remove llvm unreachable. + llvm_unreachable("We do not know show to check taint on this symbol."); + return false; +} |