//== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This checker can be used for testing how taint data is propagated.
//
// It only reads taint (via ProgramState::isTainted) and never marks anything
// as tainted itself, so its output reflects whatever taint other parts of the
// analyzer have already attached to the state. Every tainted expression it
// sees produces a report, which makes it a propagation-debugging aid rather
// than a vulnerability detector.
//
//===----------------------------------------------------------------------===//
#include "ClangSACheckers.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

using namespace clang;
using namespace ento;

namespace {
/// Debug checker that reports each expression whose value is tainted in the
/// current program state. Registered for the check::PostStmt<Expr> callback.
class TaintTesterChecker : public Checker< check::PostStmt<Expr> > {

  /// Bug type shared by all reports from this checker. Created lazily by
  /// initBugType(); mutable because the checker callbacks are const.
  mutable OwningPtr<BugType> BT;

  /// Allocate BT on first use; a no-op once it is set.
  void initBugType() const;

  /// Given a pointer argument, get the symbol of the value it contains
  /// (points to).
  // NOTE(review): no definition or call of this member is visible in this
  // listing -- confirm whether the declaration is still needed.
  SymbolRef getPointedToSymbol(CheckerContext &C,
                               const Expr* Arg,
                               bool IssueWarning = true) const;

public:
  /// Emit a "tainted" report covering \p E when the state says \p E is
  /// tainted in the current location context.
  void checkPostStmt(const Expr *E, CheckerContext &C) const;
};
}

inline void TaintTesterChecker::initBugType() const {
  // Already created by an earlier report: nothing to do.
  if (BT)
    return;
  BT.reset(new BugType("Tainted data", "General"));
}

void TaintTesterChecker::checkPostStmt(const Expr *E,
                                       CheckerContext &C) const {
  ProgramStateRef State = C.getState();
  if (!State)
    return;

  // Untainted expressions are of no interest to this checker.
  if (!State->isTainted(E, C.getLocationContext()))
    return;

  // The report needs a node to attach to; without one nothing is emitted.
  ExplodedNode *Node = C.addTransition();
  if (!Node)
    return;

  initBugType();
  // NOTE(review): the raw pointer is handed to emitReport and not freed here;
  // presumably the bug reporter takes ownership -- confirm against the API.
  BugReport *Report = new BugReport(*BT, "tainted", Node);
  Report->addRange(E->getSourceRange());
  C.emitReport(Report);
}

/// Registration hook: adds TaintTesterChecker to the given checker manager.
void ento::registerTaintTesterChecker(CheckerManager &mgr) {
  mgr.registerChecker<TaintTesterChecker>();
}