commit a50b7ab5af79690855af68f1fff7897291ba9535
author Anna Zaks <ganna@apple.com> Mon Dec 05 18:58:01 2011 +0000
committer Anna Zaks <ganna@apple.com> Mon Dec 05 18:58:01 2011 +0000
tree 4899e1a2bd97369438bbedd24cb6419d28979b35
parent 5845717880d1b0ecaf68c58093681eb18ace9237

[analyzer] Add a debug checker to test for tainted data.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145827 91177308-0d34-0410-b5e6-96231b3b80d8

lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp

diff --git a/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp b/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp
new file mode 100644
index 0000000..0819e86
--- /dev/null
+++ b/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp
@@ -0,0 +1,62 @@
+//== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This checker can be used for testing how taint data is propagated.
+//
+//===----------------------------------------------------------------------===//
+#include "ClangSACheckers.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+class TaintTesterChecker : public Checker< check::PostStmt<Expr> > {
+
+  mutable llvm::OwningPtr<BugType> BT;
+  void initBugType() const;
+
+  /// Given a pointer argument, get the symbol of the value it contains
+  /// (points to).
+  SymbolRef getPointedToSymbol(CheckerContext &C,
+                               const Expr* Arg,
+                               bool IssueWarning = true) const;
+
+public:
+  void checkPostStmt(const Expr *E, CheckerContext &C) const;
+};
+}
+
+inline void TaintTesterChecker::initBugType() const {
+  if (!BT)
+    BT.reset(new BugType("Tainted data", "General"));
+}
+
+void TaintTesterChecker::checkPostStmt(const Expr *E,
+                                       CheckerContext &C) const {
+  const ProgramState *State = C.getState();
+  if (!State)
+    return;
+
+  if (E && State->isTainted(E)) {
+    if (ExplodedNode *N = C.addTransition()) {
+      initBugType();
+      BugReport *report = new BugReport(*BT, "tainted",N);
+      report->addRange(E->getSourceRange());
+      C.EmitReport(report);
+    }
+  }
+}
+
+void ento::registerTaintTesterChecker(CheckerManager &mgr) {
+  mgr.registerChecker<TaintTesterChecker>();
+}