[analyzer] Skip casts when determining taint dependencies + pretty

printing.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148517 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h b/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
index 2987116e4f1e3fb3db3d160d5f82e2a02a6b0ef8..806613fff107041f6f4131a57621edb934d647c5 100644 (file)
--- a/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
+++ b/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
@@ -368,10 +368,12 @@ public:
   // Pretty-printing.
   void print(raw_ostream &Out, const char *nl = "\n",
              const char *sep = "") const;
-
   void printDOT(raw_ostream &Out) const;
+  void printTaint(raw_ostream &Out, const char *nl = "\n",
+                  const char *sep = "") const;
 
   void dump() const;
+  void dumpTaint() const;
 
 private:
   /// Increments the number of times this state is referenced by ExplodeNodes.

diff --git a/lib/StaticAnalyzer/Core/ProgramState.cpp b/lib/StaticAnalyzer/Core/ProgramState.cpp
index 5eb0e06bca5dda154ec6479f78842ce483388fd5..a8061e1b4044d790555fa927255a0ccd91a0772e 100644 (file)
--- a/lib/StaticAnalyzer/Core/ProgramState.cpp
+++ b/lib/StaticAnalyzer/Core/ProgramState.cpp
@@ -413,6 +413,22 @@ void ProgramState::dump() const {
   print(llvm::errs());
 }
 
+void ProgramState::printTaint(raw_ostream &Out,
+                              const char *NL, const char *Sep) const {
+  TaintMapImpl TM = get<TaintMap>();
+
+  if (!TM.isEmpty())
+    Out <<"Tainted Symbols:" << NL;
+
+  for (TaintMapImpl::iterator I = TM.begin(), E = TM.end(); I != E; ++I) {
+    Out << I->first << " : " << I->second << NL;
+  }
+}
+
+void ProgramState::dumpTaint() const {
+  printTaint(llvm::errs());
+}
+
 //===----------------------------------------------------------------------===//
 // Generic Data Map.
 //===----------------------------------------------------------------------===//
@@ -602,6 +618,11 @@ const ProgramState* ProgramState::addTaint(const MemRegion *R,
 
 const ProgramState* ProgramState::addTaint(SymbolRef Sym,
                                            TaintTagType Kind) const {
+  // If this is a symbol cast, remove the cast before adding the taint. Taint
+  // is cast agnostic.
+  while (const SymbolCast *SC = dyn_cast<SymbolCast>(Sym))
+    Sym = SC->getOperand();
+
   const ProgramState *NewState = set<TaintMap>(Sym, Kind);
   assert(NewState);
   return NewState;
@@ -662,6 +683,10 @@ bool ProgramState::isTainted(SymbolRef Sym, TaintTagType Kind) const {
     if (const SymbolRegionValue *SRV = dyn_cast<SymbolRegionValue>(*SI))
       Tainted = Tainted || isTainted(SRV->getRegion(), Kind);
 
+    // If If this is a SymbolCast from a tainted value, it's also tainted.
+    if (const SymbolCast *SC = dyn_cast<SymbolCast>(*SI))
+      Tainted = Tainted || isTainted(SC->getOperand(), Kind);
+
     if (Tainted)
       return true;
   }