bool isTainted(const Stmt *S, TaintTagType Kind = TaintTagGeneric) const;
bool isTainted(SVal V, TaintTagType Kind = TaintTagGeneric) const;
bool isTainted(const SymExpr* Sym, TaintTagType Kind = TaintTagGeneric) const;
+ bool isTainted(const MemRegion *Reg, TaintTagType Kind=TaintTagGeneric) const;
//==---------------------------------------------------------------------==//
// Accessing the Generic Data Map (GDM).
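Review bot: The new `isTainted(const MemRegion *Reg, ...)` overload added in this hunk has no doc comment, although checkers will call this overload family to decide whether a pointer value is tainted, so the reader should know which region kinds it inspects. A one-line comment such as `/// Returns true if the region's symbol, its index (element regions) or any enclosing super-region is tainted.` would state the contract that the .cpp implementation follows. The spacing `Kind=TaintTagGeneric` also differs from the three sibling declarations' `Kind = TaintTagGeneric`; keep the four declarations formatted alike.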
}
bool ProgramState::isTainted(const Stmt *S, TaintTagType Kind) const {
+ SVal val = getSVal(S);
return isTainted(getSVal(S), Kind);
}
bool ProgramState::isTainted(SVal V, TaintTagType Kind) const {
- return isTainted(V.getAsSymExpr(), Kind);
+ if (const SymExpr *Sym = V.getAsSymExpr())
+ return isTainted(Sym, Kind);
+ if (loc::MemRegionVal *RegVal = dyn_cast<loc::MemRegionVal>(&V))
+ return isTainted(RegVal->getRegion(), Kind);
+ return false;
+}
+
+bool ProgramState::isTainted(const MemRegion *Reg, TaintTagType K) const {
+ if (!Reg)
+ return false;
+
+ // Element region (array element) is tainted if either the base or the offset
+ // are tainted.
+ if (const ElementRegion *ER = dyn_cast<ElementRegion>(Reg))
+ return isTainted(ER->getSuperRegion(), K) || isTainted(ER->getIndex(), K);
+
+ if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(Reg))
+ return isTainted(SR->getSymbol(), K);
+
+ if (const SubRegion *ER = dyn_cast<SubRegion>(Reg))
+ return isTainted(ER->getSuperRegion(), K);
+
+ return false;
}
bool ProgramState::isTainted(const SymExpr* Sym, TaintTagType Kind) const {
if (!Sym)
return false;
- // Travese all the symbols this symbol depends on to see if any are tainted.
+ // Traverse all the symbols this symbol depends on to see if any are tainted.
bool Tainted = false;
for (SymExpr::symbol_iterator SI = Sym->symbol_begin(), SE =Sym->symbol_end();
SI != SE; ++SI) {
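Review bot: The added `SVal val = getSVal(S);` in `isTainted(const Stmt *S, ...)` is never used, because the return statement beneath it still calls `getSVal(S)` a second time, so the value is computed twice and the local is dead; either drop the added line or change the return to `return isTainted(val, Kind);`. In the new `isTainted(const MemRegion *Reg, ...)` overload, the `SubRegion` branch reuses the name `ER` for a `const SubRegion *`, which reads as a second ElementRegion; a distinct name such as `const SubRegion *Sub` would avoid confusion with the earlier `ER` and `SR` bindings. That overload also names its tag parameter `K` while every other overload in the hunk uses `Kind`; keeping `Kind` here makes the family uniform. The body of `isTainted(const SymExpr *Sym, ...)` continues past the end of the hunk, so only the comment typo fix in it is visible.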
#define BUFSIZE 10
int Buffer[BUFSIZE];
-void bufferScanfAssignment(int x) {
+struct XYStruct {
+ int x;
+ float y;
+};
+
+void taintTracking(int x) {
int n;
int *addr = &Buffer[0];
scanf("%d", &n);
- addr += n;// expected-warning {{tainted}}
- *addr = n; // expected-warning 2 {{tainted}}
+ addr += n;// expected-warning 2 {{tainted}}
+ *addr = n; // expected-warning 3 {{tainted}}
double tdiv = n / 30; // expected-warning 3 {{tainted}}
char *loc_cast = (char *) n; // expected-warning {{tainted}}
char tinc = tdiv++; // expected-warning {{tainted}}
int tincdec = (char)tinc--; // expected-warning 2 {{tainted}}
- int tprtarithmetic1 = *(addr+1);
+ // Tainted ptr arithmetic/array element address.
+ int tprtarithmetic1 = *(addr+1); // expected-warning 2 {{tainted}}
+ // Tainted struct address, casts.
+ struct XYStruct *xyPtr = 0;
+ scanf("%p", &xyPtr);
+ void *tXYStructPtr = xyPtr; // expected-warning 2 {{tainted}}
+ struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning 2 {{tainted}}
}
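Review bot: The raised expected-warning counts on `addr += n;` and `*addr = n;`, and the new counts on the pointer-arithmetic and struct-pointer lines, are asserted without any note on where the additional reports come from, which makes the numbers hard to maintain the next time they shift. A short comment above `addr += n;` such as `// Both n and the resulting tainted address are reported.` would record the expectation; I infer the extra reports come from the MemRegion overload introduced in the same change, but that should be confirmed against the checker output. The `%p` read into `&xyPtr` is what makes the struct pointer tainted, so a similar comment above `scanf("%p", &xyPtr);` would tie the two new warnings to their source.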