1 //== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This checker can be used for testing how taint data is propagated.
10 //
11 //===----------------------------------------------------------------------===//
12 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
13 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
14 #include "clang/StaticAnalyzer/Core/Checker.h"
15 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
16 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
17 
18 using namespace clang;
19 using namespace ento;
20 
21 namespace {
22 class TaintTesterChecker : public Checker< check::PostStmt<Expr> > {
23 
24   mutable std::unique_ptr<BugType> BT;
25   void initBugType() const;
26 
27   /// Given a pointer argument, get the symbol of the value it contains
28   /// (points to).
29   SymbolRef getPointedToSymbol(CheckerContext &C,
30                                const Expr* Arg,
31                                bool IssueWarning = true) const;
32 
33 public:
34   void checkPostStmt(const Expr *E, CheckerContext &C) const;
35 };
36 }
37 
38 inline void TaintTesterChecker::initBugType() const {
39   if (!BT)
40     BT.reset(new BugType(this, "Tainted data", "General"));
41 }
42 
43 void TaintTesterChecker::checkPostStmt(const Expr *E,
44                                        CheckerContext &C) const {
45   ProgramStateRef State = C.getState();
46   if (!State)
47     return;
48 
49   if (State->isTainted(E, C.getLocationContext())) {
50     if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
51       initBugType();
52       auto report = llvm::make_unique<BugReport>(*BT, "tainted",N);
53       report->addRange(E->getSourceRange());
54       C.emitReport(std::move(report));
55     }
56   }
57 }
58 
59 void ento::registerTaintTesterChecker(CheckerManager &mgr) {
60   mgr.registerChecker<TaintTesterChecker>();
61 }
62 
63 bool ento::shouldRegisterTaintTesterChecker(const LangOptions &LO) {
64   return true;
65 }
66