[cfe-commits] r146006 - in /cfe/trunk: include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h lib/StaticAnalyzer/Core/ProgramState.cpp test/Analysis/taint-tester.c

Anna Zaks ganna at apple.com
Tue Dec 6 17:09:52 PST 2011


Author: zaks
Date: Tue Dec  6 19:09:52 2011
New Revision: 146006

URL: http://llvm.org/viewvc/llvm-project?rev=146006&view=rev
Log:
[analyzer] Propagate taint through MemRegions.
An SVal can be not only a symbol but also a MemRegion. Add taint support for
such cases.

Modified:
    cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
    cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp
    cfe/trunk/test/Analysis/taint-tester.c

Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h?rev=146006&r1=146005&r2=146006&view=diff
==============================================================================
--- cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h (original)
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h Tue Dec  6 19:09:52 2011
@@ -301,6 +301,7 @@
   bool isTainted(const Stmt *S, TaintTagType Kind = TaintTagGeneric) const;
   bool isTainted(SVal V, TaintTagType Kind = TaintTagGeneric) const;
   bool isTainted(const SymExpr* Sym, TaintTagType Kind = TaintTagGeneric) const;
+  bool isTainted(const MemRegion *Reg, TaintTagType Kind=TaintTagGeneric) const;
 
   //==---------------------------------------------------------------------==//
   // Accessing the Generic Data Map (GDM).
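Review bot: The new `isTainted(const MemRegion *Reg, ...)` overload on the added line has no doc comment, while the three sibling overloads it joins are equally undocumented, so a reader cannot tell from the header that taint on a region is derived from its parts rather than stored on the region itself. Based on the .cpp side of this commit, I would add above it `/// Returns true if the region carries taint of kind \p Kind: a symbolic region is tainted if its symbol is, an element region if its base or index is, and any other sub-region if its super-region is.` The default-argument spacing `Kind=TaintTagGeneric` also differs from the `Kind = TaintTagGeneric` used on the three lines above; matching it keeps the declarations aligned.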

Modified: cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp?rev=146006&r1=146005&r2=146006&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp Tue Dec  6 19:09:52 2011
@@ -664,18 +664,41 @@
 }
 
 bool ProgramState::isTainted(const Stmt *S, TaintTagType Kind) const {
+  SVal val = getSVal(S);
   return isTainted(getSVal(S), Kind);
 }
 
 bool ProgramState::isTainted(SVal V, TaintTagType Kind) const {
-  return isTainted(V.getAsSymExpr(), Kind);
+  if (const SymExpr *Sym = V.getAsSymExpr())
+    return isTainted(Sym, Kind);
+  if (loc::MemRegionVal *RegVal = dyn_cast<loc::MemRegionVal>(&V))
+    return isTainted(RegVal->getRegion(), Kind);
+  return false;
+}
+
+bool ProgramState::isTainted(const MemRegion *Reg, TaintTagType K) const {
+  if (!Reg)
+    return false;
+
+  // Element region (array element) is tainted if either the base or the offset
+  // are tainted.
+  if (const ElementRegion *ER = dyn_cast<ElementRegion>(Reg))
+    return isTainted(ER->getSuperRegion(), K) || isTainted(ER->getIndex(), K);
+
+  if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(Reg))
+    return isTainted(SR->getSymbol(), K);
+
+  if (const SubRegion *ER = dyn_cast<SubRegion>(Reg))
+    return isTainted(ER->getSuperRegion(), K);
+
+  return false;
 }
 
 bool ProgramState::isTainted(const SymExpr* Sym, TaintTagType Kind) const {
   if (!Sym)
     return false;
   
-  // Travese all the symbols this symbol depends on to see if any are tainted.
+  // Traverse all the symbols this symbol depends on to see if any are tainted.
   bool Tainted = false;
   for (SymExpr::symbol_iterator SI = Sym->symbol_begin(), SE =Sym->symbol_end();
        SI != SE; ++SI) {
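Review bot: In `isTainted(const Stmt *S, ...)` the added local `SVal val = getSVal(S);` is never used, because the unchanged `return isTainted(getSVal(S), Kind);` on the next line re-evaluates `getSVal(S)` a second time, which both triggers an unused-variable warning and does the lookup twice; the return should be `return isTainted(val, Kind);`. In the new `isTainted(const MemRegion *Reg, ...)`, the `SubRegion` fallback binds its cast to a local named `ER`, which reads as "ElementRegion" after the branch just above; naming it `Sub` (or similar) would avoid that confusion. Note that `isTainted(const SymExpr *Sym, ...)` continues past the end of this hunk, so the symbol-iteration loop is not reviewed here.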

Modified: cfe/trunk/test/Analysis/taint-tester.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-tester.c?rev=146006&r1=146005&r2=146006&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-tester.c (original)
+++ cfe/trunk/test/Analysis/taint-tester.c Tue Dec  6 19:09:52 2011
@@ -6,18 +6,29 @@
 #define BUFSIZE 10
 int Buffer[BUFSIZE];
 
-void bufferScanfAssignment(int x) {
+struct XYStruct {
+  int x;
+  float y;
+};
+
+void taintTracking(int x) {
   int n;
   int *addr = &Buffer[0];
   scanf("%d", &n);
-  addr += n;// expected-warning {{tainted}}
-  *addr = n; // expected-warning 2 {{tainted}}
+  addr += n;// expected-warning 2 {{tainted}}
+  *addr = n; // expected-warning 3 {{tainted}}
 
   double tdiv = n / 30; // expected-warning 3 {{tainted}}
   char *loc_cast = (char *) n; // expected-warning {{tainted}}
   char tinc = tdiv++; // expected-warning {{tainted}}
   int tincdec = (char)tinc--; // expected-warning 2 {{tainted}}
-  int tprtarithmetic1 = *(addr+1);
 
+  // Tainted ptr arithmetic/array element address.
+  int tprtarithmetic1 = *(addr+1); // expected-warning 2 {{tainted}}
 
+  // Tainted struct address, casts.
+  struct XYStruct *xyPtr = 0;
+  scanf("%p", &xyPtr);
+  void *tXYStructPtr = xyPtr; // expected-warning 2 {{tainted}}
+  struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning 2 {{tainted}}
 }
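Review bot: In the new "Tainted struct address" block, `scanf("%p", &xyPtr)` passes a `struct XYStruct **` where the C standard requires a `void **` for `%p`, which is strictly undefined even though it works on the usual ABIs; since this is an analyzer fixture it does not matter at runtime, but `scanf("%p", (void **)&xyPtr);` keeps the fixture itself clean, provided the expected-warning counts are unchanged after the cast (I have not verified how GenericTaintChecker treats the cast expression). The unchecked `scanf` return values and the potentially out-of-range `*(addr+1)` read after `addr += n` look intentional for exercising taint propagation and I would leave them as is.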




