[PATCH] D11700: Added remove taint support to ProgramState.
Ted Kremenek
kremenek at apple.com
Fri Jul 31 22:49:47 PDT 2015
krememek added a comment.
In general I'm not a fan of the taint methods being directly on `ProgramState`, but this extends the current pattern. We could move the APIs elsewhere later.
================
Comment at: include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h:338-339
@@ +337,4 @@
+ /// Create a new state in which the symbol is marked as non-tainted.
+ ProgramStateRef removeTaint(SymbolRef S,
+ TaintTagType Kind = TaintTagGeneric) const;
+
----------------
The parameters from the two lines should line up.
================
Comment at: lib/StaticAnalyzer/Core/ProgramState.cpp:687-721
@@ -686,1 +686,37 @@
+ProgramStateRef ProgramState::removeTaint(const Stmt *S,
+ const LocationContext *LCtx,
+ TaintTagType Kind) const {
+ if (const Expr *E = dyn_cast_or_null<Expr>(S))
+ S = E->IgnoreParens();
+
+ SymbolRef Sym = getSVal(S, LCtx).getAsSymbol();
+ if (Sym)
+ return removeTaint(Sym, Kind);
+
+ const MemRegion *R = getSVal(S, LCtx).getAsRegion();
+ removeTaint(R, Kind);
+
+ // Cannot remove taint, so just return the state.
+ return this;
+}
+
+ProgramStateRef ProgramState::removeTaint(const MemRegion *R,
+ TaintTagType Kind) const {
+ if (const SymbolicRegion *SR = dyn_cast_or_null<SymbolicRegion>(R))
+ return removeTaint(SR->getSymbol(), Kind);
+ return this;
+}
+
+ProgramStateRef ProgramState::removeTaint(SymbolRef Sym,
+ TaintTagType Kind) const {
+ // If this is a symbol cast, remove the cast before removing the taint. Taint
+ // is cast agnostic.
+ while (const SymbolCast *SC = dyn_cast<SymbolCast>(Sym))
+ Sym = SC->getOperand();
+
+ ProgramStateRef NewState = remove<TaintMap>(Sym);
+ assert(NewState);
+ return NewState;
+}
+
----------------
This seems reasonable enough. It mostly mirrors the other taint operations we have, and there is noticeably a fair amount of copy-paste here that I wonder could be better factored. `removeTaint` looks pretty much identical to `addTaint` except that it uses the `remove` function on the TaintMap. I'm particularly concerned about the copy-paste for the first `removeTaint`, as that is a non-trivial amount of logic. Could this case possibly be refactored a bit with `addTaint`?
http://reviews.llvm.org/D11700
More information about the cfe-commits
mailing list