/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/include/clang/StaticAnalyzer/Checkers/Taint.h

Source
//=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Defines basic, non-domain-specific mechanisms for tracking tainted values.
//
//===----------------------------------------------------------------------===//

#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H

#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"

namespace clang {
namespace ento {
namespace taint {

/// The type of taint, which helps to differentiate between different types of
/// taint.
using TaintTagType = unsigned;

static constexpr TaintTagType TaintTagGeneric = 0;

/// Create a new state in which the value of the statement is marked as tainted.
LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
                                        const LocationContext *LCtx,
                                        TaintTagType Kind = TaintTagGeneric);

/// Create a new state in which the value is marked as tainted.
LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SVal V,
                                        TaintTagType Kind = TaintTagGeneric);

/// Create a new state in which the symbol is marked as tainted.
LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
                                        TaintTagType Kind = TaintTagGeneric);

/// Create a new state in which the pointer represented by the region
/// is marked as tainted.
LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State,
                                        const MemRegion *R,
                                        TaintTagType Kind = TaintTagGeneric);

LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State, SVal V);

LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State,
                                           const MemRegion *R);

LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State,
                                           SymbolRef Sym);

/// Create a new state in a which a sub-region of a given symbol is tainted.
/// This might be necessary when referring to regions that can not have an
/// individual symbol, e.g. if they are represented by the default binding of
/// a LazyCompoundVal.
LLVM_NODISCARD ProgramStateRef addPartialTaint(
    ProgramStateRef State, SymbolRef ParentSym, const SubRegion *SubRegion,
    TaintTagType Kind = TaintTagGeneric);

/// Check if the statement has a tainted value in the given state.
bool isTainted(ProgramStateRef State, const Stmt *S,
               const LocationContext *LCtx,
               TaintTagType Kind = TaintTagGeneric);

/// Check if the value is tainted in the given state.
bool isTainted(ProgramStateRef State, SVal V,
               TaintTagType Kind = TaintTagGeneric);

/// Check if the symbol is tainted in the given state.
bool isTainted(ProgramStateRef State, SymbolRef Sym,
               TaintTagType Kind = TaintTagGeneric);

/// Check if the pointer represented by the region is tainted in the given
/// state.
bool isTainted(ProgramStateRef State, const MemRegion *Reg,
               TaintTagType Kind = TaintTagGeneric);

void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
                const char *sep = "");

LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);

/// The bug visitor prints a diagnostic message at the location where a given
/// variable was tainted.
class TaintBugVisitor final : public BugReporterVisitor {
private:
  const SVal V;

public:
  TaintBugVisitor(const SVal V) : V(V) {}
  void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); }

  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                   BugReporterContext &BRC,
                                   PathSensitiveBugReport &BR) override;
};

} // namespace taint
} // namespace ento
} // namespace clang

#endif

Line	Count	Source
1		//=== Taint.h - Taint tracking and basic propagation rules. --------- C++ --//
2		//
3		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4		// See https://llvm.org/LICENSE.txt for license information.
5		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6		//
7		//===----------------------------------------------------------------------===//
8		//
9		// Defines basic, non-domain-specific mechanisms for tracking tainted values.
10		//
11		//===----------------------------------------------------------------------===//
12
13		#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
14		#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
15
16		#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
17		#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
18
19		namespace clang {
20		namespace ento {
21		namespace taint {
22
23		/// The type of taint, which helps to differentiate between different types of
24		/// taint.
25		using TaintTagType = unsigned;
26
27		static constexpr TaintTagType TaintTagGeneric = 0;
28
29		/// Create a new state in which the value of the statement is marked as tainted.
30		LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
31		const LocationContext *LCtx,
32		TaintTagType Kind = TaintTagGeneric);
33
34		/// Create a new state in which the value is marked as tainted.
35		LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SVal V,
36		TaintTagType Kind = TaintTagGeneric);
37
38		/// Create a new state in which the symbol is marked as tainted.
39		LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
40		TaintTagType Kind = TaintTagGeneric);
41
42		/// Create a new state in which the pointer represented by the region
43		/// is marked as tainted.
44		LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State,
45		const MemRegion *R,
46		TaintTagType Kind = TaintTagGeneric);
47
48		LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State, SVal V);
49
50		LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State,
51		const MemRegion *R);
52
53		LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State,
54		SymbolRef Sym);
55
56		/// Create a new state in a which a sub-region of a given symbol is tainted.
57		/// This might be necessary when referring to regions that can not have an
58		/// individual symbol, e.g. if they are represented by the default binding of
59		/// a LazyCompoundVal.
60		LLVM_NODISCARD ProgramStateRef addPartialTaint(
61		ProgramStateRef State, SymbolRef ParentSym, const SubRegion *SubRegion,
62		TaintTagType Kind = TaintTagGeneric);
63
64		/// Check if the statement has a tainted value in the given state.
65		bool isTainted(ProgramStateRef State, const Stmt *S,
66		const LocationContext *LCtx,
67		TaintTagType Kind = TaintTagGeneric);
68
69		/// Check if the value is tainted in the given state.
70		bool isTainted(ProgramStateRef State, SVal V,
71		TaintTagType Kind = TaintTagGeneric);
72
73		/// Check if the symbol is tainted in the given state.
74		bool isTainted(ProgramStateRef State, SymbolRef Sym,
75		TaintTagType Kind = TaintTagGeneric);
76
77		/// Check if the pointer represented by the region is tainted in the given
78		/// state.
79		bool isTainted(ProgramStateRef State, const MemRegion *Reg,
80		TaintTagType Kind = TaintTagGeneric);
81
82		void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
83		const char *sep = "");
84
85		LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);
86
87		/// The bug visitor prints a diagnostic message at the location where a given
88		/// variable was tainted.
89		class TaintBugVisitor final : public BugReporterVisitor {
90		private:
91		const SVal V;
92
93		public:
94	357	TaintBugVisitor(const SVal V) : V(V) {}
95	357	void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); }
96
97		PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
98		BugReporterContext &BRC,
99		PathSensitiveBugReport &BR) override;
100		};
101
102		} // namespace taint
103		} // namespace ento
104		} // namespace clang
105
106		#endif

Coverage Report

Created: 2022-05-14 11:35