Home Explore Help
Sign In
SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git
1
0
Fork 0
Files
Tree: 677ca3a536
Branches Tags
ydb
/
contrib
/
libs
/
clang14
/
lib
/
StaticAnalyzer
/
Checkers
/
Taint.h

Taint.h 4.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106 
  1. //=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-//
    2. 

  2. //
    3. 

  3. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
    4. 

  4. // See https://llvm.org/LICENSE.txt for license information.
    5. 

  5. // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
    6. 

  6. //
    7. 

  7. //===----------------------------------------------------------------------===//
    8. 

  8. //
    9. 

  9. // Defines basic, non-domain-specific mechanisms for tracking tainted values.
    10. 

  10. //
    11. 

  11. //===----------------------------------------------------------------------===//
    12. 

  12. 

  13. #ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
    14. 

  14. #define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
    15. 

  15. 

  16. #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
    17. 

  17. #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
    18. 

  18. 

  19. namespace clang {
    20. 

  20. namespace ento {
    21. 

  21. namespace taint {
    22. 

  22. 

  23. /// The type of taint, which helps to differentiate between different types of
    24. 

  24. /// taint.
    25. 

  25. using TaintTagType = unsigned;
    26. 

  26. 

  27. static constexpr TaintTagType TaintTagGeneric = 0;
    28. 

  28. 

  29. /// Create a new state in which the value of the statement is marked as tainted.
    30. 

  30. LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
    31. 

  31.                                         const LocationContext *LCtx,
    32. 

  32.                                         TaintTagType Kind = TaintTagGeneric);
    33. 

  33. 

  34. /// Create a new state in which the value is marked as tainted.
    35. 

  35. LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SVal V,
    36. 

  36.                                         TaintTagType Kind = TaintTagGeneric);
    37. 

  37. 

  38. /// Create a new state in which the symbol is marked as tainted.
    39. 

  39. LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
    40. 

  40.                                         TaintTagType Kind = TaintTagGeneric);
    41. 

  41. 

  42. /// Create a new state in which the pointer represented by the region
    43. 

  43. /// is marked as tainted.
    44. 

  44. LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State,
    45. 

  45.                                         const MemRegion *R,
    46. 

  46.                                         TaintTagType Kind = TaintTagGeneric);
    47. 

  47. 

  48. LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State, SVal V);
    49. 

  49. 

  50. LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State,
    51. 

  51.                                            const MemRegion *R);
    52. 

  52. 

  53. LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State,
    54. 

  54.                                            SymbolRef Sym);
    55. 

  55. 

  56. /// Create a new state in a which a sub-region of a given symbol is tainted.
    57. 

  57. /// This might be necessary when referring to regions that can not have an
    58. 

  58. /// individual symbol, e.g. if they are represented by the default binding of
    59. 

  59. /// a LazyCompoundVal.
    60. 

  60. LLVM_NODISCARD ProgramStateRef addPartialTaint(
    61. 

  61.     ProgramStateRef State, SymbolRef ParentSym, const SubRegion *SubRegion,
    62. 

  62.     TaintTagType Kind = TaintTagGeneric);
    63. 

  63. 

  64. /// Check if the statement has a tainted value in the given state.
    65. 

  65. bool isTainted(ProgramStateRef State, const Stmt *S,
    66. 

  66.                const LocationContext *LCtx,
    67. 

  67.                TaintTagType Kind = TaintTagGeneric);
    68. 

  68. 

  69. /// Check if the value is tainted in the given state.
    70. 

  70. bool isTainted(ProgramStateRef State, SVal V,
    71. 

  71.                TaintTagType Kind = TaintTagGeneric);
    72. 

  72. 

  73. /// Check if the symbol is tainted in the given state.
    74. 

  74. bool isTainted(ProgramStateRef State, SymbolRef Sym,
    75. 

  75.                TaintTagType Kind = TaintTagGeneric);
    76. 

  76. 

  77. /// Check if the pointer represented by the region is tainted in the given
    78. 

  78. /// state.
    79. 

  79. bool isTainted(ProgramStateRef State, const MemRegion *Reg,
    80. 

  80.                TaintTagType Kind = TaintTagGeneric);
    81. 

  81. 

  82. void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
    83. 

  83.                 const char *sep = "");
    84. 

  84. 

  85. LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);
    86. 

  86. 

  87. /// The bug visitor prints a diagnostic message at the location where a given
    88. 

  88. /// variable was tainted.
    89. 

  89. class TaintBugVisitor final : public BugReporterVisitor {
    90. 

  90. private:
    91. 

  91.   const SVal V;
    92. 

  92. 

  93. public:
    94. 

  94.   TaintBugVisitor(const SVal V) : V(V) {}
    95. 

  95.   void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); }
    96. 

  96. 

  97.   PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
    98. 

  98.                                    BugReporterContext &BRC,
    99. 

  99.                                    PathSensitiveBugReport &BR) override;
    100. 

  100. };
    101. 

  101. 

  102. } // namespace taint
    103. 

  103. } // namespace ento
    104. 

  104. } // namespace clang
    105. 

  105. 

  106. #endif
    107.