clang  19.0.0git
Taint.h
Go to the documentation of this file.
1 //=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // Defines basic, non-domain-specific mechanisms for tracking tainted values.
10 //
11 //===----------------------------------------------------------------------===//
12 
13 #ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
14 #define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
15 
16 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
17 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
18 
19 namespace clang {
20 namespace ento {
21 namespace taint {
22 
23 /// The type of taint, which helps to differentiate between different types of
24 /// taint.
25 using TaintTagType = unsigned;
26 
27 static constexpr TaintTagType TaintTagGeneric = 0;
28 
29 /// Create a new state in which the value of the statement is marked as tainted.
30 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
31  const LocationContext *LCtx,
32  TaintTagType Kind = TaintTagGeneric);
33 
34 /// Create a new state in which the value is marked as tainted.
35 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SVal V,
36  TaintTagType Kind = TaintTagGeneric);
37 
38 /// Create a new state in which the symbol is marked as tainted.
39 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
40  TaintTagType Kind = TaintTagGeneric);
41 
42 /// Create a new state in which the pointer represented by the region
43 /// is marked as tainted.
44 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State,
45  const MemRegion *R,
46  TaintTagType Kind = TaintTagGeneric);
47 
48 [[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SVal V);
49 
50 [[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State,
51  const MemRegion *R);
52 
53 [[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SymbolRef Sym);
54 
55 /// Create a new state in a which a sub-region of a given symbol is tainted.
56 /// This might be necessary when referring to regions that can not have an
57 /// individual symbol, e.g. if they are represented by the default binding of
58 /// a LazyCompoundVal.
59 [[nodiscard]] ProgramStateRef
60 addPartialTaint(ProgramStateRef State, SymbolRef ParentSym,
61  const SubRegion *SubRegion,
62  TaintTagType Kind = TaintTagGeneric);
63 
64 /// Check if the statement has a tainted value in the given state.
65 bool isTainted(ProgramStateRef State, const Stmt *S,
66  const LocationContext *LCtx,
67  TaintTagType Kind = TaintTagGeneric);
68 
69 /// Check if the value is tainted in the given state.
70 bool isTainted(ProgramStateRef State, SVal V,
71  TaintTagType Kind = TaintTagGeneric);
72 
73 /// Check if the symbol is tainted in the given state.
74 bool isTainted(ProgramStateRef State, SymbolRef Sym,
75  TaintTagType Kind = TaintTagGeneric);
76 
77 /// Check if the pointer represented by the region is tainted in the given
78 /// state.
79 bool isTainted(ProgramStateRef State, const MemRegion *Reg,
80  TaintTagType Kind = TaintTagGeneric);
81 
82 /// Returns the tainted Symbols for a given Statement and state.
83 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, const Stmt *S,
84  const LocationContext *LCtx,
85  TaintTagType Kind = TaintTagGeneric);
86 
87 /// Returns the tainted Symbols for a given SVal and state.
88 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SVal V,
89  TaintTagType Kind = TaintTagGeneric);
90 
91 /// Returns the tainted Symbols for a SymbolRef and state.
92 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SymbolRef Sym,
93  TaintTagType Kind = TaintTagGeneric);
94 
95 /// Returns the tainted (index, super/sub region, symbolic region) symbols
96 /// for a given memory region.
97 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State,
98  const MemRegion *Reg,
99  TaintTagType Kind = TaintTagGeneric);
100 
101 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
102  const Stmt *S,
103  const LocationContext *LCtx,
104  TaintTagType Kind,
105  bool returnFirstOnly);
106 
107 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State, SVal V,
108  TaintTagType Kind,
109  bool returnFirstOnly);
110 
111 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
112  SymbolRef Sym, TaintTagType Kind,
113  bool returnFirstOnly);
114 
115 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
116  const MemRegion *Reg,
117  TaintTagType Kind,
118  bool returnFirstOnly);
119 
120 void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
121  const char *sep = "");
122 
123 LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);
124 } // namespace taint
125 } // namespace ento
126 } // namespace clang
127 
128 #endif
V
#define V(N, I)
Definition: ASTContext.h:3299
State
LineState State
Definition: UnwrappedLineFormatter.cpp:1193
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SubRegion
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:441
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:30
clang::ento::taint::getTaintedSymbolsImpl
std::vector< SymbolRef > getTaintedSymbolsImpl(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind, bool returnFirstOnly)
Definition: Taint.cpp:193
clang::ento::taint::addTaint
ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Create a new state in which the value of the statement is marked as tainted.
Definition: Taint.cpp:45
clang::ento::taint::getTaintedSymbols
std::vector< SymbolRef > getTaintedSymbols(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Returns the tainted Symbols for a given Statement and state.
Definition: Taint.cpp:169
clang::ento::taint::isTainted
bool isTainted(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Check if the statement has a tainted value in the given state.
Definition: Taint.cpp:147
clang::ento::taint::removeTaint
ProgramStateRef removeTaint(ProgramStateRef State, SVal V)
Definition: Taint.cpp:98
clang::ento::taint::printTaint
void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl="\n", const char *sep="")
clang::ento::taint::addPartialTaint
ProgramStateRef addPartialTaint(ProgramStateRef State, SymbolRef ParentSym, const SubRegion *SubRegion, TaintTagType Kind=TaintTagGeneric)
Create a new state in a which a sub-region of a given symbol is tainted.
Definition: Taint.cpp:124
clang::ento::taint::dumpTaint
LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State)
Definition: Taint.cpp:41
clang::ento::taint::TaintTagGeneric
static constexpr TaintTagType TaintTagGeneric
Definition: Taint.h:27
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
Generated on Tue Jul 2 2024 01:37:20 for clang by doxygen 1.9.1