1 //= ProgramState.cpp - Path-Sensitive "State" for tracking values --*- C++ -*--=
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file implements ProgramState and ProgramStateManager.
12 //===----------------------------------------------------------------------===//
14 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
15 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
16 #include "clang/Analysis/CFG.h"
17 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
18 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/TaintManager.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
22 #include "llvm/Support/raw_ostream.h"
24 using namespace clang;
27 namespace clang { namespace ento {
28 /// Increments the number of times this state is referenced.
30 void ProgramStateRetain(const ProgramState *state) {
31 ++const_cast<ProgramState*>(state)->refCount;
34 /// Decrement the number of times this state is referenced.
35 void ProgramStateRelease(const ProgramState *state) {
36 assert(state->refCount > 0);
37 ProgramState *s = const_cast<ProgramState*>(state);
38 if (--s->refCount == 0) {
39 ProgramStateManager &Mgr = s->getStateManager();
40 Mgr.StateSet.RemoveNode(s);
42 Mgr.freeStates.push_back(s);
47 ProgramState::ProgramState(ProgramStateManager *mgr, const Environment& env,
48 StoreRef st, GenericDataMap gdm)
54 stateMgr->getStoreManager().incrementReferenceCount(store);
57 ProgramState::ProgramState(const ProgramState &RHS)
58 : llvm::FoldingSetNode(),
59 stateMgr(RHS.stateMgr),
64 stateMgr->getStoreManager().incrementReferenceCount(store);
67 ProgramState::~ProgramState() {
69 stateMgr->getStoreManager().decrementReferenceCount(store);
72 ProgramStateManager::ProgramStateManager(ASTContext &Ctx,
73 StoreManagerCreator CreateSMgr,
74 ConstraintManagerCreator CreateCMgr,
75 llvm::BumpPtrAllocator &alloc,
77 : Eng(SubEng), EnvMgr(alloc), GDMFactory(alloc),
78 svalBuilder(createSimpleSValBuilder(alloc, Ctx, *this)),
79 CallEventMgr(new CallEventManager(alloc)), Alloc(alloc) {
80 StoreMgr = (*CreateSMgr)(*this);
81 ConstraintMgr = (*CreateCMgr)(*this, SubEng);
85 ProgramStateManager::~ProgramStateManager() {
86 for (GDMContextsTy::iterator I=GDMContexts.begin(), E=GDMContexts.end();
88 I->second.second(I->second.first);
92 ProgramStateManager::removeDeadBindings(ProgramStateRef state,
93 const StackFrameContext *LCtx,
94 SymbolReaper& SymReaper) {
96 // This code essentially performs a "mark-and-sweep" of the VariableBindings.
97 // The roots are any Block-level exprs and Decls that our liveness algorithm
98 // tells us are live. We then see what Decls they may reference, and keep
99 // those around. This code more than likely can be made faster, and the
100 // frequency of which this method is called should be experimented with
101 // for optimum performance.
102 ProgramState NewState = *state;
104 NewState.Env = EnvMgr.removeDeadBindings(NewState.Env, SymReaper, state);
106 // Clean up the store.
107 StoreRef newStore = StoreMgr->removeDeadBindings(NewState.getStore(), LCtx,
109 NewState.setStore(newStore);
110 SymReaper.setReapedStore(newStore);
112 ProgramStateRef Result = getPersistentState(NewState);
113 return ConstraintMgr->removeDeadBindings(Result, SymReaper);
116 ProgramStateRef ProgramState::bindLoc(Loc LV,
118 const LocationContext *LCtx,
119 bool notifyChanges) const {
120 ProgramStateManager &Mgr = getStateManager();
121 ProgramStateRef newState = makeWithStore(Mgr.StoreMgr->Bind(getStore(),
123 const MemRegion *MR = LV.getAsRegion();
124 if (MR && Mgr.getOwningEngine() && notifyChanges)
125 return Mgr.getOwningEngine()->processRegionChange(newState, MR, LCtx);
131 ProgramState::bindDefaultInitial(SVal loc, SVal V,
132 const LocationContext *LCtx) const {
133 ProgramStateManager &Mgr = getStateManager();
134 const MemRegion *R = loc.castAs<loc::MemRegionVal>().getRegion();
135 const StoreRef &newStore = Mgr.StoreMgr->BindDefaultInitial(getStore(), R, V);
136 ProgramStateRef new_state = makeWithStore(newStore);
137 return Mgr.getOwningEngine()
138 ? Mgr.getOwningEngine()->processRegionChange(new_state, R, LCtx)
143 ProgramState::bindDefaultZero(SVal loc, const LocationContext *LCtx) const {
144 ProgramStateManager &Mgr = getStateManager();
145 const MemRegion *R = loc.castAs<loc::MemRegionVal>().getRegion();
146 const StoreRef &newStore = Mgr.StoreMgr->BindDefaultZero(getStore(), R);
147 ProgramStateRef new_state = makeWithStore(newStore);
148 return Mgr.getOwningEngine()
149 ? Mgr.getOwningEngine()->processRegionChange(new_state, R, LCtx)
153 typedef ArrayRef<const MemRegion *> RegionList;
154 typedef ArrayRef<SVal> ValueList;
157 ProgramState::invalidateRegions(RegionList Regions,
158 const Expr *E, unsigned Count,
159 const LocationContext *LCtx,
160 bool CausedByPointerEscape,
161 InvalidatedSymbols *IS,
162 const CallEvent *Call,
163 RegionAndSymbolInvalidationTraits *ITraits) const {
164 SmallVector<SVal, 8> Values;
165 for (RegionList::const_iterator I = Regions.begin(),
166 End = Regions.end(); I != End; ++I)
167 Values.push_back(loc::MemRegionVal(*I));
169 return invalidateRegionsImpl(Values, E, Count, LCtx, CausedByPointerEscape,
174 ProgramState::invalidateRegions(ValueList Values,
175 const Expr *E, unsigned Count,
176 const LocationContext *LCtx,
177 bool CausedByPointerEscape,
178 InvalidatedSymbols *IS,
179 const CallEvent *Call,
180 RegionAndSymbolInvalidationTraits *ITraits) const {
182 return invalidateRegionsImpl(Values, E, Count, LCtx, CausedByPointerEscape,
187 ProgramState::invalidateRegionsImpl(ValueList Values,
188 const Expr *E, unsigned Count,
189 const LocationContext *LCtx,
190 bool CausedByPointerEscape,
191 InvalidatedSymbols *IS,
192 RegionAndSymbolInvalidationTraits *ITraits,
193 const CallEvent *Call) const {
194 ProgramStateManager &Mgr = getStateManager();
195 SubEngine* Eng = Mgr.getOwningEngine();
197 InvalidatedSymbols Invalidated;
201 RegionAndSymbolInvalidationTraits ITraitsLocal;
203 ITraits = &ITraitsLocal;
206 StoreManager::InvalidatedRegions TopLevelInvalidated;
207 StoreManager::InvalidatedRegions Invalidated;
208 const StoreRef &newStore
209 = Mgr.StoreMgr->invalidateRegions(getStore(), Values, E, Count, LCtx, Call,
210 *IS, *ITraits, &TopLevelInvalidated,
213 ProgramStateRef newState = makeWithStore(newStore);
215 if (CausedByPointerEscape) {
216 newState = Eng->notifyCheckersOfPointerEscape(newState, IS,
222 return Eng->processRegionChanges(newState, IS, TopLevelInvalidated,
223 Invalidated, LCtx, Call);
226 const StoreRef &newStore =
227 Mgr.StoreMgr->invalidateRegions(getStore(), Values, E, Count, LCtx, Call,
228 *IS, *ITraits, nullptr, nullptr);
229 return makeWithStore(newStore);
232 ProgramStateRef ProgramState::killBinding(Loc LV) const {
233 assert(!LV.getAs<loc::MemRegionVal>() && "Use invalidateRegion instead.");
235 Store OldStore = getStore();
236 const StoreRef &newStore =
237 getStateManager().StoreMgr->killBinding(OldStore, LV);
239 if (newStore.getStore() == OldStore)
242 return makeWithStore(newStore);
246 ProgramState::enterStackFrame(const CallEvent &Call,
247 const StackFrameContext *CalleeCtx) const {
248 const StoreRef &NewStore =
249 getStateManager().StoreMgr->enterStackFrame(getStore(), Call, CalleeCtx);
250 return makeWithStore(NewStore);
253 SVal ProgramState::getSValAsScalarOrLoc(const MemRegion *R) const {
254 // We only want to do fetches from regions that we can actually bind
255 // values. For example, SymbolicRegions of type 'id<...>' cannot
256 // have direct bindings (but their can be bindings on their subregions).
257 if (!R->isBoundable())
260 if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) {
261 QualType T = TR->getValueType();
262 if (Loc::isLocType(T) || T->isIntegralOrEnumerationType())
269 SVal ProgramState::getSVal(Loc location, QualType T) const {
270 SVal V = getRawSVal(location, T);
272 // If 'V' is a symbolic value that is *perfectly* constrained to
273 // be a constant value, use that value instead to lessen the burden
274 // on later analysis stages (so we have less symbolic values to reason
276 // We only go into this branch if we can convert the APSInt value we have
277 // to the type of T, which is not always the case (e.g. for void).
278 if (!T.isNull() && (T->isIntegralOrEnumerationType() || Loc::isLocType(T))) {
279 if (SymbolRef sym = V.getAsSymbol()) {
280 if (const llvm::APSInt *Int = getStateManager()
281 .getConstraintManager()
282 .getSymVal(this, sym)) {
283 // FIXME: Because we don't correctly model (yet) sign-extension
284 // and truncation of symbolic values, we need to convert
285 // the integer value to the correct signedness and bitwidth.
287 // This shows up in the following:
290 // unsigned x = foo();
294 // The symbolic value stored to 'x' is actually the conjured
295 // symbol for the call to foo(); the type of that symbol is 'char',
297 const llvm::APSInt &NewV = getBasicVals().Convert(T, *Int);
300 return loc::ConcreteInt(NewV);
302 return nonloc::ConcreteInt(NewV);
310 ProgramStateRef ProgramState::BindExpr(const Stmt *S,
311 const LocationContext *LCtx,
312 SVal V, bool Invalidate) const{
314 getStateManager().EnvMgr.bindExpr(Env, EnvironmentEntry(S, LCtx), V,
319 ProgramState NewSt = *this;
321 return getStateManager().getPersistentState(NewSt);
324 ProgramStateRef ProgramState::assumeInBound(DefinedOrUnknownSVal Idx,
325 DefinedOrUnknownSVal UpperBound,
327 QualType indexTy) const {
328 if (Idx.isUnknown() || UpperBound.isUnknown())
331 // Build an expression for 0 <= Idx < UpperBound.
332 // This is the same as Idx + MIN < UpperBound + MIN, if overflow is allowed.
333 // FIXME: This should probably be part of SValBuilder.
334 ProgramStateManager &SM = getStateManager();
335 SValBuilder &svalBuilder = SM.getSValBuilder();
336 ASTContext &Ctx = svalBuilder.getContext();
338 // Get the offset: the minimum value of the array index type.
339 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
340 if (indexTy.isNull())
341 indexTy = svalBuilder.getArrayIndexType();
342 nonloc::ConcreteInt Min(BVF.getMinValue(indexTy));
345 SVal newIdx = svalBuilder.evalBinOpNN(this, BO_Add,
346 Idx.castAs<NonLoc>(), Min, indexTy);
347 if (newIdx.isUnknownOrUndef())
350 // Adjust the upper bound.
352 svalBuilder.evalBinOpNN(this, BO_Add, UpperBound.castAs<NonLoc>(),
355 if (newBound.isUnknownOrUndef())
358 // Build the actual comparison.
359 SVal inBound = svalBuilder.evalBinOpNN(this, BO_LT, newIdx.castAs<NonLoc>(),
360 newBound.castAs<NonLoc>(), Ctx.IntTy);
361 if (inBound.isUnknownOrUndef())
364 // Finally, let the constraint manager take care of it.
365 ConstraintManager &CM = SM.getConstraintManager();
366 return CM.assume(this, inBound.castAs<DefinedSVal>(), Assumption);
369 ConditionTruthVal ProgramState::isNonNull(SVal V) const {
370 ConditionTruthVal IsNull = isNull(V);
371 if (IsNull.isUnderconstrained())
373 return ConditionTruthVal(!IsNull.getValue());
376 ConditionTruthVal ProgramState::areEqual(SVal Lhs, SVal Rhs) const {
377 return stateMgr->getSValBuilder().areEqual(this, Lhs, Rhs);
380 ConditionTruthVal ProgramState::isNull(SVal V) const {
381 if (V.isZeroConstant())
387 SymbolRef Sym = V.getAsSymbol(/* IncludeBaseRegion */ true);
389 return ConditionTruthVal();
391 return getStateManager().ConstraintMgr->isNull(this, Sym);
394 ProgramStateRef ProgramStateManager::getInitialState(const LocationContext *InitLoc) {
395 ProgramState State(this,
396 EnvMgr.getInitialEnvironment(),
397 StoreMgr->getInitialStore(InitLoc),
398 GDMFactory.getEmptyMap());
400 return getPersistentState(State);
403 ProgramStateRef ProgramStateManager::getPersistentStateWithGDM(
404 ProgramStateRef FromState,
405 ProgramStateRef GDMState) {
406 ProgramState NewState(*FromState);
407 NewState.GDM = GDMState->GDM;
408 return getPersistentState(NewState);
411 ProgramStateRef ProgramStateManager::getPersistentState(ProgramState &State) {
413 llvm::FoldingSetNodeID ID;
417 if (ProgramState *I = StateSet.FindNodeOrInsertPos(ID, InsertPos))
420 ProgramState *newState = nullptr;
421 if (!freeStates.empty()) {
422 newState = freeStates.back();
423 freeStates.pop_back();
426 newState = (ProgramState*) Alloc.Allocate<ProgramState>();
428 new (newState) ProgramState(State);
429 StateSet.InsertNode(newState, InsertPos);
433 ProgramStateRef ProgramState::makeWithStore(const StoreRef &store) const {
434 ProgramState NewSt(*this);
435 NewSt.setStore(store);
436 return getStateManager().getPersistentState(NewSt);
439 void ProgramState::setStore(const StoreRef &newStore) {
440 Store newStoreStore = newStore.getStore();
442 stateMgr->getStoreManager().incrementReferenceCount(newStoreStore);
444 stateMgr->getStoreManager().decrementReferenceCount(store);
445 store = newStoreStore;
448 //===----------------------------------------------------------------------===//
449 // State pretty-printing.
450 //===----------------------------------------------------------------------===//
452 void ProgramState::print(raw_ostream &Out, const char *NL, const char *Sep,
453 const LocationContext *LC) const {
455 ProgramStateManager &Mgr = getStateManager();
456 Mgr.getStoreManager().print(getStore(), Out, NL, Sep);
458 // Print out the environment.
459 Env.print(Out, NL, Sep, LC);
461 // Print out the constraints.
462 Mgr.getConstraintManager().print(this, Out, NL, Sep);
464 // Print out the tracked dynamic types.
465 printDynamicTypeInfo(this, Out, NL, Sep);
467 // Print out tainted symbols.
468 printTaint(Out, NL, Sep);
470 // Print checker-specific data.
471 Mgr.getOwningEngine()->printState(Out, this, NL, Sep, LC);
474 void ProgramState::printDOT(raw_ostream &Out, const LocationContext *LC) const {
475 print(Out, "\\l", "\\|", LC);
478 LLVM_DUMP_METHOD void ProgramState::dump() const {
482 void ProgramState::printTaint(raw_ostream &Out,
483 const char *NL, const char *Sep) const {
484 TaintMapImpl TM = get<TaintMap>();
487 Out <<"Tainted symbols:" << NL;
489 for (TaintMapImpl::iterator I = TM.begin(), E = TM.end(); I != E; ++I) {
490 Out << I->first << " : " << I->second << NL;
494 void ProgramState::dumpTaint() const {
495 printTaint(llvm::errs());
498 AnalysisManager& ProgramState::getAnalysisManager() const {
499 return stateMgr->getOwningEngine()->getAnalysisManager();
502 //===----------------------------------------------------------------------===//
504 //===----------------------------------------------------------------------===//
506 void *const* ProgramState::FindGDM(void *K) const {
507 return GDM.lookup(K);
511 ProgramStateManager::FindGDMContext(void *K,
512 void *(*CreateContext)(llvm::BumpPtrAllocator&),
513 void (*DeleteContext)(void*)) {
515 std::pair<void*, void (*)(void*)>& p = GDMContexts[K];
517 p.first = CreateContext(Alloc);
518 p.second = DeleteContext;
524 ProgramStateRef ProgramStateManager::addGDM(ProgramStateRef St, void *Key, void *Data){
525 ProgramState::GenericDataMap M1 = St->getGDM();
526 ProgramState::GenericDataMap M2 = GDMFactory.add(M1, Key, Data);
531 ProgramState NewSt = *St;
533 return getPersistentState(NewSt);
536 ProgramStateRef ProgramStateManager::removeGDM(ProgramStateRef state, void *Key) {
537 ProgramState::GenericDataMap OldM = state->getGDM();
538 ProgramState::GenericDataMap NewM = GDMFactory.remove(OldM, Key);
543 ProgramState NewState = *state;
545 return getPersistentState(NewState);
548 bool ScanReachableSymbols::scan(nonloc::LazyCompoundVal val) {
549 bool wasVisited = !visited.insert(val.getCVData()).second;
553 StoreManager &StoreMgr = state->getStateManager().getStoreManager();
554 // FIXME: We don't really want to use getBaseRegion() here because pointer
555 // arithmetic doesn't apply, but scanReachableSymbols only accepts base
556 // regions right now.
557 const MemRegion *R = val.getRegion()->getBaseRegion();
558 return StoreMgr.scanReachableSymbols(val.getStore(), R, *this);
561 bool ScanReachableSymbols::scan(nonloc::CompoundVal val) {
562 for (nonloc::CompoundVal::iterator I=val.begin(), E=val.end(); I!=E; ++I)
569 bool ScanReachableSymbols::scan(const SymExpr *sym) {
570 for (SymExpr::symbol_iterator SI = sym->symbol_begin(),
571 SE = sym->symbol_end();
573 bool wasVisited = !visited.insert(*SI).second;
577 if (!visitor.VisitSymbol(*SI))
584 bool ScanReachableSymbols::scan(SVal val) {
585 if (Optional<loc::MemRegionVal> X = val.getAs<loc::MemRegionVal>())
586 return scan(X->getRegion());
588 if (Optional<nonloc::LazyCompoundVal> X =
589 val.getAs<nonloc::LazyCompoundVal>())
592 if (Optional<nonloc::LocAsInteger> X = val.getAs<nonloc::LocAsInteger>())
593 return scan(X->getLoc());
595 if (SymbolRef Sym = val.getAsSymbol())
598 if (const SymExpr *Sym = val.getAsSymbolicExpression())
601 if (Optional<nonloc::CompoundVal> X = val.getAs<nonloc::CompoundVal>())
607 bool ScanReachableSymbols::scan(const MemRegion *R) {
608 if (isa<MemSpaceRegion>(R))
611 bool wasVisited = !visited.insert(R).second;
615 if (!visitor.VisitMemRegion(R))
618 // If this is a symbolic region, visit the symbol for the region.
619 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R))
620 if (!visitor.VisitSymbol(SR->getSymbol()))
623 // If this is a subregion, also visit the parent regions.
624 if (const SubRegion *SR = dyn_cast<SubRegion>(R)) {
625 const MemRegion *Super = SR->getSuperRegion();
629 // When we reach the topmost region, scan all symbols in it.
630 if (isa<MemSpaceRegion>(Super)) {
631 StoreManager &StoreMgr = state->getStateManager().getStoreManager();
632 if (!StoreMgr.scanReachableSymbols(state->getStore(), SR, *this))
637 // Regions captured by a block are also implicitly reachable.
638 if (const BlockDataRegion *BDR = dyn_cast<BlockDataRegion>(R)) {
639 BlockDataRegion::referenced_vars_iterator I = BDR->referenced_vars_begin(),
640 E = BDR->referenced_vars_end();
641 for ( ; I != E; ++I) {
642 if (!scan(I.getCapturedRegion()))
650 bool ProgramState::scanReachableSymbols(SVal val, SymbolVisitor& visitor) const {
651 ScanReachableSymbols S(this, visitor);
655 bool ProgramState::scanReachableSymbols(const SVal *I, const SVal *E,
656 SymbolVisitor &visitor) const {
657 ScanReachableSymbols S(this, visitor);
658 for ( ; I != E; ++I) {
665 bool ProgramState::scanReachableSymbols(const MemRegion * const *I,
666 const MemRegion * const *E,
667 SymbolVisitor &visitor) const {
668 ScanReachableSymbols S(this, visitor);
669 for ( ; I != E; ++I) {
676 ProgramStateRef ProgramState::addTaint(const Stmt *S,
677 const LocationContext *LCtx,
678 TaintTagType Kind) const {
679 if (const Expr *E = dyn_cast_or_null<Expr>(S))
680 S = E->IgnoreParens();
682 return addTaint(getSVal(S, LCtx), Kind);
685 ProgramStateRef ProgramState::addTaint(SVal V,
686 TaintTagType Kind) const {
687 SymbolRef Sym = V.getAsSymbol();
689 return addTaint(Sym, Kind);
691 // If the SVal represents a structure, try to mass-taint all values within the
692 // structure. For now it only works efficiently on lazy compound values that
693 // were conjured during a conservative evaluation of a function - either as
694 // return values of functions that return structures or arrays by value, or as
695 // values of structures or arrays passed into the function by reference,
696 // directly or through pointer aliasing. Such lazy compound values are
697 // characterized by having exactly one binding in their captured store within
698 // their parent region, which is a conjured symbol default-bound to the base
699 // region of the parent region.
700 if (auto LCV = V.getAs<nonloc::LazyCompoundVal>()) {
701 if (Optional<SVal> binding = getStateManager().StoreMgr->getDefaultBinding(*LCV)) {
702 if (SymbolRef Sym = binding->getAsSymbol())
703 return addPartialTaint(Sym, LCV->getRegion(), Kind);
707 const MemRegion *R = V.getAsRegion();
708 return addTaint(R, Kind);
711 ProgramStateRef ProgramState::addTaint(const MemRegion *R,
712 TaintTagType Kind) const {
713 if (const SymbolicRegion *SR = dyn_cast_or_null<SymbolicRegion>(R))
714 return addTaint(SR->getSymbol(), Kind);
718 ProgramStateRef ProgramState::addTaint(SymbolRef Sym,
719 TaintTagType Kind) const {
720 // If this is a symbol cast, remove the cast before adding the taint. Taint
722 while (const SymbolCast *SC = dyn_cast<SymbolCast>(Sym))
723 Sym = SC->getOperand();
725 ProgramStateRef NewState = set<TaintMap>(Sym, Kind);
730 ProgramStateRef ProgramState::addPartialTaint(SymbolRef ParentSym,
731 const SubRegion *SubRegion,
732 TaintTagType Kind) const {
733 // Ignore partial taint if the entire parent symbol is already tainted.
734 if (contains<TaintMap>(ParentSym) && *get<TaintMap>(ParentSym) == Kind)
737 // Partial taint applies if only a portion of the symbol is tainted.
738 if (SubRegion == SubRegion->getBaseRegion())
739 return addTaint(ParentSym, Kind);
741 const TaintedSubRegions *SavedRegs = get<DerivedSymTaint>(ParentSym);
742 TaintedSubRegions Regs =
743 SavedRegs ? *SavedRegs : stateMgr->TSRFactory.getEmptyMap();
745 Regs = stateMgr->TSRFactory.add(Regs, SubRegion, Kind);
746 ProgramStateRef NewState = set<DerivedSymTaint>(ParentSym, Regs);
751 bool ProgramState::isTainted(const Stmt *S, const LocationContext *LCtx,
752 TaintTagType Kind) const {
753 if (const Expr *E = dyn_cast_or_null<Expr>(S))
754 S = E->IgnoreParens();
756 SVal val = getSVal(S, LCtx);
757 return isTainted(val, Kind);
760 bool ProgramState::isTainted(SVal V, TaintTagType Kind) const {
761 if (const SymExpr *Sym = V.getAsSymExpr())
762 return isTainted(Sym, Kind);
763 if (const MemRegion *Reg = V.getAsRegion())
764 return isTainted(Reg, Kind);
768 bool ProgramState::isTainted(const MemRegion *Reg, TaintTagType K) const {
772 // Element region (array element) is tainted if either the base or the offset
774 if (const ElementRegion *ER = dyn_cast<ElementRegion>(Reg))
775 return isTainted(ER->getSuperRegion(), K) || isTainted(ER->getIndex(), K);
777 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(Reg))
778 return isTainted(SR->getSymbol(), K);
780 if (const SubRegion *ER = dyn_cast<SubRegion>(Reg))
781 return isTainted(ER->getSuperRegion(), K);
786 bool ProgramState::isTainted(SymbolRef Sym, TaintTagType Kind) const {
790 // Traverse all the symbols this symbol depends on to see if any are tainted.
791 for (SymExpr::symbol_iterator SI = Sym->symbol_begin(), SE =Sym->symbol_end();
793 if (!isa<SymbolData>(*SI))
796 if (const TaintTagType *Tag = get<TaintMap>(*SI)) {
801 if (const SymbolDerived *SD = dyn_cast<SymbolDerived>(*SI)) {
802 // If this is a SymbolDerived with a tainted parent, it's also tainted.
803 if (isTainted(SD->getParentSymbol(), Kind))
806 // If this is a SymbolDerived with the same parent symbol as another
807 // tainted SymbolDerived and a region that's a sub-region of that tainted
808 // symbol, it's also tainted.
809 if (const TaintedSubRegions *Regs =
810 get<DerivedSymTaint>(SD->getParentSymbol())) {
811 const TypedValueRegion *R = SD->getRegion();
812 for (auto I : *Regs) {
813 // FIXME: The logic to identify tainted regions could be more
814 // complete. For example, this would not currently identify
815 // overlapping fields in a union as tainted. To identify this we can
816 // check for overlapping/nested byte offsets.
817 if (Kind == I.second && R->isSubRegionOf(I.first))
823 // If memory region is tainted, data is also tainted.
824 if (const SymbolRegionValue *SRV = dyn_cast<SymbolRegionValue>(*SI)) {
825 if (isTainted(SRV->getRegion(), Kind))
829 // If this is a SymbolCast from a tainted value, it's also tainted.
830 if (const SymbolCast *SC = dyn_cast<SymbolCast>(*SI)) {
831 if (isTainted(SC->getOperand(), Kind))
projects / FreeBSD / FreeBSD.git / blob