StaticAnalyzer/Checkers/Taint.h

0001 //=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-//
0002 //
0003 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
0004 // See https://llvm.org/LICENSE.txt for license information.
0005 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
0006 //
0007 //===----------------------------------------------------------------------===//
0008 //
0009 // Defines basic, non-domain-specific mechanisms for tracking tainted values.
0010 //
0011 //===----------------------------------------------------------------------===//
0012
0013 #ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
0014 #define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
0015
0016 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
0017 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
0018
0019 namespace clang {
0020 namespace ento {
0021 namespace taint {
0022
0023 /// The type of taint, which helps to differentiate between different types of
0024 /// taint.
0025 using TaintTagType = unsigned;
0026
0027 static constexpr TaintTagType TaintTagGeneric = 0;
0028
0029 /// Create a new state in which the value of the statement is marked as tainted.
0030 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
0031                                        const LocationContext *LCtx,
0032                                        TaintTagType Kind = TaintTagGeneric);
0033
0034 /// Create a new state in which the value is marked as tainted.
0035 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SVal V,
0036                                        TaintTagType Kind = TaintTagGeneric);
0037
0038 /// Create a new state in which the symbol is marked as tainted.
0039 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
0040                                        TaintTagType Kind = TaintTagGeneric);
0041
0042 /// Create a new state in which the pointer represented by the region
0043 /// is marked as tainted.
0044 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State,
0045                                        const MemRegion *R,
0046                                        TaintTagType Kind = TaintTagGeneric);
0047
0048 [[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SVal V);
0049
0050 [[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State,
0051                                           const MemRegion *R);
0052
0053 [[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SymbolRef Sym);
0054
0055 /// Create a new state in a which a sub-region of a given symbol is tainted.
0056 /// This might be necessary when referring to regions that can not have an
0057 /// individual symbol, e.g. if they are represented by the default binding of
0058 /// a LazyCompoundVal.
0059 [[nodiscard]] ProgramStateRef
0060 addPartialTaint(ProgramStateRef State, SymbolRef ParentSym,
0061                 const SubRegion *SubRegion,
0062                 TaintTagType Kind = TaintTagGeneric);
0063
0064 /// Check if the statement has a tainted value in the given state.
0065 bool isTainted(ProgramStateRef State, const Stmt *S,
0066                const LocationContext *LCtx,
0067                TaintTagType Kind = TaintTagGeneric);
0068
0069 /// Check if the value is tainted in the given state.
0070 bool isTainted(ProgramStateRef State, SVal V,
0071                TaintTagType Kind = TaintTagGeneric);
0072
0073 /// Check if the symbol is tainted in the given state.
0074 bool isTainted(ProgramStateRef State, SymbolRef Sym,
0075                TaintTagType Kind = TaintTagGeneric);
0076
0077 /// Check if the pointer represented by the region is tainted in the given
0078 /// state.
0079 bool isTainted(ProgramStateRef State, const MemRegion *Reg,
0080                TaintTagType Kind = TaintTagGeneric);
0081
0082 /// Returns the tainted Symbols for a given Statement and state.
0083 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, const Stmt *S,
0084                                          const LocationContext *LCtx,
0085                                          TaintTagType Kind = TaintTagGeneric);
0086
0087 /// Returns the tainted Symbols for a given SVal and state.
0088 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SVal V,
0089                                          TaintTagType Kind = TaintTagGeneric);
0090
0091 /// Returns the tainted Symbols for a SymbolRef and state.
0092 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SymbolRef Sym,
0093                                          TaintTagType Kind = TaintTagGeneric);
0094
0095 /// Returns the tainted (index, super/sub region, symbolic region) symbols
0096 /// for a given memory region.
0097 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State,
0098                                          const MemRegion *Reg,
0099                                          TaintTagType Kind = TaintTagGeneric);
0100
0101 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
0102                                              const Stmt *S,
0103                                              const LocationContext *LCtx,
0104                                              TaintTagType Kind,
0105                                              bool returnFirstOnly);
0106
0107 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State, SVal V,
0108                                              TaintTagType Kind,
0109                                              bool returnFirstOnly);
0110
0111 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
0112                                              SymbolRef Sym, TaintTagType Kind,
0113                                              bool returnFirstOnly);
0114
0115 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
0116                                              const MemRegion *Reg,
0117                                              TaintTagType Kind,
0118                                              bool returnFirstOnly);
0119
0120 void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
0121                 const char *sep = "");
0122
0123 LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);
0124 } // namespace taint
0125 } // namespace ento
0126 } // namespace clang
0127
0128 #endif