Taint.h source code [clang/include/clang/StaticAnalyzer/Checkers/Taint.h]

1	//=== Taint.h - Taint tracking and basic propagation rules. --------- C++ --//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// Defines basic, non-domain-specific mechanisms for tracking tainted values.
10	//
11	//===----------------------------------------------------------------------===//
12
13	#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
14	#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
15
16	#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
17	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
18
19	namespace clang {
20	namespace ento {
21	namespace taint {
22
23	/// The type of taint, which helps to differentiate between different types of
24	/// taint.
25	using TaintTagType = unsigned;
26
27	static constexpr TaintTagType TaintTagGeneric = `0`;
28
29	/// Create a new state in which the value of the statement is marked as tainted.
30	[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
31	const LocationContext *LCtx,
32	TaintTagType Kind = TaintTagGeneric);
33
34	/// Create a new state in which the value is marked as tainted.
35	[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SVal V,
36	TaintTagType Kind = TaintTagGeneric);
37
38	/// Create a new state in which the symbol is marked as tainted.
39	[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
40	TaintTagType Kind = TaintTagGeneric);
41
42	/// Create a new state in which the pointer represented by the region
43	/// is marked as tainted.
44	[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State,
45	const MemRegion *R,
46	TaintTagType Kind = TaintTagGeneric);
47
48	[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SVal V);
49
50	[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State,
51	const MemRegion *R);
52
53	[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SymbolRef Sym);
54
55	/// Create a new state in a which a sub-region of a given symbol is tainted.
56	/// This might be necessary when referring to regions that can not have an
57	/// individual symbol, e.g. if they are represented by the default binding of
58	/// a LazyCompoundVal.
59	[[nodiscard]] ProgramStateRef
60	addPartialTaint(ProgramStateRef State, SymbolRef ParentSym,
61	const SubRegion *SubRegion,
62	TaintTagType Kind = TaintTagGeneric);
63
64	/// Check if the statement has a tainted value in the given state.
65	bool isTainted(ProgramStateRef State, const Stmt *S,
66	const LocationContext *LCtx,
67	TaintTagType Kind = TaintTagGeneric);
68
69	/// Check if the value is tainted in the given state.
70	bool isTainted(ProgramStateRef State, SVal V,
71	TaintTagType Kind = TaintTagGeneric);
72
73	/// Check if the symbol is tainted in the given state.
74	bool isTainted(ProgramStateRef State, SymbolRef Sym,
75	TaintTagType Kind = TaintTagGeneric);
76
77	/// Check if the pointer represented by the region is tainted in the given
78	/// state.
79	bool isTainted(ProgramStateRef State, const MemRegion *Reg,
80	TaintTagType Kind = TaintTagGeneric);
81
82	/// Returns the tainted Symbols for a given Statement and state.
83	std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, const Stmt *S,
84	const LocationContext *LCtx,
85	TaintTagType Kind = TaintTagGeneric);
86
87	/// Returns the tainted Symbols for a given SVal and state.
88	std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SVal V,
89	TaintTagType Kind = TaintTagGeneric);
90
91	/// Returns the tainted Symbols for a SymbolRef and state.
92	std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SymbolRef Sym,
93	TaintTagType Kind = TaintTagGeneric);
94
95	/// Returns the tainted (index, super/sub region, symbolic region) symbols
96	/// for a given memory region.
97	std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State,
98	const MemRegion *Reg,
99	TaintTagType Kind = TaintTagGeneric);
100
101	std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
102	const Stmt *S,
103	const LocationContext *LCtx,
104	TaintTagType Kind,
105	bool returnFirstOnly);
106
107	std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State, SVal V,
108	TaintTagType Kind,
109	bool returnFirstOnly);
110
111	std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
112	SymbolRef Sym, TaintTagType Kind,
113	bool returnFirstOnly);
114
115	std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
116	const MemRegion *Reg,
117	TaintTagType Kind,
118	bool returnFirstOnly);
119
120	void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
121	const char *sep = "");
122
123	LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);
124	} // namespace taint
125	} // namespace ento
126	} // namespace clang
127
128	#endif
129

source code of clang/include/clang/StaticAnalyzer/Checkers/Taint.h