[analyzer] If memory region is tainted mark data as tainted.

+ random comments git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146199 91177308-0d34-0410-b5e6-96231b3b80d8
m-labs · Dec 8, 2011 · 5fc7def · 5fc7def
1 parent 1e4f68c
commit 5fc7def
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 3 deletions.
diff --git a/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h b/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
@@ -120,7 +120,7 @@ class SymbolData : public SymExpr {
   }
 };
 
-/// A symbol representing the value of a MemRegion.
+///\brief A symbol representing the value stored at a MemRegion.
 class SymbolRegionValue : public SymbolData {
   const TypedValueRegion *R;
 

diff --git a/lib/StaticAnalyzer/Core/ProgramState.cpp b/lib/StaticAnalyzer/Core/ProgramState.cpp
@@ -709,6 +709,11 @@ bool ProgramState::isTainted(const SymExpr* Sym, TaintTagType Kind) const {
     // If this is a SymbolDerived with a tainted parent, it's also tainted.
     if (const SymbolDerived *SD = dyn_cast<SymbolDerived>(*SI))
       Tainted = Tainted || isTainted(SD->getParentSymbol(), Kind);
+
+    // If memory region is tainted, data is also tainted.
+    if (const SymbolRegionValue *SRV = dyn_cast<SymbolRegionValue>(*SI))
+      Tainted = Tainted || isTainted(SRV->getRegion(), Kind);
+
     if (Tainted)
       return true;
   }

diff --git a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -97,10 +97,12 @@ SVal SimpleSValBuilder::evalCastFromNonLoc(NonLoc val, QualType castTy) {
     return UnknownVal();
   }
 
+  // If value is a non integer constant, produce unknown.
   if (!isa<nonloc::ConcreteInt>(val))
     return UnknownVal();
 
-  // Only handle casts from integers to integers.
+  // Only handle casts from integers to integers - if val is an integer constant
+  // being cast to a non integer type, produce unknown.
   if (!isLocType && !castTy->isIntegerType())
     return UnknownVal();
 

diff --git a/test/Analysis/taint-tester.c b/test/Analysis/taint-tester.c
@@ -8,7 +8,8 @@ int Buffer[BUFSIZE];
 
 struct XYStruct {
   int x;
-  float y;
+  int y;
+  char z;
 };
 
 void taintTracking(int x) {
@@ -26,9 +27,31 @@ void taintTracking(int x) {
   // Tainted ptr arithmetic/array element address.
   int tprtarithmetic1 = *(addr+1); // expected-warning 2 {{tainted}}
 
+  // Dereference.
+  int *ptr;
+  scanf("%p", &ptr);
+  int ptrDeref = *ptr; // expected-warning 2 {{tainted}}
+  int _ptrDeref = ptrDeref + 13; // expected-warning 2 {{tainted}}
+
+  // Pointer arithmetic + dereferencing.
+  // FIXME: We fail to propagate the taint here because RegionStore does not
+  // handle ElementRegions with symbolic indexes.
+  int addrDeref = *addr; // expected-warning {{tainted}}
+  int _addrDeref = addrDeref;
+
   // Tainted struct address, casts.
   struct XYStruct *xyPtr = 0;
   scanf("%p", &xyPtr);
   void *tXYStructPtr = xyPtr; // expected-warning 2 {{tainted}}
   struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning 2 {{tainted}}
+  int ptrtx = xyPtr->x;// expected-warning 2 {{tainted}}
+  int ptrty = xyPtr->y;// expected-warning 2 {{tainted}}
+
+  // Taint on fields of a struct.
+  struct XYStruct xy = {2, 3, 11};
+  scanf("%f", &xy.y);
+  scanf("%f", &xy.x);
+  int tx = xy.x; // expected-warning {{tainted}}
+  int ty = xy.y; // FIXME: This should be tainted as well.
+  char ntz = xy.z;// no warning
 }