[analyzer] Propagate taint through NonLoc to NonLoc casts.

 - Created a new SymExpr type - SymbolCast.
 - SymbolCast is created when we don't know how to simplify a NonLoc to
NonLoc casts.
 - A bit of code refactoring: introduced dispatchCast to have better
code reuse, remove a goto.
 - Updated the test case to showcase the new taint flow.

llvm-svn: 145985

1 files changed, 7 insertions, 0 deletions

diff --git a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
index 79f4348b7c1..2dafeeee00f 100644
--- a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
@@ -560,6 +560,8 @@ bool ScanReachableSymbols::scan(const SymExpr *sym) {
     case SymExpr::ExtentKind:
     case SymExpr::MetadataKind:
       break;
+    case SymExpr::CastSymbolKind:
+      return scan(cast<SymbolCast>(sym)->getOperand());
     case SymExpr::SymIntKind:
       return scan(cast<SymIntExpr>(sym)->getLHS());
     case SymExpr::SymSymKind: {
@@ -672,10 +674,15 @@ bool ProgramState::isTainted(const SymExpr* Sym, TaintTagType Kind) const {
   if (!Sym)
     return false;
 
+  // TODO: Can we use symbol_iterator (like removeDeadBindingsWorker) here?
+
   // Check taint on derived symbols.
   if (const SymbolDerived *SD = dyn_cast<SymbolDerived>(Sym))
     return isTainted(SD->getParentSymbol(), Kind);
 
+  if (const SymbolCast *SC = dyn_cast<SymbolCast>(Sym))
+    return (isTainted(SC->getOperand(), Kind));
+
   if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(Sym))
     return isTainted(SIE->getLHS(), Kind);