From c25efccc8b448341f1aa124bb6fcc37a72dc0a46 Mon Sep 17 00:00:00 2001
From: Anna Zaks
Date: Tue, 6 Dec 2011 23:12:27 +0000
Subject: [analyzer] Propagate taint through NonLoc to NonLoc casts.
- Created a new SymExpr type - SymbolCast.
- SymbolCast is created when we don't know how to simplify a NonLoc to NonLoc casts.
- A bit of code refactoring: introduced dispatchCast to have better code reuse, remove a goto.
- Updated the test case to showcase the new taint flow.
llvm-svn: 145985
---
 clang/lib/StaticAnalyzer/Core/ProgramState.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'clang/lib/StaticAnalyzer/Core/ProgramState.cpp')
diff --git a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
index 79f4348b7c1..2dafeeee00f 100644
--- a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
@@ -560,6 +560,8 @@ bool ScanReachableSymbols::scan(const SymExpr *sym) {
 case SymExpr::ExtentKind:
 case SymExpr::MetadataKind:
 break;
+ case SymExpr::CastSymbolKind:
+ return scan(cast(sym)->getOperand());
 case SymExpr::SymIntKind:
 return scan(cast(sym)->getLHS());
 case SymExpr::SymSymKind: {
@@ -672,10 +674,15 @@ bool ProgramState::isTainted(const SymExpr* Sym, TaintTagType Kind) const {
 if (!Sym)
 return false;
+ // TODO: Can we use symbol_iterator (like removeDeadBindingsWorker) here?
+
 // Check taint on derived symbols.
 if (const SymbolDerived *SD = dyn_cast(Sym))
 return isTainted(SD->getParentSymbol(), Kind);
+ if (const SymbolCast *SC = dyn_cast(Sym))
+ return (isTainted(SC->getOperand(), Kind));
+
 if (const SymIntExpr *SIE = dyn_cast(Sym))
 return isTainted(SIE->getLHS(), Kind);
-- 
cgit v1.2.3
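Review bot: The new enumerator `CastSymbolKind` reverses the word order of the class it tags, `SymbolCast`, whereas the neighbouring label `SymIntKind` follows its class `SymIntExpr` directly. A name such as `SymbolCastKind` would make the case label in `ScanReachableSymbols::scan` easier to match to the class when reading the switch. The enumerator is declared outside this diff, which is limited to ProgramState.cpp, so the rename would have to be made there. The switch starts and ends outside the hunk.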
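Review bot: The added `SymbolCast` branch in `ProgramState::isTainted` carries no comment, although it encodes a decision every taint checker depends on. The branch applies no type check, so any cast is treated as transparent and the result is tainted exactly when its operand is. I would say so above the branch, `// A cast never sanitises: the cast symbol is tainted iff its operand is.`, and drop the extra parentheses so the return matches its neighbours, `return isTainted(SC->getOperand(), Kind);`. The added TODO would be more useful if it named the concern, presumably that this hand-written chain and the switch in `ScanReachableSymbols::scan` both have to be extended for every new SymExpr kind. The function body continues outside the hunk.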