This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Prepare generic taint checker for new sources
ClosedPublic

Authored by boga95 on Mar 6 2019, 2:47 PM.

Download Raw Diff

Details

Reviewers

gerazo
xazax.hun
Szelethus
a_sidorin
dcoughlin
george.karpenkov
NoQ

Commits

rG2827349c9d7e: [analyzer] Use the new infrastructure of expressing taint propagation, NFC
rL355703: [analyzer] Use the new infrastructure of expressing taint propagation, NFC
rC355703: [analyzer] Use the new infrastructure of expressing taint propagation, NFC

Summary

Previously the taint propagation rules and the taint sources were checked in different steps.
Taint propagation goes in two steps: addSourcesPre marked the tainted arguments and the return value, then the propagateFromPre set the tainted flag. After that addSourcesPost set the tainted flag for the source function's(scanf, socket, e.g) arguments or return value.
There is no reason why it should be that way. A source function can be interpreted as a propagation rule when no srcArg is defined.
I modified the TaintPropagationRule to support source functions and merged them with the propagation rules.

Diff Detail

Repository: rC Clang

Event Timeline

boga95 created this revision.Mar 6 2019, 2:47 PM

Herald added subscribers: cfe-commits, Charusso, dkrupp and 7 others. · View Herald TranscriptMar 6 2019, 2:47 PM

Ok, so "source" functions are now merely "propagate from nothing" functions? Fair enough!

This revision is now accepted and ready to land.Mar 7 2019, 4:15 PM

Yes, they do. Thanks for the review.

Cheers!

Closed by commit rC355703: [analyzer] Use the new infrastructure of expressing taint propagation, NFC (authored by Szelethus). · Explain WhyMar 8 2019, 7:47 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Checkers/

GenericTaintChecker.cpp

184 lines

Diff 189860

lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 Lines • Show All 56 Lines • ▼ Show 20 Lines	private:
bool checkPre(const CallExpr *CE, CheckerContext &C) const;		bool checkPre(const CallExpr *CE, CheckerContext &C) const;

/// Add taint sources on a pre-visit.		/// Add taint sources on a pre-visit.
void addSourcesPre(const CallExpr *CE, CheckerContext &C) const;		void addSourcesPre(const CallExpr *CE, CheckerContext &C) const;

/// Propagate taint generated at pre-visit.		/// Propagate taint generated at pre-visit.
bool propagateFromPre(const CallExpr *CE, CheckerContext &C) const;		bool propagateFromPre(const CallExpr *CE, CheckerContext &C) const;

/// Add taint sources on a post visit.
void addSourcesPost(const CallExpr *CE, CheckerContext &C) const;

/// Check if the region the expression evaluates to is the standard input,		/// Check if the region the expression evaluates to is the standard input,
/// and thus, is tainted.		/// and thus, is tainted.
static bool isStdin(const Expr *E, CheckerContext &C);		static bool isStdin(const Expr *E, CheckerContext &C);

/// Given a pointer argument, return the value it points to.		/// Given a pointer argument, return the value it points to.
static Optional<SVal> getPointedToSVal(CheckerContext &C, const Expr *Arg);		static Optional<SVal> getPointedToSVal(CheckerContext &C, const Expr *Arg);

/// Functions defining the attack surface.
using FnCheck = ProgramStateRef (GenericTaintChecker::*)(
const CallExpr *, CheckerContext &C) const;
ProgramStateRef postScanf(const CallExpr *CE, CheckerContext &C) const;
ProgramStateRef postSocket(const CallExpr *CE, CheckerContext &C) const;
ProgramStateRef postRetTaint(const CallExpr *CE, CheckerContext &C) const;

/// Taint the scanned input if the file is tainted.
ProgramStateRef preFscanf(const CallExpr *CE, CheckerContext &C) const;

/// Check for CWE-134: Uncontrolled Format String.		/// Check for CWE-134: Uncontrolled Format String.
static const char MsgUncontrolledFormatString[];		static const char MsgUncontrolledFormatString[];
bool checkUncontrolledFormatString(const CallExpr *CE,		bool checkUncontrolledFormatString(const CallExpr *CE,
CheckerContext &C) const;		CheckerContext &C) const;

/// Check for:		/// Check for:
/// CERT/STR02-C. "Sanitize data passed to complex subsystems"		/// CERT/STR02-C. "Sanitize data passed to complex subsystems"
/// CWE-78, "Failure to Sanitize Data into an OS Command"		/// CWE-78, "Failure to Sanitize Data into an OS Command"
Show All 20 Lines	private:
/// src list to specify that all of the arguments can introduce taint. Use		/// src list to specify that all of the arguments can introduce taint. Use
/// InvalidArgIndex in the dst arguments to signify that all the non-const		/// InvalidArgIndex in the dst arguments to signify that all the non-const
/// pointer and reference arguments might be tainted on return. If		/// pointer and reference arguments might be tainted on return. If
/// ReturnValueIndex is added to the dst list, the return value will be		/// ReturnValueIndex is added to the dst list, the return value will be
/// tainted.		/// tainted.
struct TaintPropagationRule {		struct TaintPropagationRule {
enum class VariadicType { None, Src, Dst };		enum class VariadicType { None, Src, Dst };

		using PropagationFuncType = bool ()(bool IsTainted, const CallExpr ,
		CheckerContext &C);

/// List of arguments which can be taint sources and should be checked.		/// List of arguments which can be taint sources and should be checked.
ArgVector SrcArgs;		ArgVector SrcArgs;
/// List of arguments which should be tainted on function return.		/// List of arguments which should be tainted on function return.
ArgVector DstArgs;		ArgVector DstArgs;
/// Index for the first variadic parameter if exist.		/// Index for the first variadic parameter if exist.
unsigned VariadicIndex;		unsigned VariadicIndex;
/// Show when a function has variadic parameters. If it has, it marks all		/// Show when a function has variadic parameters. If it has, it marks all
/// of them as source or destination.		/// of them as source or destination.
VariadicType VarType;		VariadicType VarType;
		/// Special function for tainted source determination. If defined, it can
		/// override the default behavior.
		PropagationFuncType PropagationFunc;

TaintPropagationRule()		TaintPropagationRule()
: VariadicIndex(InvalidArgIndex), VarType(VariadicType::None) {}		: VariadicIndex(InvalidArgIndex), VarType(VariadicType::None),
		PropagationFunc(nullptr) {}

TaintPropagationRule(std::initializer_list<unsigned> &&Src,		TaintPropagationRule(std::initializer_list<unsigned> &&Src,
std::initializer_list<unsigned> &&Dst,		std::initializer_list<unsigned> &&Dst,
VariadicType Var = VariadicType::None,		VariadicType Var = VariadicType::None,
unsigned VarIndex = InvalidArgIndex)		unsigned VarIndex = InvalidArgIndex,
		PropagationFuncType Func = nullptr)
: SrcArgs(std::move(Src)), DstArgs(std::move(Dst)),		: SrcArgs(std::move(Src)), DstArgs(std::move(Dst)),
VariadicIndex(VarIndex), VarType(Var) {}		VariadicIndex(VarIndex), VarType(Var), PropagationFunc(Func) {}

/// Get the propagation rule for a given function.		/// Get the propagation rule for a given function.
static TaintPropagationRule		static TaintPropagationRule
getTaintPropagationRule(const FunctionDecl *FDecl, StringRef Name,		getTaintPropagationRule(const FunctionDecl *FDecl, StringRef Name,
CheckerContext &C);		CheckerContext &C);

void addSrcArg(unsigned A) { SrcArgs.push_back(A); }		void addSrcArg(unsigned A) { SrcArgs.push_back(A); }
void addDstArg(unsigned A) { DstArgs.push_back(A); }		void addDstArg(unsigned A) { DstArgs.push_back(A); }
Show All 17 Lines	static bool isTaintedOrPointsToTainted(const Expr *E, ProgramStateRef State,

Optional<SVal> V = getPointedToSVal(C, E);		Optional<SVal> V = getPointedToSVal(C, E);
return (V && State->isTainted(*V));		return (V && State->isTainted(*V));
}		}

/// Pre-process a function which propagates taint according to the		/// Pre-process a function which propagates taint according to the
/// taint rule.		/// taint rule.
ProgramStateRef process(const CallExpr *CE, CheckerContext &C) const;		ProgramStateRef process(const CallExpr *CE, CheckerContext &C) const;

		// Functions for custom taintedness propagation.
		static bool postSocket(bool IsTainted, const CallExpr *CE,
		CheckerContext &C);
};		};
};		};

const unsigned GenericTaintChecker::ReturnValueIndex;		const unsigned GenericTaintChecker::ReturnValueIndex;
const unsigned GenericTaintChecker::InvalidArgIndex;		const unsigned GenericTaintChecker::InvalidArgIndex;

const char GenericTaintChecker::MsgUncontrolledFormatString[] =		const char GenericTaintChecker::MsgUncontrolledFormatString[] =
"Untrusted data is used as a format string "		"Untrusted data is used as a format string "
Show All 20 Lines
GenericTaintChecker::TaintPropagationRule::getTaintPropagationRule(		GenericTaintChecker::TaintPropagationRule::getTaintPropagationRule(
const FunctionDecl *FDecl, StringRef Name, CheckerContext &C) {		const FunctionDecl *FDecl, StringRef Name, CheckerContext &C) {
// TODO: Currently, we might lose precision here: we always mark a return		// TODO: Currently, we might lose precision here: we always mark a return
// value as tainted even if it's just a pointer, pointing to tainted data.		// value as tainted even if it's just a pointer, pointing to tainted data.

// Check for exact name match for functions without builtin substitutes.		// Check for exact name match for functions without builtin substitutes.
TaintPropagationRule Rule =		TaintPropagationRule Rule =
llvm::StringSwitch<TaintPropagationRule>(Name)		llvm::StringSwitch<TaintPropagationRule>(Name)
		// Source functions
		// TODO: Add support for vfscanf & family.
		.Case("fdopen", TaintPropagationRule({}, {ReturnValueIndex}))
		.Case("fopen", TaintPropagationRule({}, {ReturnValueIndex}))
		.Case("freopen", TaintPropagationRule({}, {ReturnValueIndex}))
		.Case("getch", TaintPropagationRule({}, {ReturnValueIndex}))
		.Case("getchar", TaintPropagationRule({}, {ReturnValueIndex}))
		.Case("getchar_unlocked", TaintPropagationRule({}, {ReturnValueIndex}))
		.Case("getenv", TaintPropagationRule({}, {ReturnValueIndex}))
		.Case("gets", TaintPropagationRule({}, {0, ReturnValueIndex}))
		.Case("scanf", TaintPropagationRule({}, {}, VariadicType::Dst, 1))
		.Case("socket",
		TaintPropagationRule({}, {ReturnValueIndex}, VariadicType::None,
		InvalidArgIndex,
		&TaintPropagationRule::postSocket))
		.Case("wgetch", TaintPropagationRule({}, {ReturnValueIndex}))
		// Propagating functions
.Case("atoi", TaintPropagationRule({0}, {ReturnValueIndex}))		.Case("atoi", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("atol", TaintPropagationRule({0}, {ReturnValueIndex}))		.Case("atol", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("atoll", TaintPropagationRule({0}, {ReturnValueIndex}))		.Case("atoll", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("getc", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("fgetc", TaintPropagationRule({0}, {ReturnValueIndex}))		.Case("fgetc", TaintPropagationRule({0}, {ReturnValueIndex}))
		.Case("fgetln", TaintPropagationRule({0}, {ReturnValueIndex}))
		.Case("fgets", TaintPropagationRule({2}, {0, ReturnValueIndex}))
		.Case("fscanf", TaintPropagationRule({0}, {}, VariadicType::Dst, 2))
		.Case("getc", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("getc_unlocked", TaintPropagationRule({0}, {ReturnValueIndex}))		.Case("getc_unlocked", TaintPropagationRule({0}, {ReturnValueIndex}))
		.Case("getdelim", TaintPropagationRule({3}, {0}))
		.Case("getline", TaintPropagationRule({2}, {0}))
.Case("getw", TaintPropagationRule({0}, {ReturnValueIndex}))		.Case("getw", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("toupper", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("tolower", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("strchr", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("strrchr", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("read", TaintPropagationRule({0, 2}, {1, ReturnValueIndex}))
.Case("pread",		.Case("pread",
TaintPropagationRule({0, 1, 2, 3}, {1, ReturnValueIndex}))		TaintPropagationRule({0, 1, 2, 3}, {1, ReturnValueIndex}))
.Case("gets", TaintPropagationRule({}, {0, ReturnValueIndex}))		.Case("read", TaintPropagationRule({0, 2}, {1, ReturnValueIndex}))
.Case("fgets", TaintPropagationRule({2}, {0, ReturnValueIndex}))		.Case("strchr", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("getline", TaintPropagationRule({2}, {0}))		.Case("strrchr", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("getdelim", TaintPropagationRule({3}, {0}))		.Case("tolower", TaintPropagationRule({0}, {ReturnValueIndex}))
.Case("fgetln", TaintPropagationRule({0}, {ReturnValueIndex}))		.Case("toupper", TaintPropagationRule({0}, {ReturnValueIndex}))
.Default(TaintPropagationRule());		.Default(TaintPropagationRule());

if (!Rule.isNull())		if (!Rule.isNull())
return Rule;		return Rule;

// Check if it's one of the memory setting/copying functions.		// Check if it's one of the memory setting/copying functions.
// This check is specialized but faster then calling isCLibraryFunction.		// This check is specialized but faster then calling isCLibraryFunction.
unsigned BId = 0;		unsigned BId = 0;
Show All 39 Lines	GenericTaintChecker::TaintPropagationRule::getTaintPropagationRule(
// or smart memory copy:		// or smart memory copy:
// - memccpy - copying until hitting a special character.		// - memccpy - copying until hitting a special character.

return TaintPropagationRule();		return TaintPropagationRule();
}		}

void GenericTaintChecker::checkPreStmt(const CallExpr *CE,		void GenericTaintChecker::checkPreStmt(const CallExpr *CE,
CheckerContext &C) const {		CheckerContext &C) const {
// Check for errors first.		// Check for taintedness related errors first: system call, uncontrolled
		// format string, tainted buffer size.
if (checkPre(CE, C))		if (checkPre(CE, C))
return;		return;

// Add taint second.		// Marks the function's arguments and/or return value tainted if it present in
		// the list.
addSourcesPre(CE, C);		addSourcesPre(CE, C);
}		}

void GenericTaintChecker::checkPostStmt(const CallExpr *CE,		void GenericTaintChecker::checkPostStmt(const CallExpr *CE,
CheckerContext &C) const {		CheckerContext &C) const {
if (propagateFromPre(CE, C))		// Set the marked values as tainted. The return value only accessible from
return;		// checkPostStmt.
addSourcesPost(CE, C);		propagateFromPre(CE, C);
}		}

void GenericTaintChecker::addSourcesPre(const CallExpr *CE,		void GenericTaintChecker::addSourcesPre(const CallExpr *CE,
CheckerContext &C) const {		CheckerContext &C) const {
ProgramStateRef State = nullptr;		ProgramStateRef State = nullptr;
const FunctionDecl *FDecl = C.getCalleeDecl(CE);		const FunctionDecl *FDecl = C.getCalleeDecl(CE);
if (!FDecl \|\| FDecl->getKind() != Decl::Function)		if (!FDecl \|\| FDecl->getKind() != Decl::Function)
return;		return;

StringRef Name = C.getCalleeName(FDecl);		StringRef Name = C.getCalleeName(FDecl);
if (Name.empty())		if (Name.empty())
return;		return;

// First, try generating a propagation rule for this function.		// First, try generating a propagation rule for this function.
TaintPropagationRule Rule =		TaintPropagationRule Rule =
TaintPropagationRule::getTaintPropagationRule(FDecl, Name, C);		TaintPropagationRule::getTaintPropagationRule(FDecl, Name, C);
if (!Rule.isNull()) {		if (!Rule.isNull()) {
State = Rule.process(CE, C);		State = Rule.process(CE, C);
if (!State)		if (!State)
return;		return;
C.addTransition(State);		C.addTransition(State);
return;		return;
}		}

// Otherwise, check if we have custom pre-processing implemented.
FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)
.Case("fscanf", &GenericTaintChecker::preFscanf)
.Default(nullptr);
// Check and evaluate the call.
if (evalFunction)
State = (this->*evalFunction)(CE, C);
if (!State)		if (!State)
return;		return;
C.addTransition(State);		C.addTransition(State);
}		}

bool GenericTaintChecker::propagateFromPre(const CallExpr *CE,		bool GenericTaintChecker::propagateFromPre(const CallExpr *CE,
CheckerContext &C) const {		CheckerContext &C) const {
ProgramStateRef State = C.getState();		ProgramStateRef State = C.getState();
Show All 27 Lines	bool GenericTaintChecker::propagateFromPre(const CallExpr *CE,

if (State != C.getState()) {		if (State != C.getState()) {
C.addTransition(State);		C.addTransition(State);
return true;		return true;
}		}
return false;		return false;
}		}

void GenericTaintChecker::addSourcesPost(const CallExpr *CE,
CheckerContext &C) const {
// Define the attack surface.
// Set the evaluation function by switching on the callee name.
const FunctionDecl *FDecl = C.getCalleeDecl(CE);
if (!FDecl \|\| FDecl->getKind() != Decl::Function)
return;

StringRef Name = C.getCalleeName(FDecl);
if (Name.empty())
return;
FnCheck evalFunction =
llvm::StringSwitch<FnCheck>(Name)
.Case("scanf", &GenericTaintChecker::postScanf)
// TODO: Add support for vfscanf & family.
.Case("getchar", &GenericTaintChecker::postRetTaint)
.Case("getchar_unlocked", &GenericTaintChecker::postRetTaint)
.Case("getenv", &GenericTaintChecker::postRetTaint)
.Case("fopen", &GenericTaintChecker::postRetTaint)
.Case("fdopen", &GenericTaintChecker::postRetTaint)
.Case("freopen", &GenericTaintChecker::postRetTaint)
.Case("getch", &GenericTaintChecker::postRetTaint)
.Case("wgetch", &GenericTaintChecker::postRetTaint)
.Case("socket", &GenericTaintChecker::postSocket)
.Default(nullptr);

// If the callee isn't defined, it is not of security concern.
// Check and evaluate the call.
ProgramStateRef State = nullptr;
if (evalFunction)
State = (this->*evalFunction)(CE, C);
if (!State)
return;

C.addTransition(State);
}

bool GenericTaintChecker::checkPre(const CallExpr *CE,		bool GenericTaintChecker::checkPre(const CallExpr *CE,
CheckerContext &C) const {		CheckerContext &C) const {

if (checkUncontrolledFormatString(CE, C))		if (checkUncontrolledFormatString(CE, C))
return true;		return true;

const FunctionDecl *FDecl = C.getCalleeDecl(CE);		const FunctionDecl *FDecl = C.getCalleeDecl(CE);
if (!FDecl \|\| FDecl->getKind() != Decl::Function)		if (!FDecl \|\| FDecl->getKind() != Decl::Function)
▲ Show 20 Lines • Show All 55 Lines • ▼ Show 20 Lines	GenericTaintChecker::TaintPropagationRule::process(const CallExpr *CE,
if (!IsTainted && VariadicType::Src == VarType) {		if (!IsTainted && VariadicType::Src == VarType) {
// Check if any of the arguments is tainted		// Check if any of the arguments is tainted
for (unsigned int i = VariadicIndex; i < CE->getNumArgs(); ++i) {		for (unsigned int i = VariadicIndex; i < CE->getNumArgs(); ++i) {
if ((IsTainted = isTaintedOrPointsToTainted(CE->getArg(i), State, C)))		if ((IsTainted = isTaintedOrPointsToTainted(CE->getArg(i), State, C)))
break;		break;
}		}
}		}

		if (PropagationFunc)
		IsTainted = PropagationFunc(IsTainted, CE, C);

if (!IsTainted)		if (!IsTainted)
return State;		return State;

// Mark the arguments which should be tainted after the function returns.		// Mark the arguments which should be tainted after the function returns.
for (unsigned ArgNum : DstArgs) {		for (unsigned ArgNum : DstArgs) {
// Should mark the return value?		// Should mark the return value?
if (ArgNum == ReturnValueIndex) {		if (ArgNum == ReturnValueIndex) {
State = State->add<TaintArgsOnPostVisit>(ReturnValueIndex);		State = State->add<TaintArgsOnPostVisit>(ReturnValueIndex);
Show All 20 Lines	for (unsigned int i = VariadicIndex; i < CE->getNumArgs(); ++i) {
(ArgTy->isReferenceType() && !Arg->getType().isConstQualified()))		(ArgTy->isReferenceType() && !Arg->getType().isConstQualified()))
State = State->add<TaintArgsOnPostVisit>(i);		State = State->add<TaintArgsOnPostVisit>(i);
}		}
}		}

return State;		return State;
}		}

// If argument 0 (file descriptor) is tainted, all arguments except for arg 0
// and arg 1 should get taint.
ProgramStateRef GenericTaintChecker::preFscanf(const CallExpr *CE,
CheckerContext &C) const {
assert(CE->getNumArgs() >= 2);
ProgramStateRef State = C.getState();

// Check is the file descriptor is tainted.
if (State->isTainted(CE->getArg(0), C.getLocationContext()) \|\|
isStdin(CE->getArg(0), C)) {
// All arguments except for the first two should get taint.
for (unsigned int i = 2; i < CE->getNumArgs(); ++i)
State = State->add<TaintArgsOnPostVisit>(i);
return State;
}

return nullptr;
}

// If argument 0(protocol domain) is network, the return value should get taint.		// If argument 0(protocol domain) is network, the return value should get taint.
ProgramStateRef GenericTaintChecker::postSocket(const CallExpr *CE,		bool GenericTaintChecker::TaintPropagationRule::postSocket(bool /IsTainted/,
CheckerContext &C) const {		const CallExpr *CE,
ProgramStateRef State = C.getState();		CheckerContext &C) {
if (CE->getNumArgs() < 3)
return State;

SourceLocation DomLoc = CE->getArg(0)->getExprLoc();		SourceLocation DomLoc = CE->getArg(0)->getExprLoc();
StringRef DomName = C.getMacroNameOrSpelling(DomLoc);		StringRef DomName = C.getMacroNameOrSpelling(DomLoc);
// White list the internal communication protocols.		// White list the internal communication protocols.
if (DomName.equals("AF_SYSTEM") \|\| DomName.equals("AF_LOCAL") \|\|		if (DomName.equals("AF_SYSTEM") \|\| DomName.equals("AF_LOCAL") \|\|
DomName.equals("AF_UNIX") \|\| DomName.equals("AF_RESERVED_36"))		DomName.equals("AF_UNIX") \|\| DomName.equals("AF_RESERVED_36"))
return State;		return false;
State = State->addTaint(CE, C.getLocationContext());
return State;
}

ProgramStateRef GenericTaintChecker::postScanf(const CallExpr *CE,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
if (CE->getNumArgs() < 2)
return State;

// All arguments except for the very first one should get taint.
for (unsigned int i = 1; i < CE->getNumArgs(); ++i) {
// The arguments are pointer arguments. The data they are pointing at is
// tainted after the call.
const Expr *Arg = CE->getArg(i);
Optional<SVal> V = getPointedToSVal(C, Arg);
if (V)
State = State->addTaint(*V);
}
return State;
}

ProgramStateRef GenericTaintChecker::postRetTaint(const CallExpr *CE,		return true;
CheckerContext &C) const {
return C.getState()->addTaint(CE, C.getLocationContext());
}		}

bool GenericTaintChecker::isStdin(const Expr *E, CheckerContext &C) {		bool GenericTaintChecker::isStdin(const Expr *E, CheckerContext &C) {
ProgramStateRef State = C.getState();		ProgramStateRef State = C.getState();
SVal Val = C.getSVal(E);		SVal Val = C.getSVal(E);

// stdin is a pointer, so it would be a region.		// stdin is a pointer, so it would be a region.
const MemRegion *MemReg = Val.getAsRegion();		const MemRegion *MemReg = Val.getAsRegion();
▲ Show 20 Lines • Show All 164 Lines • Show Last 20 Lines