Lines Matching refs:CE
// Handler for a CallExpr, named as the post-statement callback. The definition
// lines in this listing (293, 295) show it evaluating propagateFromPre(CE, C)
// and calling addSourcesPost(CE, C); what happens when propagateFromPre
// returns true is not shown here.
35 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
// Handler for a CallExpr, named as the pre-statement callback. Definition
// lines 284 and 288 show checkPre(CE, C) evaluated first and
// addSourcesPre(CE, C) called afterwards; the branch taken when checkPre
// returns true is not visible in this listing.
38 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
// Runs the sink checks on a call. Definition lines 412-426 show the order:
// checkUncontrolledFormatString, then checkSystemCall (with a callee Name),
// then checkTaintedBufferSize. The meaning of the bool result is not shown in
// this listing.
53 bool checkPre(const CallExpr *CE, CheckerContext &C) const;
// Definition lines 301-326 show it resolving the callee with
// C.getCalleeDecl(CE), then producing a new State either from
// Rule.process(CE, C) or through the member-function pointer evalFunction.
// NOTE(review): no null check on FDecl is visible in the listed lines; confirm
// one exists in the full body.
56 void addSourcesPre(const CallExpr *CE, CheckerContext &C) const;
// Definition line 350 taints the call expression itself via
// State->addTaint(CE, ...). Lines 356-358 read CE->getArg(ArgNum) only after
// the guard CE->getNumArgs() < (ArgNum + 1).
59 bool propagateFromPre(const CallExpr *CE, CheckerContext &C) const;
// Definition lines 378 and 403 show the callee being resolved with
// C.getCalleeDecl(CE) and a State produced through evalFunction.
62 void addSourcesPost(const CallExpr *CE, CheckerContext &C) const;
// Definition lines 559-566: tests for fewer than 2 arguments, then walks the
// arguments starting at index 1.
75 ProgramStateRef postScanf(const CallExpr *CE, CheckerContext &C) const;
// Definition lines 543-552: tests for fewer than 3 arguments, reads the source
// location of argument 0 (DomLoc), and taints the call expression via
// State->addTaint(CE, ...).
76 ProgramStateRef postSocket(const CallExpr *CE, CheckerContext &C) const;
// Definition line 576: returns the current state with the call expression
// itself marked tainted.
77 ProgramStateRef postRetTaint(const CallExpr *CE, CheckerContext &C) const;
// Definition lines 523-530: when argument 0 is tainted or isStdin(...) holds,
// walks the arguments starting at index 2.
// NOTE(review): the only argument-count guard visible is
// assert(CE->getNumArgs() >= 2) at line 523, which is compiled out under
// NDEBUG, while line 527 reads getArg(0) unconditionally. Confirm that callers
// dispatch here only for calls with at least two arguments, or use a runtime
// check like the ones in postScanf/postSocket.
80 ProgramStateRef preFscanf(const CallExpr *CE, CheckerContext &C) const;
// Format-string sink check. Definition lines 666-670 obtain the format
// argument index from getPrintfFormatArgumentNum(CE, C, ArgNum) and pass
// CE->getArg(ArgNum) to generateReportIfTainted. The remaining parameters of
// this declaration are not shown in the listing.
84 bool checkUncontrolledFormatString(const CallExpr *CE,
// Command-execution sink check keyed on the callee Name. Definition lines
// 695-698 reject ArgNum == UINT_MAX or a too-short argument list before
// passing CE->getArg(ArgNum) to generateReportIfTainted. The UINT_MAX test
// comes first, so the (ArgNum + 1) comparison is not reached with that
// sentinel value.
91 bool checkSystemCall(const CallExpr *CE, StringRef Name,
// Buffer-size sink check. Definition lines 740-741 require
// ArgNum != InvalidArgIndex and CE->getNumArgs() > ArgNum before calling
// generateReportIfTainted(..., MsgTaintedBufferSize, C).
97 bool checkTaintedBufferSize(const CallExpr *CE, const FunctionDecl *FDecl,
// Defined as GenericTaintChecker::TaintPropagationRule::process (line 451).
// Listed lines 464-475 test arguments with isTaintedOrPointsToTainted, either
// over every argument or for one ArgNum guarded by
// CE->getNumArgs() < (ArgNum + 1). Lines 492-511 then revisit the arguments.
// NOTE(review): line 511 bounds-checks ArgNum only with
// assert(ArgNum < CE->getNumArgs()), which disappears under NDEBUG; confirm
// that rule definitions cannot carry an out-of-range index in release builds.
// NOTE(review): if ArgNum is unsigned and can hold a UINT_MAX-style sentinel,
// (ArgNum + 1) at line 473 wraps to 0 and the guard passes. checkSystemCall
// tests the sentinel explicitly; verify whether the same is needed here.
168 ProgramStateRef process(const CallExpr *CE, CheckerContext &C) const;
281 void GenericTaintChecker::checkPreStmt(const CallExpr *CE, in checkPreStmt() argument
284 if (checkPre(CE, C)) in checkPreStmt()
288 addSourcesPre(CE, C); in checkPreStmt()
291 void GenericTaintChecker::checkPostStmt(const CallExpr *CE, in checkPostStmt() argument
293 if (propagateFromPre(CE, C)) in checkPostStmt()
295 addSourcesPost(CE, C); in checkPostStmt()
298 void GenericTaintChecker::addSourcesPre(const CallExpr *CE, in addSourcesPre() argument
301 const FunctionDecl *FDecl = C.getCalleeDecl(CE); in addSourcesPre()
313 State = Rule.process(CE, C); in addSourcesPre()
326 State = (this->*evalFunction)(CE, C); in addSourcesPre()
333 bool GenericTaintChecker::propagateFromPre(const CallExpr *CE, in propagateFromPre() argument
350 State = State->addTaint(CE, C.getLocationContext()); in propagateFromPre()
356 if (CE->getNumArgs() < (ArgNum + 1)) in propagateFromPre()
358 const Expr* Arg = CE->getArg(ArgNum); in propagateFromPre()
374 void GenericTaintChecker::addSourcesPost(const CallExpr *CE, in addSourcesPost() argument
378 const FunctionDecl *FDecl = C.getCalleeDecl(CE); in addSourcesPost()
403 State = (this->*evalFunction)(CE, C); in addSourcesPost()
410 bool GenericTaintChecker::checkPre(const CallExpr *CE, CheckerContext &C) const{ in checkPre() argument
412 if (checkUncontrolledFormatString(CE, C)) in checkPre()
415 const FunctionDecl *FDecl = C.getCalleeDecl(CE); in checkPre()
423 if (checkSystemCall(CE, Name, C)) in checkPre()
426 if (checkTaintedBufferSize(CE, FDecl, C)) in checkPre()
451 GenericTaintChecker::TaintPropagationRule::process(const CallExpr *CE, in process() argument
464 for (unsigned int i = 0; i < CE->getNumArgs(); ++i) { in process()
467 if ((IsTainted = isTaintedOrPointsToTainted(CE->getArg(i), State, C))) in process()
473 if (CE->getNumArgs() < (ArgNum + 1)) in process()
475 if ((IsTainted = isTaintedOrPointsToTainted(CE->getArg(ArgNum), State, C))) in process()
492 for (unsigned int i = 0; i < CE->getNumArgs(); ++i) { in process()
493 const Expr *Arg = CE->getArg(i); in process()
511 assert(ArgNum < CE->getNumArgs()); in process()
521 ProgramStateRef GenericTaintChecker::preFscanf(const CallExpr *CE, in preFscanf() argument
523 assert(CE->getNumArgs() >= 2); in preFscanf()
527 if (State->isTainted(CE->getArg(0), C.getLocationContext()) || in preFscanf()
528 isStdin(CE->getArg(0), C)) { in preFscanf()
530 for (unsigned int i = 2; i < CE->getNumArgs(); ++i) in preFscanf()
540 ProgramStateRef GenericTaintChecker::postSocket(const CallExpr *CE, in postSocket() argument
543 if (CE->getNumArgs() < 3) in postSocket()
546 SourceLocation DomLoc = CE->getArg(0)->getExprLoc(); in postSocket()
552 State = State->addTaint(CE, C.getLocationContext()); in postSocket()
556 ProgramStateRef GenericTaintChecker::postScanf(const CallExpr *CE, in postScanf() argument
559 if (CE->getNumArgs() < 2) in postScanf()
563 for (unsigned int i = 1; i < CE->getNumArgs(); ++i) { in postScanf()
566 const Expr* Arg = CE->getArg(i); in postScanf()
574 ProgramStateRef GenericTaintChecker::postRetTaint(const CallExpr *CE, in postRetTaint() argument
576 return C.getState()->addTaint(CE, C.getLocationContext()); in postRetTaint()
612 static bool getPrintfFormatArgumentNum(const CallExpr *CE, in getPrintfFormatArgumentNum() argument
618 const FunctionDecl *FDecl = C.getCalleeDecl(CE); in getPrintfFormatArgumentNum()
627 if ((Format->getType() == "printf") && CE->getNumArgs() > ArgNum) in getPrintfFormatArgumentNum()
632 if (C.getCalleeName(CE).find("setproctitle") != StringRef::npos) { in getPrintfFormatArgumentNum()
662 bool GenericTaintChecker::checkUncontrolledFormatString(const CallExpr *CE, in checkUncontrolledFormatString() argument
666 if (!getPrintfFormatArgumentNum(CE, C, ArgNum)) in checkUncontrolledFormatString()
670 if (generateReportIfTainted(CE->getArg(ArgNum), in checkUncontrolledFormatString()
676 bool GenericTaintChecker::checkSystemCall(const CallExpr *CE, in checkSystemCall() argument
695 if (ArgNum == UINT_MAX || CE->getNumArgs() < (ArgNum + 1)) in checkSystemCall()
698 if (generateReportIfTainted(CE->getArg(ArgNum), in checkSystemCall()
707 bool GenericTaintChecker::checkTaintedBufferSize(const CallExpr *CE, in checkTaintedBufferSize() argument
740 if (ArgNum != InvalidArgIndex && CE->getNumArgs() > ArgNum && in checkTaintedBufferSize()
741 generateReportIfTainted(CE->getArg(ArgNum), MsgTaintedBufferSize, C)) in checkTaintedBufferSize()