
In Clang Static Analyzer, I have the ability to taint any SVal I am interested in. However, I wonder how I could taint the command line arguments. A simple example here:

#include <string.h>

int main(int argc, char **argv)
{
    /* xxx: placeholders from the question for the destination buffer and the length */
    memcpy(xxx, argv[0], xxx);
}

Because there is no caller to the main function, I can't use precall or postcall to get the SVal of argv, nor the CallExpr. I think Clang must have provided such an interface to get the top frame function's arguments. How could I get it? beginfunction is the only hook function that would be invoked at the start of the top frame function, but the only argument Clang passes to us is CheckerContext. I tried to get the SVal from it, but failed.

OSICracker
  • There is always a call to the `main` function. It's just not done from code you've written. How else do you think `main` would be "called"? I don't know if it's possible to catch that call though. – Some programmer dude Jul 11 '18 at 06:20
  • What I am not getting: Why do want to do that? For a static code analysis, the program is not run, so you have no command line argument and the main function is not executed, so ... ? – Rene Jul 11 '18 at 07:49
  • This is just an example; Clang Static Analyzer uses symbolic execution to find issues in the code. Indeed there's a start function to call main, but that case is beyond my topic. In a single .c file, there are many functions that are called from outside the file, but I need to get the symbolic value of the arguments of the top frame function. – OSICracker Jul 11 '18 at 10:35

1 Answer


Problem solved! I hook beginfunction and the code is:

// Inside checkBeginFunction(CheckerContext &C): the declaration under analysis
// is the top-frame function itself, so its parameters are reachable directly.
StoreManager &store = C.getStoreManager();
const FunctionDecl *fdecl =
    C.getCurrentAnalysisDeclContext()->getDecl()->getAsFunction();
if (!fdecl || fdecl->getNumParams() == 0)   // e.g. int main(void): nothing to look at
  return;
const ParmVarDecl *pdecl = fdecl->getParamDecl(0);                  // argc for main
const Loc loc = store.getLValueVar(pdecl, C.getLocationContext()); // its lvalue in this frame
ProgramStateRef state = C.getState();
Store s = state->getStore();
store.getBinding(s, loc).dump();   // the symbolic value currently bound to the parameter

Here I get the SVal of the first argument of the top frame function.
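A complete checker built on the same lookup, added here as an example (it is not code from the question or the answer): it runs only in the top frame, picks main's second parameter (argv), and marks its value as tainted with the analyzer's taint API, so that later reads such as argv[0] are flagged by taint-aware checkers. The checker name, its registration functions and the Checkers.td entry they require are assumptions.

```cpp
// ArgvTaintChecker.cpp -- hypothetical checker; lives in the clang tree and
// is built with the other StaticAnalyzer/Checkers sources.
#include "clang/AST/Decl.h"
#include "clang/StaticAnalyzer/Checkers/Taint.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

using namespace clang;
using namespace ento;

namespace {
class ArgvTaintChecker : public Checker<check::BeginFunction> {
public:
  void checkBeginFunction(CheckerContext &C) const;
};
} // namespace

void ArgvTaintChecker::checkBeginFunction(CheckerContext &C) const {
  // Only the top frame has no caller; for inlined calls the arguments are
  // reachable through the usual PreCall/PostCall callbacks instead.
  if (!C.inTopFrame())
    return;

  const auto *FD = dyn_cast_or_null<FunctionDecl>(
      C.getCurrentAnalysisDeclContext()->getDecl());
  // Restrict to `main` with at least (argc, argv); `int main(void)` is skipped.
  if (!FD || !FD->isMain() || FD->getNumParams() < 2)
    return;

  const ParmVarDecl *ArgvDecl = FD->getParamDecl(1); // argv
  const LocationContext *LCtx = C.getLocationContext();
  ProgramStateRef State = C.getState();

  // Same lookup as the answer above: lvalue of the parameter in this frame,
  // then the symbolic value bound to it (the `char **` pointing at the
  // symbolic argv array).
  Loc ArgvLoc = C.getStoreManager().getLValueVar(ArgvDecl, LCtx);
  SVal Argv = State->getSVal(ArgvLoc);

  // Taint the pointer's symbol: values derived from it (argv[0], argv[i][j])
  // are reported as tainted by taint::isTainted in other checkers.
  State = taint::addTaint(State, Argv);
  C.addTransition(State);
}

// Registration hooks; Checkers.td needs a matching `def ArgvTaintChecker`.
void ento::registerArgvTaintChecker(CheckerManager &Mgr) {
  Mgr.registerChecker<ArgvTaintChecker>();
}
bool ento::shouldRegisterArgvTaintChecker(const CheckerManager &) {
  return true;
}
```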

OSICracker