In the Clang Static Analyzer, I have the ability to taint any SVal I am interested in. However, I wonder how I could taint the command line arguments. A simple example:
int main(int argc, char **argv)
{
memcpy(xxx,argv[0],xxx);
}
Because there is no caller of the main function, I can't use checkPreCall or checkPostCall to get the SVal of argv, nor the CallExpr. I think Clang must provide an interface to get the top-frame function's arguments. How could I get it? checkBeginFunction is the only hook function that is invoked at the start of the top-frame function, but the only argument Clang passes to us is the CheckerContext. I tried to get the SVal from it, but failed.
Problem solved! I hooked checkBeginFunction, and the code is:
// Inside checkBeginFunction(CheckerContext &C); it also fires for inlined callees, so keep to the top frame.
if (!C.inTopFrame()) return;
const FunctionDecl *FD = C.getCurrentAnalysisDeclContext()->getDecl()->getAsFunction();
if (!FD || FD->getNumParams() == 0) return; // ObjC method, block, or a function without parameters
const ParmVarDecl *pdecl = FD->getParamDecl(0);
StoreManager &store = C.getStoreManager();
const Loc loc = store.getLValueVar(pdecl, C.getLocationContext());
ProgramStateRef state = C.getState();
Store s = state->getStore();
store.getBinding(s, loc).dump(); // SVal currently bound to the first parameter
Here I get the SVal of the first parameter of the top-frame function.