[PATCH] D28445: [Analyzer] Extend taint propagation and checking

Vlad Tsyrklevich via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Sun Jan 15 21:27:15 PST 2017


vlad.tsyrklevich updated this revision to Diff 84517.
vlad.tsyrklevich added a comment.

Artem, thank you for the very detailed reply! Between this and hitting the right search terms to find your clang analyzer guide, my understanding of the symbol abstractions the analyzer exposes has improved significantly.

You state that it's not easy to derive the conjured symbols from the Store; however, it didn't seem to be too difficult to do by recursively finding the bindings for the constituent FieldRegions (if the LCV is backing a struct/union) or the first ElementRegion (if the LCV is backing an array) until you reach an element/field initialized with the conjured symbol. Does the new patch look correct to you? Your comment about the difficulty has me unsure whether I've fully grasped the scope of the problem.

One wrinkle you'll notice is in the patch to `taint-tester.c`: one FIXME for missing taint has been fixed, but now one variable that should not be tainted is! This seems to be because of overeager invalidation; it is not strictly the fault of the patch, but it is exposed by it.


https://reviews.llvm.org/D28445

Files:
  lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
  lib/StaticAnalyzer/Core/ProgramState.cpp
  test/Analysis/taint-generic.c
  test/Analysis/taint-tester.c

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D28445.84517.patch
Type: text/x-patch
Size: 4916 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20170116/ce620602/attachment.bin>
