[PATCH] D27753: [analyzer] alpha.security.DirtyScalar Checker

Zoltán Gera via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Fri Mar 10 04:23:36 PST 2017


gerazo added a comment.

> Stepping back a bit, what do you consider "dirty" vs "clean"? It seems that you are looking for proof that the values are known to be within the bounds of min and max int values. What happens if there is a comparison to an unknown symbolic value? Should that be considered as clean or tainted? Are there test cases for this?

I consider values clean when they were checked by the programmer from both sides. However, my implementation purely works from the constraints in effect (and using min and max is just the broadest constraint I could find). So you are totally right that comparison with unknown symbols is not covered, neither in the implementation nor in the tests. Can you suggest a universally working method which can handle all cases (e.g. complex expressions on both sides of the operator)? If we could find such an approach, that would be something which could really go into the GenericTaintChecker as an improvement. And I would gladly rewrite this whole stuff to fit the more general solution.


https://reviews.llvm.org/D27753
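The bounds reasoning described in the reply above, as an added illustration that is not part of the original post or of the D27753 patch: a toy interval tracker that treats a value as "clean" only once both of its bounds have moved off the type's min and max, and that shows why a comparison against an unknown symbolic value leaves the value "dirty" under that rule. The function names and the read_untrusted() scenario in the comments are assumptions made for this example, not names from the checker.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Interval a path-sensitive analysis would keep for one integer value.
 * Uses long so that bound +/- 1 cannot overflow at INT_MIN/INT_MAX. */
typedef struct {
    long lo;
    long hi;
} Range;

/* A freshly read tainted int (e.g. n = read_untrusted(); assumed scenario):
 * the only constraint in effect is the type's own range. */
static Range tainted_int(void)
{
    Range r = { INT_MIN, INT_MAX };
    return r;
}

/* True branch of "value < bound" with a concrete bound. */
static Range assume_less_than(Range r, long bound)
{
    if (bound - 1 < r.hi)
        r.hi = bound - 1;
    return r;
}

/* True branch of "value > bound" with a concrete bound. */
static Range assume_greater_than(Range r, long bound)
{
    if (bound + 1 > r.lo)
        r.lo = bound + 1;
    return r;
}

/* True branch of "value < limit" where limit is itself an unknown symbol:
 * no concrete number is learned, so the interval does not change. This is
 * the case the review thread points out as uncovered. */
static Range assume_less_than_symbolic(Range r)
{
    return r;
}

/* The rule from the reply: dirty while either side still sits on the
 * broadest possible constraint (min or max of the type). */
static bool is_dirty(Range r)
{
    return r.lo == INT_MIN || r.hi == INT_MAX;
}

/* Scenario 1: if (n > 0 && n < 64) buf[n] = ...;  both sides checked. */
static bool both_sides_checked_is_dirty(void)
{
    Range n = tainted_int();
    n = assume_greater_than(n, 0);
    n = assume_less_than(n, 64);
    return is_dirty(n);            /* false: lo = 1, hi = 63 */
}

/* Scenario 2: if (n < 64) buf[n] = ...;  only the upper side checked. */
static bool one_side_checked_is_dirty(void)
{
    Range n = tainted_int();
    n = assume_less_than(n, 64);
    return is_dirty(n);            /* true: lo is still INT_MIN */
}

/* Scenario 3: if (n > 0 && n < limit) ...;  limit unknown to the analyzer. */
static bool symbolic_upper_check_is_dirty(void)
{
    Range n = tainted_int();
    n = assume_greater_than(n, 0);
    n = assume_less_than_symbolic(n);
    return is_dirty(n);            /* true: hi is still INT_MAX */
}

int main(void)
{
    printf("both sides checked      -> %s\n", both_sides_checked_is_dirty() ? "dirty" : "clean");
    printf("one side checked        -> %s\n", one_side_checked_is_dirty() ? "dirty" : "clean");
    printf("symbolic upper check    -> %s\n", symbolic_upper_check_is_dirty() ? "dirty" : "clean");
    return 0;
}
```

Scenario 3 is the practical caveat: a programmer who writes `n < limit` with `limit` coming from a trusted configuration has checked the value, yet a rule keyed purely on concrete min/max constraints still reports it, which is exactly the false-positive class the thread is discussing.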