[cfe-dev] Help with Taint analysis

章磊 ioripolo at gmail.com
Wed Jan 13 18:09:02 PST 2010

I don't know if clang now has a right engine for taint analysis.

Of course you can create a new checker to track all taint information using
GRExprEngine as Zhongxing said, but GRExprEngine is path sensitive. Maybe
flow sensitive analysis for taint analysis is enough?

Otherwise, i think the result from taint analysis may be useful for other
checkers. So can we implement it  like LiveVariable analysis?

Phoenix is a framework for build compilers or program analysis tools from
MS. You can find an taint analysis example from the phoenix SDK docs.Maybe
you can borrow some ideas from it.

2010/1/13 Juan Carlos Martinez Santos <juanc.martinez.santos at gmail.com>

> Hello clang,
> I am interested in doing taint analysis. My idea is get a complete list of
> all variables which are potentially influenced by outside input. Checking
> the mail list, I found that a way to do this is walking into GRExprEngine
> and his friends (SVals and MemRegion).
> However, I don't know how to start.
> Thanks in advance,
> --
> Juan Carlos
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20100114/ca6ba516/attachment.html>

More information about the cfe-dev mailing list