[cfe-dev] Clear taint mark - static analyzer checker

Francisco Chiotta franchiotta at gmail.com
Sun May 3 21:22:09 PDT 2015


Does it not work even if the argument passed on is a pointer?

This is an example:

#include <string>
using std::string;

void source(string* str){}       // user-defined taint source
void destination(string* str){}  // user-defined taint sink

void somemethod(string* str){
    source(str);       // argument should get marked as tainted here
    destination(str);  // tainted argument reaches the sink here
}

When I try to get the SVal associated to the argument in the 'source'
method, I get a LazyCompoundVal, and I can't get the Symbol of it to
mark it as tainted.

2015-04-27 13:44 GMT-03:00 Anna Zaks <ganna at apple.com>:

>
> On Apr 25, 2015, at 5:59 PM, Francisco Chiotta <franchiotta at gmail.com>
> wrote:
>
> Thanks Anna. I was taking a look at GenericTaintChecker, and saw you are
> the main contributor of this module. My idea is to create a checker where
> the user can define the methods that should raise an alert when tainted
> data is passed to them.
>
> It works great when tainting primitive types, e.g. char, but if I want to
> taint an object like std::string, it doesn't work. It uses a getPointedToSymbol
> method based on GenericTaintChecker to retrieve the symbolic value, and
> then passes it to the StateRef.addTaint(...) method:
>
>
> https://github.com/llvm-mirror/clang/blob/master/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp#L426
>
> But I can hardly understand why this doesn't retrieve any symbol when the
> arguments are objects.
>
>
> The analyzer's infrastructure for tracking objects passed by value is
> lagging behind; maybe that's what you are seeing.
>
> Thanks a lot.
> Francisco
>
>
> 2015-04-15 2:26 GMT-03:00 Anna Zaks <ganna at apple.com>:
>
>> Taint support has not been fully implemented. I suspect this explains why
>> there is no method to clear it.
>>
>> Anna.
>>
>> > On Apr 12, 2015, at 6:54 PM, Francisco Chiotta <franchiotta at gmail.com>
>> wrote:
>> >
>> > Hi community,
>> >
>> > I'm developing a static analyzer checker, and I need to clear the taint
>> mark for a specific symbol/stmt/region. Is that possible?
>> >
>> > I'm using the addTaint(..) methods of the ProgramState class to add taint
>> information to symbols/stmts/regions, but I don't see anything to clear the
>> taint mark from them.
>> >
>> > Does anyone know how to do this?
>> >
>> > Thanks!
>> >
>> >
>> > _______________________________________________
>> > cfe-dev mailing list
>> > cfe-dev at cs.uiuc.edu
>> > http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>>
>>
>
>