[cfe-dev] [Analyzer] Frustrating behavior of CompoundAssignOperator

scott constable via cfe-dev cfe-dev at lists.llvm.org
Tue Oct 13 14:41:51 PDT 2015


Hi All,

I'm toying with a taint analysis checker, and for compound assignment
operators (CAOs) I would like to have a rule stating "if the LHS is tainted
or the RHS is tainted, then the LHS will become tainted." So far I've been
evaluating these rules by hooking PreStmt's, and I've been tracking tainted
memory with checkLocation. Taints are read during a checkLocation[load] and
written during a checkLocation[store]. This has worked beautifully for
every expression other than CAOs. For CAOs, I would expect the following
order of analysis:

load(LHS)
load(RHS)
preStmt(CAO)
store(LHS)

Instead I observe

load(RHS)
preStmt(CAO)
load(LHS)
store(LHS)

This is clearly problematic for my taint rule. At the time preStmt is
triggered, I only have the taint value for the RHS. If I instead implement
the rule during the load(LHS) or store(LHS), then I have to do something
ugly like resort to the ParentMap to figure out whether I'm loading/storing
during a CAO. If I implement the rule during a postStmt, then I would miss
the store(LHS), and would instead have to figure out which location had
been written to during the store. Although either of these solutions may
work in practice, it would seem silly to carve a hole in my design with an
exception for this one type of expression.

Is there a very good reason that the LHS and RHS are loaded on different
sides of the preStmt? If so, what would be the best workaround? If not,
could I easily reconfigure the core to load the LHS and RHS before visiting
the PreStmt?

~Scott Constable
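The ordering problem described above, reduced to a toy model as an added example (this is not Clang's checker API and not code from the original post): a hypothetical "core" fires the four callbacks for a compound assignment in either the expected or the observed order, and a checker that learns taint only from load callbacks and writes it back at the store callback is run in two modes. The naive mode decides "taint the LHS" in PreStmt, as the post's rule does, and so never sees the load(LHS) that the observed order delivers afterwards; the alternative mode keeps accumulating loads after PreStmt and decides at store(LHS), which is correct under both orders. All names (Event, TaintState, TaintChecker, simulate) and the "x += y" scenario are constructed for this model.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hypothetical model of the analyzer's callback sequence for "lhs op= rhs".
enum class Event { LoadLHS, LoadRHS, PreStmt, StoreLHS };

// Order the post expected, and the order it observed from the analyzer core.
const std::vector<Event> kExpectedOrder{Event::LoadLHS, Event::LoadRHS,
                                        Event::PreStmt, Event::StoreLHS};
const std::vector<Event> kObservedOrder{Event::LoadRHS, Event::PreStmt,
                                        Event::LoadLHS, Event::StoreLHS};

// Tainted memory regions, keyed by a constructed region name ("x", "y").
struct TaintState {
    std::set<std::string> taintedRegions;
    bool isTainted(const std::string& r) const { return taintedRegions.count(r) > 0; }
};

// A checker that reads taint only when a load happens and writes it at the
// store, mirroring the design in the post. decideAtStore selects the mode.
struct TaintChecker {
    bool decideAtStore;                 // false: decide in PreStmt; true: decide at store(LHS)
    std::set<std::string> taintedLoads; // tainted regions loaded during the current statement
    bool decision = false;              // whether the pending store should taint its target

    explicit TaintChecker(bool d) : decideAtStore(d) {}

    void onLoad(const std::string& region, const TaintState& st) {
        if (st.isTainted(region)) taintedLoads.insert(region);
    }
    void onPreStmt() {
        // Naive rule: "LHS or RHS tainted" evaluated from the loads seen so far.
        if (!decideAtStore) decision = !taintedLoads.empty();
    }
    void onStore(const std::string& region, TaintState& st) {
        // Deferred rule: every load of this statement has happened by now.
        if (decideAtStore) decision = !taintedLoads.empty();
        if (decision) st.taintedRegions.insert(region);
        else st.taintedRegions.erase(region);  // the store overwrote the old value
        taintedLoads.clear();
        decision = false;
    }
};

// Drive the callbacks for "x op= y" in the given order and report whether x
// is tainted afterwards. xTainted / yTainted set the taint before the statement.
bool simulate(bool decideAtStore, bool xTainted, bool yTainted,
              const std::vector<Event>& order) {
    TaintState st;
    if (xTainted) st.taintedRegions.insert("x");
    if (yTainted) st.taintedRegions.insert("y");
    TaintChecker checker(decideAtStore);
    for (Event e : order) {
        switch (e) {
            case Event::LoadLHS:  checker.onLoad("x", st); break;
            case Event::LoadRHS:  checker.onLoad("y", st); break;
            case Event::PreStmt:  checker.onPreStmt(); break;
            case Event::StoreLHS: checker.onStore("x", st); break;
        }
    }
    return st.isTainted("x");
}

int main() {
    // Scenario from the post: x tainted, y clean, "x += y" must leave x tainted.
    std::cout << "naive, expected order:    " << simulate(false, true, false, kExpectedOrder) << "\n";
    std::cout << "naive, observed order:    " << simulate(false, true, false, kObservedOrder) << "\n";
    std::cout << "deferred, observed order: " << simulate(true, true, false, kObservedOrder) << "\n";
    return 0;
}
```

The second line of output shows the loss the post describes: with the observed order, the PreStmt decision is made after only load(RHS), so a tainted LHS is overwritten by an untainted store. Deferring the decision to the store callback is one way to keep the rule intact without consulting the ParentMap, since the load(LHS) is delivered before store(LHS) in both orders.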