[cfe-dev] Adding taint sources to GenericTaintChecker
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Wed Apr 13 08:08:43 PDT 2016
> Oh, is someone currently working on this? What would be the basic
> workflow if anyone has to start working on adding support for float,
> at least taint analysis to start with?
We had a quick look in our team, but we don't have a ready-made patch.

First, you'd need a sub-class of SVal to store concrete floating-point
values, i.e. nonloc::ConcreteFloat that is similar to
nonloc::ConcreteInt but wraps around APFloat. You'd also need
SymFloatExpr and FloatSymExpr symbolic expression classes, similar to
SymIntExpr and IntSymExpr but holding APFloat as their RHS or LHS
respectively. These symbolic expressions need to be considered in a few
places, e.g. they need to inherit taint from their symbolic operand.

After that I'd probably start with making ExprEngine and SValBuilder
produce fewer UnknownVals for float-type stuff - instead, produce a
relevant atomic symbol or symbolic expression - and probably add a few
stubs into RangeConstraintManager to avoid simplifying these symbols. If
this doesn't cause many new false positives, then you should already be
OK with it, as it should be enough to let taint analysis work.

The final step would be to let RangeConstraintManager actually reason
about floats, i.e. transform "(conj_$1<float> >= 0.0): [1, 255]" into
"conj_$1<float>: [0.0, +inf]" (or whatever the current floating-point
semantics think about infinity). This would finish the open project.
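The following is an added illustration, not code from the mail or from Clang. It is a self-contained toy model of the point made above: a SymFloatExpr (symbol op float constant) must inherit taint from its symbolic operand, and an evaluator that returns UnknownVal for float arithmetic silently drops taint, which is why producing fewer UnknownVals is enough to let GenericTaintChecker work on floats. The class names (SVal, SymExpr, ConcreteFloat, SymFloatExpr, UnknownVal) mirror the analyzer's only by analogy; the structures, the `double` standing in for APFloat, and the `evalFloatBinOpOld`/`evalFloatBinOpNew` functions are all assumptions made here for the sketch.

```cpp
// Toy model of taint propagation through symbolic float expressions.
// NOT Clang code: names are borrowed from the static analyzer by analogy only,
// and double stands in for llvm::APFloat.
#include <cstdio>
#include <memory>
#include <set>
#include <variant>

namespace toy {

// A symbolic expression tree. Atomic models conj_$N<T>; SymInt/IntSym model
// SymIntExpr/IntSymExpr (symbol op int constant); SymFloat/FloatSym model the
// proposed SymFloatExpr/FloatSymExpr (symbol op float constant).
struct SymExpr {
  enum class Kind { Atomic, SymInt, IntSym, SymFloat, FloatSym };
  Kind kind = Kind::Atomic;
  int symId = -1;                              // Atomic only
  std::shared_ptr<const SymExpr> symOperand;   // symbolic side of a binary expr
  char op = 0;
  long long intConst = 0;                      // constant side for SymInt/IntSym
  double floatConst = 0.0;                     // constant side for SymFloat/FloatSym
};
using SymExprRef = std::shared_ptr<const SymExpr>;

SymExprRef makeSymbol(int id) {             // e.g. conj_$1<float> from scanf("%f")
  auto e = std::make_shared<SymExpr>();
  e->kind = SymExpr::Kind::Atomic;
  e->symId = id;
  return e;
}

SymExprRef makeSymFloat(SymExprRef sym, char op, double c) {  // (sym op c)
  auto e = std::make_shared<SymExpr>();
  e->kind = SymExpr::Kind::SymFloat;
  e->symOperand = std::move(sym);
  e->op = op;
  e->floatConst = c;
  return e;
}

struct UnknownVal {};
struct ConcreteInt { long long value; };
struct ConcreteFloat { double value; };   // would wrap APFloat in the real thing
using SVal = std::variant<UnknownVal, ConcreteInt, ConcreteFloat, SymExprRef>;

// Taint state: the set of atomic symbols marked tainted by a taint source.
struct TaintState {
  std::set<int> tainted;
  void addTaint(int symId) { tainted.insert(symId); }

  bool isTainted(const SymExpr &e) const {
    if (e.kind == SymExpr::Kind::Atomic) return tainted.count(e.symId) != 0;
    // A binary expression with one constant side inherits taint from its
    // symbolic operand. This is the rule the mail says SymFloatExpr needs.
    return e.symOperand && isTainted(*e.symOperand);
  }
  bool isTainted(const SVal &v) const {
    if (auto *s = std::get_if<SymExprRef>(&v)) return isTainted(**s);
    return false;   // UnknownVal and concrete values carry no taint
  }
};

// "Before": float arithmetic on a symbolic operand yields UnknownVal.
// Whatever the checker knew about the operand is lost here.
SVal evalFloatBinOpOld(const SVal &, char, double) { return UnknownVal{}; }

// "After": fold concrete operands, and build a SymFloatExpr for symbolic ones
// so taint can still be looked up on the result.
SVal evalFloatBinOpNew(const SVal &lhs, char op, double rhs) {
  if (auto *s = std::get_if<SymExprRef>(&lhs)) return makeSymFloat(*s, op, rhs);
  if (auto *c = std::get_if<ConcreteFloat>(&lhs)) {
    switch (op) {
      case '+': return ConcreteFloat{c->value + rhs};
      case '-': return ConcreteFloat{c->value - rhs};
      case '*': return ConcreteFloat{c->value * rhs};
      case '/': return ConcreteFloat{c->value / rhs};
      default:  return UnknownVal{};
    }
  }
  return UnknownVal{};
}

// Scenario: scanf("%f", &x) conjures conj_$1<float> and taints it, then
// y = (x * 100.0) + 0.5 is computed. Returns whether y is still seen as tainted.
bool taintSurvivesFloatArithmetic(bool useNewEvaluator) {
  TaintState st;
  SVal x = makeSymbol(1);
  st.addTaint(1);
  auto eval = useNewEvaluator ? evalFloatBinOpNew : evalFloatBinOpOld;
  SVal y = eval(eval(x, '*', 100.0), '+', 0.5);
  return st.isTainted(y);
}

}  // namespace toy

int main() {
  std::printf("old evaluator keeps taint: %d\n", toy::taintSurvivesFloatArithmetic(false));
  std::printf("new evaluator keeps taint: %d\n", toy::taintSurvivesFloatArithmetic(true));
  return 0;
}
```

The two evaluators differ only in what they return for a symbolic float operand; the taint lookup itself never changes. That is the practical meaning of the advice to make ExprEngine and SValBuilder stop returning UnknownVal for float-typed expressions before touching RangeConstraintManager.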