[cfe-dev] Clang GenericTaintChecker limitations

Divya Muthukumaran via cfe-dev cfe-dev at lists.llvm.org
Thu Aug 11 05:08:55 PDT 2016


Hi Artem,

Thanks for your detailed reply. That was really helpful and got me started.
I also read the paper http://lcs.ios.ac.cn/~xuzb/canalyze/memmodel.pdf
which gave me a good overview of how the region store works.

I do have a follow-up question regarding propagation of taint through
globals. I was trying to apply the Clang taint analysis to a toy key-value
store program. The interface consists of item * item_alloc(int key, int
value), item * item_get (int key), item_put (item*) and item_list(void) and
the key-value pairs are stored as a hashtable (item_table) with global
scope. A function_dispatcher() reads in user input in a loop and dispatches
between those functions until the user enters 'quit'.

I was expecting that if I taint the item being added to the global
item_table when item_put() is invoked, then when item_get() is used to
retrieve any item, the resulting item gets the taint. But this doesn't seem
to happen.
It works correctly if I explicitly call item_alloc(), *taint_add(),
item_put(), item_get() in that order from my main() without using the
dispatcher.

Does this mean that the global region pertaining to item_table gets
invalidated between user requests? Is there any way I can change this
behavior? I guess my alternative is to write a driver with all possible
interleavings of my interface functions, correct?

Best,
Divya
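A minimal reproducer for the store described in the message, added here as an example and not Divya's program: the global table, the item_alloc/item_put/item_get interface (item_list omitted) and a dispatcher loop. It assumes a fixed-size chained table, that the checker treats sscanf() as a taint source, and uses a division in the loop as the sink so that the analyzer has something to report if taint reaches the value fetched from item_table.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct item { int key; int value; struct item *next; } item;

/* Global table, as in the post: does taint stored here survive across dispatcher iterations? */
static item *item_table[16];

item *item_alloc(int key, int value) {
    item *it = malloc(sizeof *it);
    if (it) { it->key = key; it->value = value; it->next = NULL; }
    return it;
}

void item_put(item *it) {
    unsigned slot = (unsigned)it->key % 16;
    it->next = item_table[slot]; item_table[slot] = it;
}

item *item_get(int key) {
    for (item *it = item_table[(unsigned)key % 16]; it; it = it->next)
        if (it->key == key) return it;
    return NULL;
}

/* One request: "put K V" stores, "get K" retrieves into *out. Assumed: the
 * checker treats sscanf() as a taint source, so key and value are tainted.
 * Returns 1 when *out holds a retrieved value, 0 otherwise. */
int dispatch_one(const char *line, int *out) {
    int key, value;
    if (sscanf(line, "put %d %d", &key, &value) == 2) {
        item *it = item_alloc(key, value);
        if (it) item_put(it);
    } else if (sscanf(line, "get %d", &key) == 1) {
        item *it = item_get(key);
        if (it) { *out = it->value; return 1; }
    }
    return 0;
}

/* Dispatcher loop: read requests until "quit". The division is the sink:
 * core.DivideZero warns about a tainted divisor only if the analyzer still
 * sees the value fetched from item_table as tainted at this point. */
int main(void) {
    char line[64];
    int v;
    while (fgets(line, sizeof line, stdin) && strncmp(line, "quit", 4) != 0)
        if (dispatch_one(line, &v)) printf("%d\n", 1000 / v);
    return 0;
}
```

Feeding "put 7 0" then "get 7" on stdin exercises the path the poster describes; running the same file through the analyzer with the taint checker enabled shows whether the warning appears for the dispatcher loop as it does for a straight-line alloc/put/get driver.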