[cfe-dev] Clang GenericTaintChecker limitations

Gábor Horváth via cfe-dev cfe-dev at lists.llvm.org
Thu Aug 11 05:42:08 PDT 2016


Note that the analyzer do not reason about global variables right now.

And also not that there are no guarantees about the coverage. Therr might
be code that is not covered by the analysis at all. So I think, as is, the
analyzer is not suitable for any kind of verification. It can be a decent
bug finding tool though.


2016. aug. 11. du. 2:09 ezt írta ("Divya Muthukumaran via cfe-dev" <
cfe-dev at lists.llvm.org>):

> Hi Artem,
> Thanks for your detailed reply. That was really helpful and got me
> started. I also read the paper http://lcs.ios.ac.cn/~
> xuzb/canalyze/memmodel.pdf which gave me a good overview of how the
> region store works.
> I do have a follow up question regarding propagation of taint through
> globals. I was trying to apply the Clang taint analysis to a toy key-value
> store program. The interface consists of item * item_alloc(int key, int
> value), item * item_get (int key), item_put (item*) and item_list(void) and
> the key-value pairs are stored as a hashtable (item_table) with global
> scope. A function_dispatcher() reads in user input on loop and dispatches
> between those functions until the user enters 'quit'.
> I was expecting that if I taint the item being added to the global
> item_table when item_put() is invoked, then when item_get() is used to
> retrieve any item, the resulting item gets the taint. But this doesn't seem
> to happen.
> It works correctly if I explicitly call item_alloc(), *taint_add(),
> item_put(), item_get() in that order from my main() without using the
> dispatcher.
> Does this mean that the global region pertaining to item_table gets
> invalidated between user requests. Is there any way I can change this
> behavior? I guess my alternative is to write a driver with all possible
> interleavings of my interface functions, correct?
> Best,
> Divya
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20160811/b3de467d/attachment.html>

More information about the cfe-dev mailing list