[cfe-dev] Clang GenericTaintChecker limitations
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Thu Aug 11 09:04:19 PDT 2016
On 8/11/16 3:42 PM, Gábor Horváth wrote:
> Note that the analyzer does not reason about global variables right now.
@Gábor: Hmm, what do you mean? :o They're present in the Store and work
like all other variables, they're just invalidated too often (on every
unmodeled function call). If the variables are also const-qualified,
then they shouldn't be invalidated, and should always resolve to their
initial value (though I think there were some bugs there).
@Divya: if you think that your own API functions themselves do
unnecessary invalidation (rather than user-defined functions or library
functions), then you have an option to `evalCall` them - that's a
special checker callback in which you can take care of all modeling, but
> And also note that there are no guarantees about the coverage. There
> might be code that is not covered by the analysis at all.
@Gábor: Yeah, it might be that as well. The loop might have been too
complex, and the analyzer didn't find the proper path through the loop
(loops are currently inlined as well).
@Divya: you may want to increase the `-cc1 -analyzer-max-loop=4` option
to a higher value. In the worst case, I'd have had a look at the
see what exactly is going on.
It might also easily be something else, so if you can post some sample
code, we'd probably make a better guess.
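To illustrate the loop-bound point above, here is an added example (not code from the thread or from Clang): a 6-digit length field is parsed in a loop that runs more times than the default `-analyzer-max-loop` of 4, so the analyzer may give up on the path before the tainted length reaches the `memset` sink and report nothing; raising the bound lets it reach the sink. The header is assumed to come from a taint source such as `fgets` in the caller, and the function names are chosen here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8
#define HDR_DIGITS 6  /* loop runs 6 times: above the default -analyzer-max-loop=4 */

/* Parse a fixed-width decimal length field. With the default loop bound the
 * analyzer stops exploring this path after 4 iterations, so whatever follows
 * the loop on that path is never reached. Re-run with a larger bound, e.g.
 *   clang --analyze -Xclang -analyzer-max-loop -Xclang 8 file.c
 * and the sink below becomes reachable for the analyzer. */
static int parse_len(const char hdr[HDR_DIGITS]) {
    int len = 0;
    for (int i = 0; i < HDR_DIGITS; i++)
        len = len * 10 + (hdr[i] - '0');
    return len;
}

/* "Before": the untrusted length is used directly as a memset size.
 * This is the taint sink a checker should flag (overflow when len > BUF_LEN).
 * Callers must pass a header that encodes at most BUF_LEN for this to be
 * safe at runtime; it exists only as the analyzer's target case. */
int fill_unchecked(const char hdr[HDR_DIGITS]) {
    char buf[BUF_LEN];
    int len = parse_len(hdr);
    memset(buf, 'A', (size_t)len);
    return len;
}

/* "After": clamp the length before it reaches the sink, so the tainted value
 * can no longer drive the write size past the buffer. */
int fill_checked(const char hdr[HDR_DIGITS]) {
    char buf[BUF_LEN];
    int len = parse_len(hdr);
    if (len < 0 || len > BUF_LEN)
        len = BUF_LEN;
    memset(buf, 'A', (size_t)len);
    return len;
}

int main(void) {
    /* Constructed header values; a real caller would read them from input. */
    printf("checked(\"000012\") -> %d\n", fill_checked("000012"));
    printf("unchecked(\"000005\") -> %d\n", fill_unchecked("000005"));
    return 0;
}
```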