[cfe-dev] Clang GenericTaintChecker limitations

Divya Muthukumaran via cfe-dev cfe-dev at lists.llvm.org
Thu Aug 18 07:05:08 PDT 2016


Hi Artem,

Thanks for sending that -- I commented out those lines in the source and
recompiled, and the taint propagates correctly for the example I sent you.
But then I changed the code slightly, so that instead of storing the items
in a list, I store them in an array. New items are added to an offset of
the array address (i.e., array[OFFSET] = new_item). Now the taint doesn't
propagate at all. Is there something about array modelling that is
different?


I have attached my revised test case with this email. Note that if I
replace A1 with A2 and B1 with B2 or hard code the offset into the array
the taint propagates correctly.

Thanks,
Divya


On Fri, Aug 12, 2016 at 9:21 AM, Artem Dergachev <noqnoqneo at gmail.com>
wrote:

> On 8/12/16 10:57 AM, Divya Muthukumaran wrote:
>
>>     So, long story short, this code is already too complex for our
>>     analyzer. Our default options are tweaked for maximum
>>     bugs-per-second in general case, but maybe we could make an option
>>     to analyze deeply, no matter how much time it takes.
>>
>> Ah OK. Thanks for looking into this. If I had to do this bespoke for
>> analyzing my code, what would I have to change? Or is it too complex?
>
> The attached patch highlights the code responsible for conservative
> replay without inlining. It's not very complex, and I guess we could make
> an option for tweaking this particular behavior.
>
Attachment: test.c (text/x-csrc, 3288 bytes)
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20160818/a06f76d6/attachment.c>