[cfe-dev] [Analyzer] How to deal with lazy compound values when tracking state

Keno Fischer via cfe-dev cfe-dev at lists.llvm.org
Thu Mar 2 22:02:40 PST 2017


Hi there,

I'm implementing a kind of taint propagation and I'm running into a
bit of trouble when some of the tainted values are structs, because of
the LazyCompoundValue optimization. First, to illustrate the kind of
thing I want to do, consider:

extern int tainted_function1();
/* analyzer debug builtin (ExprInspection checker); declared so the snippet compiles */
void clang_analyzer_explain(int);
void foo() {
    int x = tainted_function1();
    clang_analyzer_explain(x);
}

Where I try to annotate the taint upon returning from the call
(check::PostCall).
Now, this works well, because `x` is `symbol of type 'int' conjured at
statement 'tainted_function1()'`, so I can store its taintedness in a
SymbolRef->bool map and everyone is happy. However, I'm having trouble
extending the same logic to:

struct foo {
    int a;
    int b;
};
extern struct foo tainted_function2();
/* analyzer debug builtin (ExprInspection checker); declared so the snippet compiles */
void clang_analyzer_explain(struct foo);
void foo() {
    struct foo val = tainted_function2();
    clang_analyzer_explain(val);
}

because `val` is then a `lazily frozen compound value of local
variable 'val'`. I tried playing with that a bit, but I'm having
trouble getting at the symbol from the lazy compound val (I tried
getBinding with the Store and the region from the lazy compound val,
but that just gives me another lazy compound value). How do I
de-lazify the value?
