[cfe-dev] [analyzer] Problem tracking taint applied to regions

Julian Ganz via cfe-dev cfe-dev at lists.llvm.org
Tue Mar 20 06:43:28 PDT 2018


Hello cfe-dev,

> Using the information in subsequent post-statement checks is where I'm stuck. First, I noted that the taint is not propagated anywhere. I assumed that simple assignments were, for whatever reason, not yet considered (I also did not find anything in the generic taint checker), so I started implementing a `check::PostStmt<BinaryOperator>` checker. Since `isTainted()` on the statement behaved as expected on the last handler, I assumed the taint detection to be somewhat easier. Sure, I have to strip both the LHS and RHS of casts and parentheses, but detecting taint should be easy, I thought. Turns out `isTainted()` never returns true.
>
> Now, dumping both the taint and the overall state using `ProgramState::dump()` and `ProgramState::dumpTaint()` reveals that the symbolic expression which was previously added to the taint map is still tainted, but the binding of this expression to `f.x` is gone (`f.x: Undefined`).
It looks like the value is collected by the `SymbolReaper`, which I find strange since the statement containing the member expression is clearly still processed.

By now I suspect that I should have used a `SymbolMetadata` and somehow made sure it lives long enough (e.g. using `SymbolReaper::markInUse()`).

Greetings,
Julian