<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    @Gavin: I'm worried that you're choosing a wrong strategy here.
    Branches with tainted conditions can be used for sanitizing the
    input, but it sounds like you want to ban them rather than promote
    them. That said, I can't figure out what's the right solution for
    you unless I understand the original problem that you're trying to
    solve.<br>
    <br>
    @Kristof: Do you think you can implement a
    checkBeginControlDependentSection / checkEndControlDependentSection
    callback pair on top of your control dependency tracking mechanisms,
    so that they behaved intuitively and always perfectly paired each
    other, even in the more complicated cases like for-loops and Duff's
    devices? (there's no indication so far that we really need them -
    scope contexts are much more valuable and might actually be helpful
    here as well - but I'm kinda curious).<br>
    <br>
    <div class="moz-cite-prefix">On 9/20/19 10:46 AM, Kristóf Umann via
      cfe-dev wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAGcXOD5Ce3u0g+bsK2CoAPVsXPEAA6toZoXV7CFpGXjtarVtSg@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div dir="ltr">+ Artem because he knows everything about the
          analyzer and symbolic execution, + Balázs because he is
          currently working on TaintChecker.
          <div><br>
          </div>
          <div>My first instinct here would be to combine path-sensitive
            analysis with control flow analysis. In the header file <font
              face="monospace">clang/include/clang/Analysis/Analyses/Dominators.h</font>
            you will find the class <font face="monospace">ControlDependencyCalculator</font>.
            You could calculate the control dependencies of the block in
            which <font face="monospace">sensitive_func() </font>is
            called (you can retrieve that through the current <font
              face="monospace">ExplodedNode</font>) and find that the <font
              face="monospace">CFGBlock</font> whose <font
              face="monospace">getLastCondition()</font> is <font
              face="monospace">value < xxx</font> is in fact a
            control dependency. Then, you could, in theory, check
            whether parts of this expression are tainted.</div>
          <div><br>
          </div>
          <div>Artem, do you think this makes any sense?</div>
        </div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Fri, 20 Sep 2019 at
            16:10, Gavin Cui via cfe-dev <<a
              href="mailto:cfe-dev@lists.llvm.org"
              moz-do-not-send="true">cfe-dev@lists.llvm.org</a>>
            wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px
            0.8ex;border-left:1px solid
            rgb(204,204,204);padding-left:1ex">Hello all,<br>
            I want to check if a tainted value can affect the control
            flow of some sensitive functions. For example:<br>
            <br>
            value = taint_source();<br>
            if (value < xxx) {<br>
                    sensitive_func();<br>
            }<br>
            <br>
            The taint propagation in clang static analyzer fits part of
            my need. One approach I can think of is: <br>
            Whenever I encounter a branch condition (register
            checkBranchCondition() callback), I will push a tag (tainted
            or not) to a taintStack variable in ProgramState.<br>
            After the branch block closed, I will pop one tag. <br>
            If sensitive_function() gets encountered, I will check all
            the tags in taintStack to see if any of them is tainted.<br>
            <br>
            The problem is I did not find a callback like
            checkBranchCondition() that will be called every time a
            branch block is exited. Then what should be a good approach
            for this control flow checking?<br>
            <br>
            Any suggestions would be appreciated.<br>
            <br>
            Thank you,<br>
            Gavin<br>
            _______________________________________________<br>
            cfe-dev mailing list<br>
            <a href="mailto:cfe-dev@lists.llvm.org" target="_blank"
              moz-do-not-send="true">cfe-dev@lists.llvm.org</a><br>
            <a
              href="https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev"
              rel="noreferrer" target="_blank" moz-do-not-send="true">https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
          </blockquote>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
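    As an added example, not code from any participant in this thread and not
    Clang's own code: the check Kristóf describes, modelled on a small hand-built
    CFG so that it compiles and runs without the Clang libraries. Post-dominators
    are computed by fixpoint iteration, control dependence follows the standard
    post-dominance based definition (Ferrante, Ottenstein and Warren), and the
    four CFGs (block numbering, successor edges, and which block branches on a
    tainted value) are constructed for the example; the `condTainted` flag stands
    in for "the block's getLastCondition() is tainted". In a real checker the
    block would come from the current ExplodedNode as described above and the
    taint query would go to the analyzer's taint tracking rather than a flag.<br>

```cpp
// Added example (not code from the thread or from Clang): the control-dependence
// check Kristóf sketched, modelled on a toy CFG so it runs without Clang.
// Block numbering, edges and the "tainted condition" flags below are constructed.
#include <algorithm>
#include <cstdio>
#include <iterator>
#include <set>
#include <vector>

struct Block {
  std::vector<int> succs;     // successor block indices
  bool condTainted = false;   // block ends in a branch on a tainted value
};

struct Cfg {
  std::vector<Block> blocks;
  int exitBlock;              // unique sink that every path reaches
};

using NodeSet = std::set<int>;

// Post-dominators by iterative fixpoint:
// pdom(exit) = {exit}; pdom(n) = {n} union (intersection of pdom(s) over successors s).
std::vector<NodeSet> postDominators(const Cfg &cfg) {
  const int n = static_cast<int>(cfg.blocks.size());
  NodeSet all;
  for (int i = 0; i < n; ++i) all.insert(i);
  std::vector<NodeSet> pdom(n, all);
  pdom[cfg.exitBlock] = {cfg.exitBlock};
  for (bool changed = true; changed;) {
    changed = false;
    for (int b = 0; b < n; ++b) {
      if (b == cfg.exitBlock) continue;
      NodeSet acc = all;
      for (int s : cfg.blocks[b].succs) {
        NodeSet meet;
        std::set_intersection(acc.begin(), acc.end(), pdom[s].begin(), pdom[s].end(),
                              std::inserter(meet, meet.begin()));
        acc = meet;
      }
      acc.insert(b);
      if (acc != pdom[b]) { pdom[b] = acc; changed = true; }
    }
  }
  return pdom;
}

// Ferrante/Ottenstein/Warren: Y is control dependent on X iff some edge X->Z
// exists where Y post-dominates Z but Y does not strictly post-dominate X.
// deps[Y] is the set of such X. A loop header ends up depending on itself.
std::vector<NodeSet> controlDependencies(const Cfg &cfg) {
  std::vector<NodeSet> pdom = postDominators(cfg);
  std::vector<NodeSet> deps(cfg.blocks.size());
  for (int x = 0; x < static_cast<int>(cfg.blocks.size()); ++x)
    for (int z : cfg.blocks[x].succs)
      for (int y : pdom[z])
        if (y == x || !pdom[x].count(y)) deps[y].insert(x);
  return deps;
}

// The check from the thread: walk the control dependencies of the block that
// calls sensitive_func() and ask whether any of them branches on taint.
bool sensitiveCallTaintControlled(const Cfg &cfg, int sensitiveBlock) {
  std::vector<NodeSet> deps = controlDependencies(cfg);
  for (int x : deps[sensitiveBlock])
    if (cfg.blocks[x].condTainted) return true;
  return false;
}

// Gavin's snippet: B0 `value = taint_source(); if (value < xxx)`, B1 `sensitive_func()`, B2 exit.
Cfg ifGuardedCfg()      { return {{{{1, 2}, true}, {{2}}, {}}, 2}; }
// Same shape, but the branch condition does not involve the tainted value.
Cfg untaintedGuardCfg() { return {{{{1, 2}, false}, {{2}}, {}}, 2}; }
// Tainted branch, but sensitive_func() is called after the join in B2, so it is
// not control dependent on the tainted condition (B0 -> B1 -> B2 -> B3).
Cfg joinedCfg()         { return {{{{1, 2}, true}, {{2}}, {{3}}, {}}, 3}; }
// `for (i = 0; i < value; ++i) sensitive_func();`: B0 init, B1 header (tainted
// condition), B2 body with back edge to B1, B3 exit. There is no "branch block
// closed" event to pop a stack on here; control dependence still answers correctly.
Cfg loopCfg()           { return {{{{1}}, {{2, 3}, true}, {{1}}, {}}, 3}; }

int main() {
  std::printf("if-guarded:      %d\n", sensitiveCallTaintControlled(ifGuardedCfg(), 1));
  std::printf("untainted guard: %d\n", sensitiveCallTaintControlled(untaintedGuardCfg(), 1));
  std::printf("after join:      %d\n", sensitiveCallTaintControlled(joinedCfg(), 2));
  std::printf("for-loop body:   %d\n", sensitiveCallTaintControlled(loopCfg(), 2));
  return 0;
}
```

    The after-join case is what distinguishes "a tainted branch happened earlier
    on this path" from "this call is guarded by a tainted condition", and the
    for-loop case is the shape where pairing a checkBranchCondition() push with a
    pop has no natural counterpart. Note the caveat Artem raises applies unchanged:
    control dependence on a tainted condition is exactly what a sanitizing
    <font face="monospace">if (value &lt; limit)</font> looks like too, so this
    check flags the guard but cannot by itself say whether the guard is the
    problem or the fix.<br>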
  </body>
</html>