[PATCH] D28445: [Analyzer] Extend taint propagation and checking

Artem Dergachev via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Mar 7 07:52:41 PST 2017


NoQ accepted this revision.
NoQ added a comment.
This revision is now accepted and ready to land.

I believe this should land. Thank you very much for getting this far to get this fixed.

My take on the documentation:

  Return the default value bound to a region in a given store. The default binding is the value of sub-regions that were not initialized separately from their base region. For example, if the structure is zero-initialized upon construction, this method retrieves the concrete zero value, even if some or all fields were later overwritten manually. Default binding may be an unknown, undefined, concrete, or symbolic value.
  \param[in] store The store in which to make the lookup.
  \param[in] R The region to find the default binding for.



  Return the default value bound to a LazyCompoundVal. The default binding is used to represent the value of any fields or elements within the structure represented by the LazyCompoundVal which were not initialized explicitly separately from the whole structure. Default binding may be an unknown, undefined, concrete, or symbolic value.
  \param[in] lcv The lazy compound value.
  \return The default value bound to the LazyCompoundVal \c lcv, if a default binding exists.



================
Comment at: lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp:455
+  // Otherwise, return a nullptr as there's not yet a functional way to taint
+  // sub-regions of LCVs.
+  return nullptr;
----------------
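Review bot: the `return nullptr;` fallback at GenericTaintChecker.cpp:455 means a taint request for a sub-region of a LazyCompoundVal yields no symbol to taint, so that taint is dropped silently rather than surfaced; a FIXME next to the "not yet a functional way" comment, naming the limitation and the intended follow-up, would make this false-negative path visible to the next maintainer.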
I'm not sure if I mentioned this before, but for this case we could store taint information in the program state as a map **//T//** from symbols to sets of regions, so that a `SymbolDerived`-class symbol with parent symbol **//S//** and parent region **//R//** is auto-tainted when **//R//** is a sub-region of at least one region **//R'//** in **//T(S)//**.

That is, if we need to taint some fields in a structure with default symbol **//S//**, we add the relevant field regions to **//T(S)//**, and later lookup if the derived symbol's parent region is within one of the "tainted-regions-for-that-symbol".

That's a crazy plan, but I believe it's also quite expressive, using the SVal hierarchy to the fullest. So it might be the way to go.


https://reviews.llvm.org/D28445
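The symbol-to-regions map proposed in the comment, worked through as a toy model. This is an added example, not code from the D28445 patch or from Clang: `Region`, `Symbol` and `TaintState` here are stand-ins for the analyzer's MemRegion hierarchy, `SymbolDerived` and ProgramState, and the rule that tainting a whole symbol also taints every symbol derived from it is an assumption of this model, not something the comment states.

```cpp
#include <cstdio>
#include <map>
#include <set>

// A memory region in a containment tree: a base region (the struct variable
// `s`) and sub-regions nested inside it (field `s.f`, element `s.f[2]`).
// Stand-in for MemRegion; not the analyzer's class.
struct Region {
    const char *name;
    const Region *super; // enclosing region; nullptr for a base region
};

// True if `r` is `outer` itself or is nested anywhere inside `outer`.
bool isSubRegionOf(const Region *r, const Region *outer) {
    for (const Region *cur = r; cur != nullptr; cur = cur->super)
        if (cur == outer)
            return true;
    return false;
}

// A symbolic value. A plain symbol is an unknown value, e.g. the default
// binding S of a whole structure. A derived symbol is the value read from
// `parentRegion` when the enclosing structure has value `parentSymbol`,
// mirroring SymbolDerived's (parent symbol, parent region) pair.
struct Symbol {
    int id;
    const Symbol *parentSymbol; // nullptr for a plain symbol
    const Region *parentRegion; // nullptr for a plain symbol
    bool isDerived() const { return parentSymbol != nullptr; }
};

// The proposed state: plain per-symbol taint, plus the map T from a symbol
// to the set of regions that are tainted within the structure it denotes.
struct TaintState {
    std::set<const Symbol *> taintedSymbols;
    std::map<const Symbol *, std::set<const Region *>> T;
};

// Taint the whole value denoted by `s`.
void taintSymbol(TaintState &st, const Symbol *s) { st.taintedSymbols.insert(s); }

// Taint only region `r` inside the structure denoted by `s`: add r to T(s).
void taintRegionOfSymbol(TaintState &st, const Symbol *s, const Region *r) {
    st.T[s].insert(r);
}

// Lookup: a symbol is tainted if it was tainted directly, or if it is derived
// and either its parent symbol is tainted as a whole (model assumption) or its
// parent region lies within some R' in T(parent symbol).
bool isTainted(const TaintState &st, const Symbol *sym) {
    if (st.taintedSymbols.count(sym))
        return true;
    if (!sym->isDerived())
        return false;
    if (isTainted(st, sym->parentSymbol))
        return true;
    auto it = st.T.find(sym->parentSymbol);
    if (it == st.T.end())
        return false;
    for (const Region *tainted : it->second)
        if (isSubRegionOf(sym->parentRegion, tainted))
            return true;
    return false;
}

// Results for the derived symbols s.f, s.f[2], s.g and the whole struct s.
struct DemoResult { bool field, element, sibling, wholeStruct; };

// Constructed scenario: taint only field s.f of a struct with default symbol S.
// Reads of s.f and s.f[2] come out tainted; s.g and s itself do not.
DemoResult demoFieldTaint() {
    static const Region s{"s", nullptr}, f{"s.f", &s}, f2{"s.f[2]", &f}, g{"s.g", &s};
    static const Symbol S{1, nullptr, nullptr};
    static const Symbol dF{2, &S, &f}, dF2{3, &S, &f2}, dG{4, &S, &g}, dS{5, &S, &s};
    TaintState st;
    taintRegionOfSymbol(st, &S, &f);
    return {isTainted(st, &dF), isTainted(st, &dF2), isTainted(st, &dG), isTainted(st, &dS)};
}

// Constructed scenario: taint the base region s itself, so every sub-region
// read through S is tainted.
DemoResult demoWholeTaint() {
    static const Region s{"s", nullptr}, f{"s.f", &s}, f2{"s.f[2]", &f}, g{"s.g", &s};
    static const Symbol S{1, nullptr, nullptr};
    static const Symbol dF{2, &S, &f}, dF2{3, &S, &f2}, dG{4, &S, &g}, dS{5, &S, &s};
    TaintState st;
    taintRegionOfSymbol(st, &S, &s);
    return {isTainted(st, &dF), isTainted(st, &dF2), isTainted(st, &dG), isTainted(st, &dS)};
}

int main() {
    DemoResult a = demoFieldTaint(), b = demoWholeTaint();
    std::printf("field-only taint:  s.f=%d s.f[2]=%d s.g=%d s=%d\n", a.field, a.element, a.sibling, a.wholeStruct);
    std::printf("whole-struct taint: s.f=%d s.f[2]=%d s.g=%d s=%d\n", b.field, b.element, b.sibling, b.wholeStruct);
    return 0;
}
```

The point of the lookup is that taint is never attached to a derived symbol itself; it is recomputed from the parent symbol's region set on each query, so tainting one field reaches every element nested under it without having to enumerate the sub-regions in advance.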