[PATCH] D28445: [Analyzer] Extend taint propagation and checking

Vlad Tsyrklevich via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Mar 7 09:23:04 PST 2017


vlad.tsyrklevich added inline comments.


================
Comment at: lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp:455
+  // Otherwise, return a nullptr as there's not yet a functional way to taint
+  // sub-regions of LCVs.
+  return nullptr;
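Review bot: returning nullptr here silently drops the taint for a sub-region of a LazyCompoundVal, which for a taint checker is a false negative rather than a false positive; the comment should say that explicitly (a `// FIXME:` rather than a plain remark), so that a caller does not read a nullptr result as "this value is untainted" when it actually means "the taint could not be represented".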
----------------
NoQ wrote:
> I'm not sure if I mentioned this before, but for this case we could store taint information in the program state as a map `T` from symbols to sets of regions, so that a `SymbolDerived`-class symbol with parent symbol `S` and parent region `R` is auto-tainted when `R` is a sub-region of at least one region `R'` in `T(S)`.
> 
> That is, if we need to taint some fields in a structure with default symbol `S`, we add the relevant field regions to `T(S)`, and later look up whether the derived symbol's parent region is within one of the "tainted-regions-for-that-symbol".
> 
> That's a crazy plan, but I believe it's also quite expressive, using the SVal hierarchy to the fullest. So it might be the way to go.
That's exactly what I was considering; I can't imagine another clean way to keep track of that information otherwise (short of a linear scan of the taint data).


https://reviews.llvm.org/D28445
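
The symbol-to-regions map that the thread above sketches, as an added stand-alone example; this is not code from the review or from clang. It models the scheme with a toy region tree (parent pointers) and plain integer symbol ids instead of the analyzer's MemRegion and SymExpr classes, so every name here (Region, TaintMap, addTaintedRegion, isDerivedSymbolTainted, the `pkt` scenario) is an assumption for illustration:

```cpp
// Added example (not clang code): a toy model of the "taint map" scheme from the
// review thread. Symbols are integer ids, regions form a containment tree via
// parent pointers, and T maps a parent symbol S to the set of regions R' that
// were explicitly tainted under S. A derived symbol with parent symbol S and
// parent region R counts as tainted when R is a sub-region of (or equal to)
// some R' in T(S). All names are assumptions for illustration.
#include <map>
#include <set>
#include <string>
#include <utility>

using SymbolID = unsigned;

// A region is a node in a containment tree (e.g. struct -> field -> element).
struct Region {
  std::string Name;
  const Region *Parent;  // nullptr for a top-level region
  explicit Region(std::string N, const Region *P = nullptr)
      : Name(std::move(N)), Parent(P) {}
};

// True if Sub is Super itself or is nested (transitively) inside Super.
bool isSubRegionOf(const Region *Sub, const Region *Super) {
  for (const Region *R = Sub; R != nullptr; R = R->Parent)
    if (R == Super)
      return true;
  return false;
}

// T: parent symbol -> set of regions tainted under that symbol.
using TaintMap = std::map<SymbolID, std::set<const Region *>>;

// Record that region R, derived from the value of symbol S, carries taint.
void addTaintedRegion(TaintMap &T, SymbolID S, const Region *R) {
  T[S].insert(R);
}

// The lookup performed when a SymbolDerived(S, R) is created:
// is R within some R' in T(S)?
bool isDerivedSymbolTainted(const TaintMap &T, SymbolID ParentSym,
                            const Region *ParentRegion) {
  auto It = T.find(ParentSym);
  if (It == T.end())
    return false;  // nothing tainted under this parent symbol
  for (const Region *Tainted : It->second)
    if (isSubRegionOf(ParentRegion, Tainted))
      return true;
  return false;
}

// Constructed scenario: a struct `pkt` with fields `hdr` and `body`, where
// `body` has an element region `body[0]`. Only `body` is tainted under the
// struct's default symbol S; `hdr` is not.
struct Scenario {
  Region Pkt{"pkt"};
  Region Hdr{"pkt.hdr", &Pkt};
  Region Body{"pkt.body", &Pkt};
  Region Body0{"pkt.body[0]", &Body};
  TaintMap T;
  static constexpr SymbolID S = 1;
  Scenario() { addTaintedRegion(T, S, &Body); }
};

// body[0] inherits taint from body: true.
bool bodyElementIsTainted() {
  Scenario Sc;
  return isDerivedSymbolTainted(Sc.T, Sc.S, &Sc.Body0);
}
// hdr is a sibling of body, not nested in it: false.
bool headerIsTainted() {
  Scenario Sc;
  return isDerivedSymbolTainted(Sc.T, Sc.S, &Sc.Hdr);
}
// Same region under a different parent symbol: false.
bool otherSymbolIsTainted() {
  Scenario Sc;
  return isDerivedSymbolTainted(Sc.T, 2, &Sc.Body0);
}
```

The point of keying the map by the parent symbol is that the check at derived-symbol creation time is a lookup in `T(S)` followed by a walk up the region's parent chain, rather than the linear scan over all taint data that the reply mentions.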
