[PATCH] D73536: [analyzer][taint] Remove taint from symbolic expressions if used in comparisons

Gábor Horváth via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Thu Feb 6 16:05:49 PST 2020


xazax.hun added a comment.

I think a crucial part of the design is what we would do for the following case:

  if (x < y || x > z)
    return;
  // Here we might not have ranges for x when y and z were symbolic. 
  mySink(x); // requires x to be in [0, 255]

So would we warn for the code above? X is certainly in SOME bounds but we were not smart enough to figure out what. And these symbolic constraints are not recorded in the range-based constraint manager.

If we want to avoid potential false positives on the code above we do need to somehow record symbolic constraints somewhere.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D73536/new/

https://reviews.llvm.org/D73536
