[PATCH] D71524: [analyzer] Support tainted objects in GenericTaintChecker

Borsik Gábor via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Wed Sep 30 14:29:29 PDT 2020


boga95 marked an inline comment as done.
boga95 added a comment.

In D71524#2291925 <https://reviews.llvm.org/D71524#2291925>, @steakhal wrote:

> In D71524#2284386 <https://reviews.llvm.org/D71524#2284386>, @Szelethus wrote:
>
>> I figured you're still working on this, sorry! I'd really like to chat about my earlier comment D71524#1917251 <https://reviews.llvm.org/D71524#1917251>, as it kind of challenges the high level idea.
>
> What about marking the `std::cin` object itself as tainted and any object created by `ifstream::ifstream(const char*)` or similar functions.
> Then propagate taint via the extraction operator (`operator>>`) only if the stream was tainted.
> This way we could reduce the false-positives of this crude heuristic. What do you think?

As far as I remember I tried to make `std::cin` tainted, but it was complicated. I ran the checker against many projects and there weren't any false positives related to this heuristic.
We can restrict the `operator>>` to `std::basic_stream` and cover only the standard library. I think most programmers will use this in a conventional way, therefore it should work for their implementation too.


CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D71524/new/

https://reviews.llvm.org/D71524
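The two propagation rules the thread compares (taint every `operator>>` extraction, versus taint it only when the stream itself is tainted) can be modelled in a few lines. The block below is an added example written for this page; it is not code from D71524 or from GenericTaintChecker, and it does not use the analyzer's API. It is a toy symbolic taint state over object names, with a constructed scenario: a string stream built from a literal, `std::cin`, and a freshly opened `ifstream`. The source list (`std::cin` tainted from the start, streams from `ifstream::ifstream(const char*)` tainted on creation) is taken from steakhal's proposal; the function names and the scenario are assumptions for illustration.

```cpp
#include <iostream>
#include <set>
#include <string>

// Symbolic taint state: the names of objects currently considered tainted.
// (Toy model for illustration, not the analyzer's taint representation.)
using TaintSet = std::set<std::string>;

bool isTainted(const TaintSet &taint, const std::string &name) {
  return taint.count(name) != 0;
}

// Taint sources as proposed in the thread: std::cin is tainted from the start,
// and any stream constructed by ifstream::ifstream(const char*) is tainted too.
TaintSet initialState() { return TaintSet{"std::cin"}; }

TaintSet openFile(TaintSet taint, const std::string &streamName) {
  taint.insert(streamName); // models `std::ifstream s("path")`
  return taint;
}

// Rule A, the crude heuristic: every `stream >> var` taints `var`.
TaintSet extractCrude(TaintSet taint, const std::string & /*stream*/,
                      const std::string &var) {
  taint.insert(var);
  return taint;
}

// Rule B, the refinement: `stream >> var` taints `var` only if `stream` is tainted.
TaintSet extractIfStreamTainted(TaintSet taint, const std::string &stream,
                                const std::string &var) {
  if (isTainted(taint, stream))
    taint.insert(var);
  return taint;
}

struct Outcome {
  bool crudeFlagsLocal;   // rule A taints data read from a literal-backed stringstream?
  bool refinedFlagsLocal; // rule B does?
  bool refinedFlagsCin;   // rule B still taints data read from std::cin?
  bool refinedFlagsFile;  // ...and data read from a freshly opened ifstream?
};

// Constructed scenario (hypothetical program, not from the patch):
//   std::istringstream local("42"); int a; local >> a;   // no external input
//   int b; std::cin >> b;                                 // external input
//   std::ifstream f("cfg.txt"); int c; f >> c;           // external input
Outcome runScenario() {
  TaintSet crude = initialState();
  crude = extractCrude(crude, "local", "a");

  TaintSet refined = initialState();
  refined = extractIfStreamTainted(refined, "local", "a");
  refined = extractIfStreamTainted(refined, "std::cin", "b");
  refined = openFile(refined, "f");
  refined = extractIfStreamTainted(refined, "f", "c");

  return Outcome{isTainted(crude, "a"), isTainted(refined, "a"),
                 isTainted(refined, "b"), isTainted(refined, "c")};
}

int main() {
  Outcome o = runScenario();
  std::cout << "crude rule taints 'a' (literal stringstream): " << o.crudeFlagsLocal << '\n'
            << "refined rule taints 'a': " << o.refinedFlagsLocal << '\n'
            << "refined rule taints 'b' (std::cin): " << o.refinedFlagsCin << '\n'
            << "refined rule taints 'c' (ifstream): " << o.refinedFlagsFile << '\n';
  return 0;
}
```

The difference shows up only on the literal-backed stream: rule A reports `a` as tainted although no external data reached it, while rule B does not, yet still taints `b` and `c`, which do come from outside the program. That is exactly the false-positive reduction argued for in the thread; whether it matters in practice depends on how often real code extracts from streams that are not external sources, which is the empirical question boga95 raises.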
