[cfe-dev] Taint analysis

Dmitri Gribenko gribozavr at gmail.com
Wed Feb 1 06:32:20 PST 2012


I was playing with the experimental taint analyzer and found a simple case
where the taint checker fails:

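#include <stdio.h>

void test_bad() {
  char s[80];
  sprintf(s, "%s", "aaa"); // untainted write to s before the tainted read
  fscanf(stdin, "%s", s);  // s now holds data read from stdin
  printf(s); // expected-warning {{Uncontrolled Format String}}
}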

If sprintf is commented out, the diagnostic is produced as expected.

Full testcase attached.

Dmitri Gribenko

-------------- next part --------------
A non-text attachment was scrubbed...
Name: taint-checker-fail.c
Type: text/x-csrc
Size: 675 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20120201/0a2b9247/attachment.c>
