[cfe-dev] Taint analysis
Dmitri Gribenko
gribozavr at gmail.com
Wed Feb 1 06:32:20 PST 2012
Hello,
I was playing with the experimental taint analyzer and found a simple case
where the taint checker fails:
#include <stdio.h> /* sprintf, fscanf, printf, stdin */

void test_bad()
{
  char s[80];
  sprintf(s, "%s", "aaa");
  fscanf(stdin, "%s", s);
  printf(s); // expected-warning {{Uncontrolled Format String}}
}
If sprintf is commented out, the diagnostic is produced as expected.
Full testcase attached.
Dmitri Gribenko
--
main(i,j){for(i=2;;i++){for(j=2;j<i;j++){if(!(i%j)){j=0;break;}}if
(j){printf("%d\n",i);}}} /*Dmitri Gribenko <gribozavr at gmail.com>*/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: taint-checker-fail.c
Type: text/x-csrc
Size: 675 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20120201/0a2b9247/attachment.c>
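
Added example, not part of the original post or its attachment: a hardened counterpart of test_bad() that does not depend on the checker firing. The fscanf field width bounds the write into s, and the tainted buffer is only ever passed as an argument to a constant format. The names read_token, render_token and demo, and the sample input, are constructed for illustration.

```c
/* Added example: hardened counterpart of test_bad(); all names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 80

/* Read one whitespace-delimited token from `in` into `s` (BUF_LEN bytes).
 * The field width keeps fscanf from writing past the end of the buffer.
 * Returns 1 on success, 0 if no token could be read. */
static int read_token(FILE *in, char s[BUF_LEN])
{
    s[0] = '\0';
    return fscanf(in, "%79s", s) == 1;
}

/* Render the tainted string into `out` through a constant format, so any
 * '%' directives inside `s` are copied as data and never interpreted.
 * Returns the number of characters the full output needs. */
static int render_token(char *out, size_t out_len, const char *s)
{
    return snprintf(out, out_len, "%s", s);
}

/* Feed a constructed input through both steps via a temporary file. */
static int demo(const char *input, char *out, size_t out_len)
{
    char s[BUF_LEN];
    FILE *in = tmpfile();
    int ok;
    if (in == NULL) return -1;
    fputs(input, in);
    rewind(in);
    ok = read_token(in, s);
    fclose(in);
    if (!ok)
        return -1;
    return render_token(out, out_len, s);
}

int main(void)
{
    char out[BUF_LEN];
    /* Constructed input: directives that printf(s) would have interpreted. */
    if (demo("%x%x%s%n", out, sizeof out) < 0)
        return 1;
    puts(out);
    return strcmp(out, "%x%x%s%n") != 0; /* 0 when rendered verbatim */
}
```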