[cfe-dev] Checker - taint analysis with virtual functions (runtime polymorphism handling)

lifeasageek lifeasageek at gmail.com
Tue Sep 18 12:47:14 PDT 2012


I'm playing with Checker to implement taint analysis for C++
applications. Referring to GenericTaintChecker.cpp, I've implemented my
simple taint analysis, but it seems like tainted symbols are not
propagated for virtual function calls, and Checker cannot handle
C++ class runtime polymorphism?

From my understanding, when Checker sees a virtual function call
expression, it only knows the declared class type, not the actually
allocated class type. In the example code below that I've written, when
Checker sees g_table->append(), it only knows that g_table is the member
function of ShapeTable, not of ShapeTableArray.

Could you tell me how to handle these C++ runtime polymorphism issues?
Can I force it to visit all the possible (or concrete) virtual
functions when Checker sees a virtual function call?

#include <cstdlib>

#define MAX_ENTRIES 16      /* assumed value; not given in the post */
#define NOT_AVAILABLE (-1)  /* assumed value; not given in the post */

class ShapeTable {
public:
    virtual void append(int value) = 0;
    virtual int search(int value) = 0;
};

class ShapeTableArray : public ShapeTable {
public:
    ShapeTableArray() : curPosition(0) {
        entries = (int*)malloc(sizeof(int) * MAX_ENTRIES);
    }
    void append(int value) {
        entries[curPosition++] = value;
    }
    int search(int value) {
        for (int i = 0; i < MAX_ENTRIES; i++) {
            if (entries[i] == value)
                return i;
        }
        return NOT_AVAILABLE;
    }
    int *entries;
    int curPosition;
};

int main(void) {
    ShapeTable *g_table = new ShapeTableArray();
    /* remainder of main() is not included in the post */
    return 0;
}
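The situation the post describes, modelled as an added C++ example (this is not code from the post and not Clang's own analyzer implementation): the static type of `g_table` only gives the declared class, while a dynamic type recorded at the `new` site pins the call to one concrete override; when no allocation site is visible on the path, the only sound answer is every implementation in the subtree of the static type. Class names follow the post; `ShapeTableList`, the hierarchy table and all function names are constructed assumptions.

```cpp
// Toy model of virtual-call resolution in a path-sensitive checker. This is an
// added example, not Clang's implementation: the hierarchy table, the
// ShapeTableList class and all function names are constructed assumptions.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// What the analyzer knows about each class: its direct base and which
// virtual methods it actually implements (pure virtuals have no body).
struct ClassInfo {
    std::string base;                   // empty for the root class
    std::set<std::string> implemented;  // methods with a body in this class
};
using Hierarchy = std::map<std::string, ClassInfo>;

// The hierarchy from the post, plus a constructed second subclass so the
// conservative (unknown dynamic type) case has more than one target.
Hierarchy shapeHierarchy() {
    return {
        {"ShapeTable",      {"",           {}}},                    // append/search are pure virtual
        {"ShapeTableArray", {"ShapeTable", {"append", "search"}}},
        {"ShapeTableList",  {"ShapeTable", {"append", "search"}}},  // constructed
    };
}

// Per-path state: pointer variable -> dynamic type seen at its `new T()` site.
using DynamicTypes = std::map<std::string, std::string>;

// True if `cls` is `ancestor` or derives from it.
bool derivesFrom(const Hierarchy& h, std::string cls, const std::string& ancestor) {
    for (; !cls.empty(); cls = h.at(cls).base)
        if (cls == ancestor) return true;
    return false;
}

// Walk up from the dynamic type to the class that implements `method`.
std::string findOverrider(const Hierarchy& h, std::string cls, const std::string& method) {
    for (; !cls.empty(); cls = h.at(cls).base)
        if (h.at(cls).implemented.count(method)) return cls + "::" + method;
    return "";  // abstract all the way up: no body to analyze
}

// Resolve `ptr->method()` where `ptr` is declared as `staticType*`.
// Known dynamic type: exactly one target. Unknown: every implementation in the
// subtree rooted at the static type, which is the conservative answer.
std::vector<std::string> resolveVirtualCall(const Hierarchy& h, const DynamicTypes& dyn,
                                            const std::string& ptr, const std::string& staticType,
                                            const std::string& method) {
    std::vector<std::string> targets;
    auto it = dyn.find(ptr);
    if (it != dyn.end()) {
        std::string t = findOverrider(h, it->second, method);
        if (!t.empty()) targets.push_back(t);
        return targets;
    }
    for (const auto& entry : h)
        if (derivesFrom(h, entry.first, staticType) && entry.second.implemented.count(method))
            targets.push_back(entry.first + "::" + method);
    return targets;
}

int main() {
    Hierarchy h = shapeHierarchy();
    // Path 1: the checker saw `g_table = new ShapeTableArray()` earlier on this path.
    DynamicTypes known{{"g_table", "ShapeTableArray"}};
    for (const auto& t : resolveVirtualCall(h, known, "g_table", "ShapeTable", "append"))
        std::cout << "known dynamic type -> " << t << "\n";
    // Path 2: g_table arrived through a parameter; no allocation site is visible.
    DynamicTypes unknown;
    for (const auto& t : resolveVirtualCall(h, unknown, "g_table", "ShapeTable", "append"))
        std::cout << "unknown dynamic type -> " << t << "\n";
    return 0;
}
```

The point for a taint checker is the second path: if the taint on the argument is only propagated into the single override the static type suggests, or into none because `ShapeTable::append` has no body, the flow through the concrete implementation is silently lost; recording the type at the allocation site, or falling back to all implementers, keeps the tainted value attached to whatever `append` actually runs.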



View this message in context: http://clang-developers.42468.n3.nabble.com/Checker-taint-analysis-with-virtual-functions-runtime-polymorphism-handling-tp4026757.html
Sent from the Clang Developers mailing list archive at Nabble.com.