[cfe-dev] Checker - taint analysis with virtual functions (runtime polymorphism handling)

Anna Zaks ganna at apple.com
Tue Sep 18 13:35:16 PDT 2012


Hi Byoungyoung,

Taint analysis relies on the general clang infrastructure for propagating the taint through/into virtual (and regular) calls. Currently, the static analyzer core is not smart enough to de-virtualize the call in this example. However, we are actively working on better IPA support for C++.

That said, we would only resolve the function if the analyzer has enough information to de-virtualize. By default (when not enough info is available), the analyzer core would treat the call as opaque. This is the desired behavior. Even for the taint checker, you might only want to propagate the taint into the specific function if you are sure that there is a path on which that would occur.

Cheers,
Anna.

On Sep 18, 2012, at 12:47 PM, lifeasageek <lifeasageek at gmail.com> wrote:

> Hello,
> 
> I'm playing with Checker to implement taint-analysis for C++
> applications. Referring to GenericTaintChecker.cpp, I've implemented my
> simple taint-analysis but it seems like tainted symbols are not
> propagated for virtual function calls and Checker cannot handle the
> C++ class runtime polymorphism?
> 
> From my understanding, when checker sees virtual function call
> expression, it only knows the declared class type, not the actually
> allocated class type. In the example code below I've written, when
> Checker sees g_table->append(), it only knows g_table is the member
> function of ShapeTable, not of ShapeTableArray.
> 
> Could you tell me how to handle these C++ runtime polymorphism issues?
> Can I force it to visit all the possible (or concrete) virtual
> functions when Checker sees the virtual function calls?
> 
> ------------------------------------------------------
> #include <cstdlib>   // malloc
> 
> // Constants were used but not defined in the original message;
> // the values below are assumed so the example compiles.
> #define MAX_ENTRIES 16
> #define NOT_AVAILABLE (-1)
> 
> class ShapeTable {
> public:
>    virtual void append(int value) = 0;
>    virtual int search(int value) = 0;
>    ShapeTable() {}   // needs a body: the derived constructor calls it
> };
> 
> class ShapeTableArray :public ShapeTable {
> public:
>    ShapeTableArray() : curPosition(0) {
>        // malloc'd storage is uninitialized; only entries[0..curPosition)
>        // are ever written
>        entries = (int*)malloc(sizeof(int) * MAX_ENTRIES);
>    }
> 
>    void append(int value) {
>        entries[curPosition++] = value;
>        return;
>    }
> 
>    int search(int value) {
>        // scans all MAX_ENTRIES slots, so it also reads the uninitialized
>        // tail of the buffer past curPosition
>        for (int i=0; i<MAX_ENTRIES; i++) {
>            if (entries[i] == value)
>                return i;
>        }
>        return NOT_AVAILABLE;
>    }
> private:
>    int *entries;
>    int curPosition;
> };
> 
> int main(void){
>    // static type is ShapeTable*, dynamic type is ShapeTableArray
>    ShapeTable *g_table = new ShapeTableArray();
>    g_table->append(0x1234);
>    g_table->search(0x1234);
>    return 0;
> }
> 
> Thanks,
> Byoungyoung
> 