[cfe-dev] Question about tainting support

Ted Kremenek kremenek at apple.com
Fri Jul 31 22:15:22 PDT 2015


LazyCompoundVal is just the value of 's', it is not 's' itself.  After the call to 'm', does 's' have a new value?  What, semantically, are you trying to track as being tainted?

Since 's' is a struct value, the LazyCompoundVal is just "the struct values of 's' when a specific symbolic Store was used".  We use LazyCompoundVals as an important optimization hack over CompoundVals, but they themselves do not have identity.  They do, however, wrap things that do have identity.  For example, LazyCompoundVal wraps an underlying MemRegion, which is the abstract memory that would have contained the value.  In this case, the MemRegion is for the parameter 's' itself.  Is the idea for 's' itself to be tainted?  If so, you want to query for that MemRegion, and mark it tainted.

> On Jun 9, 2015, at 8:20 PM, Francisco Chiotta <franchiotta at gmail.com> wrote:
> 
> Is it possible to mark as tainted an SVal that represents a class or struct?
> 
> For example, take a look at this code:
> 
> void somemethod(string s) {
>     m(&s);
> }
> 
> I want to taint 's' as soon as it is passed to the 'm' method. &s represents a loc; if I try to get the SVal from it, I get a nonloc:LazyCompoundVal which doesn't have a symbol associated to make it tainted.
> 
> I'm a little bit confused, could anyone please clarify this?
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev