[cfe-dev] General query : Alpha security checkers and taint analysis

Ashwin Ganesh via cfe-dev cfe-dev at lists.llvm.org
Mon Apr 4 01:16:15 PDT 2016


1) I went through GenericTaintChecker.cpp and I am not sure which part of
the code propagates the taint. For example,
x = getchar();
char y = x + 1;
Which part of the code taints y? Every part of the code I see seems to deal
with functions.

2) Secondly, how do I use the debugging checkers like TaintTesterChecker? I
can't quite seem to locate this in the documentation.

Regards,
Ashwin

On Fri, Apr 1, 2016 at 10:31 PM, Artem Dergachev via cfe-dev <
cfe-dev at lists.llvm.org> wrote:

> Source for pretty much everything is available. To see what code
> corresponds to what checker, consult the Checkers.td file; for the
> TaintPropagation checker, GenericTaintChecker.cpp is the correct code file.
>
> With clang static analyzer, you don't need to (though you may) implement
> taint propagation manually in every checker - the TaintPropagation checker
> already does a pretty good job, just enable it and code parts that it
> doesn't support out of the box.
>
> The static analyzer works only with the source code in C/C++/Objective-C.
>
> You should have no problem dumping all accesses to the tainted values,
> similarly to TaintTester, though the current diagnostic engine isn't very
> suitable for massive dumps of big data for further analysis - it was
> designed to report small numbers of actual bug reports and provides useful
> facilities for that.
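Added example, not part of the original message or of the Clang sources: a constructed C file for running the taint tester on the kind of arithmetic the question asks about. It uses scanf as the taint source instead of getchar, and the checker names in the command (alpha.security.taint.TaintPropagation, debug.TaintTest) and the file name are assumptions to check against Checkers.td in your tree.

```c
/* taint_demo.c: constructed sample for this thread, not code from Clang.
 *
 * Assumed invocation (verify the checker names in Checkers.td):
 *
 *   clang --analyze -Xanalyzer \
 *     -analyzer-checker=alpha.security.taint.TaintPropagation,debug.TaintTest \
 *     taint_demo.c
 */
#include <stdio.h>

static char table[16];

/* Validate an untrusted index before it is used; -1 means "rejected". */
int checked_index(unsigned i) {
    if (i >= sizeof table)
        return -1;
    return (int)i;
}

int main(void) {
    unsigned x = 0;

    /* scanf is modelled as a taint source: the value written to x is tainted. */
    if (scanf("%u", &x) != 1)
        return 1;

    /* No call happens on this line, so no function rule in the checker fires.
     * The analyzer binds y to the symbolic expression (x + 1); a taint query
     * on that expression also inspects the symbols it is built from, so
     * debug.TaintTest marks this line "tainted". */
    unsigned y = x + 1;

    /* Range-check the derived value before it reaches the array. */
    int idx = checked_index(y);
    if (idx < 0)
        return 1;

    table[idx] = 'A';
    printf("%d\n", idx);
    return 0;
}
```

debug.TaintTest is a debugging aid that flags every tainted expression it sees, so expect one "tainted" diagnostic per use of x and y rather than a single bug report.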