[cfe-dev] Adding taint sources to GenericTaintChecker

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Wed Apr 13 08:08:43 PDT 2016

 > Oh, is someone currently working on this? What would be the basic 
 > if anyone has to start working on adding support for float , atleast 
 > analysis to start with?

We had a quick look in our team, but we don't have a ready-made patch.

First, you'd need a sub-class of SVal to store concrete floating-point 
values, i.e. nonloc::ConcreteFloat that is similar to 
nonloc::ConcreteInt but wraps around APFloat. You'd also need 
SymFloatExpr and FloatSymExpr symbolic expression classes, similarly to 
SymIntExpr and IntSymExpr but holding APFloat as their RHS or LHS 
respectively. These symbolic expressions need to be considered in a few 
places, eg. they need to inherit taint from their symbolic operand.

And after that probably I'd start with making ExprEngine and SValBuilder 
produce less UnknownVal's for float-type stuff - instead, produce a 
relevant atomic symbol or symbolic expression - and probably add a few 
stubs into RangeConstraintManager to avoid simplifying these symbols. If 
this doesn't cause many new false positives, then you should be already 
ok with it, as it should be enough to let taint analysis work.

The final step would be to let RangeConstraintManager actually reason 
about floats, i.e. transform "(conj_$1<float> >= 0.0): [1, 255]" into 
"conj_$1<float>: [0.0, +inf]" (or whatever the current floating-point 
semantics thinks about infinity). This would finish the open project.

More information about the cfe-dev mailing list