[cfe-dev] Purpose of GenericTaintChecker

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Mon Jun 6 02:31:43 PDT 2016


The analyzer analyzes every statement in the CFG, first calling 
checkPreStmt for it, then "executing" the statement, then calling 
checkPostStmt. The "executing" phase may include other callbacks, such 
as checkBind or checkPreCall/checkPostCall. CFG terminators, such as 
`if()` or `for()` or `?:` or `&&`, are not covered with 
checkPreStmt/checkPostStmt, but with checkBranchCondition.

If you want to observe how taint flows, you can enable the 
debug.TaintTest checker - it warns on all expressions whose values 
are tainted.

If it's still not obvious how GenericTaintChecker operates, you can have 
a look at its unit tests in (test/Analysis/taint-generic.c) and try to 
figure out how that's different from your case. Like, gets() itself 
isn't a bug, so no warning here; but system(gets()) is already suspicious.

Yeah, taint information is the same for all checkers: if 
GenericTaintChecker is enabled, other checkers would see the symbols it 
marked as tainted as tainted.

In any case, I encourage you to share more details on what you're doing, 
because I've no way of guessing what subtle misunderstanding may be 
blocking you. E.g., you may be confusing the value of the symbolic pointer 
and the symbolic value behind that pointer, which is very easy to mess up 
when working with symbols before you collect some intuition/experience, 
or something like that; there may be a lot of problems when you just 
start. Since the previous thread, I finally published some guide for 
beginners 
(https://github.com/haoNoQ/clang-analyzer-guide/releases/download/v0.1/clang-analyzer-guide-v0.1.pdf) 
- though it doesn't contain much on taint (we're already past it, worth 
improving I guess), it might save some time on understanding the ideas 
behind the analyzer.

Another problem you might have encountered - why you don't see taint on 
a CallExpr instantly - is because there's a race between your checker 
and GenericTaintChecker, both of which are subscribing to 
check::PostStmt<CallExpr>. The order of calling different checkers on the 
same callback is currently undefined (though we realize that it's a good 
idea to create dependencies between checkers). Most of the time it 
doesn't matter though, because one usually catches tainted values in 
checkPreStmt. But I've no way of guessing if that's what you're doing.