[cfe-dev] [analyzer] Zombie symbols.
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Tue Mar 29 07:10:59 PDT 2016
> You might want to store this in the repo by
> adding a document or extending this one:
> ./docs/analyzer/RegionStore.txt
Hmm, I wish I could fix the bugs rather than document them (= Will have
a look!
> Taint has never been fully implemented. I also
> want to investigate using flow-sensitive analysis
> for taint tracking instead of the approach the
> current half-implementation uses.
The current approach seems very sensible to me, I like it, and I'm not
quite aware of any significant theoretical problems.
The implementation gore of sharing the state trait across checkers is
annoying, but since we want to eventually share all traits in a generic
manner anyway, this problem would eventually be gone. It is also a bit
hard to work with tainted strings, but that seems to be an SVal
hierarchy thing rather than a taint implementation problem.
Taint analysis becomes most effective with heavy IPA, probably even
better with inter-unit analysis and good call graph sorting to ensure
top-down analysis, implying huge node limits, because input, output and
usage are often spread out very far away from each other, through many
function calls. It wouldn't find many things if it only considered
small scopes.