[cfe-dev] [analyzer] Zombie symbols.

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Tue Mar 29 07:10:59 PDT 2016

 > You might want to store this in the repo by
 > adding a document or extending this one:
 > ./docs/analyzer/RegionStore.txt

Hmm, i wish i could fix the bugs rather than document them (= Will have 
a look!

 > Taint has never been fully implemented. I also
 > want to investigate using flow-sensitive analysis
 > for taint tracking instead of the approach the
 > current half-implementation uses.

The current approach seems very sensible to me, i like it, and i'm not 
quite aware of any significant theoretical problems.

The implementation gore of sharing the state trait across checkers is 
annoying, but since we want to eventually share all traits in a generic 
manner anyway, this problem would eventually be gone. It is also a bit 
hard to work with tainted strings, but that seems to be an SVal 
hierarchy thing rather than a taint implementation problem.

Taint analysis becomes the most effective with heavy IPA, probably 
better even with inter-unit analysis and good call graph sorting to 
ensure top-bottom analysis, implying huge node limits, because 
input-output and usage are often spread out very far away from each 
other, through many function calls. It wouldn't find many things if it 
only considers small scopes.

More information about the cfe-dev mailing list