[cfe-dev] [Analyzer] How to deal with lazy compound values when tracking state
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Sun Mar 5 02:39:42 PST 2017
Hello, we're almost landing a patch to make this easier:
https://reviews.llvm.org/D28445
(the discussion should be helpful as well)
On 3/3/17 9:02 AM, Keno Fischer via cfe-dev wrote:
> Hi there,
>
> I'm implementing a kind of taint propagation and I'm running into a
> bit of trouble when some of the tainted values are structs, because of
> the LazyCompoundValue optimization. First to illustrate the kind of
> thing I want to do, consider:
>
> extern int tainted_function1();
> void foo() {
>   int x = tainted_function1();
>   clang_analyzer_explain(x);
> }
>
> Where I try to annotate the taint upon returning from the call
> (check::PostCall).
> Now, this works well, because `x` is `symbol of type 'int' conjured at
> statement 'tainted_function1()'`, so I can store its taintedness in a
> SymbolRef->bool map and everyone is happy. However, I'm having trouble
> extending the same logic to:
>
> struct foo {
>   int a;
>   int b;
> };
> extern struct foo tainted_function2();
> void foo() {
>   struct foo val = tainted_function2();
>   clang_analyzer_explain(val);
> }
>
> because `val` is then a `lazily frozen compound value of local
> variable 'val'`. I tried playing with that a bit, but I'm having
> trouble getting at the symbol from the lazy compound val (I tried
> getBinding with the Store and the region from the lazy compound val,
> but that just gives me another lazy compound value). How do I
> de-lazify the value?