[cfe-dev] [Analyzer] How to deal with lazy compound values when tracking state

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Sun Mar 5 02:42:01 PST 2017


Whoops, didn't notice Aleksei's comment, sorry; I should unwrap the thread 
before answering. ><


On 3/5/17 1:39 PM, Artem Dergachev wrote:
> Hello, we're almost landing a patch to make this easier: 
> https://reviews.llvm.org/D28445
>
> (the discussion should be helpful as well)
>
> On 3/3/17 9:02 AM, Keno Fischer via cfe-dev wrote:
>> Hi there,
>>
>> I'm implementing a kind of taint propagation and I'm running into a
>> bit of trouble when some of the tainted values are structs, because of
>> the LazyCompoundValue optimization. First to illustrate the kind of
>> thing I want to do, consider:
>>
>> /* clang_analyzer_explain() is provided by the debug.ExprInspection
>>    checker; declare it so the snippet compiles as plain C. */
>> void clang_analyzer_explain(int);
>> extern int tainted_function1(void);
>> void foo(void) {
>>      int x = tainted_function1();
>>      clang_analyzer_explain(x);
>> }
>>
>> Where I try to annotate the taint upon returning from the call
>> (check::PostCall).
>> Now, this works well, because `x` is `symbol of type 'int' conjured at
>> statement 'tainted_function1()'`, so I can store its taintedness in a
>> SymbolRef->bool map and everyone is happy. However, I'm having trouble
>> extending the same logic to:
>>
>> struct foo {
>>      int a;
>>      int b;
>> };
>> /* debug.ExprInspection accepts any prototype; declare it for struct foo. */
>> void clang_analyzer_explain(struct foo);
>> extern struct foo tainted_function2(void);
>> void foo(void) {
>>      struct foo val = tainted_function2();
>>      clang_analyzer_explain(val);
>> }
>>
>> because `val` is then a `lazily frozen compound value of local
>> variable 'val'`. I tried playing with that a bit, but I'm having
>> trouble getting at the symbol from the lazy compound val (I tried
>> getBinding with the Store and the region from the lazy compound val,
>> but that just gives me another lazy compound value). How do I
>> de-lazify the value?
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at lists.llvm.org
>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>