[cfe-dev] [Analyzer] How to deal with lazy compound values when tracking state

Keno Fischer via cfe-dev cfe-dev at lists.llvm.org
Sun Mar 5 13:31:10 PST 2017


Yes, I saw and have read the thread with interest, though admittedly I
am not sure I am perfectly clear on how to use it yet. However, before
asking for further help, I'll have to play with it a bit and see if I
can apply it to my use case.

On Sun, Mar 5, 2017 at 5:42 AM, Artem Dergachev <noqnoqneo at gmail.com> wrote:
> Whoops didn't notice Aleksei's comment sry, should unwrap the thread before
> answering><
>
>
>
> On 3/5/17 1:39 PM, Artem Dergachev wrote:
>>
>> Hello, we're almost landing a patch to make this easier:
>> https://reviews.llvm.org/D28445
>>
>> (the discussion should be helpful as well)
>>
>> On 3/3/17 9:02 AM, Keno Fischer via cfe-dev wrote:
>>>
>>> Hi there,
>>>
>>> I'm implementing a kind of taint propagation and I'm running into a
>>> bit of trouble when some of the tainted values are structs, because of
>>> the LazyCompoundValue optimization. First to illustrate the kind of
>>> thing I want to do, consider:
>>>
>>> extern int tainted_function1();
>>> void foo() {
>>>      int x = tainted_function1();
>>>      clang_analyzer_explain(x);
>>> }
>>>
>>> Where I try to annotate the taint upon returning from the call
>>> (check::PostCall).
>>> Now, this works well, because `x` is `symbol of type 'int' conjured at
>>> statement 'tainted_function1()'`, so I can store its taintedness in a
>>> SymbolRef->bool map and everyone is happy. However, I'm having trouble
>>> extending the same logic to:
>>>
>>> struct foo {
>>>      int a;
>>>      int b;
>>> };
>>> extern struct foo tainted_function2();
>>> void foo() {
>>>      struct foo val = tainted_function2();
>>>      clang_analyzer_explain(val);
>>> }
>>>
>>> because `val` is then a `lazily frozen compound value of local
>>> variable 'val'`. I tried playing with that a bit, but I'm having
>>> trouble getting at the symbol from the lazy compound val (I tried
>>> getBinding with the Store and the region from the lazy compound val,
>>> but that just gives me another lazy compound value). How do I
>>> de-lazify the value?
>>> _______________________________________________
>>> cfe-dev mailing list
>>> cfe-dev at lists.llvm.org
>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>>
>>
>
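The gap the question describes, illustrated by an added, self-contained C++ model (this is not Clang's code and not the analyzer's API; the names `SVal`, `LazyCompoundVal`, `Store`, `loadStruct` and `scanReachableSymbols` are assumptions modelled on the analyzer's concepts): a `SymbolRef -> bool` taint map answers correctly for the scalar `x`, answers "untainted" for the struct `val` because a lazy compound value carries no symbol of its own, and a walk over every binding reachable from the value's region in its frozen store recovers the taint. The model goes slightly beyond the post by also covering structs bound field by field rather than through one default binding.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <set>
#include <string>

// Constructed model of the analyzer's value domain (assumed names, not Clang's API).
typedef int SymbolRef;          // a conjured symbol, numbered in creation order
typedef std::string RegionId;   // "val" for a variable, "val.b" for a field subregion

struct LazyCompoundVal;

struct SVal {
  enum Kind { Unknown, Symbol, LazyCompound };
  Kind kind = Unknown;
  SymbolRef sym = 0;                            // meaningful when kind == Symbol
  std::shared_ptr<const LazyCompoundVal> lcv;   // meaningful when kind == LazyCompound
  static SVal makeSymbol(SymbolRef s) { SVal v; v.kind = Symbol; v.sym = s; return v; }
  static SVal makeLazy(std::shared_ptr<const LazyCompoundVal> l) {
    SVal v; v.kind = LazyCompound; v.lcv = l; return v;
  }
};

typedef std::map<RegionId, SVal> Store;   // region -> bound value

// Reading a struct does not copy its fields: the store is frozen and the region remembered.
struct LazyCompoundVal {
  Store snapshot;
  RegionId region;
};

typedef std::map<SymbolRef, bool> TaintMap;

SVal loadStruct(const Store &S, const RegionId &R) {
  std::shared_ptr<LazyCompoundVal> L = std::make_shared<LazyCompoundVal>();
  L->snapshot = S;
  L->region = R;
  return SVal::makeLazy(L);
}

// Shallow check: the SymbolRef -> bool lookup from the post. Only scalars carry a symbol.
bool shallowIsTainted(const SVal &V, const TaintMap &T) {
  if (V.kind != SVal::Symbol) return false;
  TaintMap::const_iterator I = T.find(V.sym);
  return I != T.end() && I->second;
}

// Descend into lazy compound values: every binding at the region (a default binding
// for the whole struct) or below it (per-field bindings) contributes its symbols.
void scanReachableSymbols(const SVal &V, std::set<SymbolRef> &Out) {
  if (V.kind == SVal::Symbol) { Out.insert(V.sym); return; }
  if (V.kind != SVal::LazyCompound) return;
  const LazyCompoundVal &L = *V.lcv;
  const std::string Prefix = L.region + ".";
  for (Store::const_iterator I = L.snapshot.begin(); I != L.snapshot.end(); ++I) {
    const RegionId &R = I->first;
    if (R == L.region || R.compare(0, Prefix.size(), Prefix) == 0)
      scanReachableSymbols(I->second, Out);   // snapshots are older, so this terminates
  }
}

bool reachableIsTainted(const SVal &V, const TaintMap &T) {
  std::set<SymbolRef> Syms;
  scanReachableSymbols(V, Syms);
  for (std::set<SymbolRef>::const_iterator I = Syms.begin(); I != Syms.end(); ++I)
    if (shallowIsTainted(SVal::makeSymbol(*I), T)) return true;
  return false;
}

// Constructed scenario mirroring the two functions in the post.
struct Scenario {
  TaintMap Taint;
  SVal x;      // int x = tainted_function1();
  SVal val;    // struct foo val = tainted_function2();
  SVal mixed;  // struct whose field b alone holds a tainted symbol
  SVal clean;  // struct with no tainted symbol anywhere
};

Scenario buildScenario() {
  Scenario Sc;
  Store S;
  Sc.Taint[1] = true;                 // PostCall on tainted_function1: conjured $1 tainted
  S["x"] = SVal::makeSymbol(1);
  Sc.Taint[2] = true;                 // PostCall on tainted_function2: conjured $2 tainted,
  S["val"] = SVal::makeSymbol(2);     // bound as the default binding of the whole struct
  S["mixed.a"] = SVal::makeSymbol(3); // field-wise bindings, only mixed.b is tainted
  S["mixed.b"] = SVal::makeSymbol(2);
  S["clean.a"] = SVal::makeSymbol(4);
  S["clean.b"] = SVal::makeSymbol(5);
  Sc.x = S["x"];
  Sc.val = loadStruct(S, "val");      // the "lazily frozen compound value of 'val'"
  Sc.mixed = loadStruct(S, "mixed");
  Sc.clean = loadStruct(S, "clean");
  return Sc;
}

int main() {
  Scenario Sc = buildScenario();
  std::cout << "x shallow=" << shallowIsTainted(Sc.x, Sc.Taint)
            << " val shallow=" << shallowIsTainted(Sc.val, Sc.Taint)
            << " val reachable=" << reachableIsTainted(Sc.val, Sc.Taint) << "\n";
  return 0;
}
```

The point of the walk is that the struct-typed symbol conjured for the call still exists; it is simply bound to the region rather than exposed as the value, so a taint lookup keyed on the value's own symbol cannot see it and the struct silently becomes untainted.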