[cfe-dev] Symbolic value assumption for some libc function
Gavin Cui via cfe-dev
cfe-dev at lists.llvm.org
Thu Mar 21 17:58:14 PDT 2019
Never mind, I have found them in StdLibraryFunctionsChecker. Sorry for disturbing you with a stupid question.
By the way, I notice that the Clang Static Analyzer currently does not support analysis across translation units for scalability concerns. Do you have any suggested direction if I really want to do the taint tracking across files?
Thank you,
Sincerely,
Gavin
> On Mar 21, 2019, at 7:52 PM, Gavin Cui <gavincrz at gmail.com> wrote:
>
> Hi, I was exploring the ArrayBoundChecker and TaintPropagation. I tried to make the return value of the read() system call a taint source. I have seen that you already defined it in GenericTaintChecker.cpp. And I found that the checker will not raise an error for the following code even if I replace .Case("read", TaintPropagationRule({0, 2}, {1, ReturnValueIndex})) with .Case("read", TaintPropagationRule({}, {ReturnValueIndex})):
>
> #include <unistd.h>
>
> char buf[20];
> int ret = read(0, buf, 3);
> buf[ret] = 0; // expect to get warning: index is tainted
>
> I think it is because the tool makes the assumption that the return value is less than or equal to 3 after the read() syscall somewhere. But I have a hard time locating the code which handles this specific case. Could you give me some suggestions about which files I should look into in order to turn off the assumption on read() return values?
>
> Thank you!
> Regards,
> Gavin
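The snippet in the quoted message, rewritten as an added example (not code from the thread or from Clang) so that every value read() can return is handled before it is used as an index. The function names read_cstring and demo_read_cstring are chosen here, and the pipe is a constructed input source so the code runs offline.

```c
/* Added example: the read()-then-terminate pattern from the question with the
   return value checked explicitly. POSIX read() returns -1 on error, 0 at end of
   file, or 1..count bytes. Only the last two are valid indices, and the count is
   chosen so the terminating store can never leave the buffer. */
#include <errno.h>
#include <string.h>
#include <unistd.h>

/* Read at most bufsize-1 bytes from fd into buf and NUL-terminate.
   Returns the number of bytes stored, or -1 on error (errno set by read()). */
ssize_t read_cstring(int fd, char *buf, size_t bufsize)
{
    if (buf == NULL || bufsize == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Leave room for the terminator: the index ret can never reach bufsize. */
    ssize_t ret = read(fd, buf, bufsize - 1);
    if (ret < 0)                 /* error: never use -1 as an index */
        return -1;
    /* Here 0 <= ret <= bufsize-1, so this store is in bounds by construction. */
    buf[ret] = '\0';
    return ret;
}

/* Self-check using a pipe as a constructed input source: writes msg into the
   pipe, reads it back through read_cstring, and returns the byte count
   (-1 on any failure). */
ssize_t demo_read_cstring(const char *msg, char *out, size_t outsize)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    size_t len = strlen(msg);
    if (write(fds[1], msg, len) != (ssize_t)len) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);               /* writer closed: reader sees EOF after msg */
    ssize_t n = read_cstring(fds[0], out, outsize);
    close(fds[0]);
    return n;
}
```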