[cfe-dev] Clang Static Analyzer conditional terminating call back
Gavin Cui via cfe-dev
cfe-dev at lists.llvm.org
Fri Sep 20 07:09:49 PDT 2019
Hello all,
I want to check if a tainted value can affect the control flow of some sensitive functions. For example:
    value = taint_source();
    if (value < xxx) {
        sensitive_func();
    }
The taint propagation in the Clang Static Analyzer fits part of my need. One approach I can think of is:
Whenever I encounter a branch condition (registering a checkBranchCondition() callback), I will push a tag (tainted or not) to a taintStack variable in ProgramState.
After the branch block is closed, I will pop one tag.
If sensitive_function() is encountered, I will check all the tags in taintStack to see if any of them is tainted.
The problem is that I did not find a callback like checkBranchCondition() that is called every time a branch block is exited. Then what would be a good approach for this control flow checking?
Any suggestions would be appreciated.
Thank you,
Gavin
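
The push/pop scheme described in the message above, as an added example that is not part of the original post and does not use Clang's checker API. It assumes a toy structured statement tree, where the end of each branch block is known to the walker; the names Stmt, call, branch and ControlTaintWalker are hypothetical.

```cpp
#include <string>
#include <utility>
#include <vector>

// Toy statement tree, constructed for illustration (not Clang's AST or checker API).
struct Stmt {
    enum Kind { Call, If } kind = Call;
    std::string callee;           // Call: name of the function called
    bool condTainted = false;     // If: condition depends on a tainted value
    std::vector<Stmt> body;       // If: statements guarded by the condition
};

Stmt call(std::string f) { Stmt s; s.callee = std::move(f); return s; }
Stmt branch(bool tainted, std::vector<Stmt> body) {
    Stmt s; s.kind = Stmt::If; s.condTainted = tainted; s.body = std::move(body);
    return s;
}

// One tag per enclosing branch: push when a branch opens, pop when it closes,
// and inspect every tag when the sensitive function is reached.
class ControlTaintWalker {
public:
    explicit ControlTaintWalker(std::string sensitive) : sensitive_(std::move(sensitive)) {}

    // Returns how many sensitive calls sit under at least one tainted condition.
    int run(const std::vector<Stmt>& stmts) {
        int flagged = 0;
        for (const Stmt& s : stmts) {
            if (s.kind == Stmt::Call) {
                if (s.callee == sensitive_ && anyTainted()) ++flagged;
            } else {
                taintStack_.push_back(s.condTainted);  // branch opens
                flagged += run(s.body);
                taintStack_.pop_back();                // branch closes
            }
        }
        return flagged;
    }

private:
    bool anyTainted() const {
        for (bool t : taintStack_) if (t) return true;
        return false;
    }
    std::string sensitive_;
    std::vector<bool> taintStack_;
};
```

A sensitive call nested under a clean condition is still flagged when an outer condition is tainted, and a call that follows a closed tainted branch is not, because its tag has already been popped.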