NoQ added inline comments.
================
Comment at: clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp:289
+ NameRuleMap CustomPropagations{
+ {"c_str", {"std::__cxx11::basic_string", {{0}, {ReturnValueIndex}}}},
+ {"data", {"std::__cxx11::basic_string", {{0}, {ReturnValueIndex}}}},
----------------
Szelethus wrote:
> Hmm, is this the appropriate place to put these? It seems like this job is
> handled in `getTaintPropagationRule`. I thought `CustomPropagations` are
> reserved for the config file.
So `0` stands for `this`? Can we have a named constant please? ^.^
================
Comment at: clang/lib/StaticAnalyzer/Checkers/Taint.cpp:155-162
+ if (auto LCV = V.getAs<nonloc::LazyCompoundVal>()) {
+ if (Optional<SVal> binding =
+ State->getStateManager().getStoreManager().getDefaultBinding(
+ *LCV)) {
+ if (SymbolRef Sym = binding->getAsSymbol())
+ return isTainted(State, Sym, Kind);
+ }
----------------
Aha, ok, so this is your plan: only ever deal with fully conjured objects.
I suspect that it'll fail when the function that produces the object is fully
inlined. It's probably unlikely to happen with things like `std::cin` but it's
pretty likely to happen with custom taint sources defined by the user. Once you
want to fix this, you'll probably have to iterate through all direct bindings
in the structure and mark them tainted as well.
================
Comment at: clang/test/Analysis/taint-generic.cpp:129
+// Test I/O
+namespace std {
+template <class CharT>
----------------
Let's add a header simulator for this if we didn't already.
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D71524/new/
https://reviews.llvm.org/D71524
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
