xazax.hun added a comment.
You cannot always have constant bounds. E.g. a dynamically allocated array size
might depend on a variable.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D73536/new/
https://reviews.llvm.org/D73536
steakhal added a comment.
I genuinely think that in the following case we should warn, since the user
already had a chance to express the range assumption using an `assert`.
I think that regardless of which checker checks for a given constraint, and
under what condition.
If the expression is tainted, we
xazax.hun added a comment.
I think a crucial part of the design is what would we do for the following case:
```c
if (x < y || x > z)
  return;
// Here we might not have ranges for x when y and z were symbolic.
mySink(x); // requires x to be in [0, 255]
```
So would we warn for the code above? X
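The design question above (is a tainted `x` sanitized by a range check whose bounds `y` and `z` are themselves symbolic, when the sink requires a constant range?) can be made concrete with a small model of the path state. The following is an added illustration written for this page; it is not code from the Clang Static Analyzer, from D73536, or from any of the commenters, and the names `State`, `Sym`, `assume_in_range` and `check_sink` are made up. Where the thread leaves the symbolic-bounds case open, the model takes the conservative choice and warns.

```python
"""Toy model: when is a tainted value sanitized for a range-restricted sink?

Added example for this review thread, not Clang Static Analyzer code.
`State` tracks whether x is tainted and what bounds (if any) the current
path has established for it.  A bound is either a concrete int or a `Sym`,
standing in for a symbolic value such as `y` or `z` in the thread.
"""
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class Sym:
    """A symbolic value whose concrete range is unknown on this path."""
    name: str


Bound = Union[int, Sym]


@dataclass(frozen=True)
class State:
    tainted: bool = False
    lo: Optional[Bound] = None   # lower bound on x established so far, if any
    hi: Optional[Bound] = None   # upper bound on x established so far, if any


def taint(state: State) -> State:
    """x comes from an untrusted source; any earlier bounds are dropped."""
    return State(tainted=True, lo=None, hi=None)


def assume_in_range(state: State, lo: Bound, hi: Bound) -> State:
    """The fall-through path of `if (x < lo || x > hi) return;` (or an
    equivalent `assert(x >= lo && x <= hi)`): x is now in [lo, hi], but
    lo and hi may themselves be symbolic."""
    return State(tainted=state.tainted, lo=lo, hi=hi)


def check_sink(state: State, req_lo: int, req_hi: int) -> str:
    """Verdict when x reaches a sink that requires x in [req_lo, req_hi]."""
    if not state.tainted:
        return "ok: not tainted"
    if state.lo is None or state.hi is None:
        return "warn: tainted value reaches sink unconstrained"
    if isinstance(state.lo, Sym) or isinstance(state.hi, Sym):
        # The open design question from the thread: the only bounds we have
        # are symbolic, so [req_lo, req_hi] cannot be proven.  This model
        # warns; an analyzer could instead try to relate lo/hi to constants.
        return "warn: bounds are symbolic, required range not provable"
    if state.lo >= req_lo and state.hi <= req_hi:
        return "ok: constant bounds within required range"
    return "warn: constant bounds exceed required range"


def thread_cases() -> dict:
    """The situations discussed in the thread, as paths through the model."""
    t = taint(State())
    return {
        # `assert(x >= 0 && x <= 255); mySink(x);`
        "assert_constant": check_sink(assume_in_range(t, 0, 255), 0, 255),
        # `if (x < y || x > z) return; mySink(x);` with symbolic y, z
        "symbolic_bounds": check_sink(
            assume_in_range(t, Sym("y"), Sym("z")), 0, 255),
        # no check at all before the sink
        "no_check": check_sink(t, 0, 255),
        # a constant check that is too weak for the sink
        "weak_constant": check_sink(assume_in_range(t, 0, 1000), 0, 255),
        # the same code when x was never tainted
        "untainted": check_sink(assume_in_range(State(), Sym("y"), Sym("z")),
                                0, 255),
    }


if __name__ == "__main__":
    for name, verdict in thread_cases().items():
        print(f"{name:16} -> {verdict}")
```

Only the `assert`-style check with constant bounds inside the sink's range counts as sanitization here; the symbolic-bound check keeps the taint, which is the conservative reading of "we shouldn't remove taint from expressions used in comparisons".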
Szelethus added a comment.
I think it's very good that this conversation came up, and it might just happen
that we'll end up removing some taint when we have a better understanding of
how this works. For now, I think we can put this aside :)
steakhal added a subscriber: martong.
steakhal added a comment.
I'm convinced that we shouldn't remove taint from expressions used in
comparisons.
With the current configuration files, `sink` functions are not too useful.
For now, I would delay developing a mechanism describing constraints