[analyzer] Support partially tainted records.
The analyzer's taint analysis can now reason about structures or arrays originating from taint sources in which only certain sections are tainted.

In particular, it also benefits modeling functions like read(), which may read tainted data into a section of a structure, but RegionStore is incapable of expressing the fact that the rest of the structure remains intact, even if we try to model read() directly.

Patch by Vlad Tsyrklevich!

Differential revision: https://reviews.llvm.org/D28445

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@304162 91177308-0d34-0410-b5e6-96231b3b80d8

Showing
- include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h: 15 additions, 0 deletions
- include/clang/StaticAnalyzer/Core/PathSensitive/TaintManager.h: 10 additions, 0 deletions
- lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp: 24 additions, 59 deletions
- lib/StaticAnalyzer/Core/ProgramState.cpp: 83 additions, 20 deletions
- lib/StaticAnalyzer/Core/RegionStore.cpp: 4 additions, 1 deletion
- test/Analysis/taint-generic.c: 31 additions, 10 deletions