Previously the taint propagation rules and the taint sources were checked in different steps.
Taint propagation goes in two steps: addSourcesPre marked the tainted arguments and the return value, then propagateFromPre set the tainted flag. After that addSourcesPost set the tainted flag for the source function's (e.g. scanf, socket) arguments or return value.
There is no reason why it should be that way. A source function can be interpreted as a propagation rule when no srcArg is defined.
I modified the TaintPropagationRule to support source functions and merged them with the propagation rules.
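To make the idea behind the merge concrete, here is an added, self-contained C++ model of a unified rule table. It is not Clang's TaintPropagationRule or GenericTaintChecker code; the Rule, Call and propagate names, the constructed calls, and the simplified per-argument handling of scanf (the real checker treats scanf's variadic outputs as destinations) are assumptions of this example. The point it demonstrates is the one in the description: a rule whose source-argument list is empty is a source, and it taints its destinations unconditionally, so sources and propagation rules can share one representation and one propagation step.

```cpp
#include <cassert>
#include <cstddef>
#include <map>
#include <set>
#include <string>
#include <vector>

// Marker index meaning "the call's return value" (an assumption of this model).
constexpr int kReturn = -1;

// Hypothetical simplified rule: taint flows from any tainted SrcArgs to every
// DstArgs entry. An empty SrcArgs list turns the rule into a source function.
struct Rule {
  std::vector<int> SrcArgs; // argument indices whose taint is propagated
  std::vector<int> DstArgs; // argument indices (or kReturn) that become tainted
};

// A constructed call site: callee name, the symbolic values passed as
// arguments, and the symbolic name of the returned value.
struct Call {
  std::string Callee;
  std::vector<std::string> Args;
  std::string Ret;
};

// Apply the matching rule to one call and return the updated taint set.
// With no SrcArgs there is nothing to check, so the destinations are tainted
// unconditionally: this is the "propagate from nothing" reading of a source.
std::set<std::string> propagate(const std::map<std::string, Rule> &Rules,
                                const Call &C, std::set<std::string> Tainted) {
  auto It = Rules.find(C.Callee);
  if (It == Rules.end())
    return Tainted;
  const Rule &R = It->second;
  bool IsTainted = R.SrcArgs.empty();
  for (int I : R.SrcArgs)
    if (I >= 0 && static_cast<std::size_t>(I) < C.Args.size() &&
        Tainted.count(C.Args[I]))
      IsTainted = true;
  if (!IsTainted)
    return Tainted;
  for (int I : R.DstArgs) {
    if (I == kReturn)
      Tainted.insert(C.Ret);
    else if (I >= 0 && static_cast<std::size_t>(I) < C.Args.size())
      Tainted.insert(C.Args[I]);
  }
  return Tainted;
}

// One table holds both kinds of rule; sources simply have no SrcArgs.
std::map<std::string, Rule> makeRules() {
  return {
      {"scanf", Rule{{}, {1}}},         // source: taints its first output arg
      {"getchar", Rule{{}, {kReturn}}}, // source: tainted return value
      {"strcpy", Rule{{1}, {0}}},       // propagation: dst receives src taint
      {"atoi", Rule{{0}, {kReturn}}},   // propagation: return tainted if arg is
  };
}

// Worked run over constructed calls:
//   scanf("%s", buf); strcpy(copy, buf); n = atoi(copy); m = atoi(clean);
std::set<std::string> runSample() {
  auto Rules = makeRules();
  std::set<std::string> T;
  T = propagate(Rules, {"scanf", {"fmt", "buf"}, "scanf_ret"}, T);
  T = propagate(Rules, {"strcpy", {"copy", "buf"}, "strcpy_ret"}, T);
  T = propagate(Rules, {"atoi", {"copy"}, "n"}, T);
  T = propagate(Rules, {"atoi", {"clean"}, "m"}, T); // untainted input
  return T;
}
```

Running runSample() taints buf (from the scanf source), copy (via strcpy) and n (via atoi), while m and fmt stay clean; the same propagate() call handles the source and the two propagation rules, which is the simplification the description argues for.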
Details
- Reviewers: gerazo, xazax.hun, Szelethus, a_sidorin, dcoughlin, george.karpenkov, NoQ
- Commits:
  - rG2827349c9d7e: [analyzer] Use the new infrastructure of expressing taint propagation, NFC
  - rL355703: [analyzer] Use the new infrastructure of expressing taint propagation, NFC
  - rC355703: [analyzer] Use the new infrastructure of expressing taint propagation, NFC
Diff Detail
- Repository: rC Clang
Event Timeline
Ok, so "source" functions are now merely "propagate from nothing" functions? Fair enough!