This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Prepare generic taint checker for new sources
Closed Public

Authored by boga95 on Mar 6 2019, 2:47 PM.

Details

Summary

Previously the taint propagation rules and the taint sources were checked in different steps.
Taint propagation goes in two steps: addSourcesPre marked the tainted arguments and the return value, then the propagateFromPre set the tainted flag. After that, addSourcesPost set the tainted flag for the source function's (e.g. scanf, socket) arguments or return value.
There is no reason why it should be that way. A source function can be interpreted as a propagation rule when no srcArg is defined.
I modified the TaintPropagationRule to support source functions and merged them with the propagation rules.

Diff Detail

Repository
rC Clang

Event Timeline

boga95 created this revision. Mar 6 2019, 2:47 PM
NoQ accepted this revision. Mar 7 2019, 4:15 PM

Ok, so "source" functions are now merely "propagate from nothing" functions? Fair enough!

This revision is now accepted and ready to land. Mar 7 2019, 4:15 PM
boga95 added a comment. Mar 8 2019, 1:04 AM

Yes, they do. Thanks for the review.

Szelethus accepted this revision. Mar 8 2019, 1:22 AM

Cheers!

This revision was automatically updated to reflect the committed changes.
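
The merge described in the summary, sketched as a small stand-alone model: one rule table in which a taint source is simply a rule with no source arguments. This is an added example, not code from the revision or from Clang; `Rule`, `SrcArgs`, `DstArgs`, `VariadicDstFrom`, `ReturnValue`, `taintedAfterCall` and the modelled behaviour of each listed function are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Simplified model with hypothetical names; not Clang's real classes.
constexpr int ReturnValue = -1;  // pseudo-index standing for the return value

struct Rule {
  std::vector<int> SrcArgs;  // empty: fires unconditionally, i.e. a taint source
  std::vector<int> DstArgs;  // indices (or ReturnValue) that become tainted
  int VariadicDstFrom = -1;  // if >= 0, taint every argument from this index on
};

// One table holds sources and propagators alike (assumed behaviour per entry).
const std::map<std::string, Rule> Rules = {
    {"socket", {{}, {ReturnValue}}},      // source: return value is tainted
    {"scanf", {{}, {}, 1}},               // source: all arguments after the format
    {"strcpy", {{1}, {0, ReturnValue}}},  // propagator: arg 1 -> arg 0 and return
};

// Indices tainted after calling Fn with NumArgs arguments, given the
// argument indices that were already tainted before the call.
std::set<int> taintedAfterCall(const std::string &Fn, int NumArgs,
                               const std::set<int> &TaintedArgs) {
  std::set<int> Out = TaintedArgs;
  auto It = Rules.find(Fn);
  if (It == Rules.end())
    return Out;  // unmodelled function: taint state unchanged
  const Rule &R = It->second;
  bool Fires = R.SrcArgs.empty();  // no source argument: "propagate from nothing"
  for (int A : R.SrcArgs)
    Fires = Fires || TaintedArgs.count(A) > 0;
  if (!Fires)
    return Out;  // propagator called with clean inputs
  for (int D : R.DstArgs)
    Out.insert(D);
  for (int I = R.VariadicDstFrom; I >= 0 && I < NumArgs; ++I)
    Out.insert(I);
  return Out;
}

int main() {
  // scanf("%d %d", &a, &b): prints the argument indices tainted by the call.
  for (int I : taintedAfterCall("scanf", 3, {}))
    std::cout << I << ' ';
  std::cout << '\n';
}
```

Because sources and propagators share one lookup path, adding a new source in this model is a single table entry rather than a change to a separate pre/post-call step.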