
[analyzer][taint] Extent of heap regions should get taint sometimes

Authored by steakhal on Mar 31 2021, 6:31 AM.



If we allocate a tainted amount of memory, the extent of that region will clearly depend on a tainted value.

We could later make use of this, for example when we try to prove that the array access is valid (0 <= idx < extent).
If the inequality would depend on the tainted value, we should still emit a warning (in ArrayBoundV2), as we currently do if the idx is tainted.
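As an added illustration of the rule described in this summary (constructed here; not the patch's code and not the analyzer's real `SVal`/`MemRegion` API), the following toy model tracks taint through the extent of a malloc'ed region and shows why an index check against that extent should be reported even when the index itself is a clean constant. All type and function names are assumed for the example.

```c
#include <stdbool.h>

/* A symbolic value as the toy analyzer sees it: either a concrete number or
   an unconstrained unknown, in both cases with a taint flag (constructed model). */
typedef struct {
    bool concrete;   /* false: no constraint known on the value */
    long value;      /* meaningful only when concrete */
    bool tainted;    /* derived from untrusted input */
} SymVal;

typedef struct {
    SymVal extent;   /* number of elements the region can hold */
} HeapRegion;

typedef enum {
    VERDICT_SAFE,          /* 0 <= idx < extent is provably true */
    VERDICT_OUT_OF_BOUNDS, /* provably false */
    VERDICT_UNDECIDED,     /* unknown and untainted: stay silent */
    VERDICT_TAINTED        /* unknown and tainted: emit a warning */
} Verdict;

/* malloc(size): the new region's extent inherits the size's taint, which is
   the rule the patch adds. */
HeapRegion model_malloc(SymVal size) {
    HeapRegion r;
    r.extent = size;
    return r;
}

/* ArrayBoundV2-style decision for buf[idx]. */
Verdict check_access(HeapRegion buf, SymVal idx) {
    if (idx.concrete && idx.value < 0)
        return VERDICT_OUT_OF_BOUNDS;
    if (idx.concrete && buf.extent.concrete)
        return idx.value < buf.extent.value ? VERDICT_SAFE : VERDICT_OUT_OF_BOUNDS;
    /* The inequality cannot be decided. Previously only a tainted idx
       produced a report; a tainted extent now does as well. */
    if (idx.tainted || buf.extent.tainted)
        return VERDICT_TAINTED;
    return VERDICT_UNDECIDED;
}

/* Builders for the scenarios below. */
SymVal sym_unknown(bool tainted) { SymVal v = { false, 0, tainted }; return v; }
SymVal sym_const(long value)     { SymVal v = { true, value, false }; return v; }
```

The interesting case is `model_malloc(sym_unknown(true))` indexed with a constant: the index is clean, but the bound it is compared against is tainted, so the access is reported rather than silently skipped.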


Event Timeline

steakhal created this revision. Mar 31 2021, 6:31 AM
steakhal requested review of this revision. Mar 31 2021, 6:31 AM
Herald added a project: Restricted Project. Mar 31 2021, 6:31 AM
Herald added a subscriber: cfe-commits.
steakhal updated this revision to Diff 334474. Mar 31 2021, 10:03 AM

Add a FIXME about placing a NoteTag describing why the extent was getting tainted.

martong accepted this revision. Apr 1 2021, 3:00 AM

I like it, looks good to me!

This revision is now accepted and ready to land. Apr 1 2021, 3:00 AM
NoQ added a comment (edited). Apr 1 2021, 8:36 PM

This will be obsoleted by D69726 because they are going to be the same symbol from the start.

steakhal abandoned this revision. Apr 6 2021, 9:14 AM

Obsoleted by D69726.

This effort continues as the NFC D99959 patch.