Can IfStmt be analyzed in a path sensitive checker?

Hi, all,

I am writing a taint tracking checker with clang static analyzer, and currently I want to do something when a branch is finished being analyzed. So I need to know when the symbolic execution reaches the end of a branch, which means how can I notice that the symbolic execution reaches the end of an If code block or Else code block? I have tried the CompoundStmt, but it didn’t work in the callback function CheckPostStmt, and neither did the BlockExpr work.

It seems that the control flow stmt can only be analyzed in a path-insensitive way, such as using the ASTDecl and ASTCodeBody callbacks. Are there any other possible ways during the symbolic execution to achieve this goal?

Thank you!

Hello,

You need to use the special checkBranchCondition() callback for handling CFG terminator statements such as if's, loops, and short-circuit operators.

Hello,

Sorry, I think I misunderstood your question. The checkBranchCondition callback is a kind of checkPreStmt for CFG terminators, but there's actually no "checkPostStmt" for CFG terminators.

Hello,

To track the end of a single execution path, you may possibly need to
implement the corresponding check::EndFunction callback.

Hello,

There is no simple multimap support (like REGISTER_*_WITH_PROGRAMSTATE) now.
However, for taint analysis this functionality may be easily extended by
using bitfields. So, I can imagine some functions like:

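// TaintMap is assumed to map SymbolRef -> unsigned, one bit per taint kind.
bool isTainted(ProgramStateRef State, SymbolRef Sym, unsigned TaintKind) {
   const unsigned *TaintKinds = State->get<TaintMap>(Sym);
   // Tainted with this kind only if the symbol has an entry and the bit is set.
   return TaintKinds && (*TaintKinds & (1u << TaintKind));
}

// The kind is an unsigned bit index, matching isTainted() above.
ProgramStateRef ProgramState::addTaint(SymbolRef Sym, unsigned K) {
   const unsigned *CurrKinds = get<TaintMap>(Sym);
   unsigned NewFlag = 1u << K;
   // Keep the kinds already recorded for Sym and add the new one.
   unsigned FinalFlags = CurrKinds ? (*CurrKinds | NewFlag) : NewFlag;
   // set<> takes the key as well as the value and returns a new state.
   return set<TaintMap>(Sym, FinalFlags);
}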

This may be a possible solution in your case.
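
Added example (not from the thread and not clang code): a stand-alone model of the bitmask-per-symbol taint map suggested above, showing how each execution path carries its own immutable state after a branch. `State`, `Symbol`, `removeTaint`, `forkAtBranch` and the two taint kinds are assumptions made for illustration; no clang API is used.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <string>

// Stand-alone model, not the clang API: State plays the role of an immutable
// ProgramState, and a std::string stands in for a SymbolRef.
using Symbol = std::string;
constexpr unsigned MaxTaintKinds = 32;  // one bit per kind in a uint32_t mask
struct State {
    std::map<Symbol, std::uint32_t> taint;  // symbol -> bitmask of taint kinds
};
using StateRef = std::shared_ptr<const State>;

// Return a new state with kind K set on Sym; the input state is never modified.
StateRef addTaint(const StateRef &S, const Symbol &Sym, unsigned K) {
    if (K >= MaxTaintKinds) return S;  // shifting by >= 32 would be undefined
    auto Next = std::make_shared<State>(*S);
    Next->taint[Sym] |= (std::uint32_t{1} << K);
    return Next;
}

// Return a new state with kind K cleared on Sym (e.g. after a sanitizer call).
StateRef removeTaint(const StateRef &S, const Symbol &Sym, unsigned K) {
    auto It = S->taint.find(Sym);
    if (K >= MaxTaintKinds || It == S->taint.end()) return S;
    auto Next = std::make_shared<State>(*S);
    std::uint32_t Mask = It->second & ~(std::uint32_t{1} << K);
    if (Mask) Next->taint[Sym] = Mask; else Next->taint.erase(Sym);
    return Next;
}

bool isTainted(const StateRef &S, const Symbol &Sym, unsigned K) {
    auto It = S->taint.find(Sym);
    return K < MaxTaintKinds && It != S->taint.end() &&
           (It->second & (std::uint32_t{1} << K));
}

// Constructed scenario: "buf" has kind 0 before a branch; the "then" path
// adds kind 1, the "else" path sanitizes kind 0.
enum : unsigned { FromNetwork = 0, FromEnv = 1 };
struct Paths { StateRef Then, Else; };
Paths forkAtBranch() {
    StateRef Entry = addTaint(std::make_shared<const State>(), "buf", FromNetwork);
    return { addTaint(Entry, "buf", FromEnv), removeTaint(Entry, "buf", FromNetwork) };
}

int main() {  // at the end of each path only that path's own kinds are visible
    Paths P = forkAtBranch();
    return isTainted(P.Then, "buf", FromEnv) && !isTainted(P.Else, "buf", FromNetwork) ? 0 : 1;
}
```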