Can SymExpr in clang carry multiple taints ?


I am writing a taint tracking checker with clang static analyzer, more specifically, I am trying to implement some sort of multiple taint tracking, which means I need to add more than one taints to the Symbolic Expressions, however it seems this can not be realized, because tests shows that the later taint will overwrite the earlier ones. Is there any possible approach to carry multiple taints in one SymExpr?

One more question is that I don’t find any function to remove the taint, is it possible to remove some taints at the end of each execution path? Thank you!

Unfortunately, both of these issues are still limitations of the current taint engine.

We clearly need a multimap from symbols to various taint tags, but we have only one taint tag kind for now, so there were no problems with that.

There's a patch that implements removeTaint():

Not sure why you want to change taint information at the end of the execution path; it have no effect anyway, because it's already the end of the execution path.