Clear taint mark - static analyzer checker

Hi community,

I’m developing a static analyzer checker, and I need to clear the taint mark for a specific symbol/stmt/region. Is that possible?

I’m using the addTaint(…) methods of the ProgramState class to add taint information to symbols/stmts/regions, but I don’t see anything to clear the taint mark from them.

Does anyone know how to do this?

Thanks!

Taint support has not been fully implemented. I suspect this explains why there is no method to clear it.

Anna.

Thanks Anna. I was taking a look at GenericTaintChecker, and saw you are the main contributor of this module. My idea is to create a checker where the user can define which methods should raise an alert when tainted data is passed to them.

It works great when tainting primitive types, e.g. char, but if I want to taint an object like std::string, it doesn’t work. It uses a getPointedToSymbol method based on the one in GenericTaintChecker to retrieve the symbolic value, and then passes it to the StateRef.addTaint(…) method:

https://github.com/llvm-mirror/clang/blob/master/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp#L426

But I can hardly understand why this doesn’t retrieve any symbol when the arguments are objects.

Thanks a lot.
Francisco

The analyzer’s infrastructure for tracking objects passed by value is lagging behind; maybe that’s what you are seeing…

Does it not work even if the argument passed in is a pointer?

This is an example:

#include <string>
using std::string;

// Taint source: the checker marks the pointed-to string as tainted here.
void source(string* str) {}

// Taint sink: the checker should alert if tainted data reaches here.
void destination(string* str) {}

void somemethod(string* str) {
    source(str);
    destination(str);
}

When I try to get the SVal associated with the argument in the ‘source’ method, I get a LazyCompoundVal, and I can’t get the symbol from it to mark it as tainted.