pointer values, taint propogation

I would like to write a checker to make sure that pointers from untrusted sources are not dereferenced. So I am playing around with the alpha.security.taint checker to try to understand how taint propagation works. I put together some simple test cases:

The indicated calls to printf should be flagged because an untrusted value is passed as the format string (the first argument). When I run the alpha.security.taint checker on this, it only flags the last two. Looking into this, I found that the static analyzer often assigns an unknown value to the result of casting from an integer to a pointer. Taint can’t be attached to an unknown value, so I need a known value for the pointer. Although I’m not sure if this is really what we want to do, for now I added a post-check call-back on cast expressions to my checker that casts the integer to unsigned and then assigns the result as the pointer value.

When I run alpha.security.taint together with this on the test file, it flags the calls to printf where (char *)l and (char *)u are passed, but not the calls where sv1, sp1, (char *)NULL+l, sv2, or sp2 are passed, even though these are just different expressions with the same value. I tried looking into this using the debugger, and found that when the analyzer calls ExprEngine::evalStore for the assignment statement (say “sv1 = (char *)ll”), it gives the pointer the appropriate value, but when the analyzer calls GenericTaintChecker::checkUncontrolledFormatString from the pre-check call-back for the call to printf on the following line of the test file, the pointer has an UnknownVal. (See excepts from the debugging session below.)

Can anyone help me understand what is going on here?

Thanks,

Ray