Static Analysis launch checker in context of another checker

Hello all,

I’m writing a checker to analyze function calls in the body. Please let me know if we can launch another checker in the context of the current checker?


Checkers which emit bug reports are ought to be independent. So in this sense, no, you cannot “launch” another checker inside the current checker.

Hope this helps,

Thank you very much for your response,

I’m reading GenericTaintChecker and in its document “The taint information produced by it might be useful to other checkers”. I wonder how I can get the information from GenericTaintChecker or is it better to add my own analysis to it?

We have the convention of modeling and reporting checkers. Modeling checkers provide the information that is used by the reporting checkers. Ideally, taint analysis should be implemented in this way too. So, sooner or later we will refactor GenericTaintChecker to be like this.
Anyway, isTainted provided by the taint analysis is part of the modeling and can be reused by other checkers which do some reporting. Just make sure you register the dependency on the taint checker in

The taint propagation toolset GenericTaintChecker wants to make available to other checkers is just a collection of helper functions/data structures. For instance, it would make sense if StreamChecker could mark user inout from fgets() as tainted. Later, when the analyzer would find a read of that value, GenericTaintChecker could check whether it is a taintes symbol.

The key thing to note here is that these checkers would still work independently (StreamChecker wouldnt make GenericTaintChecker run), but do share knowledge with the use of the GDM.

Here is what you want to do: create a header file that contains functions like this:

ProgramStateRef markTainted(ProgramStateRef State, SVal S) {
// definition should be in the checker file
return State->add(S);

Or something similar, I just wrotr this code to demonstrate what I wanted to say, didnt check whether this is how it works on the inside :slight_smile:

ProgramStateRef markTainted(ProgramStateRef State, SVal S)

We already have a bunch of addTaint() overloaded functions in Taint.h to propagate the TaintMap in GDM. And isTainted is the counterpart to read that.

Yep, i totally meant my example to be, well, an example :^)