[clang] [analyzer] Limit `isTainted()` by skipping complicated symbols (PR #105493)

Donát Nagy via cfe-commits Wed, 21 Aug 2024 04:51:54 -0700

================
@@ -459,7 +460,53 @@ unsigned radar11369570_hanging(const unsigned char *arr, 
int l) {
     longcmp(a, t, c);
     l -= 12;
   }
-  return 5/a; // expected-warning {{Division by a tainted value, possibly 
zero}}
+  return 5/a; // FIXME: Should be a "div by tainted" warning here.
+}
+
+// This computation used to take a very long time.
+void complex_taint_queries(const int *p) {
+  int tainted = 0;
+  scanf("%d", &tainted);
+
+  // Make "tmp" tainted.
+  int tmp = tainted + tainted;
+  clang_analyzer_isTainted_int(tmp); // expected-warning{{YES}}
+
+  // Make "tmp" SymExpr a lot more complicated by applying computation.
+  // This should balloon the symbol complexity.
+  tmp += p[0] + p[0];
+  tmp += p[1] + p[1];
+  tmp += p[2] + p[2];
+  clang_analyzer_dump_int(tmp); // expected-warning{{((((conj_}} symbol 
complexity: 8
+  clang_analyzer_isTainted_int(tmp); // expected-warning{{YES}}
+
+  tmp += p[3] + p[3];
+  clang_analyzer_dump_int(tmp); // expected-warning{{(((((conj_}} symbol 
complexity: 10
+  clang_analyzer_isTainted_int(tmp); // expected-warning{{NO}} 10 is already 
to ocomplex to be traversed
----------------
NagyDonat wrote:


```suggestion
  clang_analyzer_isTainted_int(tmp); // expected-warning{{NO}} 10 is already 
too complex to be traversed
```

https://github.com/llvm/llvm-project/pull/105493
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[clang] [analyzer] Limit `isTainted()` by skipping complicated symbols (PR #105493)

Reply via email to