vlad.tsyrklevich added inline comments.

================
Comment at: lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp:455
+ // Otherwise, return a nullptr as there's not yet a functional way to taint
+ // sub-regions of LCVs.
+ return nullptr;
----------------
NoQ wrote:
> I'm not sure if I mentioned this before, but for this case we could store
> taint information in the program state as a map **//T//** from symbols to
> sets of regions, so that a `SymbolDerived`-class symbol with parent symbol
> **//S//** and parent region **//R//** is auto-tainted when **//R//** is a
> sub-region of at least one region **//R'//** in **//T(S)//**.
>
> That is, if we need to taint some fields in a structure with default symbol
> **//S//**, we add the relevant field regions to **//T(S)//**, and later
> look up if the derived symbol's parent region is within one of the
> "tainted-regions-for-that-symbol".
>
> That's a crazy plan, but I believe it's also quite expressive, using the SVal
> hierarchy to the fullest. So it might be the way to go.

That's exactly what I was considering, I can't imagine another clean way to keep track of that information otherwise (short of a linear scan of the taint data.)

https://reviews.llvm.org/D28445

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
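
Review bot: the comment above `return nullptr;` records a known gap (no functional way yet to taint sub-regions of LCVs) but carries no marker, so prefix it with `FIXME:` to keep the limitation searchable and spell out LCV as LazyCompoundVal on first use. Because this path returns null instead of a symbol, callers of this function should be checked for a null test before they use the result.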
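
The lookup NoQ proposes in the quoted comment, as an added toy model that is not code from the patch or from Clang: `Region`, `SymbolId`, `TaintMap` and the sample struct layout are hypothetical stand-ins for the analyzer's own region and symbol classes, and a region is assumed to count as a sub-region of itself.

```cpp
// Toy model of the proposed taint map T. Region, SymbolId and TaintMap are
// hypothetical stand-ins, not Clang's own region, symbol or state classes.
#include <iostream>
#include <map>
#include <set>

struct Region {
  const char *Name;
  const Region *Super; // enclosing region, nullptr for a base region
};

using SymbolId = unsigned;
// T: parent (default) symbol S -> set of regions tainted under that symbol.
using TaintMap = std::map<SymbolId, std::set<const Region *>>;

// True when R is Ancestor itself (assumption of this model) or nested in it.
bool isSubRegionOf(const Region *R, const Region *Ancestor) {
  for (; R; R = R->Super)
    if (R == Ancestor)
      return true;
  return false;
}

// A derived symbol is modelled by its parent symbol S and parent region R.
// It is tainted when R lies within at least one region R' in T(S).
bool isDerivedSymbolTainted(const TaintMap &T, SymbolId S, const Region *R) {
  auto It = T.find(S);
  if (It == T.end())
    return false; // nothing recorded for this parent symbol
  for (const Region *Tainted : It->second)
    if (isSubRegionOf(R, Tainted))
      return true;
  return false;
}

// Constructed layout: struct pkt { struct hdr { int len; } h; int flags; } p;
const Region P{"p", nullptr};
const Region H{"p.h", &P};
const Region Len{"p.h.len", &H};
const Region Flags{"p.flags", &P};

// Taint only field p.h under the structure's default symbol (id 1, constructed).
TaintMap makeExampleMap() {
  TaintMap T;
  T[1].insert(&H);
  return T;
}

int main() {
  TaintMap T = makeExampleMap();
  std::cout << isDerivedSymbolTainted(T, 1, &Len) << ' '
            << isDerivedSymbolTainted(T, 1, &Flags) << '\n'; // prints "1 0"
}
```

The query cost depends on the number of tainted regions recorded for one parent symbol and the nesting depth of the queried region, not on the total amount of taint data in the state.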