Hi Dave,
>>
>> 4. What’s the most interesting to me are PR103533
>> (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103533),
>
> Turning on taint detection by default would be a great project. It
> would be good to run the integration tests:
> https://github.com/davidmalcolm/gcc-analyzer-integration-tests
> to see if anything regresses, or if it adds noise - so this might be a
> bit of an open-ended project, in that we'd want to fix whatever issues
> show up there, as well as the known ones that are documented in that
> bug.
>
Sorry for replying late; I was occupied with another project at my university.
Since most of the other ideas are being worked on by you or are not big enough to
make a GSoC project, I decided to take on this project and have been getting
familiar with the analyzer this weekend. I want to sort several things out before
writing the proposal.
1. What should I do with the integration tests?
2. I ran gcc -fanalyzer -fanalyzer-checker=taint
./gcc-src/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-signed-char.c, but I
got different results from what you documented in PR103533:
/usr/bin/ld: /lib/x86_64-linux-gnu/crt1.o: in function `_start':
(.text+0x17): undefined reference to `main'
collect2: error: ld returned 1 exit status
3. What does “ICE” mean when you said “ICE in alt_get_inherited_state in
abs-1.c, …”?
4. For the following program, nothing is reported with the taint mode turned
on. But there is -Wanalyzer-tainted-divisor; is that expected?
/* all parameters of fun0 are marked as tainted */
__attribute__((tainted_args))
int fun0(int a)
{
    return a;
}
int main()
{
    int b = 3 / fun0(0);
    return b;
}
5. I guess the project would mostly modify constraint-manager.h and sm-taint.cc.
Or are there other files that you suspect are relevant for this project?
6. Is the current implementation based on some papers? I found this
(https://users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf) and this
(https://www.ndss-symposium.org/wp-content/uploads/2017/09/Dynamic-Taint-Analysis-for-Automatic-Detection-Analysis-and-SignatureGeneration-of-Exploits-on-Commodity-Software-Dawn-Song.pdf),
but haven't started reading them yet. In addition, purging states of the constraint
manager sounds like a problem other people may have looked at. Has there been any
related progress since you documented it in PR103533?
As you said, this would be an open-ended project, so it would be very helpful
to get some feedback from you so that I know how to draft my proposal. In
addition, is it ok to deviate from the proposal after I start working?
Best,
Shengyu
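Point 4 above asks about -Wanalyzer-tainted-divisor. The GCC documentation describes that warning as firing, under -fanalyzer -fanalyzer-checker=taint, when an attacker-controlled value is used as a divisor without being checked for zero, and describes tainted_args as marking all of a function's parameters as tainted. The program below is an added example (mine, not code from the thread or from the GCC testsuite) of that documented pattern: a tainted parameter reaching the divisor directly, once unchecked and once guarded by a zero check. The function names and sample values are my own; whether a given GCC version actually reports the unchecked case is something to confirm by compiling it with -fanalyzer -fanalyzer-checker=taint.

```c
#include <stdio.h>

/* With -fanalyzer -fanalyzer-checker=taint, every parameter of a
   tainted_args function is treated as attacker-controlled.  The
   attribute is documented for GCC 12 and later; older compilers
   ignore it with a warning. */
__attribute__((tainted_args))
int unchecked_scale(int total, int parts)
{
    /* 'parts' is tainted and is used as the divisor with no zero
       check: this is the pattern -Wanalyzer-tainted-divisor is
       documented to report. */
    return total / parts;
}

__attribute__((tainted_args))
int checked_scale(int total, int parts)
{
    /* Rejecting a zero divisor before the division is the fix the
       warning is asking for; -1 is a hypothetical error value. */
    if (parts == 0)
        return -1;
    return total / parts;
}

int main(void)
{
    /* constructed sample inputs */
    printf("checked_scale(12, 4) = %d\n", checked_scale(12, 4));
    printf("checked_scale(12, 0) = %d\n", checked_scale(12, 0));
    return 0;
}
```

Note that the divisor here is the tainted parameter itself, inside the tainted_args function, rather than a value returned from such a function to its caller.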