Treating undefined values as tainted

Bakhvalov, Denis via cfe-dev

While testing some of the benchmarks on Clang Static Analyzer (CSA), I found out that it doesn't report quite a lot of bugs that actually crash the program with, for example, buffer overruns (I compared it against the bugs found by fuzzers). Considering that it instead reports a bunch of uninitialized/undefined value warnings, I suppose this is because CSA doesn't treat uninitialized values as symbols or as tainted, and quickly gives up on exploration from there on.

My question is, is there any option that instructs CSA to symbolize such uninitialized values, or mark them tainted? I hope I can get the program-crashing bugs to appear in the final report in this way.

Thank you,
Gwangmu Lee.

Gwangmu Lee
Ph.D. Student
+82) 10 4114 7441
Room 615, Bldg 301, Seoul National University, Gwanak-ro 1, Gwanak-gu, Seoul, South Korea.
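A constructed C illustration of the pattern the question describes, added here and not taken from the post or from the Clang project: an index that is left uninitialized on a failure path reaches an array access, beside a hardened version that initializes and bounds-checks it. The helper `lookup_index` is hypothetical; the checker name `core.uninitialized.ArraySubscript` is the CSA checker that reports uninitialized array subscripts.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8

/* Hypothetical lookup (constructed for this example): writes *out only on
 * success and returns -1 otherwise, leaving the caller's variable untouched. */
static int lookup_index(const char *key, int *out)
{
    if (strcmp(key, "a") == 0) { *out = 2; return 0; }
    return -1;               /* failure: *out stays uninitialized */
}

/* Before: the return code is ignored, so on the failure path 'idx' is an
 * undefined value when buf[idx] executes. CSA reports this as an
 * uninitialized subscript (core.uninitialized.ArraySubscript) and the path
 * ends there; the later out-of-bounds read the post asks about is never
 * modelled because the undefined value is not tracked as a symbol. */
char read_unchecked(const char *key)
{
    char buf[BUF_LEN] = "0123456";
    int idx;
    lookup_index(key, &idx);  /* return value ignored */
    return buf[idx];          /* undefined index on the failure path */
}

/* After: initialize the index, honour the return code, and bounds-check
 * before indexing. Returns 0 and stores the byte in *out, or -1. */
int read_checked(const char *key, char *out)
{
    char buf[BUF_LEN] = "0123456";
    int idx = -1;             /* always defined */
    if (lookup_index(key, &idx) != 0 || idx < 0 || idx >= BUF_LEN)
        return -1;            /* failure or out-of-range index */
    *out = buf[idx];
    return 0;
}

int main(void)
{
    char c;
    if (read_checked("a", &c) == 0)
        printf("buf[2] = %c\n", c);
    printf("missing key -> %d\n", read_checked("zzz", &c));
    return 0;
}
```

Running `clang --analyze` on the unchecked function shows only the uninitialized-subscript diagnostic, which is the behaviour the question is asking about.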
