While testing some of the benchmarks on Clang Static Analyzer (CSA), I found out that it doesn't report quite a lot of bugs that actually crash the program with, for example, buffer overruns. (I compared the bugs found on fuzzers with it) Considering that
rather it reports a bunch of uninitialized/undefined value warnings, I suppose this is because CSA doesn't treat uninitialized values as symbols or tainted, and quickly gives up on exploration from there on.
My question is, is there any option that instructs CSA to symbolize such uninitialized values, or mark them tainted? I hope I can get the program-crashing bugs to appear in the final report in this way.
+82) 10 4114 7441
Room 615, Bldg 301, Seoul National University, Gwanak-ro 1, Gwanak-gu, Seoul, South Korea.