gerazo added a comment.

> Stepping back a bit, what do you consider "dirty" vs "clean"? It seems that 
> you are looking to prove that the values are known to be within the bounds 
> of min and max int values. What happens if there is a comparison to an 
> unknown symbolic value? Should that be considered as clean or tainted? Are 
> there test cases for this?

I consider values as clean when they were checked by the programmer from both 
sides. However, my implementation purely works from constraints in effect (and 
using min and max is just the broadest constraint I could find). So you are 
totally right that comparison with unknown symbols is covered neither in the 
implementation nor in the tests. Can you suggest a universally working method 
which can handle all cases (e.g. complex expressions on both sides of the 
operator)? If we could find such an approach, that would be something which 
could really go into the GenericTaintChecker as an improvement. And I would 
gladly rewrite this whole stuff to fit the more general solution.


https://reviews.llvm.org/D27753



_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
