On Wed, 2020-01-08 at 04:02 -0500, David Malcolm wrote:
> Jeff reviewed the v1 version of this patch here:
> https://gcc.gnu.org/ml/gcc-patches/2019-12/msg00509.html
>
> > Given it's not ready for production, fine. Presumably one of the areas
> > for improvement is a better answer to the "what constitutes exposure"
> > question ;-)
>
> I have followup work using function_set that could flesh this out
> a bit, but this one isn't going to be "mature" for GCC 10; see
> discussion in cover letter.
>
> Changed in v5:
> - update ChangeLog path
> - updated copyright years to include 2020
>
> Changed in v4:
> - Remove include of gcc-plugin.h, reworking includes accordingly.
> - Wrap everything in #if ENABLE_ANALYZER
> - Remove /// comment lines
> - Rework on_leak vfunc:
> https://gcc.gnu.org/ml/gcc-patches/2019-11/msg02028.html
> - Rework for changes to is_named_call_p, resolving function pointers:
> https://gcc.gnu.org/ml/gcc-patches/2019-12/msg00178.html
> - Implement precision-of-wording vfuncs
>
> This patch adds a state machine checker for tracking exposure of
> sensitive data (e.g. writing passwords to log files).
>
> This checker isn't ready for production, and is presented as a
> proof-of-concept of the sm-based approach.
>
> gcc/analyzer/ChangeLog:
> * sm-sensitive.cc: New file.

I don't think anything has materially changed. So OK given this isn't really considered production ready, but provides a starting point for someone to work in this space.

jeff