diff options
| author | NagyDonat <donat.nagy@ericsson.com> | 2024-04-23 10:20:34 +0200 |
|---|---|---|
| committer | Tom Stellard <tstellar@redhat.com> | 2024-04-24 20:24:46 -0700 |
| commit | 3b4ba7277bd735ebea489d94c4ae771427283e6e (patch) | |
| tree | e9dc625e015ff69a77eb339d46cd24abe53ee17a | |
| parent | 7699b341b76359a8cd40163ebee6bcae104bbea7 (diff) | |
| download | llvm-3b4ba7277bd735ebea489d94c4ae771427283e6e.tar.gz | |
[analyzer] Fix performance of getTaintedSymbolsImpl() (#89606)
Previously the function
```
std::vector<SymbolRef> taint::getTaintedSymbolsImpl(ProgramStateRef State,
const MemRegion *Reg,
TaintTagType K,
bool returnFirstOnly)
```
(one of the 4 overloaded variants under this name) was handling element
regions in a highly inefficient manner: it performed the "also examine
the super-region" step twice. (Once in the branch for element regions,
and once in the more general branch for all `SubRegion`s -- note that
`ElementRegion` is a subclass of `SubRegion`.)
As pointer arithmetic produces `ElementRegion`s, it's not too difficult
to get a chain of N nested element regions where this inefficient
recursion would produce 2^N calls.
This commit is essentially NFC, apart from the performance improvements
and the removal of (probably irrelevant) duplicate entries from the
return value of `getTaintedSymbols()` calls.
Fixes #89045
(cherry picked from commit ce763bff081f8e97c7c3610ed0f15f14d60e875f)
| -rw-r--r-- | clang/lib/StaticAnalyzer/Checkers/Taint.cpp | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/Taint.cpp b/clang/lib/StaticAnalyzer/Checkers/Taint.cpp index 4edb671753bf..6362c82b009d 100644 --- a/clang/lib/StaticAnalyzer/Checkers/Taint.cpp +++ b/clang/lib/StaticAnalyzer/Checkers/Taint.cpp @@ -216,21 +216,17 @@ std::vector<SymbolRef> taint::getTaintedSymbolsImpl(ProgramStateRef State, std::vector<SymbolRef> TaintedSymbols; if (!Reg) return TaintedSymbols; - // Element region (array element) is tainted if either the base or the offset - // are tainted. + + // Element region (array element) is tainted if the offset is tainted. if (const ElementRegion *ER = dyn_cast<ElementRegion>(Reg)) { std::vector<SymbolRef> TaintedIndex = getTaintedSymbolsImpl(State, ER->getIndex(), K, returnFirstOnly); llvm::append_range(TaintedSymbols, TaintedIndex); if (returnFirstOnly && !TaintedSymbols.empty()) return TaintedSymbols; // return early if needed - std::vector<SymbolRef> TaintedSuperRegion = - getTaintedSymbolsImpl(State, ER->getSuperRegion(), K, returnFirstOnly); - llvm::append_range(TaintedSymbols, TaintedSuperRegion); - if (returnFirstOnly && !TaintedSymbols.empty()) - return TaintedSymbols; // return early if needed } + // Symbolic region is tainted if the corresponding symbol is tainted. if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(Reg)) { std::vector<SymbolRef> TaintedRegions = getTaintedSymbolsImpl(State, SR->getSymbol(), K, returnFirstOnly); @@ -239,6 +235,8 @@ std::vector<SymbolRef> taint::getTaintedSymbolsImpl(ProgramStateRef State, return TaintedSymbols; // return early if needed } + // Any subregion (including Element and Symbolic regions) is tainted if its + // super-region is tainted. if (const SubRegion *ER = dyn_cast<SubRegion>(Reg)) { std::vector<SymbolRef> TaintedSubRegions = getTaintedSymbolsImpl(State, ER->getSuperRegion(), K, returnFirstOnly); @@ -318,4 +316,4 @@ std::vector<SymbolRef> taint::getTaintedSymbolsImpl(ProgramStateRef State, } } return TaintedSymbols; -}
\ No newline at end of file +} |