python/ql/src/experimental/dataflow/internal/readme.md
Lines changed: 17 additions & 2 deletions
@@ -37,7 +37,7 @@ Flow from control flow nodes to SSA variables comes from SSA variable definition
37
37
The global flow should be obtainable from a `PointsTo` analysis. It is specified via `viableCallable` and
38
38
`getAnOutNode`. Consider making `ReturnKind` a singleton IPA type as in java.
39
39
40
-
Global flow includes local flow within a consistent call context. Thus, for local flow to count as global flow, all relevant node should implement `getEnclosingCallable`.
40
+
Global flow includes local flow within a consistent call context. Thus, for local flow to count as global flow, all relevant nodes should implement `getEnclosingCallable`.
41
41
42
42
If complicated dispatch needs to be modelled, try using the `[reduced|pruned]viable*` predicates.
43
43
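Review bot: "all relevant nodes should implement `getEnclosingCallable`" does not say which node classes count as relevant, so the requirement cannot be checked against the implementation; consider naming the node classes (or pointing at where they are defined) in the same sentence. The singular-to-plural fix ("node" to "nodes") itself is correct.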
@@ -108,4 +108,19 @@ Review need for non-empty `isUnreachableInCall`.
108
108
Implement all predicates empty.
109
109
110
110
# Phase 1, experiments
111
-
Try recovering an existing taint tracking query by implementing sources, sinks, sanitizers, and barriers.
111
+
Try recovering an existing taint tracking query by implementing sources, sinks, sanitizers, and barriers.
112
+
113
+
---
114
+
115
+
# Status
116
+
117
+
## Achieved
118
+
119
+
- Simple flow into, out of, and through functions
120
+
121
+
## TODO
122
+
123
+
- Consider replacing def-use with def-to-first-use and use-to-next-use in local flow
124
+
- The regression tests track the value of guards in order to eliminate impossible data flow. We currently have regressions because of this. We cannot readily replicate the existing method, as it uses the interdefinedness of data flow and taint tracking (there is a boolean taint kind). C++ does something similar for eliminating impossible control flow, which we might be able to replicate (they infer values of "interesting" control flow nodes, which are those needed to determine values of guards).
125
+
- Flow for some syntactis constructs is done via extra taint steps in the existing implementation, we shoudl find a way to get data flow for it. Much of this should be covered by field flow.
126
+
- A document is being written about proper use of the shared data flow library, this should be adhered to.
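Review bot: the third TODO item has two typos ("syntactis" should be "syntactic", "shoudl" should be "should") and joins two independent clauses with a comma; suggest "Flow for some syntactic constructs is done via extra taint steps in the existing implementation; we should find a way to get data flow for it." The last item has the same comma splice ("library, this should be adhered to"), which reads better as two sentences or with a semicolon.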