Currently escape.go mostly reuses esc.go's tagging scheme for simplicity, but that encoding scheme is unnecessarily lossy.
In particular, escape tags can only report that a parameter flows to the heap (EscHeap), or that it's dereferenced once before flowing to the heap (EscContentEscapes). However, there are hundreds of parameters in std cmd that are always dereferenced at least twice before flowing to the heap.
A quick experiment (tracking the shortest param path to heap and then logging when it's >=2) shows:
| derefs | count |
|--------|-------|
| 2      | 686   |
| 3      | 165   |
| 4      | 53    |
| 5      | 12    |
| 6      | 1     |
| 7      | 2     |
And this is probably an underestimate, since any functions that call other tagged functions will be analyzed based on the latter's lossy tags.
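An added illustration, not code from the issue or from cmd/compile: a simplified model of the shortest param-path-to-heap measurement, showing how tags clamped to at most one dereference make the counts for callers come out too low. The types `Flow` and `Func`, the function `Analyze` and the sample functions `f`, `g`, `h` are hypothetical; the model assumes callees are listed before callers and that every function leaks its parameter.

```go
package main

import "fmt"

// Flow is one way a function's parameter reaches the heap: after Derefs
// dereferences it is stored to the heap (Callee == "") or passed to Callee.
type Flow struct{ Derefs int; Callee string }
type Func struct{ Name string; Flows []Flow }

// Constructed sample (not from the issue), listed callees first:
//   func f(p ***int)   { sink = **p } // 2 derefs, then heap
//   func g(q ****int)  { f(*q) }      // 1 deref, then f's parameter
//   func h(r *****int) { g(*r) }      // 1 deref, then g's parameter
var sample = []Func{
	{"f", []Flow{{2, ""}}},
	{"g", []Flow{{1, "f"}}},
	{"h", []Flow{{1, "g"}}},
}

// Analyze returns the shortest deref path to the heap found per parameter.
// With lossy set, the tag a caller sees is clamped to at most 1 deref,
// modelling the two-valued EscHeap / EscContentEscapes encoding.
func Analyze(funcs []Func, lossy bool) map[string]int {
	tags, found := map[string]int{}, map[string]int{}
	for _, fn := range funcs {
		best := -1 // -1 until the first flow is seen
		for _, fl := range fn.Flows {
			d := fl.Derefs
			if fl.Callee != "" {
				d += tags[fl.Callee] // caller only knows the callee's tag
			}
			if best < 0 || d < best {
				best = d
			}
		}
		found[fn.Name] = best // what the experiment would log
		if lossy && best > 1 {
			best = 1 // information lost here
		}
		tags[fn.Name] = best
	}
	return found
}

func main() {
	fmt.Println("exact tags:", Analyze(sample, false))
	fmt.Println("lossy tags:", Analyze(sample, true))
}
```

With exact tags the model reports 2, 3 and 4 dereferences for `f`, `g` and `h`; with clamped tags `g` and `h` are both reported as 2.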