We noticed on LULESH that logical conditions are incorrectly tainted when short-circuiting of boolean expressions is applied. It is unknown whether optimizations play role here, this needs to be investigated.
In that case, the condition a && b can be rewritten into a CFG where the final phi node has 'false' constant for the case where a is false and the path evaluating p is omitted. As a constant unrelated to the value of a, there's no taint label associated.
The problem appears in LULESH main loop and can be fixed with the help of simplifycfg pass, at least for the cases we saw (false evaluation of a leads to a direct jump outside of the loop). It is unknown if this can lead to other misses taint propagations.
We noticed on LULESH that logical conditions are incorrectly tainted when short-circuiting of boolean expressions is applied. It is unknown whether optimizations play role here, this needs to be investigated.
In that case, the condition
a && bcan be rewritten into a CFG where the final phi node has 'false' constant for the case where a is false and the path evaluating p is omitted. As a constant unrelated to the value of a, there's no taint label associated.The problem appears in LULESH main loop and can be fixed with the help of
simplifycfgpass, at least for the cases we saw (false evaluation of a leads to a direct jump outside of the loop). It is unknown if this can lead to other misses taint propagations.