Triton
Taint propagation on conditional jumps
Consider the x86 instruction JG for example, where the jump is taken if ZF = 0 and SF = OF. If ZF has an untainted, concrete value of 1, then I would have expected the instruction to be considered untainted, irrespective of the value/taint of SF and OF, because those two registers can be considered "unused" in the instruction. But looking at https://github.com/JonathanSalwan/Triton/blob/master/src/libtriton/arch/x86/x86Semantics.cpp#L7661-L7664, it seems the taint is spread to the instruction by a simple union.
I realize this may be a deliberate choice, and if so then so be it. But I was hoping to understand the reasoning.
Yep indeed, Triton performs an over-approximation of tainting. At the beginning it was a choice but we can affine this granularity.
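As an added example that is not Triton's code, here is a small Python model of the JG case raised in the question and of the over-approximation confirmed in the reply: the union rule taints the branch whenever any source flag is tainted, while an exact check asks whether any assignment to the tainted flags (untainted flags fixed at their concrete values) could change whether the jump is taken. `Flag`, `jg_taken`, `taint_union` and `taint_exact` are names chosen here, not Triton API.

```python
"""Added example, not Triton's code: taint propagation through x86 JG,
contrasting the union rule with an exact dependency check."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Flag:
    value: int      # concrete value, 0 or 1
    tainted: bool   # True if the value derives from tainted input


def jg_taken(zf: int, sf: int, of: int) -> bool:
    """JG semantics: jump if ZF == 0 and SF == OF."""
    return zf == 0 and sf == of


def taint_union(zf: Flag, sf: Flag, of: Flag) -> bool:
    """Over-approximation: the branch is tainted if any source flag is."""
    return zf.tainted or sf.tainted or of.tainted


def taint_exact(zf: Flag, sf: Flag, of: Flag) -> bool:
    """Exact rule: tainted only if some assignment of the tainted flags
    (untainted flags held at their concrete values) flips the outcome.
    All tainted flags are varied together, so joint effects are not
    missed; with three flags this is at most 8 evaluations."""
    flags = (zf, sf, of)
    baseline = jg_taken(*(f.value for f in flags))
    tainted_idx = [i for i, f in enumerate(flags) if f.tainted]
    for choice in product((0, 1), repeat=len(tainted_idx)):
        values = [f.value for f in flags]
        for i, v in zip(tainted_idx, choice):
            values[i] = v
        if jg_taken(*values) != baseline:
            return True
    return False


def compare(zf: Flag, sf: Flag, of: Flag) -> tuple:
    """Return (union_result, exact_result) for one flag state."""
    return taint_union(zf, sf, of), taint_exact(zf, sf, of)


if __name__ == "__main__":
    # Constructed case from the question: ZF is an untainted concrete 1,
    # SF and OF are tainted. JG can never be taken, so SF/OF do not matter.
    print("ZF=1 untainted, SF/OF tainted: union=%s exact=%s"
          % compare(Flag(1, False), Flag(0, True), Flag(1, True)))
    # With ZF an untainted 0 the outcome hinges on SF == OF, so taint flows.
    print("ZF=0 untainted, SF tainted:    union=%s exact=%s"
          % compare(Flag(0, False), Flag(0, True), Flag(0, False)))
```

The same exact check also clears the mirror case where ZF is tainted but SF and OF are untainted and differ, since the jump is then never taken either.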