infer_clone/infer/tests/codetoanalyze/java/topl/taint/Taint.topl

property TaintTrack
  prefix "StringBuilder"
  prefix "Taint"
  nondet (start building track)

  // We start tracking when we see calls to Taint.badString
  start -> start: *
  start -> track: badString(IgnoreThis, Ret) => s := Ret

  // Whatever we track, we'll keep tracking forever ...
  track -> track: *

  // ... but we also keep an eye for derived strings
  track -> building:    StringBuilder(Builder, Void) => b := Builder
  building -> building: *
  building -> dirty:    append(Builder, S) when S == s
  dirty -> track:       toString(Builder, S) => s := S

  // If anything we track is sent to Taint.sendToDb, we warn
  track -> error: sendToDb(IgnoreThis, S, Void) when S == s
[topl] Be more precise in extracting summaries. Summary: When extracting summaries, ask PulseFormula to work harder to prove that path-conditions are unsat. This reduces the number of false positives. Reviewed By: jvillard Differential Revision: D25270609 fbshipit-source-id: 61ef5e8ac 4 years ago			`property TaintTrack`
			`prefix "StringBuilder"`
			`prefix "Taint"`
			`nondet (start building track)`

			`// We start tracking when we see calls to Taint.badString`
			`start -> start: *`
			`start -> track: badString(IgnoreThis, Ret) => s := Ret`

			`// Whatever we track, we'll keep tracking forever ...`
			`track -> track: *`

			`// ... but we also keep an eye for derived strings`
			`track -> building: StringBuilder(Builder, Void) => b := Builder`
			`building -> building: *`
			`building -> dirty: append(Builder, S) when S == s`
			`dirty -> track: toString(Builder, S) => s := S`

			`// If anything we track is sent to Taint.sendToDb, we warn`
			`track -> error: sendToDb(IgnoreThis, S, Void) when S == s`