From 5e910929be47a3a64fff3da3d0959a271af7263d Mon Sep 17 00:00:00 2001
From: Sam Blackshear <shb@fb.com>
Date: Mon, 30 Oct 2017 14:39:33 -0700
Subject: [PATCH] [quandary] handle taint propagation in copying of structs/via
 derefs of pointers to structs

Reviewed By: mbouaziz

Differential Revision: D6182873

fbshipit-source-id: 5e194d4
---
 infer/src/quandary/TaintAnalysis.ml           | 16 ++++---
 infer/src/unit/TaintTests.ml                  | 17 ++++---
 .../codetoanalyze/cpp/quandary/issues.exp     | 19 +++++---
 .../codetoanalyze/cpp/quandary/strings.cpp    |  2 +-
 .../codetoanalyze/cpp/quandary/structs.cpp    | 44 +++++++++++++++++++
 .../codetoanalyze/java/quandary/issues.exp    | 30 ++++++-------
 6 files changed, 90 insertions(+), 38 deletions(-)
 create mode 100644 infer/tests/codetoanalyze/cpp/quandary/structs.cpp

diff --git a/infer/src/quandary/TaintAnalysis.ml b/infer/src/quandary/TaintAnalysis.ml
index 6059c34ce..bc85c7106 100644
--- a/infer/src/quandary/TaintAnalysis.ml
+++ b/infer/src/quandary/TaintAnalysis.ml
@@ -82,14 +82,14 @@ module Make (TaintSpecification : TaintSpec.S) = struct
 
     let add_return_source source ret_base access_tree =
       let trace = TraceDomain.of_source source in
-      let id_ap = AccessPath.Abs.Exact (ret_base, []) in
+      let id_ap = AccessPath.Abs.Abstracted (ret_base, []) in
       TaintDomain.add_trace id_ap trace access_tree
 
 
     let add_actual_source source index actuals access_tree proc_data =
       match List.nth_exn actuals index with
       | HilExp.AccessPath actual_ap_raw ->
-          let actual_ap = AccessPath.Abs.Exact actual_ap_raw in
+          let actual_ap = AccessPath.Abs.Abstracted actual_ap_raw in
           let trace = access_path_get_trace actual_ap access_tree proc_data in
           TaintDomain.add_trace actual_ap (TraceDomain.add_source source trace) access_tree
       | _ ->
@@ -562,16 +562,18 @@ module Make (TaintSpecification : TaintSpec.S) = struct
               | _, [], _ ->
                   astate_acc
               | TaintSpec.Propagate_to_return, actuals, Some ret_ap ->
-                  propagate_to_access_path (AccessPath.Abs.Exact (ret_ap, [])) actuals astate_acc
+                  propagate_to_access_path (AccessPath.Abs.Abstracted (ret_ap, [])) actuals
+                    astate_acc
               | ( TaintSpec.Propagate_to_receiver
                 , (AccessPath receiver_ap) :: (_ :: _ as other_actuals)
                 , _ ) ->
-                  propagate_to_access_path (AccessPath.Abs.Exact receiver_ap) other_actuals
+                  propagate_to_access_path (AccessPath.Abs.Abstracted receiver_ap) other_actuals
                     astate_acc
               | TaintSpec.Propagate_to_actual actual_index, _, _ -> (
                 match List.nth actuals actual_index with
                 | Some HilExp.AccessPath actual_ap ->
-                    propagate_to_access_path (AccessPath.Abs.Exact actual_ap) actuals astate_acc
+                    propagate_to_access_path (AccessPath.Abs.Abstracted actual_ap) actuals
+                      astate_acc
                 | _ ->
                     astate_acc )
               | _ ->
@@ -834,7 +836,9 @@ module Make (TaintSpecification : TaintSpec.S) = struct
           ~f:(fun acc (name, typ, taint_opt) ->
             match taint_opt with
             | Some source ->
-                let base_ap = AccessPath.Abs.Exact (AccessPath.of_pvar (Pvar.mk name pname) typ) in
+                let base_ap =
+                  AccessPath.Abs.Abstracted (AccessPath.of_pvar (Pvar.mk name pname) typ)
+                in
                 TaintDomain.add_trace base_ap (TraceDomain.of_source source) acc
             | None ->
                 acc)
diff --git a/infer/src/unit/TaintTests.ml b/infer/src/unit/TaintTests.ml
index 2f7d7d3fd..535f6e51a 100644
--- a/infer/src/unit/TaintTests.ml
+++ b/infer/src/unit/TaintTests.ml
@@ -125,38 +125,38 @@ let tests =
   let callbacks = {Ondemand.analyze_ondemand; get_proc_desc} in
   Ondemand.set_callbacks callbacks ;
   let test_list =
-    [ ("source recorded", [assign_to_source "ret_id"; invariant "{ ret_id$0 => (SOURCE -> ?) }"])
+    [ ("source recorded", [assign_to_source "ret_id"; invariant "{ ret_id$0* => (SOURCE -> ?) }"])
     ; ("non-source not recorded", [assign_to_non_source "ret_id"; assert_empty])
     ; ( "source flows to var"
       , [ assign_to_source "ret_id"
         ; var_assign_id "var" "ret_id"
-        ; invariant "{ ret_id$0 => (SOURCE -> ?), &var => (SOURCE -> ?) }" ] )
+        ; invariant "{ ret_id$0* => (SOURCE -> ?), &var* => (SOURCE -> ?) }" ] )
     ; ( "source flows to field"
       , [ assign_to_source "ret_id"
         ; assign_id_to_field "base_id" "f" "ret_id"
-        ; invariant "{ base_id$0.f => (SOURCE -> ?), ret_id$0 => (SOURCE -> ?) }" ] )
+        ; invariant "{ base_id$0.f* => (SOURCE -> ?), ret_id$0* => (SOURCE -> ?) }" ] )
     ; ( "source flows to field then var"
       , [ assign_to_source "ret_id"
         ; assign_id_to_field "base_id" "f" "ret_id"
         ; read_field_to_id "read_id" "base_id" "f"
         ; var_assign_id "var" "read_id"
         ; invariant
-            "{ base_id$0.f => (SOURCE -> ?),\n  ret_id$0 => (SOURCE -> ?),\n  &var => (SOURCE -> ?) }"
+            "{ base_id$0.f* => (SOURCE -> ?),\n  ret_id$0* => (SOURCE -> ?),\n  &var* => (SOURCE -> ?) }"
         ] )
     ; ( "source flows to var then cleared"
       , [ assign_to_source "ret_id"
         ; var_assign_id "var" "ret_id"
-        ; invariant "{ ret_id$0 => (SOURCE -> ?), &var => (SOURCE -> ?) }"
+        ; invariant "{ ret_id$0* => (SOURCE -> ?), &var* => (SOURCE -> ?) }"
         ; assign_to_non_source "non_source_id"
         ; var_assign_id "var" "non_source_id"
-        ; invariant "{ ret_id$0 => (SOURCE -> ?) }" ] )
+        ; invariant "{ ret_id$0* => (SOURCE -> ?) }" ] )
     ; ( "source flows to field then cleared"
       , [ assign_to_source "ret_id"
         ; assign_id_to_field "base_id" "f" "ret_id"
-        ; invariant "{ base_id$0.f => (SOURCE -> ?), ret_id$0 => (SOURCE -> ?) }"
+        ; invariant "{ base_id$0.f* => (SOURCE -> ?), ret_id$0* => (SOURCE -> ?) }"
         ; assign_to_non_source "non_source_id"
         ; assign_id_to_field "base_id" "f" "non_source_id"
-        ; invariant "{ ret_id$0 => (SOURCE -> ?) }" ] )
+        ; invariant "{ ret_id$0* => (SOURCE -> ?) }" ] )
     ; ( "sink without source not tracked"
       , [assign_to_non_source "ret_id"; call_sink "ret_id"; assert_empty] ) ]
     |> TestInterpreter.create_tests ~pp_opt:pp_sparse
@@ -164,4 +164,3 @@ let tests =
          ~initial:(MockTaintAnalysis.Domain.empty, IdAccessPathMapDomain.empty)
   in
   "taint_test_suite" >::: test_list
-
diff --git a/infer/tests/codetoanalyze/cpp/quandary/issues.exp b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
index 3f907d112..e147f337d 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
@@ -24,7 +24,7 @@ codetoanalyze/cpp/quandary/basics.cpp, basics::Obj_endpoint, 1, QUANDARY_TAINT_E
 codetoanalyze/cpp/quandary/basics.cpp, basics::Obj_endpoint, 2, QUANDARY_TAINT_ERROR, [Return from basics::Obj_endpoint,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/basics.cpp, basics::object_source_sink_bad, 2, QUANDARY_TAINT_ERROR, [Return from basics::Obj_method_source,Call to basics::Obj_method_sink]
 codetoanalyze/cpp/quandary/basics.cpp, basics::propagateBad, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to basics::callSink,Call to __infer_taint_sink]
-codetoanalyze/cpp/quandary/basics.cpp, basics::returnSourceToSinkBad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data &return,Return from basics::returnSource,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/basics.cpp, basics::returnSourceToSinkBad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data &return*,Return from basics::returnSource,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/basics.cpp, basics::sourceThenCallSinkBad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to basics::callSink,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/basics.cpp, basics::sourceToSinkDirectBad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/basics.cpp, basics::static_source_sink_bad, 2, QUANDARY_TAINT_ERROR, [Return from basics::Obj_static_source,Call to basics::Obj_static_sink]
@@ -62,12 +62,12 @@ codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad1, 5, SHELL_
 codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad2, 5, SHELL_INJECTION, [Return from std::basic_istream<char,std::char_traits<char>>_readsome,Call to execle]
 codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad3, 5, SHELL_INJECTION, [Return from std::basic_istream<char,std::char_traits<char>>_getline,Call to execle]
 codetoanalyze/cpp/quandary/files.cpp, files::read_file_call_exec_bad5, 4, SHELL_INJECTION, [Return from std::basic_istream<char,std::char_traits<char>>_getline,Call to execle]
-codetoanalyze/cpp/quandary/pointers.cpp, pointers::FP_reuse_pointer_as_local_ok, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::reuse_pointer_as_local,Call to __infer_taint_sink]
-codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_pointer_pass_to_sink_bad1, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::assign_pointer_to_source,Call to __infer_taint_sink]
-codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_pointer_pass_to_sink_bad2, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::assign_pointer_to_source,Call to __infer_taint_sink]
-codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_source_by_reference_bad1, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::assign_source_by_reference,Call to __infer_taint_sink]
-codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_source_by_reference_bad2, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::assign_source_by_reference,Call to __infer_taint_sink]
-codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_source_by_reference_bad3, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0,Return from pointers::assign_source_by_reference with tainted data @val$0,Return from pointers::call_assign_source_by_reference,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/pointers.cpp, pointers::FP_reuse_pointer_as_local_ok, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0*,Return from pointers::reuse_pointer_as_local,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_pointer_pass_to_sink_bad1, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0*,Return from pointers::assign_pointer_to_source,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_pointer_pass_to_sink_bad2, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0*,Return from pointers::assign_pointer_to_source,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_source_by_reference_bad1, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0*,Return from pointers::assign_source_by_reference,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_source_by_reference_bad2, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0*,Return from pointers::assign_source_by_reference,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/pointers.cpp, pointers::assign_source_by_reference_bad3, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source with tainted data @val$0*,Return from pointers::assign_source_by_reference with tainted data @val$0*,Return from pointers::call_assign_source_by_reference,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/strings.cpp, strings::append1_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/strings.cpp, strings::append2_bad, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/strings.cpp, strings::assign1_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
@@ -77,6 +77,7 @@ codetoanalyze/cpp/quandary/strings.cpp, strings::concat2_bad, 4, QUANDARY_TAINT_
 codetoanalyze/cpp/quandary/strings.cpp, strings::concat3_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/strings.cpp, strings::constructor1_bad, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/strings.cpp, strings::constructor2_bad, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/strings.cpp, strings::constructor3_bad, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/strings.cpp, strings::format1_bad, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/strings.cpp, strings::format2_bad, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/strings.cpp, strings::format3_bad, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
@@ -97,6 +98,10 @@ codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy2_bad, 3, QUANDARY_TAINT_
 codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy2_bad, 4, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/strings.cpp, strings::strncpy_bad, 4, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/strings.cpp, strings::swap_bad, 4, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/structs.cpp, structs::read_from_struct_source_field_bad, 2, SHELL_INJECTION, [Return from __infer_taint_source,Call to system]
+codetoanalyze/cpp/quandary/structs.cpp, structs::struct_field_source_bad, 3, QUANDARY_TAINT_ERROR, [Return from getenv,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/structs.cpp, structs::struct_field_source_unique_pointer_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
+codetoanalyze/cpp/quandary/structs.cpp, structs::struct_source_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::direct_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::skip_pointer_bad, 3, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink]
diff --git a/infer/tests/codetoanalyze/cpp/quandary/strings.cpp b/infer/tests/codetoanalyze/cpp/quandary/strings.cpp
index 568857bc8..d934172ed 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/strings.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandary/strings.cpp
@@ -83,7 +83,7 @@ void constructor2_bad() {
   __infer_taint_sink(laundered_source);
 }
 
-void FN_constructor3_bad() {
+void constructor3_bad() {
   auto source = __infer_taint_source();
   auto laundered_source = std::string(source.begin(), source.begin() + 5);
   __infer_taint_sink(laundered_source);
diff --git a/infer/tests/codetoanalyze/cpp/quandary/structs.cpp b/infer/tests/codetoanalyze/cpp/quandary/structs.cpp
new file mode 100644
index 000000000..f9714fc62
--- /dev/null
+++ b/infer/tests/codetoanalyze/cpp/quandary/structs.cpp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2016 - present Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ */
+
+#include <memory>
+#include <string>
+
+struct mystruct {
+  char* str;
+  int i;
+};
+
+extern mystruct* __infer_taint_source();
+extern void __infer_taint_sink(mystruct);
+
+namespace structs {
+
+void struct_source_bad() {
+  mystruct* source = __infer_taint_source();
+  __infer_taint_sink(*source);
+}
+
+void struct_field_source_unique_pointer_bad() {
+  std::unique_ptr<mystruct> source(__infer_taint_source());
+  __infer_taint_sink(*source);
+}
+
+void struct_field_source_bad() {
+  mystruct source;
+  source.str = std::getenv("var");
+  __infer_taint_sink(source);
+}
+
+void read_from_struct_source_field_bad() {
+  mystruct* source = __infer_taint_source();
+  system(source->str);
+}
+
+} // namespace structs
diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp
index f2bb714a9..80f0c4e2f 100644
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
@@ -35,7 +35,7 @@ codetoanalyze/java/quandary/ContentProviders.java, Uri ContentProviders.insert(U
 codetoanalyze/java/quandary/ContentProviders.java, int ContentProviders.bulkInsert(Uri,android.content.ContentValues[]), 1, QUANDARY_TAINT_ERROR, [Return from int ContentProviders.bulkInsert(Uri,android.content.ContentValues[]),Call to File.<init>(String)]
 codetoanalyze/java/quandary/ContentProviders.java, int ContentProviders.delete(Uri,String,java.lang.String[]), 1, QUANDARY_TAINT_ERROR, [Return from int ContentProviders.delete(Uri,String,java.lang.String[]),Call to File.<init>(String)]
 codetoanalyze/java/quandary/ContentProviders.java, int ContentProviders.update(Uri,ContentValues,String,java.lang.String[]), 1, QUANDARY_TAINT_ERROR, [Return from int ContentProviders.update(Uri,ContentValues,String,java.lang.String[]),Call to File.<init>(String)]
-codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.FP_propagateViaConcreteTypeOk(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object DynamicDispatch$BadSubtype.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.FP_propagateViaConcreteTypeOk(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object DynamicDispatch$BadSubtype.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.FP_propagateViaConcreteTypeOk(), 7, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void DynamicDispatch$BadSubtype.callSink(Object),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.FP_propagateViaConcreteTypeOk(), 10, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.callSinkViaInterfaceBad(DynamicDispatch$Interface), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void DynamicDispatch$BadInterfaceImpl1.callSink(Object),Call to void InferTaint.inferSensitiveSink(Object)]
@@ -43,9 +43,9 @@ codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.callSinkV
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.callSinkViaSubtypeBad(DynamicDispatch$Supertype), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void DynamicDispatch$BadSubtype.callSink(Object),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.propagateViaInterfaceBad(DynamicDispatch$Interface), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.propagateViaSubtypeBad(DynamicDispatch$Supertype), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.returnSourceViaInterfaceBad(DynamicDispatch$Interface), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object DynamicDispatch$BadInterfaceImpl1.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.returnSourceViaInterfaceBad(DynamicDispatch$Interface), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object DynamicDispatch$BadInterfaceImpl2.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.returnSourceViaSubtypeBad(DynamicDispatch$Supertype), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object DynamicDispatch$BadSubtype.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.returnSourceViaInterfaceBad(DynamicDispatch$Interface), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object DynamicDispatch$BadInterfaceImpl1.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.returnSourceViaInterfaceBad(DynamicDispatch$Interface), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object DynamicDispatch$BadInterfaceImpl2.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.returnSourceViaSubtypeBad(DynamicDispatch$Supertype), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object DynamicDispatch$BadSubtype.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Exceptions.java, void Exceptions.callSinkThenThrowBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Exceptions.callSinkThenThrow(Object),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Exceptions.java, void Exceptions.sinkAfterCatchBad(), 7, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Exceptions.java, void Exceptions.sinkInCatchBad1(), 5, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
@@ -74,7 +74,7 @@ codetoanalyze/java/quandary/Files.java, Path Files.pathsSinkBad1(), 2, QUANDARY_
 codetoanalyze/java/quandary/Files.java, Path Files.pathsSinkBad2(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Path Paths.get(String,java.lang.String[])]
 codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.callSourceAndSinkBad1(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data @val$0.codetoanalyze.java.quandary.FlowSensitivity$Obj.f*,Return from void FlowSensitivity.sourceAndSink(FlowSensitivity$Obj),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.callSourceAndSinkBad2(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void FlowSensitivity.sourceAndSink(FlowSensitivity$Obj),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.interproceduralFlowSensitivityBad(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data @val$0.codetoanalyze.java.quandary.FlowSensitivity$Obj.f,Return from void FlowSensitivity.returnSource(FlowSensitivity$Obj),Call to void FlowSensitivity.callSink(FlowSensitivity$Obj),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.interproceduralFlowSensitivityBad(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data @val$0.codetoanalyze.java.quandary.FlowSensitivity$Obj.f*,Return from void FlowSensitivity.returnSource(FlowSensitivity$Obj),Call to void FlowSensitivity.callSink(FlowSensitivity$Obj),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Intents.java, IBinder MyService.onBind(Intent), 1, QUANDARY_TAINT_ERROR, [Return from IBinder MyService.onBind(Intent),Call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Intents.java, boolean MyService.onUnbind(Intent), 1, QUANDARY_TAINT_ERROR, [Return from boolean MyService.onUnbind(Intent),Call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Intents.java, int MyService.onStartCommand(Intent,int,int), 1, QUANDARY_TAINT_ERROR, [Return from int MyService.onStartCommand(Intent,int,int),Call to ComponentName ContextWrapper.startService(Intent)]
@@ -123,7 +123,7 @@ codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelev
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsSourceInterprocedural(Object), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object Interprocedural.returnSourceIrrelevantPassthrough(Object),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.FP_divergenceInCallee(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.FP_reassignInCallee(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.FP_trackParamsOk(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object Interprocedural.returnSourceConditional(boolean),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.FP_trackParamsOk(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object Interprocedural.returnSourceConditional(boolean),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.callDeepSink1Bad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Interprocedural.callSinkA(Interprocedural$Obj),Call to void Interprocedural.callSink1(Interprocedural$Obj),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.callDeepSink3Bad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Interprocedural.callSinkC(Interprocedural$Obj),Call to void Interprocedural.callSink3(Interprocedural$Obj),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.callDeepSink4Bad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Interprocedural.callSinkD(Interprocedural$Obj),Call to void Interprocedural.callSink4(Interprocedural$Obj),Call to void InferTaint.inferSensitiveSink(Object)]
@@ -139,12 +139,12 @@ codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.callSinkP
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.callSinkVariadicBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Interprocedural.callSinkVariadic(java.lang.Object[]),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.doublePassthroughBad(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.getGlobalThenCallSinkBad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Interprocedural.getGlobalThenCallSink(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceDirectBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object Interprocedural.returnSourceDirect(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceDirectViaVarBad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object Interprocedural.returnSourceDirect(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceIndirectBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object Interprocedural.returnSourceDirect() with tainted data &return,Return from Object Interprocedural.returnSourceIndirect(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceViaFieldBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return.codetoanalyze.java.quandary.Interprocedural$Obj.f,Return from Interprocedural$Obj Interprocedural.returnSourceViaField(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceViaGlobalBad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &#GB<codetoanalyze/java/quandary/Interprocedural.java>$codetoanalyze.java.quandary.Interprocedural.codetoanalyze.java.quandary.Interprocedural.sGlobal,Return from void Interprocedural.returnSourceViaGlobal(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceViaParameter1Bad(Interprocedural$Obj), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data @val$0.codetoanalyze.java.quandary.Interprocedural$Obj.f,Return from void Interprocedural.returnSourceViaParameter1(Interprocedural$Obj),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceDirectBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object Interprocedural.returnSourceDirect(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceDirectViaVarBad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object Interprocedural.returnSourceDirect(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceIndirectBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object Interprocedural.returnSourceDirect() with tainted data &return*,Return from Object Interprocedural.returnSourceIndirect(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceViaFieldBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return.codetoanalyze.java.quandary.Interprocedural$Obj.f*,Return from Interprocedural$Obj Interprocedural.returnSourceViaField(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceViaGlobalBad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &#GB<codetoanalyze/java/quandary/Interprocedural.java>$codetoanalyze.java.quandary.Interprocedural.codetoanalyze.java.quandary.Interprocedural.sGlobal*,Return from void Interprocedural.returnSourceViaGlobal(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceViaParameter1Bad(Interprocedural$Obj), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data @val$0.codetoanalyze.java.quandary.Interprocedural$Obj.f*,Return from void Interprocedural.returnSourceViaParameter1(Interprocedural$Obj),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceViaParameter2Bad(Interprocedural$Obj,Interprocedural$Obj), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.setGlobalThenCallSinkBad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Interprocedural.callSinkOnGlobal(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.singlePassthroughBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
@@ -200,11 +200,11 @@ codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderIgnoreRet
 codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderSugarBad(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Strings.java, void Strings.viaStringFormatVarArgsDirectBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Strings.java, void Strings.viaStringFormatVarArgsIndirectBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Strings.viaStringFormatVarArgsIndirect(Object),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/TaintExample.java, void TaintExample.interprocTaintErrorWithModelMethods1(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object TaintExample.returnTaintedSourceModelMethods(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/TaintExample.java, void TaintExample.interprocTaintErrorWithModelMethods1(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object TaintExample.returnTaintedSourceModelMethods(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/TaintExample.java, void TaintExample.interprocTaintErrorWithModelMethods2(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void TaintExample.callSinkMethodModelMethods(Object),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/TaintExample.java, void TaintExample.interprocTaintErrorWithModelMethods3(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return,Return from Object TaintExample.returnTaintedSourceModelMethods(),Call to void TaintExample.callSinkMethodModelMethods(Object),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/TaintExample.java, void TaintExample.interprocTaintErrorWithModelMethods3(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object TaintExample.returnTaintedSourceModelMethods(),Call to void TaintExample.callSinkMethodModelMethods(Object),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/TaintExample.java, void TaintExample.simpleTaintErrorWithModelMethods(), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.callTaintedContextBad1(String), 2, QUANDARY_TAINT_ERROR, [Return from Object TaintedFormals.taintedContextBad(String) with tainted data &return,Return from Object TaintedFormals.taintedContextBad(String),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.callTaintedContextBad1(String), 2, QUANDARY_TAINT_ERROR, [Return from Object TaintedFormals.taintedContextBad(String) with tainted data &return*,Return from Object TaintedFormals.taintedContextBad(String),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.callTaintedContextBad2(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void TaintedFormals.taintedContextBad(String,Intent,Integer),Call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Intent,Integer), 3, QUANDARY_TAINT_ERROR, [Return from void TaintedFormals.taintedContextBad(String,Intent,Integer),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Intent,Integer), 4, QUANDARY_TAINT_ERROR, [Return from void TaintedFormals.taintedContextBad(String,Intent,Integer),Call to void InferTaint.inferSensitiveSink(Object)]