Updated QuandaryBO issue matching.

Reviewed By: jvillard Differential Revision: D9923601 fbshipit-source-id: a9791dc6c
6 years ago · 60784ad045
parent f1353ec3da
commit 60784ad045
2 changed files with 58 additions and 19 deletions
--- a/infer/src/quandary/quandaryBO.ml
+++ b/infer/src/quandary/quandaryBO.ml
@ -8,10 +8,11 @@
 open! IStd

 let update_issues all_issues =
-  let quandary_bug_names =
-    IssueType.[untrusted_buffer_access; untrusted_heap_allocation; untrusted_variable_length_array]
+  let quandary_access_issues = [IssueType.untrusted_buffer_access] in
+  let quandary_alloc_issues =
+    IssueType.[untrusted_heap_allocation; untrusted_variable_length_array]
  in
-  let inferbo_bug_names =
+  let inferbo_access_issues =
    IssueType.
      [ buffer_overrun_l1
      ; buffer_overrun_l2
@ -19,28 +20,45 @@ let update_issues all_issues =
      ; buffer_overrun_l4
      ; buffer_overrun_l5
      ; buffer_overrun_s2
-      ; buffer_overrun_u5
-      ; inferbo_alloc_is_big
+      ; buffer_overrun_u5 ]
+  in
+  let inferbo_alloc_issues =
+    IssueType.
+      [ inferbo_alloc_is_big
      ; inferbo_alloc_is_zero
      ; inferbo_alloc_is_negative
      ; inferbo_alloc_may_be_big
      ; inferbo_alloc_may_be_negative ]
  in
-  let is_quandary_issue issue =
-    List.mem quandary_bug_names issue.Issue.err_key.err_name ~equal:IssueType.equal
+  let is_quandary_access_issue issue =
+    List.mem quandary_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
+  in
+  let is_quandary_alloc_issue issue =
+    List.mem quandary_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
+  in
+  let is_relevant_quandary_issue issue =
+    is_quandary_access_issue issue || is_quandary_alloc_issue issue
+  in
+  let is_inferbo_access_issue issue =
+    List.mem inferbo_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
  in
-  let is_inferbo_issue issue =
-    List.mem inferbo_bug_names issue.Issue.err_key.err_name ~equal:IssueType.equal
+  let is_inferbo_alloc_issue issue =
+    List.mem inferbo_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
+  in
+  let is_relevant_inferbo_issue issue =
+    is_inferbo_access_issue issue || is_inferbo_alloc_issue issue
  in
  let quandary_issues, inferBO_issues =
    List.fold all_issues ~init:([], []) ~f:(fun (q_issues, iBO_issues) issue ->
-        if is_quandary_issue issue then (issue :: q_issues, iBO_issues)
-        else if is_inferbo_issue issue then (q_issues, issue :: iBO_issues)
+        if is_relevant_quandary_issue issue then (issue :: q_issues, iBO_issues)
+        else if is_relevant_inferbo_issue issue then (q_issues, issue :: iBO_issues)
        else (q_issues, iBO_issues) )
  in
  let matching_issues quandary_issue inferbo_issue =
    SourceFile.equal quandary_issue.Issue.proc_location.file inferbo_issue.Issue.proc_location.file
    && Int.equal quandary_issue.Issue.proc_location.line inferbo_issue.Issue.proc_location.line
+    && ( (is_quandary_alloc_issue quandary_issue && is_inferbo_alloc_issue inferbo_issue)
+       || (is_quandary_access_issue quandary_issue && is_inferbo_access_issue inferbo_issue) )
  in
  let paired_issues =
    (* Can be computed more efficiently (in n*log(n)) by using a Map mapping
@ -62,13 +80,13 @@ let update_issues all_issues =
            else IssueType.tainted_memory_allocation )
          ~merge_descriptions:(fun descs1 descs2 ->
            String.concat
-              ( "QuandaryBO error. Quandary error(s):\n"
-              :: (descs1 @ ("InferBO error(s):\n" :: descs2)) ) )
+              ( "QuandaryBO error. Quandary error(s): \""
+              :: (descs1 @ ("\". InferBO error(s):\"" :: (descs2 @ ["\"."]))) ) )
    ; err_data= Errlog.merge_err_data issue1.Issue.err_data issue2.Issue.err_data }
  in
  (* Can merge List.map, List.concat_map and List.filter_map into a single fold. *)
  let quandaryBO_issues = List.map ~f:merge_issues paired_issues in
-  let quandary_issuetypes =
+  let quandary_issues =
    IssueType.
      [ quandary_taint_error
      ; shell_injection
@ -82,16 +100,17 @@ let update_issues all_issues =
      ; untrusted_variable_length_array
      ; user_controlled_sql_risk ]
  in
-  let inferBO_issuetypes = inferbo_bug_names in
+  let inferbo_issues =
+    inferbo_alloc_issues @ inferbo_access_issues @ [IssueType.unreachable_code_after]
+  in
  let all_issues_filtered =
    List.filter
      ~f:(fun issue ->
        ( Config.quandary
-        || not (List.mem quandary_issuetypes issue.Issue.err_key.err_name ~equal:IssueType.equal)
-        )
+        || not (List.mem quandary_issues issue.Issue.err_key.err_name ~equal:IssueType.equal) )
        && ( Config.bufferoverrun
-           || not (List.mem inferBO_issuetypes issue.Issue.err_key.err_name ~equal:IssueType.equal)
-           ) )
+           || not (List.mem inferbo_issues issue.Issue.err_key.err_name ~equal:IssueType.equal) )
+        )
      all_issues
  in
  List.rev_append all_issues_filtered quandaryBO_issues
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp
@ -4,6 +4,8 @@
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 */
+#include <stdlib.h>
+
 extern int __infer_taint_source();

 void basic_bad() {
@ -33,3 +35,21 @@ void memory_alloc_bad2() {
    int arr[s];
  }
 }
+
+struct st {
+  int size;
+  int ind;
+};
+
+st overlapping_issues_source_good() {
+  return {.size = __infer_taint_source(), .ind = 10};
+}
+
+void overlapping_issues_sink_good(st info) {
+  int arr[info.size];
+  arr[info.ind] = 0;
+}
+
+void overlapping_issues_good() {
+  overlapping_issues_sink_good(overlapping_issues_source_good());
+}