[quandary] turn off dynamic dispatch handling in Java

Reviewed By: jeremydubreil Differential Revision: D6316897 fbshipit-source-id: 033f82b
7 years ago · 7428f36fbd
parent 758048078b
commit 7428f36fbd
3 changed files with 9 additions and 32 deletions
--- a/infer/src/quandary/TaintAnalysis.ml
+++ b/infer/src/quandary/TaintAnalysis.ml
@ -384,6 +384,7 @@ module Make (TaintSpecification : TaintSpec.S) = struct
      in
      TaintDomain.trace_fold add_to_caller_tree summary caller_access_tree
    let exec_instr (astate: Domain.astate) (proc_data: extras ProcData.t) _ (instr: HilInstr.t) =
      (* not all sinks are function calls; we might want to treat an array or field access as a
         sink too. do this by pretending an access is a call to a dummy function and using the
@ -456,7 +457,7 @@ module Make (TaintSpecification : TaintSpec.S) = struct
          |> add_sinks_for_access_path lhs_access_path loc |> exec_write lhs_access_path rhs_exp
      | Assume (assume_exp, _, _, loc) ->
          add_sources_sinks_for_exp assume_exp loc astate
-      | Call (ret_opt, Direct called_pname, actuals, call_flags, callee_loc) ->
+      | Call (ret_opt, Direct called_pname, actuals, _, callee_loc) ->
          let astate =
            List.fold
              ~f:(fun acc exp -> add_sources_sinks_for_exp exp callee_loc acc)
@ -635,20 +636,7 @@ module Make (TaintSpecification : TaintSpec.S) = struct
            in
            Domain.join astate_acc astate_with_sanitizer
          in
-          (* highly polymorphic call sites stress reactive mode too much by using too much memory.
+          analyze_call Domain.empty called_pname
             here, we choose an arbitrary call limit that allows us to finish the analysis in
             practice. this is obviously unsound; will try to remove in the future. *)
          let max_calls = 3 in
          let targets =
            if List.length call_flags.cf_targets <= max_calls then
              called_pname :: call_flags.cf_targets
            else (
              L.(debug Analysis Medium)
                "Skipping highly polymorphic call site for %a@." Typ.Procname.pp called_pname ;
              [called_pname] )
          in
          (* for each possible target of the call, apply the summary. join all results together *)
          List.fold ~f:analyze_call ~init:Domain.empty targets
      | _ ->
          astate
@ -794,7 +782,6 @@ module Make (TaintSpecification : TaintSpec.S) = struct
        ~init:TaintDomain.empty
        (TraceDomain.Source.get_tainted_formals pdesc tenv)
    in
    Preanal.do_dynamic_dispatch proc_desc (Cg.create (SourceFile.invalid __FILE__)) tenv ;
    let initial = make_initial proc_desc in
    let extras =
      let formal_map = FormalMap.make proc_desc in
--- a/infer/tests/codetoanalyze/java/quandary/DynamicDispatch.java
+++ b/infer/tests/codetoanalyze/java/quandary/DynamicDispatch.java
@ -72,12 +72,12 @@ public class DynamicDispatch {
  /** interface tests. for all of these, we should see a warning for both BadInterfaceImpl1 and
   BadInterfaceImpl2, but not OkInterfaceImpl */
-  static void returnSourceViaInterfaceBad(Interface i) {
+  static void FN_returnSourceViaInterfaceBad(Interface i) {
    Object source = i.returnSource();
    InferTaint.inferSensitiveSink(source);
  }
-  static void callSinkViaInterfaceBad(Interface i) {
+  static void FN_callSinkViaInterfaceBad(Interface i) {
    Object source = InferTaint.inferSecretSource();
    i.callSink(source);
  }
@ -130,24 +130,24 @@ public class DynamicDispatch {
    }
  }
-  static void returnSourceViaSubtypeBad(Supertype s) {
+  static void FN_returnSourceViaSubtypeBad(Supertype s) {
    Object source = s.returnSource();
    InferTaint.inferSensitiveSink(source);
  }
-  static void callSinkViaSubtypeBad(Supertype s) {
+  static void FN_callSinkViaSubtypeBad(Supertype s) {
    Object source = InferTaint.inferSecretSource();
    s.callSink(source);
  }
-  static void propagateViaSubtypeBad(Supertype s) {
+  static void FN_propagateViaSubtypeBad(Supertype s) {
    Object source = InferTaint.inferSecretSource();
    Object launderedSource = s.propagate(source);
    InferTaint.inferSensitiveSink(launderedSource);
  }
  // need to look and see if we know the concrete type of the receiver to get this one
-  static void FP_propagateViaConcreteTypeOk() {
+  static void propagateViaConcreteTypeOk() {
    Supertype s = new Supertype();
    Object source1 = s.returnSource();
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
@ -35,17 +35,7 @@ codetoanalyze/java/quandary/ContentProviders.java, Uri ContentProviders.insert(U
 codetoanalyze/java/quandary/ContentProviders.java, int ContentProviders.bulkInsert(Uri,android.content.ContentValues[]), 1, QUANDARY_TAINT_ERROR, [Return from int ContentProviders.bulkInsert(Uri,android.content.ContentValues[]),Call to File.<init>(String)]
 codetoanalyze/java/quandary/ContentProviders.java, int ContentProviders.delete(Uri,String,java.lang.String[]), 1, QUANDARY_TAINT_ERROR, [Return from int ContentProviders.delete(Uri,String,java.lang.String[]),Call to File.<init>(String)]
 codetoanalyze/java/quandary/ContentProviders.java, int ContentProviders.update(Uri,ContentValues,String,java.lang.String[]), 1, QUANDARY_TAINT_ERROR, [Return from int ContentProviders.update(Uri,ContentValues,String,java.lang.String[]),Call to File.<init>(String)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.FP_propagateViaConcreteTypeOk(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object DynamicDispatch$BadSubtype.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.FP_propagateViaConcreteTypeOk(), 7, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void DynamicDispatch$BadSubtype.callSink(Object),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.FP_propagateViaConcreteTypeOk(), 10, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.callSinkViaInterfaceBad(DynamicDispatch$Interface), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void DynamicDispatch$BadInterfaceImpl1.callSink(Object),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.callSinkViaInterfaceBad(DynamicDispatch$Interface), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void DynamicDispatch$BadInterfaceImpl2.callSink(Object),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.callSinkViaSubtypeBad(DynamicDispatch$Supertype), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void DynamicDispatch$BadSubtype.callSink(Object),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.propagateViaInterfaceBad(DynamicDispatch$Interface), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.propagateViaSubtypeBad(DynamicDispatch$Supertype), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.returnSourceViaInterfaceBad(DynamicDispatch$Interface), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object DynamicDispatch$BadInterfaceImpl1.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.returnSourceViaInterfaceBad(DynamicDispatch$Interface), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object DynamicDispatch$BadInterfaceImpl2.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/DynamicDispatch.java, void DynamicDispatch.returnSourceViaSubtypeBad(DynamicDispatch$Supertype), 2, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource() with tainted data &return*,Return from Object DynamicDispatch$BadSubtype.returnSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Exceptions.java, void Exceptions.callSinkThenThrowBad(), 1, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Exceptions.callSinkThenThrow(Object),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Exceptions.java, void Exceptions.sinkAfterCatchBad(), 7, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Exceptions.java, void Exceptions.sinkInCatchBad1(), 5, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]