[quandary] handle procedures that have name conflict with sinks, but different number of args

Summary: When a sink name is specified in `.inferconfig` or in OCaml, it might conflict with a function of the same name that has a different number of args. We shouldn't try to create a sink in this case, and we definitely shouldn't crash. Reviewed By: jeremydubreil Differential Revision: D5561216 fbshipit-source-id: fa1859b
7 years ago · 9c99c38b22
parent d850492ffe
commit 9c99c38b22
4 changed files with 21 additions and 7 deletions
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@ -140,7 +140,8 @@ module SinkKind = struct
      (QuandaryConfig.Sink.of_json Config.quandary_sinks)

  (* taint the nth parameter (0-indexed) *)
-  let taint_nth n kind = Some (kind, IntSet.singleton n)
+  let taint_nth n kind actuals =
+    if n < List.length actuals then Some (kind, IntSet.singleton n) else None

  let taint_all actuals kind =
    Some (kind, IntSet.of_list (List.mapi ~f:(fun actual_num _ -> actual_num) actuals))
@ -154,7 +155,7 @@ module SinkKind = struct
          let kind = of_string kind in
          try
            let n = int_of_string index in
-            taint_nth n kind
+            taint_nth n kind actuals
          with Failure _ ->
            (* couldn't parse the index, just taint everything *)
            taint_all actuals kind
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@ -221,7 +221,7 @@ module SinkKind = struct
    (* taint the nth non-"this" parameter (0-indexed) *)
    let taint_nth n kind =
      let first_index = if Typ.Procname.java_is_static pname then n else n + 1 in
-      Some (kind, IntSet.singleton first_index)
+      if first_index < List.length actuals then Some (kind, IntSet.singleton first_index) else None
    in
    match pname with
    | Typ.Procname.Java java_pname -> (
--- a/infer/src/quandary/TaintAnalysis.ml
+++ b/infer/src/quandary/TaintAnalysis.ml
@ -254,10 +254,9 @@ module Make (TaintSpecification : TaintSpec.S) = struct
            | None
             -> access_tree_acc )
        | None
-         -> Logging.internal_error
+         -> failwithf
              "Taint is supposed to flow into sink %a at index %d, but the index is out of bounds@\n"
-              CallSite.pp callee_site sink_index ;
-            access_tree_acc
+              CallSite.pp callee_site sink_index
        | _
         -> access_tree_acc
      in
@ -466,7 +465,10 @@ module Make (TaintSpecification : TaintSpec.S) = struct
          in
          let analyze_call astate_acc callee_pname =
            let call_site = CallSite.make callee_pname callee_loc in
-            let sink = TraceDomain.Sink.get call_site actuals proc_data.ProcData.tenv in
+            let sink =
+              if List.is_empty actuals then None
+              else TraceDomain.Sink.get call_site actuals proc_data.ProcData.tenv
+            in
            let astate_with_sink =
              match sink with
              | Some sink
--- a/infer/tests/codetoanalyze/java/quandary/ExternalSpecs.java
+++ b/infer/tests/codetoanalyze/java/quandary/ExternalSpecs.java
@ -102,5 +102,16 @@ public class ExternalSpecs {
    return sanitized;
  }

+  // if theres' a procedure with the same name defined in .inferconfig as a sink on parameter 1,
+  // we shouldn't crash
+  public static void loggingSink1() {}
+
+  // we shouldn't fail when calling this either
+  public static void loggingSink1(Object notASink) { }
+
+  void callLoggingSink1sOk(Object o) {
+    loggingSink1();
+    loggingSink1(o);
+  }

 }