[quandary] fix heuristic for recognizing buffer access

Summary: Previously, this would incorrectly classify types like `map<std::string, int>` as a buffer Reviewed By: mbouaziz Differential Revision: D6125530 fbshipit-source-id: c8564de
7 years ago · d2433476a5
parent 3d6168cd0d
commit d2433476a5
2 changed files with 12 additions and 5 deletions
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@ -202,21 +202,22 @@ module SinkKind = struct


  let get pname actuals _ =
-    let is_buffer_class cpp_name =
+    let is_buffer_like pname =
      (* assume it's a buffer class if it's "vector-y", "array-y", or "string-y". don't want to
         report on accesses to maps etc., but also want to recognize custom vectors like fbvector
         rather than overfitting to std::vector *)
      let typename =
-        String.lowercase (Typ.Name.to_string (Typ.Procname.objc_cpp_get_class_type_name cpp_name))
+        Typ.Procname.get_qualifiers pname |> QualifiedCppName.strip_template_args
+        |> QualifiedCppName.to_qual_string |> String.lowercase
      in
      String.is_substring ~substring:"vec" typename
      || String.is_substring ~substring:"array" typename
      || String.is_substring ~substring:"string" typename
    in
    match pname with
-    | Typ.Procname.ObjC_Cpp cpp_name -> (
+    | Typ.Procname.ObjC_Cpp _ -> (
      match Typ.Procname.get_method pname with
-      | "operator[]" when Config.developer_mode && is_buffer_class cpp_name ->
+      | "operator[]" when Config.developer_mode && is_buffer_like pname ->
          taint_nth 1 BufferAccess actuals
      | _ ->
          get_external_sink pname actuals )
--- a/infer/tests/codetoanalyze/cpp/quandary/vectors.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandary/vectors.cpp
@ -8,6 +8,7 @@
 */

 #include <map>
+#include <string>
 #include <vector>

 extern int __infer_taint_source();
@ -30,7 +31,12 @@ void write_map_ok(std::map<int, int> map) {
  map[source] = 2;
 }

-void read_map_ok(std::map<int, int> map) {
+void write_string_map_ok(std::map<int, std::string> map) {
+  int source = __infer_taint_source();
+  map[source] = "string";
+}
+
+int read_map_ok(std::map<int, int> map) {
  int source = __infer_taint_source();
  return map[source];
 }