From d2433476a5af079d012a91719e63a7302c036d81 Mon Sep 17 00:00:00 2001
From: Sam Blackshear <shb@fb.com>
Date: Tue, 24 Oct 2017 11:11:21 -0700
Subject: [PATCH] [quandary] fix heuristic for recognizing buffer access

Summary: Previously, this would incorrectly classify types like `map<std::string, int>` as a buffer

Reviewed By: mbouaziz

Differential Revision: D6125530

fbshipit-source-id: c8564de
---
 infer/src/quandary/ClangTrace.ml                   | 9 +++++----
 infer/tests/codetoanalyze/cpp/quandary/vectors.cpp | 8 +++++++-
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/infer/src/quandary/ClangTrace.ml b/infer/src/quandary/ClangTrace.ml
index 608112e0f..ecd4a2c93 100644
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@@ -202,21 +202,22 @@ module SinkKind = struct
 
 
   let get pname actuals _ =
-    let is_buffer_class cpp_name =
+    let is_buffer_like pname =
       (* assume it's a buffer class if it's "vector-y", "array-y", or "string-y". don't want to
          report on accesses to maps etc., but also want to recognize custom vectors like fbvector
          rather than overfitting to std::vector *)
       let typename =
-        String.lowercase (Typ.Name.to_string (Typ.Procname.objc_cpp_get_class_type_name cpp_name))
+        Typ.Procname.get_qualifiers pname |> QualifiedCppName.strip_template_args
+        |> QualifiedCppName.to_qual_string |> String.lowercase
       in
       String.is_substring ~substring:"vec" typename
       || String.is_substring ~substring:"array" typename
       || String.is_substring ~substring:"string" typename
     in
     match pname with
-    | Typ.Procname.ObjC_Cpp cpp_name -> (
+    | Typ.Procname.ObjC_Cpp _ -> (
       match Typ.Procname.get_method pname with
-      | "operator[]" when Config.developer_mode && is_buffer_class cpp_name ->
+      | "operator[]" when Config.developer_mode && is_buffer_like pname ->
           taint_nth 1 BufferAccess actuals
       | _ ->
           get_external_sink pname actuals )
diff --git a/infer/tests/codetoanalyze/cpp/quandary/vectors.cpp b/infer/tests/codetoanalyze/cpp/quandary/vectors.cpp
index 0e3ad2092..6961aab0f 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/vectors.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandary/vectors.cpp
@@ -8,6 +8,7 @@
  */
 
 #include <map>
+#include <string>
 #include <vector>
 
 extern int __infer_taint_source();
@@ -30,7 +31,12 @@ void write_map_ok(std::map<int, int> map) {
   map[source] = 2;
 }
 
-void read_map_ok(std::map<int, int> map) {
+void write_string_map_ok(std::map<int, std::string> map) {
+  int source = __infer_taint_source();
+  map[source] = "string";
+}
+
+int read_map_ok(std::map<int, int> map) {
   int source = __infer_taint_source();
   return map[source];
 }