[quandaryBO] delete :(

Summary: This was never quite finished and inferbo has a new way to do sort of the same thing. Reviewed By: skcho, ngorogiannis Differential Revision: D20362619 fbshipit-source-id: 7c7935d47
5 years ago · e5b50d7d46
parent 1faf00e58e
commit e5b50d7d46
26 changed files with 4 additions and 501 deletions
--- a/2
+++ b/2
@ -68,7 +68,7 @@ DIRECT_TESTS += \
  cpp_linters-for-test-only \
  cpp_liveness \
  cpp_pulse \
-  cpp_quandary cpp_quandaryBO \
+  cpp_quandary \
  cpp_racerd \
  cpp_siof \
  cpp_starvation \
--- a/infer/man/man1/infer-analyze.txt
+++ b/infer/man/man1/infer-analyze.txt
@ -251,14 +251,6 @@ OPTIONS
           Activates: Enable --quandary and disable all other checkers
           (Conversely: --no-quandary-only)
       --quandaryBO
           Activates: [EXPERIMENTAL] The quandaryBO tainted buffer access
           analysis (Conversely: --no-quandaryBO)
       --quandaryBO-only
           Activates: Enable --quandaryBO and disable all other checkers
           (Conversely: --no-quandaryBO-only)
       --quiet,-q
           Activates: Do not print specs on standard output (default: only
           print for the report command) (Conversely: --no-quiet | -Q)
--- a/infer/man/man1/infer-full.txt
+++ b/infer/man/man1/infer-full.txt
@ -488,8 +488,6 @@ OPTIONS
             STRICT_MODE_VIOLATION (enabled by default),
             STRONG_SELF_NOT_CHECKED (enabled by default),
             Symexec_memory_error (enabled by default),
             TAINTED_BUFFER_ACCESS (enabled by default),
             TAINTED_MEMORY_ALLOCATION (enabled by default),
             THREAD_SAFETY_VIOLATION (enabled by default),
             TOPL_ERROR (enabled by default),
             UNARY_MINUS_APPLIED_TO_UNSIGNED_EXPRESSION (disabled by
@ -891,14 +889,6 @@ OPTIONS
       --quandary-sources json
           Specify custom sources for Quandary           See also infer-analyze(1).
       --quandaryBO
           Activates: [EXPERIMENTAL] The quandaryBO tainted buffer access
           analysis (Conversely: --no-quandaryBO)           See also infer-analyze(1).
       --quandaryBO-only
           Activates: Enable --quandaryBO and disable all other checkers
           (Conversely: --no-quandaryBO-only)           See also infer-analyze(1).
       --quiet,-q
           Activates: Do not print specs on standard output (default: only
           print for the report command) (Conversely: --no-quiet | -Q)       
--- a/infer/man/man1/infer-report.txt
+++ b/infer/man/man1/infer-report.txt
@ -219,8 +219,6 @@ OPTIONS
             STRICT_MODE_VIOLATION (enabled by default),
             STRONG_SELF_NOT_CHECKED (enabled by default),
             Symexec_memory_error (enabled by default),
             TAINTED_BUFFER_ACCESS (enabled by default),
             TAINTED_MEMORY_ALLOCATION (enabled by default),
             THREAD_SAFETY_VIOLATION (enabled by default),
             TOPL_ERROR (enabled by default),
             UNARY_MINUS_APPLIED_TO_UNSIGNED_EXPRESSION (disabled by
--- a/infer/man/man1/infer.txt
+++ b/infer/man/man1/infer.txt
@ -488,8 +488,6 @@ OPTIONS
             STRICT_MODE_VIOLATION (enabled by default),
             STRONG_SELF_NOT_CHECKED (enabled by default),
             Symexec_memory_error (enabled by default),
             TAINTED_BUFFER_ACCESS (enabled by default),
             TAINTED_MEMORY_ALLOCATION (enabled by default),
             THREAD_SAFETY_VIOLATION (enabled by default),
             TOPL_ERROR (enabled by default),
             UNARY_MINUS_APPLIED_TO_UNSIGNED_EXPRESSION (disabled by
@ -891,14 +889,6 @@ OPTIONS
       --quandary-sources json
           Specify custom sources for Quandary           See also infer-analyze(1).
       --quandaryBO
           Activates: [EXPERIMENTAL] The quandaryBO tainted buffer access
           analysis (Conversely: --no-quandaryBO)           See also infer-analyze(1).
       --quandaryBO-only
           Activates: Enable --quandaryBO and disable all other checkers
           (Conversely: --no-quandaryBO-only)           See also infer-analyze(1).
       --quiet,-q
           Activates: Do not print specs on standard output (default: only
           print for the report command) (Conversely: --no-quiet | -Q)       
--- a/infer/src/IR/Errlog.ml
+++ b/infer/src/IR/Errlog.ml
@ -75,15 +75,6 @@ type node =
 type err_key = {severity: Exceptions.severity; err_name: IssueType.t; err_desc: Localise.error_desc}
 [@@deriving compare]
 let merge_err_key err_key1 err_key2 ~merge_issues ~merge_descriptions =
  let max_sev sev1 sev2 = if Exceptions.compare_severity sev1 sev2 >= 0 then sev1 else sev2 in
  { severity= max_sev err_key1.severity err_key2.severity
  ; err_name= merge_issues err_key1.err_name err_key2.err_name
  ; err_desc=
      Localise.verbatim_desc
        (merge_descriptions err_key1.err_desc.descriptions err_key2.err_desc.descriptions) }
 (** Data associated to a specific error *)
 type err_data =
  { node_id: int
@ -102,21 +93,6 @@ type err_data =
 let compare_err_data err_data1 err_data2 = Location.compare err_data1.loc err_data2.loc
 let merge_err_data err_data1 err_data2 =
  { node_id= 0
  ; node_key= None
  ; session= 0
  ; loc= {err_data1.loc with col= -1}
  ; loc_in_ml_source= None
  ; loc_trace= concat_traces [("", err_data1.loc_trace); ("-----------", err_data2.loc_trace)]
  ; err_class= Exceptions.Checker
  ; visibility= Exceptions.Exn_user
  ; linters_def_file= None
  ; doc_url= None
  ; access= None
  ; extras= None }
 module ErrDataSet = (* set err_data with no repeated loc *)
 Caml.Set.Make (struct
  type t = err_data
--- a/infer/src/IR/Errlog.mli
+++ b/infer/src/IR/Errlog.mli
@ -44,16 +44,6 @@ type err_key = private
  {severity: Exceptions.severity; err_name: IssueType.t; err_desc: Localise.error_desc}
 [@@deriving compare]
 val merge_err_key :
     err_key
  -> err_key
  -> merge_issues:(IssueType.t -> IssueType.t -> IssueType.t)
  -> merge_descriptions:(string list -> string list -> string)
  -> err_key
 (** Merges two error keys, setting the result's severity to the maximum of that of the two arguments
    and giving the user the opportunity to pass a function to merge the IssueTypes and descriptions
    of the two. *)
 (** Data associated to a specific error *)
 type err_data = private
  { node_id: int
@ -70,11 +60,6 @@ type err_data = private
  ; extras: Jsonbug_t.extra option }
 [@@deriving compare]
 val merge_err_data : err_data -> err_data -> err_data
 (** Merges two err_datas, throwing out most information and setting the trace of the result to the
    concatenation of the traces of the two arguments with a separator in between. Used specifically
    for QuandaryBO. *)
 (** Type of the error log *)
 type t
--- a/infer/src/base/Checker.ml
+++ b/infer/src/base/Checker.ml
@ -27,7 +27,6 @@ type t =
  | Pulse
  | Purity
  | Quandary
  | QuandaryBO
  | RacerD
  | ResourceLeak
  | SIOF
@ -207,13 +206,6 @@ let config checker =
      ; cli_flag= "quandary"
      ; enabled_by_default= false
      ; cli_deprecated_flags= [] }
  | QuandaryBO ->
      { support= supports_clang_and_java_experimental
      ; short_documentation= "[EXPERIMENTAL] The quandaryBO tainted buffer access analysis"
      ; show_in_help= true
      ; cli_flag= "quandaryBO"
      ; enabled_by_default= false
      ; cli_deprecated_flags= [] }
  | RacerD ->
      { support= supports_clang_and_java
      ; short_documentation= "the RacerD thread safety analysis"
--- a/infer/src/base/Checker.mli
+++ b/infer/src/base/Checker.mli
@ -27,7 +27,6 @@ type t =
  | Pulse
  | Purity
  | Quandary
  | QuandaryBO
  | RacerD
  | ResourceLeak
  | SIOF
--- a/infer/src/base/Config.ml
+++ b/infer/src/base/Config.ml
@ -3117,20 +3117,6 @@ let procnames_locks_dir = results_dir ^/ procnames_locks_dir_name
   information found in the abstract state *)
 let dynamic_dispatch = is_checker_enabled Biabduction
 let quandaryBO_filtered_issues =
  if is_checker_enabled QuandaryBO then
    IssueType.
      [ buffer_overrun_u5
      ; buffer_overrun_l5
      ; buffer_overrun_l4
      ; untrusted_buffer_access
      ; untrusted_heap_allocation ]
    |> List.filter ~f:(fun issue ->
           let enabled = issue.IssueType.enabled || not filtering in
           IssueType.set_enabled issue true ; not enabled )
  else []
 (** Check if a Java package is external to the repository *)
 let java_package_is_external package =
  match external_java_packages with
--- a/infer/src/base/Config.mli
+++ b/infer/src/base/Config.mli
@ -679,7 +679,4 @@ val is_in_custom_symbols : string -> string -> bool
 val java_package_is_external : string -> bool
 (** Check if a Java package is external to the repository *)
 val quandaryBO_filtered_issues : IssueType.t list
 (** List of issues that are enabled by QuandaryBO but should not be in the final report.json *)
 val execution_id : Int64.t
--- a/infer/src/base/IssueType.ml
+++ b/infer/src/base/IssueType.ml
@ -438,10 +438,6 @@ let symexec_memory_error =
  register_from_string "Symexec_memory_error" ~hum:"Symbolic Execution Memory Error"
 let tainted_buffer_access = register_from_string "TAINTED_BUFFER_ACCESS"
 let tainted_memory_allocation = register_from_string "TAINTED_MEMORY_ALLOCATION"
 let thread_safety_violation = register_from_string "THREAD_SAFETY_VIOLATION"
 let complexity_increase ~kind ~is_on_cold_start ~is_on_ui_thread =
--- a/infer/src/base/IssueType.mli
+++ b/infer/src/base/IssueType.mli
@ -300,10 +300,6 @@ val strong_self_not_checked : t
 val symexec_memory_error : t
 val tainted_buffer_access : t
 val tainted_memory_allocation : t
 val thread_safety_violation : t
 val topl_error : t
--- a/infer/src/checkers/registerCheckers.ml
+++ b/infer/src/checkers/registerCheckers.ml
@ -44,13 +44,12 @@ let all_checkers =
    ; active=
        Config.(
          is_checker_enabled BufferOverrun || is_checker_enabled Cost
-          || is_checker_enabled LoopHoisting || is_checker_enabled Purity
+          || is_checker_enabled LoopHoisting || is_checker_enabled Purity)
          || is_checker_enabled QuandaryBO)
    ; callbacks=
        [ (Procedure BufferOverrunAnalysis.do_analysis, Language.Clang)
        ; (Procedure BufferOverrunAnalysis.do_analysis, Language.Java) ] }
  ; { name= "buffer overrun checker"
-    ; active= Config.(is_checker_enabled BufferOverrun || is_checker_enabled QuandaryBO)
+    ; active= Config.(is_checker_enabled BufferOverrun)
    ; callbacks=
        [ (Procedure BufferOverrunChecker.checker, Language.Clang)
        ; (Procedure BufferOverrunChecker.checker, Language.Java) ] }
@ -86,7 +85,7 @@ let all_checkers =
        ( if Config.is_checker_enabled Impurity then [(Procedure Pulse.checker, Language.Java)]
        else [] ) }
  ; { name= "quandary"
-    ; active= Config.(is_checker_enabled Quandary || is_checker_enabled QuandaryBO)
+    ; active= Config.(is_checker_enabled Quandary)
    ; callbacks=
        [ (Procedure JavaTaintAnalysis.checker, Language.Java)
        ; (Procedure ClangTaintAnalysis.checker, Language.Clang) ] }
--- a/infer/src/integration/JsonReports.ml
+++ b/infer/src/integration/JsonReports.ml
@ -318,7 +318,6 @@ let process_all_summaries_and_issues ~issues_outf ~costs_outf =
  SpecsFiles.iter_from_config ~f:(fun summary ->
      all_issues := process_summary ~costs_outf summary !all_issues ) ;
  all_issues := Issue.sort_filter_issues !all_issues ;
  if Config.is_checker_enabled QuandaryBO then all_issues := QuandaryBO.update_issues !all_issues ;
  List.iter
    ~f:(fun {Issue.proc_name; proc_location; err_key; err_data} ->
      let error_filter = mk_error_filter filters proc_name in
--- a/infer/src/quandary/quandaryBO.ml
+++ b/infer/src/quandary/quandaryBO.ml
@ -1,127 +0,0 @@
 (*
 * Copyright (c) Facebook, Inc. and its affiliates.
 *
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 *)
 open! IStd
 let update_issues all_issues =
  let quandary_access_issues = [IssueType.untrusted_buffer_access] in
  let quandary_alloc_issues =
    IssueType.[untrusted_heap_allocation; untrusted_variable_length_array]
  in
  let inferbo_access_issues =
    IssueType.
      [ buffer_overrun_l1
      ; buffer_overrun_l2
      ; buffer_overrun_l3
      ; buffer_overrun_l4
      ; buffer_overrun_l5
      ; buffer_overrun_s2
      ; buffer_overrun_u5 ]
  in
  let inferbo_alloc_issues =
    IssueType.
      [ inferbo_alloc_is_big
      ; inferbo_alloc_is_zero
      ; inferbo_alloc_is_negative
      ; inferbo_alloc_may_be_big
      ; inferbo_alloc_may_be_negative ]
  in
  let is_quandary_access_issue issue =
    List.mem quandary_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
  in
  let is_quandary_alloc_issue issue =
    List.mem quandary_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
  in
  let is_relevant_quandary_issue issue =
    is_quandary_access_issue issue || is_quandary_alloc_issue issue
  in
  let is_inferbo_access_issue issue =
    List.mem inferbo_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
  in
  let is_inferbo_alloc_issue issue =
    List.mem inferbo_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal
  in
  let is_relevant_inferbo_issue issue =
    is_inferbo_access_issue issue || is_inferbo_alloc_issue issue
  in
  let quandary_issues, inferBO_issues =
    List.fold all_issues ~init:([], []) ~f:(fun (q_issues, iBO_issues) issue ->
        if is_relevant_quandary_issue issue then (issue :: q_issues, iBO_issues)
        else if is_relevant_inferbo_issue issue then (q_issues, issue :: iBO_issues)
        else (q_issues, iBO_issues) )
  in
  let matching_issues quandary_issue inferbo_issue =
    let trace_end_match () =
      let quandary_trace_end = List.last quandary_issue.Issue.err_data.loc_trace in
      let inferbo_trace_end = List.last inferbo_issue.Issue.err_data.loc_trace in
      match (quandary_trace_end, inferbo_trace_end) with
      | Some quandary_trace_elem, Some inferbo_trace_elem ->
          let q_loc = quandary_trace_elem.lt_loc in
          let i_loc = inferbo_trace_elem.lt_loc in
          SourceFile.equal q_loc.file i_loc.file && Int.equal q_loc.line i_loc.line
      | _ ->
          false
    in
    SourceFile.equal quandary_issue.Issue.proc_location.file inferbo_issue.Issue.proc_location.file
    && Int.equal quandary_issue.Issue.proc_location.line inferbo_issue.Issue.proc_location.line
    && trace_end_match ()
    && ( (is_quandary_alloc_issue quandary_issue && is_inferbo_alloc_issue inferbo_issue)
       || (is_quandary_access_issue quandary_issue && is_inferbo_access_issue inferbo_issue) )
  in
  let paired_issues =
    (* Can be computed more efficiently (in n*log(n)) by using a Map mapping
       file name + line number to quandary_issues to match with inferbo_issues *)
    List.concat_map quandary_issues ~f:(fun quandary_issue ->
        List.filter_map inferBO_issues ~f:(fun inferbo_issue ->
            if matching_issues quandary_issue inferbo_issue then Some (quandary_issue, inferbo_issue)
            else None ) )
  in
  let merge_issues (issue1, issue2) =
    { Issue.proc_name= issue1.Issue.proc_name
    ; proc_location= {issue1.Issue.proc_location with col= -1}
    ; err_key=
        Errlog.merge_err_key issue1.Issue.err_key issue2.Issue.err_key
          ~merge_issues:(fun issue1 _ ->
            if IssueType.equal issue1 IssueType.untrusted_buffer_access then
              IssueType.tainted_buffer_access
            else IssueType.tainted_memory_allocation )
          ~merge_descriptions:(fun descs1 descs2 ->
            String.concat
              ( "QuandaryBO error. Quandary error(s): \""
              :: (descs1 @ ("\". InferBO error(s):\"" :: (descs2 @ ["\"."]))) ) )
    ; err_data= Errlog.merge_err_data issue1.Issue.err_data issue2.Issue.err_data }
  in
  (* Can merge List.map, List.concat_map and List.filter_map into a single fold. *)
  let quandaryBO_issues = List.map ~f:merge_issues paired_issues in
  let quandary_issues =
    IssueType.
      [ quandary_taint_error
      ; shell_injection
      ; shell_injection_risk
      ; sql_injection
      ; sql_injection_risk
      ; untrusted_buffer_access
      ; untrusted_file_risk
      ; untrusted_heap_allocation
      ; untrusted_url_risk
      ; untrusted_variable_length_array
      ; user_controlled_sql_risk ]
  in
  let inferbo_issues =
    inferbo_alloc_issues @ inferbo_access_issues @ [IssueType.unreachable_code_after]
  in
  let filtered_issues = Config.quandaryBO_filtered_issues in
  let all_issues_filtered =
    List.filter
      ~f:(fun issue ->
        let issue_in ls = List.mem ls issue.Issue.err_key.err_name ~equal:IssueType.equal in
        (Config.is_checker_enabled Quandary || not (issue_in quandary_issues))
        && (Config.is_checker_enabled BufferOverrun || not (issue_in inferbo_issues))
        && not (issue_in filtered_issues) )
      all_issues
  in
  List.rev_append all_issues_filtered quandaryBO_issues
--- a/infer/src/quandary/quandaryBO.mli
+++ b/infer/src/quandary/quandaryBO.mli
@ -1,10 +0,0 @@
 (*
 * Copyright (c) Facebook, Inc. and its affiliates.
 *
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 *)
 open! IStd
 val update_issues : Issue.t list -> Issue.t list
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/.inferconfig
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/.inferconfig
@ -1,8 +0,0 @@
 {
  "quandary-sources": [
    {
      "procedure": "__infer_taint_source",
      "kind": "Other"
    }
  ]
 }
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/Makefile
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/Makefile
@ -1,57 +0,0 @@
 # Copyright (c) Facebook, Inc. and its affiliates.
 #
 # This source code is licensed under the MIT license found in the
 # LICENSE file in the root directory of this source tree.
 TESTS_DIR = ../../..
 OPTIONS_1 = \
  --quandaryBO-only --passthroughs --debug-exceptions --filtering \
  --project-root $(TESTS_DIR) \
 OPTIONS_2 = \
   --quandaryBO-only --quandary --enable-issue-type UNTRUSTED_BUFFER_ACCESS \
   --passthroughs --debug-exceptions --filtering \
   --project-root $(TESTS_DIR) \
 OPTIONS_3 = \
    --quandaryBO-only --bufferoverrun --enable-issue-type BUFFER_OVERRUN_U5 \
    --passthroughs --debug-exceptions --filtering \
    --project-root $(TESTS_DIR) \
 OPTIONS_4 = \
    --quandaryBO-only --bufferoverrun --debug-exceptions --no-filtering \
    --project-root $(TESTS_DIR) \
 test: test1 test2 test3 test4
 test1:
 	$(MAKE) -f multitest.make test TEST_SUFFIX=-t1 TEST_RESULT_SUFFIX=-t1 INFER_OPTIONS="$(OPTIONS_1)"
 test2:
 	$(MAKE) -f multitest.make test TEST_SUFFIX=-t2 TEST_RESULT_SUFFIX=-t2 INFER_OPTIONS="$(OPTIONS_2)"
 test3:
 	$(MAKE) -f multitest.make test TEST_SUFFIX=-t3 TEST_RESULT_SUFFIX=-t3 INFER_OPTIONS="$(OPTIONS_3)"
 test4:
 	$(MAKE) -f multitest.make test TEST_SUFFIX=-t4 TEST_RESULT_SUFFIX=-t4 INFER_OPTIONS="$(OPTIONS_4)"
 replace: replace1 replace2 replace3 replace4
 replace1:
 	$(MAKE) -f multitest.make replace TEST_SUFFIX=-t1 TEST_RESULT_SUFFIX=-t1 INFER_OPTIONS="$(OPTIONS_1)"
 replace2:
 	$(MAKE) -f multitest.make replace TEST_SUFFIX=-t2 TEST_RESULT_SUFFIX=-t2 INFER_OPTIONS="$(OPTIONS_2)"
 replace3:
 	$(MAKE) -f multitest.make replace TEST_SUFFIX=-t3 TEST_RESULT_SUFFIX=-t3 INFER_OPTIONS="$(OPTIONS_3)"
 replace4:
 	$(MAKE) -f multitest.make replace TEST_SUFFIX=-t4 TEST_RESULT_SUFFIX=-t4 INFER_OPTIONS="$(OPTIONS_4)"
 clean:
 	$(MAKE) -f multitest.make clean TEST_SUFFIX=-t1
 	$(MAKE) -f multitest.make clean TEST_SUFFIX=-t2
 	$(MAKE) -f multitest.make clean TEST_SUFFIX=-t3
 	$(MAKE) -f multitest.make clean TEST_SUFFIX=-t4
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/codec.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/codec.cpp
@ -1,64 +0,0 @@
 /*
 * Copyright (c) Facebook, Inc. and its affiliates.
 *
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 */
 #include <cstdint>
 #include <memory>
 #include <stdexcept>
 extern int __infer_taint_source();
 namespace std {
 template <class T>
 unique_ptr<T> make_unique(size_t n) {
  typedef typename remove_extent<T>::type U;
  return unique_ptr<T>(new U[n]());
 }
 } // namespace std
 namespace Codec_Bad {
 uint32_t getP_Bad(uint32_t w) {
  auto w4 = w * 4; // BUG: can overflow
  auto w4m1 = w4 - 1; // BUG: can underflow (if w = 0)
  auto w4m1o15 = w4m1 | 15; // ALWAYS OK
  auto w4m1o15p1 = w4m1o15 + 1; // BUG: can overflow
  return w4m1o15p1;
 }
 void foo_Bad_FN() {
  int w = __infer_taint_source();
  int h = __infer_taint_source();
  auto p =
      getP_Bad(w); // MISSED BUG: downcasting signed int64 -> unsigned int32
  auto s = h * p; // BUG: multiplication can overflow
  auto d = std::make_unique<uint8_t[]>(s); // MISSED BUG: casting signed int64
                                           // -> unsigned int64,
 }
 } // namespace Codec_Bad
 namespace Codec_Bad2 {
 uint64_t getP_Bad(uint64_t w) {
  auto w4 = w * 4; // BUG: can overflow
  auto w4m1 = w4 - 1; // BUG: can underflow (if w = 0)
  auto w4m1o15 = w4m1 | 15; // ALWAYS OK
  auto w4m1o15p1 = w4m1o15 + 1; // BUG: can overflow
  return w4m1o15p1;
 }
 uint64_t checkedMultiply_Good(uint64_t a, uint64_t b) {
  __uint128_t mul = ((__uint128_t)a) * b; // OK: no overflow
  if ((mul >> 64) != 0) {
    throw std::runtime_error("Detected overflow in checked multiplcation");
  }
  auto result = (uint64_t)mul; // OK: within the bounds
  return result;
 }
 void foo_Bad_FN_FP() {
  int w = __infer_taint_source();
  int h = __infer_taint_source();
  auto p = getP_Bad(w); // MISSED BUG: casting signed int64 -> unsigned int64
  auto s = checkedMultiply_Good(h, p); // OK, FP
  auto d = std::make_unique<uint8_t[]>(s); // OK
 }
 } // namespace Codec_Bad2
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t1
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t1
@ -1,5 +0,0 @@
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t2
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t2
@ -1,10 +0,0 @@
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad1_FN, 0, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, overlapping_issues_good, 1, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source with tainted data @val$0.size*,Return from overlapping_issues_source_good,Call to overlapping_issues_sink_good with tainted index 0,Call to __set_array_length with tainted index 1]
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t3
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t3
@ -1,8 +0,0 @@
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, BUFFER_OVERRUN_U5, no_bucket, ERROR, [<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, INFERBO_ALLOC_MAY_BE_BIG, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, BUFFER_OVERRUN_U5, no_bucket, ERROR, [Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t4
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t4
@ -1,15 +0,0 @@
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::checkedMultiply_Good, 2, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, [Here]
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_U5, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Binary operation: ([0, +oo] × 4):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 4, INTEGER_OVERFLOW_U5, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `a`,<RHS trace>,Parameter `b`,Binary operation: ([0, +oo] × [0, +oo]):unsigned32 by call to `Codec_Bad2::checkedMultiply_Good` ]
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::getP_Bad, 4, INTEGER_OVERFLOW_L5, no_bucket, ERROR, [<LHS trace>,Parameter `w`,Assignment,Assignment,Assignment,Binary operation: ([-oo, +oo] + 1):unsigned64]
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ]
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 5, INTEGER_OVERFLOW_U5, no_bucket, ERROR, [<LHS trace>,Unknown value from: __infer_taint_source,Assignment,<RHS trace>,Call,Parameter `w`,Assignment,Assignment,Assignment,Assignment,Assignment,Assignment,Binary operation: ([-oo, +oo] × [-oo, +oo]):unsigned32]
 codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::getP_Bad, 4, INTEGER_OVERFLOW_L5, no_bucket, ERROR, [<LHS trace>,Parameter `w`,Assignment,Assignment,Assignment,Binary operation: ([-oo, +oo] + 1):unsigned32]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, BUFFER_OVERRUN_U5, no_bucket, ERROR, [<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, INFERBO_ALLOC_MAY_BE_BIG, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, BUFFER_OVERRUN_U5, no_bucket, ERROR, [Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
 codetoanalyze/cpp/quandaryBO/tainted_index.cpp, overlapping_issues_good, 1, BUFFER_OVERRUN_L5, no_bucket, ERROR, [Call,Assignment,Call,Parameter `__param_0->ind`,Assignment,Call,<Offset trace>,Parameter `info->ind`,<Length trace>,Parameter `info->size`,Array declaration,Array access: Offset: 10 Size: [0, +oo] by call to `overlapping_issues_sink_good` ]
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/multitest.make
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/multitest.make
@ -1,15 +0,0 @@
 # Copyright (c) Facebook, Inc. and its affiliates.
 #
 # This source code is licensed under the MIT license found in the
 # LICENSE file in the root directory of this source tree.
 TESTS_DIR = ../../..
 # see explanations in cpp/errors/Makefile for the custom isystem
 CLANG_OPTIONS = -x c++ -std=c++11 -nostdinc++ -isystem$(ROOT_DIR) -isystem$(CLANG_INCLUDES)/c++/v1/ -c
 INFERPRINT_OPTIONS = --issues-tests
 SOURCES = $(wildcard *.cpp)
 include $(TESTS_DIR)/clang.make
--- a/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp
@ -1,73 +0,0 @@
 /*
 * Copyright (c) Facebook, Inc. and its affiliates.
 *
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 */
 #include <stdlib.h>
 extern int __infer_taint_source();
 extern void __infer_taint_sink(int i);
 void basic_bad() {
  int arr[10];
  int source = __infer_taint_source();
  arr[source] = 2;
 }
 int multi_level_source_bad() { return __infer_taint_source(); }
 void multi_level_sink_bad(int i) {
  int arr[10];
  if (i > 0)
    arr[i] = 2;
 }
 struct arg {
  int taint;
  int bo;
 };
 arg multi_level_source_ok() {
  return {.taint = __infer_taint_source(), .bo = 12};
 }
 void multi_level_sink_ok(int taint, int bo) {
  __infer_taint_sink(taint);
  int arr[10];
  arr[bo] = 0;
 }
 void multi_level_bad() {
  int i = multi_level_source_bad();
  multi_level_sink_bad(i);
 }
 void multi_level_good() { int i = multi_level_source_bad(); }
 void memory_alloc_bad1_FN() { int arr[__infer_taint_source()]; }
 void memory_alloc_bad2() {
  int s = __infer_taint_source();
  if (s <= 2147483647) {
    int arr[s];
  }
 }
 struct st {
  int size;
  int ind;
 };
 st overlapping_issues_source_good() {
  return {.size = __infer_taint_source(), .ind = 10};
 }
 void overlapping_issues_sink_good(st info) {
  int arr[info.size];
  arr[info.ind] = 0;
 }
 void overlapping_issues_good() {
  overlapping_issues_sink_good(overlapping_issues_source_good());
 }