[annotation-reachability] stop merging sanitized nodes' callees

Reviewed By: jeremydubreil Differential Revision: D14813350 fbshipit-source-id: 6a4fe44f8
6 years ago · f12bbacbdd
parent 87391f6f2f
commit f12bbacbdd
3 changed files with 15 additions and 4 deletions
--- a/infer/src/checkers/annotationReachability.ml
+++ b/infer/src/checkers/annotationReachability.ml
@ -548,14 +548,20 @@ module TransferFunctions (CFG : ProcCfg.S) = struct
      specs


-  let merge_callee_map call_site pdesc callee_pname astate =
+  let merge_callee_map call_site pdesc callee_pname tenv specs astate =
    match Payload.read pdesc callee_pname with
    | None ->
        astate
    | Some callee_call_map ->
        let add_call_site annot sink calls astate =
          if AnnotReachabilityDomain.CallSites.is_empty calls then astate
-          else Domain.add_call_site annot sink call_site astate
+          else
+            let pname = Procdesc.get_proc_name pdesc in
+            List.fold
+              ~f:(fun astate (spec : AnnotationSpec.t) ->
+                if spec.sanitizer_predicate tenv pname then astate
+                else Domain.add_call_site annot sink call_site astate )
+              ~init:astate specs
        in
        AnnotReachabilityDomain.fold
          (fun annot sink_map astate ->
@ -570,7 +576,7 @@ module TransferFunctions (CFG : ProcCfg.S) = struct
        let caller_pname = Procdesc.get_proc_name pdesc in
        let call_site = CallSite.make callee_pname call_loc in
        check_call tenv callee_pname caller_pname call_site astate extras
-        |> merge_callee_map call_site pdesc callee_pname
+        |> merge_callee_map call_site pdesc callee_pname tenv extras
    | Sil.Load (id, exp, _, _) when is_tracking_exp astate exp ->
        Domain.add_tracking_var (Var.of_id id) astate
    | Sil.Store (Exp.Lvar pvar, _, exp, _) when is_tracking_exp astate exp ->
--- a/infer/tests/codetoanalyze/cpp/annotation-reachability/Makefile
+++ b/infer/tests/codetoanalyze/cpp/annotation-reachability/Makefile
@ -7,7 +7,7 @@ TESTS_DIR = ../../..

 # see explanations in cpp/errors/Makefile for the custom isystem
 CLANG_OPTIONS = -x c++ -std=c++11 -nostdinc++ -isystem$(ROOT_DIR) -isystem$(CLANG_INCLUDES)/c++/v1/ -c
-INFER_OPTIONS = --annotation-reachability-only --debug-exceptions --project-root $(TESTS_DIR) --annotation-reachability-cxx '{ "TEST_ANNOT_REACH": { "sources": { "symbols": [ "CheckFrom::" ] }, "sinks": { "symbols": [ "Danger::", "death" ] } } }'
+INFER_OPTIONS = --annotation-reachability-only --debug-exceptions --project-root $(TESTS_DIR) --annotation-reachability-cxx '{ "TEST_ANNOT_REACH": { "sources": { "symbols": [ "CheckFrom::" ] }, "sinks": { "overrides": { "symbols": [ "Approved::"] },"symbols": [ "Danger::", "death" ] } } }'
 INFERPRINT_OPTIONS = --issues-tests


--- a/infer/tests/codetoanalyze/cpp/annotation-reachability/reachability.cpp
+++ b/infer/tests/codetoanalyze/cpp/annotation-reachability/reachability.cpp
@ -19,6 +19,10 @@ void foo();
 void bar();
 } // namespace Ok

+namespace Approved {
+void baz() { death(); }
+} // namespace Approved
+
 namespace CheckFrom {

 void death_via() { death(); }
@ -36,6 +40,7 @@ void safe() {
  good();
  Ok::foo();
  Ok::bar();
+  Approved::baz();
 }

 struct Destructive {