diff --git a/infer/src/quandary/TaintAnalysis.ml b/infer/src/quandary/TaintAnalysis.ml
index 8672b569d..a945467da 100644
--- a/infer/src/quandary/TaintAnalysis.ml
+++ b/infer/src/quandary/TaintAnalysis.ml
@@ -473,8 +473,17 @@ module Make (TaintSpecification : TaintSpec.S) = struct
 actuals with
 | [(AccessPath lhs_access_path); rhs_exp]
 -> exec_write lhs_access_path rhs_exp access_tree
+ | [ (AccessPath lhs_access_path)
+ ; rhs_exp
+ ; (HilExp.AccessPath ((Var.ProgramVar pvar, _), [] as dummy_ret_access_path)) ]
+ when Pvar.is_frontend_tmp pvar
+ -> (* the frontend translates operator=(x, y) as operator=(x, y, dummy_ret) when
+ operator= returns a value type *)
+ exec_write lhs_access_path rhs_exp access_tree
+ |> exec_write dummy_ret_access_path rhs_exp
 | _
- -> failwithf "Unexpected call to operator= %a" HilInstr.pp instr )
+ -> failwithf "Unexpected call to operator= %a in %a" HilInstr.pp instr
+ Typ.Procname.pp callee_pname )
 | _
 -> let model =
 TaintSpecification.handle_unknown_call callee_pname (Option.map ~f:snd ret_opt)
diff --git a/infer/tests/codetoanalyze/cpp/quandary/basics.cpp b/infer/tests/codetoanalyze/cpp/quandary/basics.cpp
index b04e31202..7dd6f2380 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/basics.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandary/basics.cpp
@@ -7,6 +7,8 @@
 * of patent rights can be found in the PATENTS file in the same directory.
 */
+#include
+#include
 #include
 extern void* __infer_taint_source();
@@ -169,4 +171,11 @@ std::string* unsanitized_bad(Obj* obj) {
 obj->string_sink(*source);
 return sanitized;
 }
+
+void atomic_eq(std::atomic> x,
+ std::chrono::duration y) {
+ // this gets translated as operator=(x, y, &tmp_return), which used to cause a
+ // crash
+ x = y;
+}
 }
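Review bot: The catch-all arm of the `operator=` match in TaintAnalysis.ml still ends in `failwithf`, so any call shape other than the two handled ones (for example a third actual that is not a frontend temporary, or one with a non-empty access list) aborts the analysis instead of degrading. For a taint checker an abort presumably means no flows are reported for the affected procedure, which is a silent false negative from the user's point of view; consider logging the unexpected shape and falling through to the `TaintSpecification.handle_unknown_call` handling that the following arm already uses. It would also help to extend the comment on the new arm to say what the `as` binds, e.g. `(* dummy_ret_access_path is the whole (base, []) pair: the bare frontend temp with no accesses *)`. The enclosing match starts and ends outside the hunk.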
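Review bot: `atomic_eq` in basics.cpp only shows that the analyzer no longer crashes; nothing in it checks that taint actually propagates through the three-argument `operator=` form, which is what the two new `exec_write` calls are for. A companion case that assigns a value derived from `__infer_taint_source()` through the same kind of assignment and then passes the result to a sink, with the expected report recorded in the test's expected output, would pin that behaviour and catch a regression that silently drops the flow. Since `std::atomic` is not copyable, taking `x` by reference would also make the function callable from other test cases.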