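This might be working as intended, but I want to be sure: in the repro below, a class-typed value returned from a taint source is reported as not tainted, while its member is reported as tainted.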
C++ file
// Minimal class type used by the repro to compare a taint query on a whole
// object with a taint query on its single member.
class PortClass
{
public:
// The only data member; foo() queries it as port3.foo and port4.foo.
int foo;
};
// Analyzer debug hooks, one overload per queried type. In the output on this
// page, debug.ExprInspection answers each call with a YES or NO warning.
void clang_analyzer_isTainted(int);
void clang_analyzer_isTainted(PortClass);
// Declared without bodies. The taint config on this page lists both names
// under Propagations with DstArgs: [-1] (-1 denotes the return value in that
// config format), once for an int return and once for a class-typed return.
int ThisFunctionReturnsSomethingTainted1();
PortClass ThisFunctionReturnsSomethingTainted2();
// Template source, instantiated in foo() with int and with PortClass; the
// taint config lists it by its unqualified name.
template<typename T>
T ReadPrivilegedParam();
// Repro driver: stores the return value of each configured source in a local
// and asks the analyzer whether that local is tainted. The trailing comments
// are the reporter's observations; they match the YES/NO warnings in the
// output on this page.
void foo()
{
// Scalar returns: the int value itself is reported as tainted, for both the
// plain function and the template instantiation.
int port1 = ThisFunctionReturnsSomethingTainted1();
clang_analyzer_isTainted(port1); // Tainted, as expected
int port2 = ReadPrivilegedParam<int>();
clang_analyzer_isTainted(port2); // Tainted, as expected
// Class-typed returns: the query on the whole object answers NO, while the
// query on its int member answers YES.
// NOTE(review): presumably taint is attached to the symbolic value of the
// field rather than to the object as a whole - confirm against the analyzer's
// taint model. Until that is settled, a taint check written for a class-typed
// value should query the member that actually reaches the sink, otherwise
// tainted data may pass unreported.
PortClass port3 = ThisFunctionReturnsSomethingTainted2();
clang_analyzer_isTainted(port3); // Not tainted ???
clang_analyzer_isTainted(port3.foo); // Tainted...
// Same pattern through the template source instantiated with PortClass.
PortClass port4 = ReadPrivilegedParam<PortClass>();
clang_analyzer_isTainted(port4); // Not tainted ???
clang_analyzer_isTainted(port4.foo); // Tainted...
}
taint config file:
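# Taint rules handed to the analyzer through the
# optin.taint.TaintPropagation:Config option used in the commands on this page.
# Nesting restored: each rule is one list item under Propagations, and its
# DstArgs key belongs to that item. Without the indentation the file does not
# parse as a list of rules.
Propagations:
  # DstArgs: [-1] names the return value as the destination of the taint.
  # Every rule here gives only DstArgs.
  - Name: ReadPrivilegedParam
    DstArgs: [-1]
  # No function named privilegedextract appears in the C++ repro on this page.
  - Name: privilegedextract
    DstArgs: [-1]
  - Name: ThisFunctionReturnsSomethingTainted1
    DstArgs: [-1]
  - Name: ThisFunctionReturnsSomethingTainted2
    DstArgs: [-1]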
Commands:
#!/bin/bash
# Reproduction script in three steps: dump the AST of repro.cpp, build the
# external-definition map, then run the static analyzer with the taint
# checkers and the custom taint configuration.
# NOTE(review): there is no `set -e`, so a failure in an earlier step does not
# stop the later ones.
echo "Generating AST"
# Step 1: serialize repro.cpp to repro.cpp.ast. -w silences ordinary compiler
# warnings; -D__clang_analyzer__ defines the macro for this compile.
clang-20 \
-c \
-x c++ \
-emit-ast \
-D__clang_analyzer__ \
-w \
-o repro.cpp.ast \
repro.cpp
# Step 2: write the definitions found in repro.cpp to externalDefMap.txt.
# The redirect below appends (>>), so re-running the script adds the same
# entries to the file again.
touch externalDefMap.txt
echo "extdef mapping"
clang-extdef-mapping \
repro.cpp \
-- \
-c \
-x c++ \
>> externalDefMap.txt
echo "Analyzing"
# Step 3: analyze repro.cpp with myconfig.yaml as the taint configuration.
# In the output on this page, debug.ExprInspection produces the YES/NO answers
# to the clang_analyzer_isTainted() calls and debug.TaintTest produces the
# "tainted" warnings.
# NOTE(review): ctu-dir and display-ctu-progress are set, but
# experimental-enable-naive-ctu-analysis is not, so cross-translation-unit
# import is presumably inactive here; the repro is a single file either way -
# confirm before relying on the CTU settings.
clang-20 \
--analyze \
-Qunused-arguments \
-Xclang -analyzer-opt-analyze-headers \
-Xclang -analyzer-config \
-Xclang expand-macros=true \
-Xclang -analyzer-config \
-Xclang optin.taint.TaintPropagation:Config=myconfig.yaml \
-Xclang -analyzer-checker=debug.TaintTest,debug.ExprInspection,optin.taint.TaintedAlloc,optin.taint.TaintedDiv,optin.taint.GenericTaint \
-Xclang -analyzer-config \
-Xclang ctu-dir=. \
-Xclang -analyzer-config \
-Xclang display-ctu-progress=true \
-x c++ \
repro.cpp
This is run from a version of clang built from git on approximately October 9th
Output:
repro.cpp:19:17: warning: tainted [debug.TaintTest]
19 | int port1 = ThisFunctionReturnsSomethingTainted1();
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:20:5: warning: YES [debug.ExprInspection]
20 | clang_analyzer_isTainted(port1); // Tainted, as expected
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:20:30: warning: tainted [debug.TaintTest]
20 | clang_analyzer_isTainted(port1); // Tainted, as expected
| ^~~~~
repro.cpp:22:17: warning: tainted [debug.TaintTest]
22 | int port2 = ReadPrivilegedParam<int>();
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:23:5: warning: YES [debug.ExprInspection]
23 | clang_analyzer_isTainted(port2); // Tainted, as expected
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:23:30: warning: tainted [debug.TaintTest]
23 | clang_analyzer_isTainted(port2); // Tainted, as expected
| ^~~~~
repro.cpp:26:5: warning: NO [debug.ExprInspection] <---------------------------------------------
26 | clang_analyzer_isTainted(port3); // Not tainted ???
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:27:5: warning: YES [debug.ExprInspection]
27 | clang_analyzer_isTainted(port3.foo); // Tainted...
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:27:30: warning: tainted [debug.TaintTest]
27 | clang_analyzer_isTainted(port3.foo); // Tainted...
| ^~~~~~~~~
repro.cpp:30:5: warning: NO [debug.ExprInspection] <---------------------------------------------
30 | clang_analyzer_isTainted(port4); // Not tainted ???
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:31:5: warning: YES [debug.ExprInspection]
31 | clang_analyzer_isTainted(port4.foo); // Tainted...
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:31:30: warning: tainted [debug.TaintTest]
31 | clang_analyzer_isTainted(port4.foo); // Tainted...
| ^~~~~~~~~
12 warnings generated.
cc @llvm/issue-subscribers-clang-static-analyzer