-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for flow through content of global variables #16667
Add support for flow through content of global variables #16667
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. I think this needs a QA run. Also, please add failing tests for the cases you mentioned in the PR description, with a brief comment explaining why they fail.
The failing case already exists-- it's the one that still has the MISSING: tag where the others are removed. |
(Will DCA then QA) |
DCA: one new result (TP, stack trace exposure), no performance effects. Proceeding to QA. |
8527054
to
b440ae2
Compare
There are too many new results to sensibly check them all, but I checked a sample result from each of the 5 repositories with the most new results, and found they were all doing as intended. Some appeared to be TPs, and some FPs for unrelated reasons, e.g. taint-tracking losing sight of the fact that only one field of a struct carried tainted data, that don't reflect on the change made here. Performance results were unremarkable. Therefore I recommend merging this. |
b440ae2
to
4da5d66
Compare
@owen-mc I've rebased to re-test and added test expectation changes and a change note. Please review and merge if you're happy. |
I've made an issue to follow up the missing pointer content store step. |
Note flow via something like
sideEffect(&x)
is still broken. I think this is because we're lacking a store-step for*x = source()
, which should result inx
having taint with access path[PointerContent]
. This might also involve address operations being able to read taint (i.e. to note that if&x
is tainted with[PointerContent]
thenx
is tainted without an access path), but I'm not sure -- in any event I don't address the matter here. I'd suggest tackling that issue by cribbing off C/C++, which has surely addressed (no pun intended) this exact issue.