<div dir="ltr">I made the following test case for checking the modeling of taint propagation on the `<span style="font-family:monospace">strcpy</span>` function.<br>As I observed, only the first byte of the array became tainted, even though all bytes should be treated as tainted.<br>In the test, you can see my expectations and the actual result.<br><br>```<br><span style="font-family:monospace">void strcpy_unbounded_tainted_buffer(char *buf) {<br>  scanf("%s", buf);<br><br>  char dst[32];<br>  strcpy(dst, buf);                       //        expected---vvv   vvv--- actual<br>  clang_analyzer_isTainted_char(dst[0]);  // expected-warning{{YES}} YES<br>  clang_analyzer_isTainted_char(dst[1]);  // expected-warning{{YES}} NO<br>  clang_analyzer_isTainted_char(dst[31]); // expected-warning{{YES}} NO<br>}<br><br>void strcpy_bounded_tainted_buffer(char *buf) {<br>  scanf("%s", buf);<br>  buf[10] = '\0';<br>  clang_analyzer_isTainted_char(buf[0]);  // expected-warning{{YES}} YES<br>  clang_analyzer_isTainted_char(buf[1]);  // expected-warning{{YES}} NO<br>  clang_analyzer_isTainted_char(buf[10]); // expected-warning{{NO}}  NO<br>  clang_analyzer_isTainted_char(buf[20]); // expected-warning{{YES}} NO<br><br>  char dst[32];<br>  strcpy(dst, buf);<br>  clang_analyzer_isTainted_char(dst[0]);  // expected-warning{{YES}} YES<br>  clang_analyzer_isTainted_char(dst[1]);  // expected-warning{{YES}} NO<br>  clang_analyzer_isTainted_char(dst[10]); // expected-warning{{NO}}  NO<br>  clang_analyzer_isTainted_char(dst[20]); // expected-warning{{NO}}  NO<br>}</span><br>```<br><br>Some clarification about `<span style="font-family:monospace">TaintedSubRegions</span>` and tainting `<span style="font-family:monospace">nonloc::LazyCompoundVal</span>`s would also be helpful since it might be related to this topic.<br><br>What are the reasons for this limitation on modeling taintedness regarding arrays?<br><br><br>Background and expectation:<br>This change would be the first step in migrating the 
diagnostic-emitting parts of the `<span style="font-family:monospace">GenericTaintChecker</span>`.<br>E.g.: `<span style="font-family:monospace">checkUncontrolledFormatString</span>`, `<span style="font-family:monospace">checkSystemCall</span>`, `<span style="font-family:monospace">checkTaintedBufferSize</span>`.<br>As a result, multiple checkers will consume taintedness information for reporting warnings in the future, letting the `<span style="font-family:monospace">GenericTaintChecker</span>` do only modeling and propagation.<br><br>Regards, Balazs.</div>