<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/114270>114270</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[analyzer] Taint is not being applied to classes, only class members
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
tomrittervg
</td>
</tr>
</table>
<pre>
This might be working as intended, but just to be sure.
C++ file
```
class PortClass
{
public:
    int foo;
};

void clang_analyzer_isTainted(int);
void clang_analyzer_isTainted(PortClass);

int ThisFunctionReturnsSomethingTainted1();
PortClass ThisFunctionReturnsSomethingTainted2();

template<typename T>
T ReadPrivilegedParam();

void foo()
{
    int port1 = ThisFunctionReturnsSomethingTainted1();
    clang_analyzer_isTainted(port1); // Tainted, as expected

    int port2 = ReadPrivilegedParam<int>();
    clang_analyzer_isTainted(port2); // Tainted, as expected

    PortClass port3 = ThisFunctionReturnsSomethingTainted2();
    clang_analyzer_isTainted(port3); // Not tainted ???
    clang_analyzer_isTainted(port3.foo); // Tainted...

    PortClass port4 = ReadPrivilegedParam<PortClass>();
    clang_analyzer_isTainted(port4); // Not tainted ???
    clang_analyzer_isTainted(port4.foo); // Tainted...
}
```
taint config file:
```
Propagations:
  - Name: ReadPrivilegedParam
    DstArgs: [-1]
  - Name: privilegedextract
    DstArgs: [-1]
  - Name: ThisFunctionReturnsSomethingTainted1
    DstArgs: [-1]
  - Name: ThisFunctionReturnsSomethingTainted2
    DstArgs: [-1]
```
Commands:
```
#!/bin/bash

echo "Generating AST"
clang-20 \
    -c \
    -x c++ \
    -emit-ast \
    -D__clang_analyzer__ \
    -w \
    -o repro.cpp.ast \
    repro.cpp

touch externalDefMap.txt
echo "extdef mapping"
clang-extdef-mapping \
    repro.cpp \
    -- \
    -c \
    -x c++ \
    >> externalDefMap.txt

echo "Analyzing"
clang-20 \
    --analyze \
    -Qunused-arguments \
    -Xclang -analyzer-opt-analyze-headers \
    -Xclang -analyzer-config \
    -Xclang expand-macros=true \
    -Xclang -analyzer-config \
    -Xclang optin.taint.TaintPropagation:Config=myconfig.yaml \
    -Xclang -analyzer-checker=debug.TaintTest,debug.ExprInspection,optin.taint.TaintedAlloc,optin.taint.TaintedDiv,optin.taint.GenericTaint \
    -Xclang -analyzer-config \
    -Xclang ctu-dir=. \
    -Xclang -analyzer-config \
    -Xclang display-ctu-progress=true \
    -x c++ \
    repro.cpp
```
This is run from a version of clang built from git on approximately October 9th.
Output:
```
repro.cpp:19:17: warning: tainted [debug.TaintTest]
19 | int port1 = ThisFunctionReturnsSomethingTainted1();
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:20:5: warning: YES [debug.ExprInspection]
20 | clang_analyzer_isTainted(port1); // Tainted, as expected
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:20:30: warning: tainted [debug.TaintTest]
20 | clang_analyzer_isTainted(port1); // Tainted, as expected
| ^~~~~
repro.cpp:22:17: warning: tainted [debug.TaintTest]
22 | int port2 = ReadPrivilegedParam<int>();
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:23:5: warning: YES [debug.ExprInspection]
23 | clang_analyzer_isTainted(port2); // Tainted, as expected
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:23:30: warning: tainted [debug.TaintTest]
23 | clang_analyzer_isTainted(port2); // Tainted, as expected
| ^~~~~
repro.cpp:26:5: warning: NO [debug.ExprInspection] <---------------------------------------------
26 | clang_analyzer_isTainted(port3); // Not tainted ???
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:27:5: warning: YES [debug.ExprInspection]
27 | clang_analyzer_isTainted(port3.foo); // Tainted...
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:27:30: warning: tainted [debug.TaintTest]
27 | clang_analyzer_isTainted(port3.foo); // Tainted...
| ^~~~~~~~~
repro.cpp:30:5: warning: NO [debug.ExprInspection] <---------------------------------------------
30 | clang_analyzer_isTainted(port4); // Not tainted ???
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:31:5: warning: YES [debug.ExprInspection]
31 | clang_analyzer_isTainted(port4.foo); // Tainted...
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:31:30: warning: tainted [debug.TaintTest]
31 | clang_analyzer_isTainted(port4.foo); // Tainted...
| ^~~~~~~~~
12 warnings generated.
```
cc @llvm/issue-subscribers-clang-static-analyzer
</pre>