I haven't checked the implementation, but fundamentally patching the TaintBugVisitor is not how we should improve the diagnostic for taint issues.
I saw that this patch is not about NoteTags, so I didn't go any further that point.

What we should do instead, to add a fancy NoteTags to each of the Post transitions to propagate interestingness to the taint sources.
Where each NoteTag does:

• checks if any of the taint destinations are actually 'interesting', if none then just return an empty note.
• take the taint source arguments and mark their pre-call values as interesting
• construct a descriptive message explaining what happened:
  • If the transition had no taint sources, then it must be a "taint source"
  • If we had tainted sources, tell the user that X', Y', and Z' arguments were tainted, hence we propagated taint
  • take all the "interesting" taint destinations and tell the user that X, Y and Z arguments become tainted due to the propagation rule.

I'm attaching my proposed version for improving the diagnostics where I demonstrate all what I said.

Let me know if it would be a good way to refine your patch or I should review your current implementation.

I completely agree with @steakhal, these should be note tags:

• The "visitor way" is to reverse-engineer the exploded graph after the fact.
• The "slightly more sophisticated visitor way" is have checker callbacks leave extra hints in the graph to assist reverse engineering, which is what you appear to be trying to do.
• The "note tag" way is to simply capture that information from inside checker callbacks in the form of lambda captures. It eliminates the need to think about how to store the information in the state (it's stored in the program point instead), or how to structure it.

I also completely agree with @steakhal that the intermediate notes are valuable. In the motivating example, ideally both strtol and getenv need a note ("taint propagated here" and "taint originated here" respectively).

The challenging part with note tags is how do you figure out whether your bug report is taint-related. The traditional solution is to check the BugType but in this case an indeterminate amount of checkers may emit taint-related reports. I think now's a good time to include a "generic data map"-like data structure in PathSensitiveBugReport objects, so that checkers could put some data there during emitReport(), which can be picked up by note tags and potentially mutated in the process. For example, you can introduce a set of tracked tainted symbols there, which will be pre-populated by the checker with the final tainted symbol, then every time a note tag discovers that a symbol in the set becomes a target of taint propagation, it removes the symbol from the set and replaces it with the symbols from which its taint originated, so that later note tags would react on these new symbols instead.

@steakhal, @NoQ

thanks for your reviews.

Please note that I am not extending TaintBugVisitor. On the contrary I removed it.
Instead I use NoteTag to generate the "Taint Originated here" text (see GenericTaintChecker.cpp:156).

I can also add additional NoteTags for generating propagation messages "Taint was propagated here" easily.

The challenging part with note tags is how do you figure out whether your bug report is taint-related.

I solved this by checking if the report is an instance of TaintBugReport a new BugReport type, which should be used by all taint related reports (ArrayBoundCheckerV2 checker and divisionbyzero checker
was changed to use this new report type for taint related reports).

The tricky part was is to how to show only that single "Taint originated here" note tag at the taint source only which is relevant to the report. This is done by remembering the unique flowid in the
NoteTag in the forward analysis direction (see GenericTaintChecker:cpp:859) InjectionTag = createTaintOriginTag(C, TaintFlowId); and then filtering out the irrelevant
NoteTags when the the report is generated (when the lamdba callback is called). See that flowid which reaches the sink is backpropagated in the PathSensitiveBugreport (see GenericTaintCHekcer.cpp:167).

FlowIds are unique and increased at every taint source (GenericTaintChecker:869) and it is stored as an additional simple int in the program state along with the already existing (Taint.cpp:22) TaintTagType.

My fear with the interestingness is that it may propagating backwards according to different "rules" than whot the taintedness is popagating in the foward direction even with the "extensions" pointed out by steakhal.
So the two types of propagation may be or can get out of sync.

So if the above is not a concern and you think implementing this with interestingness is more elegant, idiomatic and causes less maintenance burden, I am happy to create an alternative patch with that solution.

In D144269#4143066, @NoQ wrote:

The challenging part with note tags is how do you figure out whether your bug report is taint-related. The traditional solution is to check the BugType but in this case an indeterminate amount of checkers may emit taint-related reports.

Yeah, this is why we created a new type. Not sure what is the better infrastructure design, whether to create a subtype of BugType or BugReport, but it fundamentally achieves the same thing.

In D144269#4146809, @dkrupp wrote:

My fear with the interestingness is that it may propagating backwards according to different "rules" than whot the taintedness is popagating in the foward direction even with the "extensions" pointed out by steakhal.
So the two types of propagation may be or can get out of sync.

So if the above is not a concern and you think implementing this with interestingness is more elegant, idiomatic and causes less maintenance burden, I am happy to create an alternative patch with that solution.

@dkrupp and I discussed in detail whether to use FlowID's (what is currently implemented in the patch) or something similar, or reuse interestingness. Here's why we decided against reusing interestiness as is.

Interestingness, as it stands now, mostly expresses data-dependency, and is propageted with using the analyzers usualy somewhat conservative approach. While the length of a string is strictly speaking data dependent on the actual string, I don't think analyzer currently understand that. We approach taint very differently, and propagete it in some sense more liberally.

As I best recall, however, interestingness may be propagated through other means as well. If we reused interestingness, I fear that the interestiness set could be greater than the actual interesting tainted set, causing more notes to be emitted than needed.

For these reasons, which I admit are a result of some speculation, we concluded that interstingness as it is and taint are two different properties that are best separated.

In D144269#4143066, @NoQ wrote:

I think now's a good time to include a "generic data map"-like data structure in PathSensitiveBugReport objects, so that checkers could put some data there during emitReport(), which can be picked up by note tags and potentially mutated in the process.

Maybe a new interestingness kind (D65723)? Not sure how this design aged, but we don't really need to store an ID for this, so a simple interestingness flag (just not the default Thorough interestiness) is good enough.

In D144269#4146809, @dkrupp wrote:

The tricky part was is to how to show only that single "Taint originated here" note tag at the taint source only which is relevant to the report. This is done by remembering the unique flowid in the
NoteTag in the forward analysis direction (see GenericTaintChecker:cpp:859) InjectionTag = createTaintOriginTag(C, TaintFlowId); and then filtering out the irrelevant
NoteTags when the the report is generated (when the lamdba callback is called). See that flowid which reaches the sink is backpropagated in the PathSensitiveBugreport (see GenericTaintCHekcer.cpp:167).

FlowIds are unique and increased at every taint source (GenericTaintChecker:869) and it is stored as an additional simple int in the program state along with the already existing (Taint.cpp:22) TaintTagType.

If you propagate this property during analysis, those IDs may be needed, but a simple flag should suffice when BugReporter does it.

Yeah looks like I replied without properly reading the patch.

TaintBugReport is brilliant and we already have a precedent for subclassing BugReport in another checker. However I'm somewhat worried that once we start doing more of this, we'll eventually end up with multiple inheritance situations when the report needs multiple kinds of information. So at a glance my approach with a "generic data map" in bugreport objects looks a bit more future-proof to me. Also a bit easier to set up, no need to deal with custom RTTI.

So I think interestingness is just an example of such "generic data" attached to bug report. Interestingness is also somewhat confusing, because indeed, there are existing interesting rules, and I don't think anybody remembers what they are or what was even the purpose of having interestingness in the first place. Interestingness is currently used for tracking symbols with trackExpressionValue(), and we have those tracking kinds added by @Szelethus to make tracking behave slightly differently. So, yeah, I think interestingness shouldn't be used; it's already in use. I think it should be generalized upon i.e. just let checkers track whatever/however they want.

I guess my main point is, there shouldn't be a need to assist tracking by adding extra information to the program state. Information in the state should ideally be "material" to program execution, "tangible", it has to describe something that's actually stored somewhere in memory (either by directly defining it, or by constraining it). In particular, if two nodes result in indistinguishable future behavior of the program, we're supposed to merge them; but any "immaterial" bits of information in the state will prevent that from happening.

In our case it should be enough to have the lambda for propagation method ask "Hey, is this freshly produced propagation target value relevant to this specific report?" and if yes, mark the corresponding propagation source value as relevant to the report as well; also emit a note and "consume" the mark on the target value. Such chain of local decisions can easily replace the global taint flow identifier, and it's more flexible because this way the flow doesn't need to be "linear", it may branch in various ways and that's ok.

TaintBugReport is brilliant and we already have a precedent for subclassing BugReport in another checker. However I'm somewhat worried that once we start doing more of this, we'll eventually end up with multiple inheritance situations when the report needs multiple kinds of information. So at a glance my approach with a "generic data map" in bugreport objects looks a bit more future-proof to me. Also a bit easier to set up, no need to deal with custom RTTI.

Adding a data map (like a string->sval map) to the PathSensitiveBugreport instead of relying on dynamic casting sounds an easy addition. I will update the patch with this. Or you specifically mean this kind of datamap ? typedef llvm::ImmutableMap<void*, void*> GenericDataMap; (ProgramState.h:74) I guess it should not be immutable…

I guess my main point is, there shouldn't be a need to assist tracking by adding extra information to the program state. Information in the state should ideally be "material" to program execution, "tangible", it has to describe something that's actually stored somewhere in memory (either by directly defining it, or by constraining it). In particular, if two nodes result in indistinguishable future behavior of the program, we're supposed to merge them; but any "immaterial" bits of information in the state will prevent that from happening.

@NoQ aha! Now I see where you are coming from! If an SVal is tainted on both analysis branches, but their taint flow value is different (meaning that they carry taint values from different taint sources), then they cannot be merged which causes inefficiency.
I understand the generic principle, but I wonder how frequent would that be in practice. I would think not too much, because taint sources are uncommon. Especially having multiple taint sources in the same source file/Translation Unit (only that creates different taint flow ids).

In our case it should be enough to have the lambda for propagation method ask "Hey, is this freshly produced propagation target value relevant to this specific report?" and if yes, mark the corresponding propagation source value as relevant to the report as well; also emit a note and "consume" the mark on the target value. Such chain of local decisions can easily replace the global taint flow identifier, and it's more flexible because this way the flow doesn't need to be "linear", it may branch in various ways and that's ok.

Taint propagation is not only handled in the GenericTaintChecker:892, where we calculate that the taintedness should propagate from function argument x to y or return value, but also it spreads in peculiar ways within expressions, from subregion to parent region etc. handled in the addtaint(..) and addPartialTaint(..) functions in Taint.cpp. What your proposed solution would essentially mean that we would need to implement the taint propagation in backward direction too. I think this design would be fragile and difficult to maintain (especially if taint propagation would change in the future).

I definitely don’t have the full picture here, so if you think that the sval backtracking is the better way, because of the potential performance penalty of the taintflow solution with the merges, I will go down that road and start to work on an alternative patch.

First and foremost, I want to deeply apologize about my rushed response. When I say that the Taint originated here note remained, I wrongly draw conclusions. Won't happen again.

Taint-flow IDs:
I would challenge that we need a flow ID (number) because for me the tainted symbol already has a unique ID which should be suitable for this purpose.
What I can see is that it would be useful to know directly what was the first tainted symbols of any given tainted symbol. (SymbolData -> SymbolData mapping)
This is pretty much analog with what you implemented by piggybacking on the taint kind. Although, I'd argue that having an explicit mapping would be cleaner, but I can see that it's more on personal preference.
In addition to that, I think there is value in minimizing the number of places where we introduce such static counters, so I would adwise against that unless we have a good reason for doing so.

I'm thinking that although it's handy to have the originally tainted symbol directly at the error-node at hand, I'm still not sure if that couldn't be calculated and tracked back to the place where we introduced taint.

int n;
scanf("%d", &n); // binds $1, not important
int v = mytaintsource(n); // taint originated here, returns $2
int z = taintprop(v); // taint propagated here, returns $3
int x = 42 / z; // 42 div $3

Soundness of the back-propagation:
The back-propagation is always in-sync given that the state-transition of introducing taint also attaches the NoteTag explaining what it did and why.
This basically means that after we call addTaint() we must also add a NoteTag when we call addTransition(). Under these circumstances I find it easier to argue that the back-propagation is consistent (sound). If a specific checker (other than the GenericTaintChecker) models taint, it should stick to the rules described and emit the right NoteTag. That way even downstream checkers would play nicely with the taint-tracking and benefit from it.

Interestingness:
The concerns seem valid about that the set of interesting symbols could be larger than the actually required (and desired) set. However, I wouldn't worried about this much unless we have an example on which we can continue discussing that this is a real concern.
What I can see is that as-of-now we use the interestingness notion for this, and deviating or introducing something else would introduce complexity. So, I'm not strictly against having something else, but I would lean towards using interestingness here as well, unless we have clear-cut examples demonstrating the need for something more sophisticated.

Finally, I'd like to thank you for investing your time into this subject. We really should have done it much earlier. Without these similar improvements like this one, it's just half way done. Thank you.

If we worry about having taint-related reports without a Note message explaining where the taint was introduced, we could just assert that in a BugReportVisitor at the finalizeVisitor() callback. I think such an assertion would make a lot of sense.
To achieve this, we could take the R.getNotes() and check if any of them refers to a specific one produced by the NoteTag callback for taint sources, let's say TaintSourceTag for that PathDiagnosticNotePiece.

void MyVisitor::finalizeVisitor(BugReporterContext &, const ExplodedNode *, PathSensitiveBugReport &R) {
  assert(llvm::any_of(R.getNotes(),
                      [](const auto &Piece) { return Piece->getTag() == TaintSourceTag; }) &&
         "Each taint report should have at least one taint-source");
}

With this assertion, we would gain confidence that the taint reports are complete, or at least they all have at least one taint source.

In D144269#4237539, @dkrupp wrote:

This is a totally rewritten version of the patch which solely relies on the existing "interestingness" utility to track back the taint propagation. (And does not introduce a new FlowID in the ProgramState as requested in the reviews.)

-The new version also places a Note, when the taintedness is propagated to an argument or to a return value. So it should be easier for the user to follow how the taint information is spreading.
-"The taint originated here" is printed correctly at the taint source function, which introduces taintedness. (Main goal of this patch.)

Implementation:
-The createTaintPreTag() function places a NoteTag at the taint propagation function calls, if taintedness is propagated. Then at report creation, the tainted arguments are marked interesting if propagated taintedness is relevant for the bug report.

• The isTainted() function is extended to return the actually tainted SymbolRef. This is important to be able to consistently mark relevant symbol interesting which carries the taintedness in a complex expression.

So this is how you circumvent introducing "transitive interestingness", because now you know which symbol to track.

-createTaintPostTag(..) function places a NoteTag to the taint generating function calls to mark them interesting if they are relevant for a taintedness report. So if they propagated taintedness to interesting symbol(s).

The tests are passing and the reports on the open source projects are much better understandable than before (twin, tmux, curl):

https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=curl_curl-7_66_0_dkrupp_taint_origin_fix_new&run=tmux_2.6_dkrupp_taint_origin_fix_new&run=twin_v0.8.1_dkrupp_taint_origin_fix_new&is-unique=on&diff-type=New&checker-msg=%2auntrusted%2a&checker-msg=Out%20of%20bound%20memory%20access%20%28index%20is%20tainted%29

I've looked at the results you attached and they look good to me.

Do you have an example where two tainted values are contributing to the same bug? Something like:

n <- read();
m <- read();
malloc(n+m)

Will both of these values tracked back? What do the notes look like?

All in all, I'm pleased to see the improvements. It looks much better now IMO.
Using two NoteTags cleans up the implementation quite a bit, kudos.
I don't think there are major problems with this implementation, so I decided to spew your code with my nitpicks :D

Remember to clang-format your code. See clang/tools/clang-format/clang-format-diff.py.
And there are a few overloads of getNoteTag(), and there could be a better fit for usecases; you should decide.

I also find it difficult to track how a variable got tainted across assignments and computations like in this case.
This observation is completely orthogonal to your patch, I'm just noting it. it was bad previously as well.
Maybe we could have a visitor for explaining the taint tracking across assignments and computations to complement the NoteTag.

I hope I didn't miss much this time :D

All comments addressed. Thanks for the review @steakhal .

Looks even better. Only minor concerns remained, mostly about style and suggestions of llvm utilities.

I think as we converge, now it could be time to update the summary of the patch to reflect the current implementation. (e.g. flowids etc.)

All remarks from @steakhal has been fixed. Thanks for the review.
This new version now can handle the tracking back of multiple symbols!

You can find the improved reports on tmux, postgres, twin, openssl here:

here

@steakhal thanks for your review. All your remarks have been fixed.

@steakhal is there anything else to do before we merge this? Thanks.

@steakhal your comments are fixed. Thanks for the review.

To conclude the review, please respond to the "Not Done" inline comments, and mark them "Done" if you think they are resolved.
Thank you for your patience.

@steakhal thanks for the review. I fixed all outstanding remarks.
I left the test taint-diagnostic-visitor.c formatting as is to remain consistent with the rest of the file. I think we should keep it as is, or reformat the whole file.