Tag analysis is not working when tracking Result.
fshaked opened this issue · 3 comments
Issue
Tag analysis seems to miss obvious information flow, when tracking Result.
Minimal example here.
Steps to Reproduce
git clone https://github.com/fshaked/mirai-bug1.git
cd mirai-bug1
RUSTFLAGS="-Z always_encode_mir" RUSTC_WRAPPER=mirai MIRAI_FLAGS="--diag verify" cargo build
Expected Behavior
The verify! macro should fail in both tests.
Actual Results
MIRAI terminates with no warnings.
Environment
$ rustup show
Default host: x86_64-unknown-linux-gnu
rustup home: /home/---/.rustup
installed toolchains
--------------------
nightly-2021-05-06-x86_64-unknown-linux-gnu (default)
nightly-x86_64-unknown-linux-gnu
active toolchain
----------------
nightly-2021-05-06-x86_64-unknown-linux-gnu (default)
rustc 1.54.0-nightly (bacf770f2 2021-05-05)
The first test case is fixed by #903.
The second illustrates a design issue: A field of the tainted value x flows into a field of y. This is not sufficient to taint all of y, even though the sub component propagation rule for the tag propagates the taint from x to the field that flows into y. For that to happen, we need a new tag propagation rule that specifies that tagging a field also tags the parent of the field.
Creating such a rule is not a trivial thing and not just from an implementation point of view. For instance, should we propagate to the parent of the parent? If so, what exactly counts as a parent? What if the parent is wrapped in an Rc? And so on.
For now I'm going to punt on this and declare the behavior of MIRAI for the second test case to be by design. If you have ideas about this and a proposed design that you can motivate by a scenario you can share, I'd be very happy to think it over some more.
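Added illustration of the design question in the comment above (not MIRAI's code and not the tests from the linked repository): a toy model with hypothetical `Value` and `Tag` types in which a tag propagates down to sub-components, but there is no rule propagating a field's tag up to its parent. `second_case` replays the second scenario, a field of tainted `x` moved into a field of `y`, and shows how `y` looks under the existing rule versus a hypothetical parent-tagging rule.

```rust
// Toy model (assumed types, not MIRAI's): tags on values with named fields.
use std::collections::HashSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Tag { Tainted }

/// A value with optional named fields; each field carries its own tags.
#[derive(Debug, Clone, Default)]
pub struct Value {
    pub tags: HashSet<Tag>,
    pub fields: Vec<(&'static str, Value)>,
}

impl Value {
    pub fn leaf() -> Self { Value::default() }

    /// Attach `tag` to this value and, under the sub-component rule,
    /// to every field reachable from it.
    pub fn add_tag(&mut self, tag: Tag) {
        self.tags.insert(tag);
        for (_, f) in self.fields.iter_mut() { f.add_tag(tag); }
    }

    /// Move field `name` out of `self` (models `let f = x.name;`).
    pub fn take_field(&mut self, name: &str) -> Option<Value> {
        let i = self.fields.iter().position(|(n, _)| *n == name)?;
        Some(self.fields.remove(i).1)
    }

    /// Does this value itself carry `tag`? (Existing behaviour: fields
    /// are not consulted.)
    pub fn has_tag(&self, tag: Tag) -> bool { self.tags.contains(&tag) }

    /// Hypothetical "tagging a field tags the parent" rule: a value
    /// carries a tag if it or any nested field does. Not a MIRAI rule.
    pub fn has_tag_via_fields(&self, tag: Tag) -> bool {
        self.has_tag(tag) || self.fields.iter().any(|(_, f)| f.has_tag_via_fields(tag))
    }
}

/// Second scenario: a field of tainted `x` flows into a field of `y`.
/// Returns (tagged under sub-component rule only, tagged with parent rule).
pub fn second_case() -> (bool, bool) {
    let mut x = Value { tags: HashSet::new(), fields: vec![("inner", Value::leaf())] };
    x.add_tag(Tag::Tainted);                 // x and x.inner are now tainted
    let moved = x.take_field("inner").unwrap();
    let y = Value { tags: HashSet::new(), fields: vec![("inner", moved)] };
    (y.has_tag(Tag::Tainted), y.has_tag_via_fields(Tag::Tainted))
}
```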
Ah, looking at it from the perspective of does_not_have_tag makes quite a difference. I'll think this one over some more.