[taint] Enable pulse-taint-check-history by default
Summary: I think it is still useful to keep this option at least for now given that it results in some false negatives.

Reviewed By: dulmarod

Differential Revision: D50079371

Privacy Context Container: L1208441

fbshipit-source-id: 8b15dc535eaea178cf6182e53a5c5220fee97a56
geralt-encore authored and facebook-github-bot committed Oct 10, 2023
1 parent e6c5da6 commit d237df0
Showing 16 changed files with 25 additions and 29 deletions.
6 changes: 3 additions & 3 deletions infer/man/man1/infer-analyze.txt
@@ -807,11 +807,11 @@ PULSE CHECKER OPTIONS
--pulse-specialization-limit int
Maximum number of summary specialization by procedure.

--pulse-taint-check-history
Activates: Check values histories for taint events before
--no-pulse-taint-check-history
Deactivates: Check values histories for taint events before
reporting a taint issue. This is a temporary flag while the taint
analysis transitions from being mainly attribute-based to being
history-based. (Conversely: --no-pulse-taint-check-history)
history-based. (Conversely: --pulse-taint-check-history)

--pulse-taint-config +path
Path to a taint analysis configuration file or a directory
6 changes: 3 additions & 3 deletions infer/man/man1/infer-full.txt
@@ -1412,11 +1412,11 @@ OPTIONS
Maximum number of summary specialization by procedure.
See also infer-analyze(1).

--pulse-taint-check-history
Activates: Check values histories for taint events before
--no-pulse-taint-check-history
Deactivates: Check values histories for taint events before
reporting a taint issue. This is a temporary flag while the taint
analysis transitions from being mainly attribute-based to being
history-based. (Conversely: --no-pulse-taint-check-history)
history-based. (Conversely: --pulse-taint-check-history)
See also infer-analyze(1).

--pulse-taint-config +path
6 changes: 3 additions & 3 deletions infer/man/man1/infer.txt
@@ -1412,11 +1412,11 @@ OPTIONS
Maximum number of summary specialization by procedure.
See also infer-analyze(1).

--pulse-taint-check-history
Activates: Check values histories for taint events before
--no-pulse-taint-check-history
Deactivates: Check values histories for taint events before
reporting a taint issue. This is a temporary flag while the taint
analysis transitions from being mainly attribute-based to being
history-based. (Conversely: --no-pulse-taint-check-history)
history-based. (Conversely: --pulse-taint-check-history)
See also infer-analyze(1).

--pulse-taint-config +path
2 changes: 1 addition & 1 deletion infer/src/base/Config.ml
@@ -2660,7 +2660,7 @@ and pulse_taint_config =


and pulse_taint_check_history =
CLOpt.mk_bool ~long:"pulse-taint-check-history"
CLOpt.mk_bool ~long:"pulse-taint-check-history" ~default:true
~in_help:InferCommand.[(Analyze, manual_pulse)]
"Check values histories for taint events before reporting a taint issue. This is a temporary \
flag while the taint analysis transitions from being mainly attribute-based to being \
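Review bot: flipping `~default:true` without touching the docstring leaves the CLI help describing a default-on behaviour as a "temporary flag", and it says nothing about the trade-off the summary relies on (the history check is kept optional because it produces false negatives). Suggest updating the string in the same change, e.g. "Check values histories for taint events before reporting a taint issue (enabled by default). Use --no-pulse-taint-check-history to fall back to attribute-based reporting, which is more complete but noisier." The three man pages above are regenerated from this text, so this is the one place to fix it.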
2 changes: 1 addition & 1 deletion infer/tests/build_systems/pulse_messages_objc/Makefile
@@ -6,7 +6,7 @@
TESTS_DIR = ../..

CLANG_OPTIONS = -c $(OBJCPP_CLANG_OPTIONS) -fobjc-arc
INFER_OPTIONS = --pulse-only --debug-exceptions --project-root $(TESTS_DIR) --pulse-taint-config .infertaintconfig --pulse-taint-check-history
INFER_OPTIONS = --pulse-only --debug-exceptions --project-root $(TESTS_DIR) --pulse-taint-config .infertaintconfig

# test that the error messages are good; sort of mimicks what gets displayed on the console
INFERPRINT_OPTIONS = --issues-tests-fields file,procedure,line,column,severity,bug_type,qualifier,suggestion --issues-tests
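Review bot: removing `--pulse-taint-check-history` from INFER_OPTIONS makes this test depend on the default rather than stating the mode it exercises; if the default is flipped back (the flag is still documented as temporary) the expected output in this directory would silently start testing the attribute-based path. Consider keeping the flag explicit here, and since the summary says the opt-out is being retained, having at least one taint test directory pass `--no-pulse-taint-check-history` so the attribute-based reporting path keeps coverage. The same applies to the three Makefile hunks that follow.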
@@ -6,7 +6,7 @@
TESTS_DIR = ../..

CLANG_OPTIONS = -c $(OBJCPP_CLANG_OPTIONS) -fobjc-arc
INFER_OPTIONS = --pulse-only --debug-exceptions --project-root $(TESTS_DIR) --pulse-taint-config taint_config.json --pulse-taint-check-history
INFER_OPTIONS = --pulse-only --debug-exceptions --project-root $(TESTS_DIR) --pulse-taint-config taint_config.json

INFERPRINT_OPTIONS = --project-root $(TESTS_DIR) --issues-tests

2 changes: 1 addition & 1 deletion infer/tests/build_systems/pulse_taint_regex_objc/Makefile
@@ -6,7 +6,7 @@
TESTS_DIR = ../..

CLANG_OPTIONS = -c $(OBJCPP_CLANG_OPTIONS) -fobjc-arc
INFER_OPTIONS = --pulse-only --debug-exceptions --project-root $(TESTS_DIR) --pulse-taint-config taint_config.json --pulse-taint-check-history
INFER_OPTIONS = --pulse-only --debug-exceptions --project-root $(TESTS_DIR) --pulse-taint-config taint_config.json

INFERPRINT_OPTIONS = --project-root $(TESTS_DIR) --issues-tests

@@ -6,7 +6,7 @@
TESTS_DIR = ../..

CLANG_OPTIONS = -c $(OBJCPP_CLANG_OPTIONS) -fobjc-arc
INFER_OPTIONS = --pulse-only --debug-exceptions --project-root $(TESTS_DIR) --pulse-taint-config taint_config.json --pulse-taint-check-history
INFER_OPTIONS = --pulse-only --debug-exceptions --project-root $(TESTS_DIR) --pulse-taint-config taint_config.json

INFERPRINT_OPTIONS = --project-root $(TESTS_DIR) --issues-tests

8 changes: 3 additions & 5 deletions infer/tests/codetoanalyze/cpp/pulse/issues.exp
@@ -269,7 +269,7 @@ codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_field_ok2, 2, PULSE_UNNECE
codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad1, 4, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `basics::Obj::string_source` with kind `SimpleSource`,in call to function `std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string` with no summary,value passed as argument `#1` to `basics::Obj::string_sink` with kind `SimpleSink`], source: basics::Obj::string_source, sink: basics::Obj::string_sink, tainted expression: UNKNOWN
codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad1, 4, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 2, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `basics::Obj::string_source` with kind `SimpleSource`,in call to function `std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string` with no summary,value passed as argument `#1` to `basics::Obj::string_sink` with kind `SimpleSink`], source: basics::Obj::string_source, sink: basics::Obj::string_sink, tainted expression: UNKNOWN
codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `basics::Obj::string_source` with kind `SimpleSource`,value passed as argument `#1` to `basics::Obj::string_sink` with kind `SimpleSink`], source: basics::Obj::string_source, sink: basics::Obj::string_sink, tainted expression: UNKNOWN
codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_passthrough_bad2, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/basics.cpp, basics::taint_arg_source_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value passed as argument `#0` to `basics::Obj::taint_arg_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: basics::Obj::taint_arg_source, sink: __infer_taint_sink, tainted expression: source
codetoanalyze/cpp/pulse/taint/basics.cpp, basics::via_sanitizer_ok1, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
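Review bot: the updated trace for `via_passthrough_bad2` drops the `in call to function std::basic_string<...>::basic_string with no summary` step, while the unchanged `via_passthrough_bad1` trace two lines above keeps it for what is the same passthrough. Both tests route the tainted string through the same unsummarised constructor, so the asymmetry looks like the history-based trace losing an intermediate event on one path rather than a deliberate simplification. Worth confirming which of the two traces is the intended shape, because that unknown-call step is the part of the report that tells a user where the analysis stopped reasoning precisely.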
@@ -343,9 +343,7 @@ codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1<std::string_&>, 0, P
codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1<std::string_&>, 1, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [first instantiated at,copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2<std::string_&>, 0, PULSE_CONST_REFABLE, no_bucket, ERROR, [Parameter fmt with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>`]
codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2<std::string_&>, 1, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [first instantiated at,copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN
codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format1_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN
codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format2_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format3_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,in call to function `strings::format3<std::string_&>` with no summary,in call to function `strings::Formatter<std::basic_string<char,std::char_traits<char>,std::allocator<char>>&>::str` with no summary,in call to function `std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string` with no summary,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN
codetoanalyze/cpp/pulse/taint/strings.cpp, strings::format3_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
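Review bot: `format1_bad` and `format2_bad` lose their TAINT_ERROR lines outright, so these are the false negatives the summary alludes to, and a `_bad` test that now reports nothing will pass CI without anyone noticing. The file already uses the `FN_` prefix for this situation (`FN_via_skip_by_ref_bad` further down), so the two functions should be renamed `FN_format1_bad` / `FN_format2_bad` in strings.cpp in the same change, with a short comment on why history-based checking misses them. Note that `format3_bad`, which goes through several unsummarised calls, is still reported, so the regression is specific to the `format1`/`format2` templates and worth a follow-up issue rather than just an expectation update.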
@@ -360,7 +358,7 @@ codetoanalyze/cpp/pulse/taint/structs.cpp, structs::struct_field_source_bad, 5,
codetoanalyze/cpp/pulse/taint/taint_field.cpp, test_taint_field_bad, 2, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: field `manipulated` of value passed as argument `#0` to `taint_manipulated` with kind `Simple`,value passed as argument `#0` to `sink_int` with kind `Simple`], source: taint_manipulated, sink: sink_int, tainted expression: s->manipulated
codetoanalyze/cpp/pulse/taint/taint_field.cpp, test_sink_field_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `int_source` with kind `Simple`,field `manipulated` of value passed as argument `#0` to `sink_manipulated` with kind `Simple`], source: int_source, sink: sink_manipulated, tainted expression: s->manipulated
codetoanalyze/cpp/pulse/taint/taint_field.cpp, test_sanitize_field_bad, 10, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value passed as argument `#0` to `taint_structure` with kind `Simple`,value passed as argument `#0` to `sink_int` with kind `Simple`], source: taint_structure, sink: sink_int, tainted expression: s->other
codetoanalyze/cpp/pulse/taint/taint_field.cpp, test_propagate_to_field_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `int_source` with kind `Simple`,in call to `propagate_to_manipulated`,value passed as argument `#0` to `sink_int` with kind `Simple`], source: int_source, sink: sink_int, tainted expression: s->manipulated
codetoanalyze/cpp/pulse/taint/taint_field.cpp, test_propagate_to_field_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `int_source` with kind `Simple`,value passed as argument `#0` to `sink_int` with kind `Simple`], source: int_source, sink: sink_int, tainted expression: s->manipulated
codetoanalyze/cpp/pulse/taint/taint_field.cpp, test_taint_field_with_indirections_bad, 4, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: field `manipulated` of value passed as argument `#0` to `taint_manipulated_with_indirections` with kind `Simple`,value passed as argument `#0` to `sink_int` with kind `Simple`], source: taint_manipulated_with_indirections, sink: sink_int, tainted expression: (*s_ptr_ptr)->manipulated
codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::direct_bad, 2, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,in call to function `std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string` with no summary,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN
codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::direct_bad, 2, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
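Review bot: the `test_propagate_to_field_bad` trace drops the `in call to propagate_to_manipulated` step, and unlike the other trace changes in this file that step was through an analysed callee (no "with no summary"), so the history-based trace is omitting interprocedural steps even where a summary exists. The report still fires, but the trace no longer explains how taint reached `s->manipulated`, which makes the finding harder to triage. If value histories are meant to replace the attribute trace, they should record the call that propagated the taint into the field.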
@@ -374,7 +372,7 @@ codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect, 0,
codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect, 1, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect, 2, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 2, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,in call to function `std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string` with no summary,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN
codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, TAINT_ERROR, no_bucket, ERROR, [source of the taint here: value returned from `__infer_taint_source` with kind `SimpleSource`,value passed as argument `#0` to `__infer_taint_sink` with kind `SimpleSink`], source: __infer_taint_source, sink: __infer_taint_sink, tainted expression: UNKNOWN
codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::FN_via_skip_by_ref_bad, 3, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
codetoanalyze/cpp/pulse/taint/unknown_code.cpp, unknown_code::FN_via_skip_by_ref_bad, 4, PULSE_UNNECESSARY_COPY_INTERMEDIATE, no_bucket, ERROR, [copied here (with type `std::basic_string<char,std::char_traits<char>,std::allocator<char>>&`)]
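Review bot: for `skip_indirect_bad` the trace loses the `in call to function std::basic_string<...>::basic_string with no summary` step, which in a test whose whole point is taint flowing through skipped (unsummarised) code is exactly the step a reader needs to see; `direct_bad` in the previous hunk keeps it. The trailing context also shows `FN_via_skip_by_ref_bad` still producing only copy warnings, so that pre-existing false negative is unchanged by the default flip. Consider checking whether the history for `skip_indirect_bad` can retain the unknown-call event before accepting this expectation.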