Improved precision of collecting taint-potential access paths.

Author: marek-trtik

src/taint-analysis/taint_summary.cpp

@@ -702,20 +702,31 @@ void taint_algorithm_computing_summary_of_functiont::initialise_domain(
       const auto &fn_type=
         program->get_functions().function_map.at(callee_id).type;
 
-      for(const auto &arg : fn_call.arguments())
+      if(!database.contains(callee_id) || transition_rules->has_rule(callee_id))
       {
-        collect_lvsa_access_paths(
-          arg,
-          program->get_namespace(),
-          environment,
-          lvsa,
-          it,
-          *numbering);
+        // This is either a recursive function or a function for which we have
+        // a rule (any function not in the database has not been processed and
+        // since we're following an inverted topological ordering it therefore
+        // must recursively call us)
+        // If we don't have a summary then we assume that the function could
+        // use any of its arguments. If the function has a rule then it
+        // probably will use some of its arguments.
+        // In the future we could be more precise about exactly which arguments
+        // are used in the rule.
+        for(const auto &arg : fn_call.arguments())
+        {
+          collect_lvsa_access_paths(
+            arg,
+            program->get_namespace(),
+            environment,
+            lvsa,
+            it,
+            *numbering);
+        }
+        if(!database.contains(callee_id))
+          continue;
       }
 
-      if(!database.contains(callee_id))
-        continue;
-
       const std::shared_ptr<taint_summaryt> summary = database.at(callee_id);
       for(const std::pair<taint_lvalue_numbert, taint_variablet>& input
         : summary->input)