pub fn analyze_flow(stmts: &[Statement], sources: &TaintSources) -> FlowEnvExpand description
Run intra-procedural flow over stmts. sources declares
which bare names are tainted on entry (public params, binds).
Taint propagates transitively through assignments: an RHS that
references a previously-tainted local (v_sql := v_tmp after
v_tmp := p_user) inherits that local’s live taint, so
multi-hop laundering through intermediate variables cannot
escape the analysis. Because branches and loops can re-read a
name that is only tainted on a later pass, walk is iterated to
a fixpoint over the (finite) taint lattice before the env is
returned.
Back-compat wrapper over analyze_flow_bounded: the per-pass
re-lowering recursion is depth-guarded so a non-shrinking
malformed body (e.g. the bare token FOR UPDATE that a
SELECT … FOR UPDATE; fragment leaves behind, which classifies
as a BareLoop whose body_text re-lowers to the identical
BareLoop) terminates instead of overflowing the stack /
aborting the process (R13). Callers that need to surface the
typed degradation (outcome.limit_hit) should call
analyze_flow_bounded directly.