taints working intraprocedurally, a bug in inter I'm working out now
authorjjenista <jjenista>
Thu, 17 Jun 2010 23:21:15 +0000 (23:21 +0000)
committerjjenista <jjenista>
Thu, 17 Jun 2010 23:21:15 +0000 (23:21 +0000)
Robust/src/Analysis/Disjoint/ReachGraph.java
Robust/src/Analysis/Disjoint/Taint.java
Robust/src/Tests/disjoint/taintTest1/test.java

index 03c6edba55bffed72c91cc2a24f141557d41ee00..629238254709f59ed923c896d0c3aa509288682c 100644 (file)
@@ -466,7 +466,7 @@ public class ReachGraph {
                                        null,
                                        Canonical.intersection( betaY, betaHrn ),
                                        predsTrue,
-                                       null
+                                       edgeY.getTaints()
                                        );
 
         addEdgeOrMergeWithExisting( edgeNew );
@@ -621,7 +621,7 @@ public class ReachGraph {
                                                                   )
                                                ),
                        predsTrue,
-                       null
+                       edgeY.getTaints()
                        );
 
         addEdgeOrMergeWithExisting( edgeNew );
@@ -691,7 +691,7 @@ public class ReachGraph {
                    null,                 // field name
                    hrnNewest.getAlpha(), // beta
                    predsTrue,            // predicates
-                   null
+                   TaintSet.factory()    // taints
                    );
 
     addRefEdge( lnX, hrnNewest, edgeNew );
@@ -1438,6 +1438,56 @@ public class ReachGraph {
     return out;
   }
 
+
+  // used below to convert a TaintSet's parameter index taints to
+  // a TaintSet of caller taints
+  protected TaintSet 
+    toCallerContext( TaintSet   ts,
+                     FlatCall   fc,
+                     FlatMethod fmCallee
+                     ) {
+
+    TaintSet out = TaintSet.factory();
+
+    Iterator<Taint> itr = ts.iterator();
+    while( itr.hasNext() ) {
+      Taint t = itr.next();
+
+      if( !t.isParamTaint() ) {
+        // throw out non-parameter taints from callee
+        continue;
+      }
+
+      // what argument does this taint map to?
+      TempDescriptor tdArg = 
+        fc.getArgMatchingParamIndex( fmCallee,
+                                     t.getParamIndex() );
+      VariableNode vnArg = td2vn.get( tdArg );
+
+      // what allocation site does this taint refer to?
+      AllocSite as = t.getAllocSite();
+      
+      // look at the allocation sites that the
+      // arg references in the caller context--if
+      // the parameter taint matches, use the taints
+      // of the argument reference to grow the output set
+      Iterator<RefEdge> reItr = vnArg.iteratorToReferencees();
+      while( reItr.hasNext() ) {
+        RefEdge re = reItr.next();
+        
+        if( as.equals( re.getDst().getAllocSite() ) ) {
+          out = Canonical.union( out,
+                                 re.getTaints()
+                                 );
+        }
+      }      
+    }    
+
+    assert out.isCanonical();
+    return out;
+  }
+
+
   // used below to convert a ReachSet to an equivalent
   // version with shadow IDs merged into unshadowed IDs
   protected ReachSet unshadow( ReachSet rs ) {
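Review bot: In `toCallerContext`, the result of `td2vn.get( tdArg )` is dereferenced by `vnArg.iteratorToReferencees()` without a null check, so an argument temp with no variable node in the caller graph fails with a NullPointerException inside the call-site transfer. The return of `fc.getArgMatchingParamIndex( ... )` is likewise used unchecked. State the expectation explicitly right after the lookup with `assert tdArg != null;` and `assert vnArg != null : "no variable node for " + tdArg;`. Alternatively, decide deliberately that a missing node means "no taints" and `continue`. The leading comment would also be more useful as a Javadoc saying that non-parameter taints are discarded and that parameter taints are matched to caller edges by allocation site.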
@@ -1717,7 +1767,7 @@ public class ReachGraph {
                                       oocHrnIdOoc2callee 
                                       ),
                      preds,
-                     null
+                     TaintSet.factory() // no taints for in-context edges
                      );
       
       rg.addRefEdge( hrnSrcCallee,
@@ -1874,7 +1924,7 @@ public class ReachGraph {
                                                      oocHrnIdOoc2callee
                                                      ),
                                     preds,
-                                    null
+                                    TaintSet.factory() // no taints
                                     )
                        );              
         
@@ -2438,7 +2488,9 @@ public class ReachGraph {
                                         toCallerContext( reCallee.getBeta(),
                                                          calleeStatesSatisfied ),
                                         preds,
-                                        null
+                                        toCallerContext( reCallee.getTaints(),
+                                                         fc,
+                                                         fmCallee )
                                         );
 
         ChangeSet cs = ChangeSet.factory();
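Review bot: The taint argument built by `toCallerContext( reCallee.getTaints(), fc, fmCallee )` can come back empty with nothing recording that taints were lost. The helper skips every taint where `isParamTaint()` is false and adds nothing when no referencee of the argument has a matching allocation site. For a taint analysis that is an under-approximation, so the call site should say whether it is intended, for example `// non-parameter callee taints are dropped at the call boundary; unmatched param taints yield no caller taint`. The enclosing method starts and ends outside this hunk, so whether later code re-adds those taints cannot be seen from here.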
index 71eae24e7bfaa7ee22848a3efa29ec55c78fa093..3c58ae9f26b604137d4dd12e2b6113d2d362acbf 100644 (file)
@@ -70,6 +70,14 @@ public class Taint extends Canonical {
     allocSite  = as;
   }
 
+  public boolean isParamTaint() {
+    return paramIndex != null;
+  }
+
+  public boolean isSESETaint() {
+    return sese != null;
+  }
+
   public Integer getParamIndex() {
     return paramIndex;
   }
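Review bot: `isParamTaint()` and `isSESETaint()` are added without documenting how `paramIndex` and `sese` relate, and the caller in ReachGraph treats "not a param taint" as sufficient reason to discard a taint. If exactly one of the two fields is meant to be non-null, state that invariant in a Javadoc on each predicate, e.g. `/** True when this taint was introduced by a method parameter (paramIndex is set). */`, and consider asserting it where the fields are assigned. The constructor is only partly visible in this hunk, so the invariant may already be enforced there.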
index db695a56f414da1e943d9be7538bb8e1349105bd..04ed03b88372d93a309295dde59b370d74fdfece 100644 (file)
@@ -1,20 +1,29 @@
 public class Foo {
   public Foo() {}
   public Foo f;
+  public Foo g;
 }
 
 public class Test {
 
   static public void main( String[] args ) {
 
-    Foo f = new Foo();
+    Foo a = new Foo();
+    Foo b = new Foo();
+    giveParamNames( a, b );
+  }
 
-    Foo g = doStuff( f );
+  static void giveParamNames( Foo a, Foo b ) {
+    Foo c = doStuff( a, b );
   }   
 
-  static Foo doStuff( Foo m ) {
-    
-    Foo n = new Foo();
-    return n;
+  static Foo doStuff( Foo m, Foo n ) {
+
+    m.f = new Foo();
+    n.f = new Foo();
+
+    m.g = n.f;
+
+    return new Foo();
   }
 }
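Review bot: The updated test calls `doStuff( a, b )` only with two objects from different allocation sites, so it never covers two parameter indices resolving to the same caller argument or to the same allocation site. That is the case where the allocation-site match in `toCallerContext` has the most to get wrong. A second call such as `doStuff( a, a )` in `giveParamNames` would cover it. The test also states no expected taint sets, so a brief comment listing which edges should carry which parameter taints after the call would make regressions visible.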