From 85a9d07d9290e93f7de0db34b3d2ebbdd3b9ca8b Mon Sep 17 00:00:00 2001 From: jjenista <jjenista> Date: Sat, 26 Jun 2010 19:18:50 +0000 Subject: [PATCH] both reach states and taints were not propagating to caller contexts with the correct caller-context predicates. They should get the caller context predicates from the pre-call-site state or taint that indicated they should be brought from the callee. --- Robust/src/Analysis/Disjoint/Canonical.java | 46 +++--- Robust/src/Analysis/Disjoint/CanonicalOp.java | 8 +- Robust/src/Analysis/Disjoint/ExistPred.java | 135 +++++++++++++++--- Robust/src/Analysis/Disjoint/ReachGraph.java | 134 +++++++++++++---- Robust/src/Tests/disjoint/taintTest1/makefile | 2 +- 5 files changed, 245 insertions(+), 80 deletions(-) diff --git a/Robust/src/Analysis/Disjoint/Canonical.java b/Robust/src/Analysis/Disjoint/Canonical.java index f11ac4a8..d171bb69 100644 --- a/Robust/src/Analysis/Disjoint/Canonical.java +++ b/Robust/src/Analysis/Disjoint/Canonical.java @@ -1190,17 +1190,15 @@ abstract public class Canonical { - public static ReachState makePredsTrue( ReachState rs ) { + public static ReachState changePredsTo( ReachState rs, + ExistPredSet preds ) { assert rs != null; assert rs.isCanonical(); - // ops require two canonicals, in this case always supply - // the empty reach state as the second, it's never used, - // but makes the hashing happy CanonicalOp op = - new CanonicalOp( CanonicalOp.REACHSTATE_MAKEPREDSTRUE, + new CanonicalOp( CanonicalOp.REACHSTATE_CHANGEPREDSTO_EXISTPREDSET, rs, - ReachState.factory() ); + preds ); Canonical result = op2result.get( op ); if( result != null ) { @@ -1212,7 +1210,7 @@ abstract public class Canonical { // just remake state with the true predicate attached out.reachTuples.addAll( rs.reachTuples ); - out.preds = ExistPredSet.factory( ExistPred.factory() ); + out.preds = preds; out = (ReachState) makeCanonical( out ); op2result.put( op, out ); @@ -1220,17 +1218,15 @@ abstract public class Canonical { } - public static ReachSet makePredsTrue( ReachSet rs ) { + public static ReachSet changePredsTo( ReachSet rs, + ExistPredSet preds ) { assert rs != null; assert rs.isCanonical(); - // ops require two canonicals, in this case always supply - // the empty reach set as the second, it's never used, - // but makes the hashing happy CanonicalOp op = - new CanonicalOp( CanonicalOp.REACHSET_MAKEPREDSTRUE, + new CanonicalOp( CanonicalOp.REACHSET_CHANGEPREDSTO_EXISTPREDSET, rs, - ReachSet.factory() ); + preds ); Canonical result = op2result.get( op ); if( result != null ) { @@ -1243,7 +1239,9 @@ abstract public class Canonical { while( itr.hasNext() ) { ReachState state = itr.next(); out = Canonical.add( out, - Canonical.makePredsTrue( state ) + Canonical.changePredsTo( state, + preds + ) ); } @@ -1445,17 +1443,15 @@ abstract public class Canonical { } - public static Taint changePredsTo( Taint t, ExistPredSet preds ) { + public static Taint changePredsTo( Taint t, + ExistPredSet preds ) { assert t != null; assert t.isCanonical(); - // ops require two canonicals, in this case always supply - // the empty reach state as the second, it's never used, - // but makes the hashing happy CanonicalOp op = - new CanonicalOp( CanonicalOp.TAINT_CHANGEPREDSTO, + new CanonicalOp( CanonicalOp.TAINT_CHANGEPREDSTO_EXISTPREDSET, t, - t ); + preds ); Canonical result = op2result.get( op ); if( result != null ) { @@ -1476,17 +1472,15 @@ abstract public class Canonical { } - public static TaintSet changePredsTo( TaintSet ts, ExistPredSet preds ) { + public static TaintSet changePredsTo( TaintSet ts, + ExistPredSet preds ) { assert ts != null; assert ts.isCanonical(); - // ops require two canonicals, in this case always supply - // the empty reach set as the second, it's never used, - // but makes the hashing happy CanonicalOp op = - new CanonicalOp( CanonicalOp.TAINTSET_CHANGEPREDSTO, + new CanonicalOp( CanonicalOp.TAINTSET_CHANGEPREDSTO_EXISTPREDSET, ts, - ts ); + preds ); Canonical result = op2result.get( op ); if( result != null ) { diff --git a/Robust/src/Analysis/Disjoint/CanonicalOp.java b/Robust/src/Analysis/Disjoint/CanonicalOp.java index e280e33e..2a3c812d 100644 --- a/Robust/src/Analysis/Disjoint/CanonicalOp.java +++ b/Robust/src/Analysis/Disjoint/CanonicalOp.java @@ -32,14 +32,14 @@ public class CanonicalOp { public static final int REACHSTATE_TOCALLERCONTEXT_ALLOCSITE = 0xb2b1; public static final int REACHSET_UNSHADOW_ALLOCSITE = 0x1049; public static final int REACHSTATE_UNSHADOW_ALLOCSITE = 0x08ef; - public static final int REACHSTATE_MAKEPREDSTRUE = 0x0b9c; - public static final int REACHSET_MAKEPREDSTRUE = 0xdead; + public static final int REACHSTATE_CHANGEPREDSTO_EXISTPREDSET= 0x0b9c; + public static final int REACHSET_CHANGEPREDSTO_EXISTPREDSET = 0xdead; public static final int TAINT_ATTACH_EXISTPREDSET = 0xcce2; public static final int TAINTSET_ADD_TAINT = 0xcd17; public static final int TAINTSET_UNION_TAINTSET = 0xa835; public static final int TAINTSET_UNIONORPREDS_TAINTSET = 0x204f; - public static final int TAINT_CHANGEPREDSTO = 0x3ab4; - public static final int TAINTSET_CHANGEPREDSTO = 0x2ff1; + public static final int TAINT_CHANGEPREDSTO_EXISTPREDSET = 0x3ab4; + public static final int TAINTSET_CHANGEPREDSTO_EXISTPREDSET = 0x2ff1; protected int opCode; protected Canonical operand1; diff --git a/Robust/src/Analysis/Disjoint/ExistPred.java b/Robust/src/Analysis/Disjoint/ExistPred.java index 604c0fb0..18e74dbf 100644 --- a/Robust/src/Analysis/Disjoint/ExistPred.java +++ b/Robust/src/Analysis/Disjoint/ExistPred.java @@ -73,7 +73,11 @@ public class ExistPred extends Canonical { protected TypeDescriptor e_type; protected String e_field; - + // if the taint is non-null then the predicate + // is true only if the edge exists AND has the + // taint--ONLY ONE of the ne_state or e_taint + // may be non-null for an edge predicate + protected Taint e_taint; @@ -98,6 +102,7 @@ public class ExistPred extends Canonical { e_hrnDstID = null; e_type = null; e_field = null; + e_taint = null; e_srcOutCalleeContext = false; e_srcOutCallerContext = false; } @@ -123,6 +128,7 @@ public class ExistPred extends Canonical { e_hrnDstID = null; e_type = null; e_field = null; + e_taint = null; e_srcOutCalleeContext = false; e_srcOutCallerContext = false; } @@ -134,6 +140,7 @@ public class ExistPred extends Canonical { TypeDescriptor type, String field, ReachState state, + Taint taint, boolean srcOutCalleeContext, boolean srcOutCallerContext ) { @@ -143,6 +150,7 @@ public class ExistPred extends Canonical { type, field, state, + taint, srcOutCalleeContext, srcOutCallerContext ); @@ -156,16 +164,17 @@ public class ExistPred extends Canonical { TypeDescriptor type, String field, ReachState state, + Taint taint, boolean srcOutCalleeContext, boolean srcOutCallerContext ) { assert (tdSrc == null) || (hrnSrcID == null); assert hrnDstID != null; assert type != null; + assert (state == null) || (taint == null); // fields can be null when the edge is from // a variable node to a heap region! - // assert field != null; this.e_srcOutCalleeContext = srcOutCalleeContext; this.e_srcOutCallerContext = srcOutCallerContext; @@ -176,12 +185,47 @@ public class ExistPred extends Canonical { this.e_hrnSrcID = hrnSrcID; this.e_hrnDstID = hrnDstID; this.e_type = type; - this.e_field = field; + this.e_field = field; this.ne_state = state; + this.e_taint = taint; this.predType = TYPE_EDGE; n_hrnID = null; } + // for node or edge, check inputs + public static ExistPred factory( Integer hrnID, + TempDescriptor tdSrc, + Integer hrnSrcID, + Integer hrnDstID, + TypeDescriptor type, + String field, + ReachState state, + Taint taint, + boolean srcOutCalleeContext, + boolean srcOutCallerContext ) { + ExistPred out; + + if( hrnID != null ) { + out = new ExistPred( hrnID, state ); + + } else { + out = new ExistPred( tdSrc, + hrnSrcID, + hrnDstID, + type, + field, + state, + taint, + srcOutCalleeContext, + srcOutCallerContext ); + } + + out = (ExistPred) Canonical.makeCanonical( out ); + return out; + } + + + // only consider the subest of the caller elements that // are reachable by callee when testing predicates--if THIS @@ -206,20 +250,26 @@ public class ExistPred extends Canonical { return null; } - // when the state is null it is not part of the - // predicate, so we've already satisfied + // when the state is null we're done! if( ne_state == null ) { return hrn.getPreds(); - } - // otherwise look for state too - // TODO: contains OR containsSuperSet OR containsWithZeroes?? - if( hrn.getAlpha().containsIgnorePreds( ne_state ) - == null ) { - return hrn.getPreds(); + } else { + // otherwise look for state too + + // TODO: contains OR containsSuperSet OR containsWithZeroes?? + ReachState stateCaller = hrn.getAlpha().containsIgnorePreds( ne_state ); + + if( stateCaller == null ) { + return null; + + } else { + // it was here, return the predicates on the state!! + return stateCaller.getPreds(); + } } - return null; + // unreachable program point! } if( predType == TYPE_EDGE ) { @@ -295,17 +345,40 @@ public class ExistPred extends Canonical { return null; } - // only check state as part of the predicate if it - // is non-null - if( ne_state != null && - // TODO: contains OR containsSuperSet OR containsWithZeroes?? - hrnDst.getAlpha().containsIgnorePreds( ne_state ) != null - ) { - return null; + // when the state and taint are null we're done! + if( ne_state == null && + e_taint == null ) { + return edge.getPreds(); + + } else if( ne_state != null ) { + // otherwise look for state too + + // TODO: contains OR containsSuperSet OR containsWithZeroes?? + ReachState stateCaller = edge.getBeta().containsIgnorePreds( ne_state ); + + if( stateCaller == null ) { + return null; + + } else { + // it was here, return the predicates on the state!! + return stateCaller.getPreds(); + } + + } else { + // otherwise look for taint + + Taint tCaller = edge.getTaints().containsIgnorePreds( e_taint ); + + if( tCaller == null ) { + return null; + + } else { + // it was here, return the predicates on the taint!! + return tCaller.getPreds(); + } } - - // predicate satisfied - return edge.getPreds(); + + // unreachable program point! } throw new Error( "Unknown predicate type" ); @@ -392,6 +465,14 @@ public class ExistPred extends Canonical { return false; } + if( e_taint == null ) { + if( pred.e_taint != null ) { + return false; + } + } else if( !e_taint.equals( pred.e_taint ) ) { + return false; + } + return true; } @@ -437,7 +518,11 @@ public class ExistPred extends Canonical { if( ne_state != null ) { hash ^= ne_state.hashCode(); } - + + if( e_taint != null ) { + hash ^= e_taint.hashCode(); + } + return hash; } @@ -481,6 +566,10 @@ public class ExistPred extends Canonical { s += "w"+ne_state; } + if( e_taint != null ) { + s += "w"+e_taint; + } + return s; } diff --git a/Robust/src/Analysis/Disjoint/ReachGraph.java b/Robust/src/Analysis/Disjoint/ReachGraph.java index adf3a410..10be7c50 100644 --- a/Robust/src/Analysis/Disjoint/ReachGraph.java +++ b/Robust/src/Analysis/Disjoint/ReachGraph.java @@ -14,17 +14,17 @@ public class ReachGraph { // a special out-of-scope temp protected static final TempDescriptor tdReturn = new TempDescriptor( "_Return___" ); - - // some frequently used reachability constants - protected static final ReachState rstateEmpty = ReachState.factory(); - protected static final ReachSet rsetEmpty = ReachSet.factory(); - protected static final ReachSet rsetWithEmptyState = Canonical.makePredsTrue(ReachSet.factory( rstateEmpty )); // predicate constants public static final ExistPred predTrue = ExistPred.factory(); // if no args, true public static final ExistPredSet predsEmpty = ExistPredSet.factory(); public static final ExistPredSet predsTrue = ExistPredSet.factory( predTrue ); - + + // some frequently used reachability constants + protected static final ReachState rstateEmpty = ReachState.factory(); + protected static final ReachSet rsetEmpty = ReachSet.factory(); + protected static final ReachSet rsetWithEmptyState = Canonical.changePredsTo( ReachSet.factory( rstateEmpty ), + predsTrue ); // from DisjointAnalysis for convenience protected static int allocationDepth = -1; @@ -134,7 +134,7 @@ public class ReachGraph { if( inherent == null ) { if( markForAnalysis ) { inherent = - Canonical.makePredsTrue( + Canonical.changePredsTo( ReachSet.factory( ReachState.factory( ReachTuple.factory( id, @@ -143,7 +143,8 @@ public class ReachGraph { false // out-of-context ) ) - ) + ), + predsTrue ); } else { inherent = rsetWithEmptyState; @@ -653,10 +654,11 @@ public class ReachGraph { hrnY, tdNewEdge, f.getSymbol(), - Canonical.makePredsTrue( + Canonical.changePredsTo( Canonical.pruneBy( edgeY.getBeta(), hrnX.getAlpha() - ) + ), + predsTrue ), predsTrue, Canonical.changePredsTo( edgeY.getTaints(), @@ -1429,7 +1431,7 @@ public class ReachGraph { // used below to convert a ReachSet to its callee-context // equivalent with respect to allocation sites in this graph protected ReachSet toCalleeContext( ReachSet rs, - ExistPredSet preds, + ExistPredSet predsNodeOrEdge, Set<HrnIdOoc> oocHrnIdOoc2callee ) { ReachSet out = ReachSet.factory(); @@ -1512,14 +1514,36 @@ public class ReachGraph { stateCallee = stateNew; } - // attach the passed in preds - stateCallee = Canonical.attach( stateCallee, - preds ); + // make a predicate of the caller graph element + // and the caller state we just converted + ExistPredSet predsWithState = ExistPredSet.factory(); + + Iterator<ExistPred> predItr = predsNodeOrEdge.iterator(); + while( predItr.hasNext() ) { + ExistPred predNodeOrEdge = predItr.next(); + + predsWithState = + Canonical.add( predsWithState, + ExistPred.factory( predNodeOrEdge.n_hrnID, + predNodeOrEdge.e_tdSrc, + predNodeOrEdge.e_hrnSrcID, + predNodeOrEdge.e_hrnDstID, + predNodeOrEdge.e_type, + predNodeOrEdge.e_field, + stateCallee, + null, + predNodeOrEdge.e_srcOutCalleeContext, + predNodeOrEdge.e_srcOutCallerContext + ) + ); + } + stateCallee = Canonical.changePredsTo( stateCallee, + predsWithState ); + out = Canonical.add( out, stateCallee - ); - + ); } assert out.isCanonical(); return out; @@ -1591,6 +1615,57 @@ public class ReachGraph { } + // convert a caller taint set into a callee taint set + protected TaintSet + toCalleeContext( TaintSet ts, + ExistPredSet predsEdge ) { + + TaintSet out = TaintSet.factory(); + + // the idea is easy, the taint identifier itself doesn't + // change at all, but the predicates should be tautology: + // start with the preds passed in from the caller edge + // that host the taints, and alter them to have the taint + // added, just becoming more specific than edge predicate alone + + Iterator<Taint> itr = ts.iterator(); + while( itr.hasNext() ) { + Taint tCaller = itr.next(); + + ExistPredSet predsWithTaint = ExistPredSet.factory(); + + Iterator<ExistPred> predItr = predsEdge.iterator(); + while( predItr.hasNext() ) { + ExistPred predEdge = predItr.next(); + + predsWithTaint = + Canonical.add( predsWithTaint, + ExistPred.factory( predEdge.e_tdSrc, + predEdge.e_hrnSrcID, + predEdge.e_hrnDstID, + predEdge.e_type, + predEdge.e_field, + null, + tCaller, + predEdge.e_srcOutCalleeContext, + predEdge.e_srcOutCallerContext + ) + ); + } + + Taint tCallee = Canonical.changePredsTo( tCaller, + predsWithTaint ); + + out = Canonical.add( out, + tCallee + ); + } + + assert out.isCanonical(); + return out; + } + + // used below to convert a TaintSet to its caller-context // equivalent, just eliminate Taints with bad preds protected TaintSet @@ -1804,7 +1879,7 @@ public class ReachGraph { ), toCalleeContext( hrnCaller.getAlpha(), preds, - oocHrnIdOoc2callee + oocHrnIdOoc2callee ), preds, hrnCaller.getDescription() @@ -1835,17 +1910,14 @@ public class ReachGraph { hrnDstCallee.getID(), reArg.getType(), reArg.getField(), - null, + null, // state + null, // taint true, // out-of-callee-context false // out-of-caller-context ); ExistPredSet preds = ExistPredSet.factory( pred ); - - TaintSet taints = TaintSet.factory( reArg.getTaints(), - preds - ); RefEdge reCallee = new RefEdge( vnCallee, @@ -1857,7 +1929,8 @@ public class ReachGraph { oocHrnIdOoc2callee ), preds, - taints + toCalleeContext( reArg.getTaints(), + preds ) ); rg.addRefEdge( vnCallee, @@ -1886,7 +1959,8 @@ public class ReachGraph { hrnDstCallee.getID(), reCaller.getType(), reCaller.getField(), - null, + null, // state + null, // taint false, // out-of-callee-context false // out-of-caller-context ); @@ -1959,6 +2033,7 @@ public class ReachGraph { reCaller.getType(), reCaller.getField(), null, + null, outOfCalleeContext, outOfCallerContext ); @@ -2061,8 +2136,8 @@ public class ReachGraph { oocHrnIdOoc2callee ), preds, - Canonical.changePredsTo( reCaller.getTaints(), - preds ) + toCalleeContext( reCaller.getTaints(), + preds ) ) ); @@ -2081,6 +2156,13 @@ public class ReachGraph { ) ); + oocEdgeExisting.setTaints( Canonical.unionORpreds( oocEdgeExisting.getTaints(), + toCalleeContext( reCaller.getTaints(), + preds + ) + ) + ); + HeapRegionNode hrnCalleeAndOutContext = (HeapRegionNode) oocEdgeExisting.getSrc(); hrnCalleeAndOutContext.setAlpha( Canonical.unionORpreds( hrnCalleeAndOutContext.getAlpha(), diff --git a/Robust/src/Tests/disjoint/taintTest1/makefile b/Robust/src/Tests/disjoint/taintTest1/makefile index ab015921..75ab66b0 100644 --- a/Robust/src/Tests/disjoint/taintTest1/makefile +++ b/Robust/src/Tests/disjoint/taintTest1/makefile @@ -5,7 +5,7 @@ SOURCE_FILES=$(PROGRAM).java BUILDSCRIPT=~/research/Robust/src/buildscript BSFLAGS= -mainclass Test -justanalyze -ooojava -disjoint -disjoint-k 1 -enable-assertions -DEBUGFLAGS= -disjoint-write-dots final -disjoint-write-initial-contexts -disjoint-write-ihms # -disjoint-debug-snap-method main 0 10 true +DEBUGFLAGS= -disjoint-write-dots final -disjoint-write-initial-contexts -disjoint-write-ihms -disjoint-debug-snap-method main 0 10 true all: $(PROGRAM).bin -- 2.34.1