From e7982a2f4f3d853fa7282da1a2e8173f2b09e92c Mon Sep 17 00:00:00 2001
From: jjenista
Date: Thu, 17 Jun 2010 23:21:15 +0000
Subject: [PATCH] taints working intraprocedurally, a bug in inter I'm working out now

---
 Robust/src/Analysis/Disjoint/ReachGraph.java | 64 +++++++++++++++++--
 Robust/src/Analysis/Disjoint/Taint.java | 8 +++
 .../src/Tests/disjoint/taintTest1/test.java | 21 ++++-
 3 files changed, 81 insertions(+), 12 deletions(-)

diff --git a/Robust/src/Analysis/Disjoint/ReachGraph.java b/Robust/src/Analysis/Disjoint/ReachGraph.java
index 03c6edba..62923825 100644
--- a/Robust/src/Analysis/Disjoint/ReachGraph.java
+++ b/Robust/src/Analysis/Disjoint/ReachGraph.java
@@ -466,7 +466,7 @@ public class ReachGraph {
                                   null,
                                   Canonical.intersection( betaY, betaHrn ),
                                   predsTrue,
-                                  null
+                                  edgeY.getTaints()
                                   );
         addEdgeOrMergeWithExisting( edgeNew );
@@ -621,7 +621,7 @@ public class ReachGraph {
                                   )
                                   ),
                                   predsTrue,
-                                  null
+                                  edgeY.getTaints()
                                   );
         addEdgeOrMergeWithExisting( edgeNew );
@@ -691,7 +691,7 @@ public class ReachGraph {
                                   null, // field name
                                   hrnNewest.getAlpha(), // beta
                                   predsTrue, // predicates
-                                  null
+                                  TaintSet.factory() // taints
                                   );
     addRefEdge( lnX, hrnNewest, edgeNew );
@@ -1438,6 +1438,56 @@ public class ReachGraph {
     return out;
   }
+
+  // used below to convert a TaintSet's parameter index taints to
+  // a TaintSet of caller taints
+  protected TaintSet
+    toCallerContext( TaintSet ts,
+                     FlatCall fc,
+                     FlatMethod fmCallee
+                     ) {
+
+    TaintSet out = TaintSet.factory();
+
+    Iterator itr = ts.iterator();
+    while( itr.hasNext() ) {
+      Taint t = itr.next();
+
+      if( !t.isParamTaint() ) {
+        // throw out non-parameter taints from callee
+        continue;
+      }
+
+      // what argument does this taint map to?
+      TempDescriptor tdArg =
+        fc.getArgMatchingParamIndex( fmCallee,
+                                     t.getParamIndex() );
+      VariableNode vnArg = td2vn.get( tdArg );
+
+      // what allocation site does this taint refer to?
+      AllocSite as = t.getAllocSite();
+
+      // look at the allocation sites that the
+      // arg references in the caller context--if
+      // the parameter taint matches, use the taints
+      // of the argument reference to grow the output set
+      Iterator reItr = vnArg.iteratorToReferencees();
+      while( reItr.hasNext() ) {
+        RefEdge re = reItr.next();
+
+        if( as.equals( re.getDst().getAllocSite() ) ) {
+          out = Canonical.union( out,
+                                 re.getTaints()
+                                 );
+        }
+      }
+    }
+
+    assert out.isCanonical();
+    return out;
+  }
+
+
   // used below to convert a ReachSet to an equivalent
   // version with shadow IDs merged into unshadowed IDs
   protected ReachSet unshadow( ReachSet rs ) {
@@ -1717,7 +1767,7 @@ public class ReachGraph {
                                                   oocHrnIdOoc2callee
                                                   ),
                                  preds,
-                                 null
+                                 TaintSet.factory() // no taints for in-context edges
                                  );
         rg.addRefEdge( hrnSrcCallee,
@@ -1874,7 +1924,7 @@ public class ReachGraph {
                                                   oocHrnIdOoc2callee
                                                   ),
                                  preds,
-                                 null
+                                 TaintSet.factory() // no taints
                                  )
                                  );
@@ -2438,7 +2488,9 @@ public class ReachGraph {
                                  toCallerContext( reCallee.getBeta(),
                                                   calleeStatesSatisfied
                                                   ),
                                  preds,
-                                 null
+                                 toCallerContext( reCallee.getTaints(),
+                                                  fc,
+                                                  fmCallee )
                                  );
       ChangeSet cs = ChangeSet.factory();
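Review bot: In `toCallerContext( TaintSet ts, FlatCall fc, FlatMethod fmCallee )` the result of `td2vn.get( tdArg )` is dereferenced unguarded, so a caller graph with no VariableNode for the argument temp (or a null `tdArg` from `getArgMatchingParamIndex`) fails with a NullPointerException at `vnArg.iteratorToReferencees()`; a guard such as `if( vnArg == null ) { continue; }`, or `assert vnArg != null;` if that is the intended invariant, would make the failure explicit. The same holds for `ts` at the `@@ -2438` call site: any RefEdge still constructed with a null taint set would make `reCallee.getTaints()` null and `ts.iterator()` throw. Since the description mentions an interprocedural bug still being worked out, note that `as.equals( re.getDst().getAllocSite() )` compares the allocation site stored in the callee's parameter taint with caller-side edge destinations, which only matches if both contexts record the same site for the argument — worth confirming, as a mismatch leaves `out` empty. The `continue` that discards non-parameter (SESE) taints would also read better with a comment stating that dropping them at the call boundary is intentional.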
diff --git a/Robust/src/Analysis/Disjoint/Taint.java b/Robust/src/Analysis/Disjoint/Taint.java
index 71eae24e..3c58ae9f 100644
--- a/Robust/src/Analysis/Disjoint/Taint.java
+++ b/Robust/src/Analysis/Disjoint/Taint.java
@@ -70,6 +70,14 @@ public class Taint extends Canonical {
     allocSite = as;
   }
 
+  public boolean isParamTaint() {
+    return paramIndex != null;
+  }
+
+  public boolean isSESETaint() {
+    return sese != null;
+  }
+
   public Integer getParamIndex() {
     return paramIndex;
   }
diff --git a/Robust/src/Tests/disjoint/taintTest1/test.java b/Robust/src/Tests/disjoint/taintTest1/test.java
index db695a56..04ed03b8 100644
--- a/Robust/src/Tests/disjoint/taintTest1/test.java
+++ b/Robust/src/Tests/disjoint/taintTest1/test.java
@@ -1,20 +1,29 @@
 public class Foo {
   public Foo() {}
   public Foo f;
+  public Foo g;
 }
 
 public class Test {
 
   static public void main( String[] args ) {
-    Foo f = new Foo();
+    Foo a = new Foo();
+    Foo b = new Foo();
+    giveParamNames( a, b );
+  }
 
-    Foo g = doStuff( f );
+  static void giveParamNames( Foo a, Foo b ) {
+    Foo c = doStuff( a, b );
   }
 
-  static Foo doStuff( Foo m ) {
-
-    Foo n = new Foo();
-    return n;
+  static Foo doStuff( Foo m, Foo n ) {
+
+    m.f = new Foo();
+    n.f = new Foo();
+
+    m.g = n.f;
+
+    return new Foo();
   }
 }
-- 
2.34.1
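Review bot: `isParamTaint()` and `isSESETaint()` are new public predicates on a Canonical value with no Javadoc, and nothing in the hunk says whether a Taint may have both `paramIndex` and `sese` set. A one-line comment on each, e.g. `/** True when this taint originated from a callee parameter (paramIndex is non-null). */` and `/** True when this taint is attributed to an SESE (sese is non-null). */`, would record the contract that `ReachGraph.toCallerContext` now relies on. If the two cases are meant to be mutually exclusive, stating that here is worthwhile, since a taint with both fields set is treated purely as a parameter taint by that caller. The enclosing class continues outside the hunk.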