
Commit 38e6e1f

author
owen-jones-diffblue
authored
Merge pull request diffblue#549 from diffblue/bugfix_add_aliasing_between_DO_and_EVSes
SEC-633: Bugfix: added alias-computation between a DO and EVSes in the domain.
2 parents 3e2e06d + 2fa71c2 commit 38e6e1f


2 files changed

+26
-4
lines changed


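--- a/src/taint-analysis/taint_summary.cpp
+++ b/src/taint-analysis/taint_summary.cpp
@@ -520,14 +520,15 @@ numbered_lvalue_to_taint_mapt taint_algorithm_computing_summary_of_functiont::
 void taint_algorithm_computing_summary_of_functiont::assign(
 numbered_lvalue_to_taint_mapt &map,
 const taint_lvalue_numbert lvalue,
-const taint_sett &taint)
+const taint_sett &taint,
+const bool allow_bottom_assignment)
 {
 TMPROF_BLOCK();
 
 const auto it = map.find(lvalue);
 if (it == map.end())
 {
-if(!taint.is_bottom())
+if(!taint.is_bottom() || allow_bottom_assignment)
 map.insert({ lvalue, taint });
 }
 else
@@ -919,6 +920,26 @@ taint_sett taint_algorithm_computing_summary_of_functiont::
 const auto input_it = input.find(lvalue_number);
 if(input_it != input.cend())
 result += input_it->second;
+else
+{
+const exprt &alias_expr = numbering->at(lvalue_number);
+if(alias_expr.id() == ID_dynamic_object)
+{
+const typet &alias_expr_type =
+program->get_namespace().follow(alias_expr.type());
+for(const auto &number_and_taint : a)
+{
+const exprt &expr = numbering->at(number_and_taint.first);
+if(expr.id() == ID_external_value_set)
+{
+const typet &expr_type =
+program->get_namespace().follow(expr.type());
+if(alias_expr_type == expr_type)
+result |= number_and_taint.second;
+}
+}
+}
+}
 }
 }
 return result;
@@ -943,7 +964,7 @@ void taint_algorithm_computing_summary_of_functiont::
 // Singular implies that lhs has exactly one element,
 // so we can access it directly
 for(const auto num : numbers_of_aliases)
-assign(result, num, taint_from_rule);
+assign(result, num, taint_from_rule, is_allowed_pure_assignment);
 }
 else
 {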
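Review bot: The new `else` branch in the second hunk (new lines 923–942) joins taint with `result |= number_and_taint.second` while the line just above it joins with `result += input_it->second`, and it iterates over `a` although the lookup that failed was in `input`; if both differences are intended the block should say so, because in a taint analysis a wrong join or a wrong map shows up only as silently missed or spurious flows. I would put a comment above the `else`, for example `// No entry for this dynamic object: fall back to the taint of every external value set whose followed type matches.`, and use one spelling of the join if `+=` and `|=` mean the same thing on `taint_sett`. The exact comparison `alias_expr_type == expr_type` also looks as if it could skip an external value set whose type is compatible but not identical, which would under-report taint; that is worth confirming against how EVS types are assigned. The enclosing function starts and ends outside the hunk.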

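--- a/src/taint-analysis/taint_summary.h
+++ b/src/taint-analysis/taint_summary.h
@@ -350,7 +350,8 @@ class taint_algorithm_computing_summary_of_functiont
 void assign(
 numbered_lvalue_to_taint_mapt &map,
 const taint_lvalue_numbert lvalue,
-const taint_sett &taint);
+const taint_sett &taint,
+const bool allow_bottom_assignment = false);
 
 void maybe_assign(
 numbered_lvalue_to_taint_mapt &map,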
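Review bot: The defaulted parameter `allow_bottom_assignment` is added to `assign` without any comment at the declaration, so a caller cannot tell what passing `true` changes. As far as the .cpp hunk shows, the flag is consulted only when `lvalue` has no entry in `map` yet; the branch for an existing entry lies outside the visible lines. I would add `// allow_bottom_assignment: when true, a bottom taint is inserted even if lvalue has no entry yet; by default such an assignment is dropped.` above the declaration. As a style point, top-level `const` on a by-value parameter has no effect in a declaration, so `bool allow_bottom_assignment = false` is enough here.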
