Merge pull request diffblue#125 from diffblue/marek/tpg_update_PR

marek-trtik · web-flow · commit 1962223371ee · 2017-05-09T13:46:37.000+01:00
Update of tokens propagation graph for instrumentation of shadow vari…
diff --git a/src/taint-analysis/taint_tokens_propagation_graph.cpp b/src/taint-analysis/taint_tokens_propagation_graph.cpp
@@ -55,21 +55,21 @@ taint_tokens_propagation_grapht::taint_tokens_propagation_grapht(
       if(propagation_rule->has_input_condition())
       {
         insert_forward_relation_from_token_to_rule(
-          names_of_tokens.right.at(propagation_rule->get_input_taint()), id);
-        map_from_rules_to_inputs[id].insert(
+          names_of_tokens.right.at(propagation_rule->get_input_taint()),
+          id,
           propagation_rule->get_input_location().arg_index);
       }
       else
       {
-        insert_forward_relation_from_token_to_rule(get_source_token(), id);
-        // We have to make sure that there is created a set (empty) for
-        // the rule of map from rules to input.
-        map_from_rules_to_inputs[id]={};
+        insert_forward_relation_from_token_to_rule(
+          get_source_token(),
+          id,
+          get_void_loc());
       }
 
       insert_forward_relation_from_rule_to_token(
-        id, names_of_tokens.right.at(propagation_rule->get_result_taint()));
-      map_from_rules_to_outputs[id].insert(
+        id,
+        names_of_tokens.right.at(propagation_rule->get_result_taint()),
         translate_taintable_location(propagation_rule->get_result_location()));
     }
   }
@@ -82,13 +82,13 @@ taint_tokens_propagation_grapht::taint_tokens_propagation_grapht(
       const rule_idt id=std::to_string(sanitizer_rule->get_id());
 
       insert_forward_relation_from_token_to_rule(
-        names_of_tokens.right.at(sanitizer_rule->get_sanitized_taint()), id);
-      // We have to make sure that there is created a set (empty) for
-      // the rule of map from rules to input.
-      map_from_rules_to_inputs[id]={};
-      map_from_rules_to_outputs[id].insert(
+        names_of_tokens.right.at(sanitizer_rule->get_sanitized_taint()),
+        id,
+        get_void_loc());
+      insert_forward_relation_from_rule_to_token(
+        id,
+        get_source_token(),
         translate_taintable_location(sanitizer_rule->get_sanitized_location()));
-
       sanitisers.insert(id);
     }
   }
@@ -103,36 +103,27 @@ taint_tokens_propagation_grapht::taint_tokens_propagation_grapht(
       if(sink_rule->has_input_condition())
       {
         insert_forward_relation_from_token_to_rule(
-          names_of_tokens.right.at(sink_rule->get_input_taint()), id);
-        map_from_rules_to_inputs[id].insert(
+          names_of_tokens.right.at(sink_rule->get_input_taint()),
+          id,
           sink_rule->get_input_location().arg_index);
       }
       else
-        insert_forward_relation_from_token_to_rule(get_source_token(), id);
-
+      {
+        insert_forward_relation_from_token_to_rule(
+          get_source_token(),
+          id,
+          get_void_loc());
+      }
       insert_forward_relation_from_token_to_rule(
-        names_of_tokens.right.at(sink_rule->get_sink_target_taint()), id);
-      insert_forward_relation_from_rule_to_token(id, get_sink_token());
-      map_from_rules_to_inputs[id].insert(
+        names_of_tokens.right.at(sink_rule->get_sink_target_taint()),
+        id,
         translate_taintable_location(sink_rule->get_sink_target_location()));
-      // We also have to make sure that there is created a set (empty) for
-      // the rule of map from rules to output.
-      map_from_rules_to_outputs[id]={};
+      insert_forward_relation_from_rule_to_token(
+        id,
+        get_sink_token(),
+        get_void_loc());
     }
   }
-  // Sanitisers require a special handling: we have to insert edges from
-  // a sanitasition rule into all tokens representing a propagation of tainted
-  // data without the sanitised taint.
-  for(const auto &sanitiser : sanitisers)
-    // For each token (sanitised) leading to the sanitisation rule.
-    for(const auto &sanitised_token : get_backward_tokens_from_rule(sanitiser))
-      // For each rule leading to the token later sanitised by the sanitisation
-      // rule.
-      for(const auto &rule : get_backward_rules_from_token(sanitised_token))
-        // For each token not affected by the sanitisation rule, but whose
-        // (some) successor rules may lead to token which is later sanitised.
-        for(const auto &token : get_backward_tokens_from_rule(rule))
-          insert_forward_relation_from_rule_to_token(sanitiser, token);
   std::sort(tokens.begin(), tokens.end());
   std::sort(rules.begin(), rules.end());
 }
@@ -158,46 +149,35 @@ void taint_tokens_propagation_grapht::insert_rule(const rule_idt &rid)
     rules.push_back(rid);
     forward_map_from_rules_to_tokens[rid]={};
     backward_map_from_rules_to_tokens[rid]={};
+    map_from_rules_to_inputs[rid]={};
+    map_from_rules_to_outputs[rid]={};
   }
 }
 
 void taint_tokens_propagation_grapht::
   insert_forward_relation_from_token_to_rule(
     const taint_tokent::namet &tid,
-    const rule_idt &rid)
+    const rule_idt &rid,
+    const int loc)
 {
   insert_token(tid);
   insert_rule(rid);
-  {
-    auto &out_rules=forward_map_from_tokens_to_rules[tid];
-    if(std::find(out_rules.cbegin(), out_rules.cend(), rid)==out_rules.cend())
-      out_rules.push_back(rid);
-  }
-  {
-    auto &in_tokens=backward_map_from_rules_to_tokens[rid];
-    if(std::find(in_tokens.cbegin(), in_tokens.cend(), tid)==in_tokens.cend())
-      in_tokens.push_back(tid);
-  }
+  forward_map_from_tokens_to_rules[tid].push_back(rid);
+  backward_map_from_rules_to_tokens[rid].push_back(tid);
+  map_from_rules_to_inputs[rid].push_back(loc);
 }
 
 void taint_tokens_propagation_grapht::
   insert_forward_relation_from_rule_to_token(
     const rule_idt &rid,
-    const taint_tokent::namet &tid)
+    const taint_tokent::namet &tid,
+    const int loc)
 {
   insert_token(tid);
   insert_rule(rid);
-  {
-    auto &out_tokens=forward_map_from_rules_to_tokens[rid];
-    if(std::find(out_tokens.cbegin(), out_tokens.cend(), tid)==
-       out_tokens.cend())
-      out_tokens.push_back(tid);
-  }
-  {
-    auto &in_rules=backward_map_from_tokens_to_rules[tid];
-    if(std::find(in_rules.cbegin(), in_rules.cend(), rid)==in_rules.cend())
-      in_rules.push_back(rid);
-  }
+  forward_map_from_rules_to_tokens[rid].push_back(tid);
+  backward_map_from_tokens_to_rules[tid].push_back(rid);
+  map_from_rules_to_outputs[rid].push_back(loc);
 }
 
 std::ostream &taint_to_dot(
@@ -208,18 +188,27 @@ std::ostream &taint_to_dot(
        << "  rankdir=TB;\n"
        << "  node [fontsize=12];\n\n";
   for(const taint_tokent::namet &token : graph.get_tokens())
+  {
     ostr << "  \"" << token
-         << "\" [label=\""
-         << (token == taint_tokens_propagation_grapht::get_source_token() ?
-               taint_tokens_propagation_grapht::get_source_token().name :
-             token == taint_tokens_propagation_grapht::get_sink_token() ?
-               taint_tokens_propagation_grapht::get_sink_token().name :
-               (msgstream() << token).get())
-         << "\", shape="
-         << (token==graph.get_source_token() ? "octagon" :
-            (token==graph.get_sink_token()   ? "doubleoctagon" :
-                                               "ellipse"))
-         << "];\n";
+         << "\" [label=\"";
+    if(token == taint_tokens_propagation_grapht::get_source_token())
+    {
+      ostr << taint_tokens_propagation_grapht::get_source_token().name
+           << "\", shape=octagon, style=filled, fillcolor=aquamarine";
+    }
+    else if(token == taint_tokens_propagation_grapht::get_sink_token())
+    {
+      ostr << taint_tokens_propagation_grapht::get_sink_token().name
+           << "\", shape=doubleoctagon, style=filled, fillcolor=lightcoral";
+    }
+    else
+    {
+      ostr << token << "\", shape=ellipse";
+      if(graph.get_forward_rules_from_token(token).empty())
+        ostr << ", style=filled, fillcolor=gold";
+    }
+    ostr << "];\n";
+  }
   ostr << "\n";
   for(const auto &rule : graph.get_rules())
   {
@@ -236,42 +225,74 @@ std::ostream &taint_to_dot(
     bool first=true;
     for(const auto index : graph.get_map_from_rules_to_inputs().at(rule))
     {
-      if(!first)
-        ostr << ", ";
-      ostr << "ARG" << index;
-      first=false;
+      if(index!=taint_tokens_propagation_grapht::get_void_loc())
+      {
+        if(!first)
+          ostr << ", ";
+        ostr << "ARG" << index;
+        first=false;
+      }
     }
     ostr << "}\\lOUTPUTS: {";
     first=true;
     for(const auto index : graph.get_map_from_rules_to_outputs().at(rule))
     {
-      if(!first)
-        ostr << ", ";
-      if(index<0)
-        ostr << "RETVAL";
-      else
-        ostr << "ARG" << index;
-      first=false;
+      if(index!=taint_tokens_propagation_grapht::get_void_loc())
+      {
+        if(!first)
+          ostr << ", ";
+        if(index==-1)
+          ostr << "RETVAL";
+        else
+          ostr << "ARG" << index;
+        first=false;
+      }
     }
     ostr << "}\\l\", shape=box"
          << (graph.get_sanitiser_rules().count(rule)!=0UL ?
               ", style=filled, fillcolor=lightgray" :
-              "" )
+              ", style=filled, fillcolor=azure" )
          << "];\n";
   }
   ostr << "\n";
-  for(const auto &token : graph.get_tokens())
+
+  for(const auto &rule : graph.get_rules())
   {
-    for(const auto &rule : graph.get_forward_rules_from_token(token))
-      ostr << "  \"" << token
-           << "\" -> "
-           << "\"" << rule
-           << "\";\n";
-    for(const auto &rule : graph.get_backward_rules_from_token(token))
-      ostr << "  \"" << rule
-           << "\" -> "
-           << "\"" << token
-           << "\";\n";
+    const auto &in_tokens=graph.get_backward_tokens_from_rule(rule);
+    const auto &in_locs=graph.get_map_from_rules_to_inputs().at(rule);
+    assert(in_tokens.size()==in_locs.size());
+    for(std::size_t i=0UL, n=in_tokens.size(); i!=n; ++i)
+    {
+      ostr << "  \"" << in_tokens.at(i) << "\" -> \"" << rule << "\"";
+      if(in_locs.at(i)!=taint_tokens_propagation_grapht::get_void_loc())
+      {
+        ostr << " [label=\"";
+        if(in_locs.at(i)==-1)
+          ostr << "RETVAL";
+        else
+          ostr << "ARG" << in_locs.at(i);
+        ostr << "\"]";
+      }
+      ostr << "\n";
+    }
+
+    const auto &out_tokens=graph.get_forward_tokens_from_rule(rule);
+    const auto &out_locs=graph.get_map_from_rules_to_outputs().at(rule);
+    assert(out_tokens.size()==out_locs.size());
+    for(std::size_t i=0UL, n=out_tokens.size(); i!=n; ++i)
+    {
+      ostr << "  \"" << rule << "\" -> \"" << out_tokens.at(i) << "\"";
+      if(out_locs.at(i)!=taint_tokens_propagation_grapht::get_void_loc())
+      {
+        ostr << " [label=\"";
+        if(out_locs.at(i)==-1)
+          ostr << "RETVAL";
+        else
+          ostr << "ARG" << out_locs.at(i);
+        ostr << "\"]";
+      }
+      ostr << "\n";
+    }
   }
   ostr << "}\n";
 
diff --git a/src/taint-analysis/taint_tokens_propagation_graph.h b/src/taint-analysis/taint_tokens_propagation_graph.h
@@ -57,8 +57,10 @@ class taint_tokens_propagation_grapht
           backward_map_from_rules_to_tokenst;
 
   // To track references of input and output parameters of individual rules.
-  // The "return_value" value in the output map is denoted by -1.
-  typedef std::map<rule_idt, std::set<int>>
+  // The "return_value" value in the output map is denoted by -1. The values
+  // 999 (see the static method 'get_void_loc()') means 'no value', i.e. it
+  // is a dummy reference, typically related to SOURCE and SINK nodes.
+  typedef std::map<rule_idt, std::vector<int>>
           map_from_rules_to_inputst;
   typedef map_from_rules_to_inputst map_from_rules_to_outputst;
 
@@ -75,6 +77,8 @@ class taint_tokens_propagation_grapht
     return { "com.diffblue.security.built-ins", "SINK" };
   }
 
+  static int get_void_loc() { return -2; }
+
   const std::vector<taint_tokent::namet> &get_tokens() const { return tokens; }
   const std::vector<rule_idt> &get_rules() const { return rules; }
   const std::set<rule_idt> &get_sanitiser_rules() const
@@ -112,21 +116,13 @@ class taint_tokens_propagation_grapht
 
   void insert_forward_relation_from_token_to_rule(
     const taint_tokent::namet &tid,
-    const rule_idt &rid);
+    const rule_idt &rid,
+    const int loc);
 
   void insert_forward_relation_from_rule_to_token(
     const rule_idt &rid,
-    const taint_tokent::namet &tid);
-
-  void insert_backward_relation_from_token_to_rule(
     const taint_tokent::namet &tid,
-    const rule_idt &rid)
-  { insert_forward_relation_from_rule_to_token(rid, tid); }
-
-  void insert_backward_relation_from_rule_to_token(
-    const rule_idt &rid,
-    const taint_tokent::namet &tid)
-  { insert_forward_relation_from_token_to_rule(tid, rid); }
+    const int loc);
 
   static constexpr std::size_t  SOURCE_index = 0ULL;
   static constexpr std::size_t  SINK_index = 1ULL;
