Merge pull request diffblue#398 from diffblue/fixes_in_instrumenter

marek-trtik · web-flow · commit 46da5ec73628 · 2018-05-09T13:16:10.000+01:00
SEC-369: Fixed instrumentation of NONDET and instances of wrapped primitive types.
diff --git a/regression/end_to_end/general005/test_general005.py b/regression/end_to_end/general005/test_general005.py
@@ -12,7 +12,6 @@ def test_general005():
             "build",
             "taint_traces_05_rules.json",
             os.path.realpath(os.path.dirname(__file__)),
-            "AssignmentAction.doUpload_all",
-            ["--data-flow-insensitive-instrumentation"]) as traces:
+            "AssignmentAction.doUpload_all") as traces:
         assert traces.count_traces() > 0
         assert traces.trace_exists("java::DummyAssignmentSubmissionEdit.setSubmittedText:(Ljava/lang/String;)V", 3)
diff --git a/regression/end_to_end/general006/test_general006.py b/regression/end_to_end/general006/test_general006.py
@@ -14,8 +14,7 @@ def test_general006():
             "taint_traces_06.war",
             "taint_traces_06_rules.json",
             os.path.realpath(os.path.dirname(__file__)),
-            "taint_test.test.doGet",
-            ["--data-flow-insensitive-instrumentation"]) as traces:
+            "taint_test.test.doGet") as traces:
         assert traces.count_traces() > 0
         assert traces.trace_exists(
             "java::taint_test.test.doGet:(Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;)V",
diff --git a/src/taint-slicer/instrumenter.cpp b/src/taint-slicer/instrumenter.cpp
@@ -104,7 +104,9 @@ exprt make_or_update_initialiser(
   const std::set<taint_instrumentert::automaton_variable_idt> &
     names_of_shadow_variables)
 {
-  if(new_type.id()!=ID_struct)
+  if(new_type.id()!=ID_struct ||
+    (initialiser.id() == ID_side_effect &&
+      to_side_effect_expr(initialiser).get_statement() == ID_nondet))
   {
     // Rewrite type regardless, for example to turn (array*)null into
     // (wrapped_array*)null
@@ -308,6 +310,7 @@ exprt taint_instrumentert::drive_access_path_through_super_classes(
       namespacet(get_instrumented_symbol_table())));
   const typet &fixed_type=static_cast<const typet &>(fixed_type_irep);
   bool result_type_changed=fixed_type!=access_path.type();
+  const auto &full_fixed_type = instrumented_namespace.follow(fixed_type);
 
   if(const auto symbol=expr_try_dynamic_cast<symbol_exprt>(access_path))
   {
@@ -381,6 +384,60 @@ exprt taint_instrumentert::drive_access_path_through_super_classes(
     result.op0()=unary_op;
     return result;
   }
+  else if(access_path.id() == ID_typecast &&
+    is_primitive_type(access_path.type()) &&
+    full_fixed_type.id() == ID_struct)
+  {
+    // Special case for handling typecasts of instances of wrapped primitive
+    // data types. We resolve the typecast so that we build the struct
+    // initialiser for the wrapper type and we initialise all members by making
+    // accesses to the corresponding members in the origin wrapped access path.
+    exprt uncast_access_path = access_path;
+    while(uncast_access_path.id() == ID_typecast)
+      uncast_access_path = to_typecast_expr(uncast_access_path).op();
+    uncast_access_path =
+      drive_access_path_through_super_classes(uncast_access_path);
+    const typet uncasted_access_path_type =
+      instrumented_namespace.follow(uncast_access_path.type());
+    struct_exprt struct_expr(fixed_type);
+    // First we set the super instance (i.e. '@__CPROVER__super' member,
+    // which is actually the instance of the primitive type).
+    struct_expr.operands().push_back(
+      typecast_exprt(
+        get_super_if_subclassed(
+          uncast_access_path,
+          get_inverse_type_substitutions(),
+          get_instrumented_symbol_table()),
+        access_path.type()));
+    // Next we iterate over all shadow variables in the fixed (final) type
+    // and we set each of them either the value of the corresponding shadow
+    // variable in the original expression (if it has that shadow variable),
+    // or we set it to FALSE.
+    // NOTE: Wrapper structures of primitive data types always have only
+    //       the super instance and shadow variables (so, nothing else!).
+    for(const auto &component : to_struct_type(full_fixed_type).components())
+    {
+      // We have to skip the super instance.
+      if(names_of_shadow_variables.count(as_string(
+         component.get_name())) != 0UL)
+      {
+        if(uncasted_access_path_type.id() == ID_struct &&
+          to_struct_type(uncasted_access_path_type).has_component(
+            component.get_name())
+          )
+        {
+          struct_expr.operands().push_back(member_exprt(
+            uncast_access_path, component.get_name(), bool_typet()));
+        }
+        else
+        {
+          struct_expr.operands().push_back(
+            constant_exprt(ID_false, bool_typet()));
+        }
+      }
+    }
+    return struct_expr;
+  }
   else
   {
     // Default case: apply transformation to operands; apply operation to
@@ -393,7 +450,6 @@ exprt taint_instrumentert::drive_access_path_through_super_classes(
       op=get_super_if_subclassed(
         op, get_inverse_type_substitutions(), get_instrumented_symbol_table());
     }
-
     result=make_or_update_initialiser(
       result,
       instrumented_namespace.follow(fixed_type),
@@ -528,6 +584,42 @@ void taint_instrumentert::instrument_instructions_with_shadow_variables(
         {
           asgn.lhs()=drive_access_path_through_super_classes(asgn.lhs());
           asgn.rhs()=drive_access_path_through_super_classes(asgn.rhs());
+
+          // There is a possibility, that asgn.lhs().type()!=asgn.rhs().type().
+          // This may occur only when asgn.rhs().type() is a wrapper of
+          // a primitive data type and asgn.lhs() is an unwrapped primitive
+          // (e.g. array length) that cannot carry taint.
+          // The code below resolves the inconsistency, by applying member
+          // access to the super field of the asgn.rhs() until we get to
+          // the right one.
+
+          const auto &lhs_type =
+            instrumented_namespace.follow(asgn.lhs().type());
+          while(true)
+          {
+            const auto &rhs_type =
+              instrumented_namespace.follow(asgn.rhs().type());
+
+            // We check whether the inconsistency is not present (or has been
+            // fixed already).
+            if(rhs_type.id() != ID_struct || (lhs_type.id() == ID_struct &&
+               to_struct_type(lhs_type).get_tag() ==
+               to_struct_type(rhs_type).get_tag()))
+            {
+              break;
+            }
+
+            // And we fix the inconsistency by accessing the super instance (
+            // i.e. the wrapped type).
+            const auto &struct_type = to_struct_type(rhs_type);
+            INVARIANT(
+              struct_type.has_component(taint_name_of_super_variable()),
+              "Assignment has type mismatch that couldn't be resolved by "
+              "unwrapping the rhs.");
+            asgn.rhs() = member_exprt(
+              asgn.rhs(),
+              struct_type.get_component(taint_name_of_super_variable()));
+          }
         }
       }
       break;
