Skip to content

Commit 936bda1

Browse files
marek-trtikmarek-trtik
committed
Bug-fig: Removal of dead branches in chains propagation graph did not considered
loop edges (leading from a node back to it). Also, function sets of of the destroyed node was not merged with the target one. For that purpose (to improve the complexity of the operation) we slightly changed the type of the successors map.
1 parent 79c83c4 commit 936bda1

File tree

3 files changed

+35
-27
lines changed

3 files changed

+35
-27
lines changed

src/taint-slicer/instrumentation_props.cpp

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -62,8 +62,8 @@ static void perform_BFS(
6262
continue;
6363
reachable.insert(nid);
6464
if(do_fwd_search)
65-
for(const auto &fns_nid : chains.get_successors_map().at(nid))
66-
work.push_back(fns_nid.second);
65+
for(const auto &nid_fns : chains.get_successors_map().at(nid))
66+
work.push_back(nid_fns.first);
6767
else
6868
for(const auto pred_nid : chains.get_predecessors_map().at(nid))
6969
work.push_back(pred_nid);
@@ -126,8 +126,8 @@ void taint_build_instrumentation_props(
126126
// Here we collect functions appearing in sets labelling edges of
127127
// chains graph.
128128
for(const auto &elem : chains.get_successors_map()) // For each node
129-
for(const auto &fns_nid : elem.second) // For each out-edge from the node
130-
for(const auto &fn : fns_nid.first) // For each label on the edge
129+
for(const auto &nid_fns : elem.second) // For each out-edge from the node
130+
for(const auto &fn : nid_fns.second) // For each label on the edge
131131
functions.insert(fn);
132132
}
133133

src/taint-slicer/propagation_chains.cpp

Lines changed: 30 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -170,8 +170,8 @@ taint_propagation_chainst::taint_propagation_chainst(
170170
}
171171
// Build predecessors of nodes of chains.
172172
for(const auto &elem : successors)
173-
for(const auto &fns_nid : elem.second)
174-
predecessors[fns_nid.second].insert(elem.first);
173+
for(const auto &nid_fns : elem.second)
174+
predecessors[nid_fns.first].insert(elem.first);
175175
resolve_conditional_rule_applications(
176176
program,
177177
numbering,
@@ -242,7 +242,7 @@ taint_propagation_chainst::extend_chain_by_transition(
242242
}
243243
// Now we perform the the insertion of the transition to the new node and
244244
// we consider the case of the target node being sink.
245-
const auto res=successors[nid].insert({functions, dst_nid});
245+
const auto res=successors[nid].insert({dst_nid, functions});
246246
const std::vector<taint_rule_idt> &to_sink_rules=
247247
tokens_propagation_graph.get_backward_rules_from_token(
248248
tokens_propagation_graph.get_sink_token());
@@ -279,23 +279,31 @@ taint_propagation_chainst::erase_node(const node_idt nid)
279279
}
280280

281281
for(const auto &pred_nid : get_predecessors_map().at(nodes.size()))
282-
{
283-
auto &edges=successors.at(pred_nid);
284-
std::vector<successors_mapt::mapped_type::iterator> to_remove;
285-
for(auto it=edges.begin(); it!=edges.end(); ++it)
286-
if(it->second==nodes.size())
287-
to_remove.push_back(it);
288-
for(const auto &it : to_remove)
282+
if(pred_nid!=nodes.size())
289283
{
290-
edges.insert({it->first,nid});
291-
edges.erase(it);
284+
auto &edges=successors.at(pred_nid);
285+
edges[nid].insert(edges[nodes.size()].begin(), edges[nodes.size()].end());
286+
edges.erase(nodes.size());
292287
}
293-
}
294-
for(const auto &fns_nid : get_successors_map().at(nodes.size()))
288+
for(const auto &nid_fns : get_successors_map().at(nodes.size()))
289+
if(nid_fns.first!=nodes.size())
290+
{
291+
auto &edges=predecessors.at(nid_fns.first);
292+
edges.insert(nid);
293+
edges.erase(nodes.size());
294+
}
295+
if(get_predecessors_map().at(nodes.size()).count(nodes.size())!=0UL)
295296
{
296-
auto &edges=predecessors.at(fns_nid.second);
297-
edges.insert(nid);
298-
edges.erase(nodes.size());
297+
{
298+
auto &edges=successors.at(nodes.size());
299+
edges[nid].insert(edges[nodes.size()].begin(), edges[nodes.size()].end());
300+
edges.erase(nodes.size());
301+
}
302+
{
303+
auto &edges=predecessors.at(nodes.size());
304+
edges.insert(nid);
305+
edges.erase(nodes.size());
306+
}
299307
}
300308
successors.at(nid)=successors.at(nodes.size());
301309
successors.erase(nodes.size());
@@ -321,7 +329,7 @@ void taint_propagation_chainst::erase_dead_branches()
321329
continue;
322330
fwd_reachable.insert(nid);
323331
for(const auto &fns_nid : get_successors_map().at(nid))
324-
work.push_back(fns_nid.second);
332+
work.push_back(fns_nid.first);
325333
}
326334
}
327335
// Use BFS to find all nodes backward-reachable from sinks.
@@ -448,13 +456,13 @@ std::ostream &to_dot(
448456
for(const auto &nid : chains.get_sinks())
449457
ostr << " " << nid << " -> " << chains.get_nodes().size()+1U << ";\n";
450458
for(const auto &nid_edge : chains.get_successors_map())
451-
for(const auto &elabel_dstnid : nid_edge.second)
459+
for(const auto &dstnid_elabel : nid_edge.second)
452460
{
453-
ostr << " " << nid_edge.first << " -> " << elabel_dstnid.second;
461+
ostr << " " << nid_edge.first << " -> " << dstnid_elabel.first;
454462
ostr << " [label=\"FUNCTIONS {";
455-
if(!elabel_dstnid.first.empty())
463+
if(!dstnid_elabel.second.empty())
456464
ostr << "\\l";
457-
for(const auto &fid : elabel_dstnid.first)
465+
for(const auto &fid : dstnid_elabel.second)
458466
ostr << " " << fid << "\\l";
459467
ostr << "}\\l\"];\n";
460468
}

src/taint-slicer/propagation_chains.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -114,7 +114,7 @@ class taint_propagation_chainst
114114

115115
typedef std::map<
116116
node_idt,
117-
std::set<std::pair<function_ids_sett, node_idt> > >
117+
std::map<node_idt, function_ids_sett> >
118118
successors_mapt;
119119
typedef std::map<node_idt, std::set<node_idt> > predecessors_mapt;
120120

0 commit comments

Comments
 (0)