Apply taint summary before application of rules (even if a matching rule exist).

marek-trtik · marek-trtik · commit f91220ed8528 · 2018-02-27T10:54:47.000Z
There is also fixed rules file of the regression test 'taint_over_list'
where were wrong function names (that actually prevented the fixed bug
to be exposed).
diff --git a/regression/end_to_end/taint_over_list/rules.json b/regression/end_to_end/taint_over_list/rules.json
@@ -14,7 +14,7 @@
     {
       "comment": "Put tainted data to list",
       "class": "ArrayList",
-      "method": "add:(LA;)V",
+      "method": "add:(Ljava/lang/Object;)Z",
       "input": {
         "location": "arg1",
         "taint": "Tainted data"
@@ -27,7 +27,7 @@
     {
       "comment": "Get tainted data from list",
       "class": "ArrayList",
-      "method": "get:(I)LA;",
+      "method": "get:(I)Ljava/lang/Object;",
       "input": {
         "location": "this",
         "taint": "Tainted list"
diff --git a/src/taint-analysis/taint_summary.cpp b/src/taint-analysis/taint_summary.cpp
@@ -1095,6 +1095,40 @@ numbered_lvalue_to_taint_mapt taint_algorithm_computing_summary_of_functiont::
         const std::string callee_ident = as_string(callee_id);
         const code_typet &fn_type =
           program->get_functions().function_map.at(callee_id).type;
+        if(database.contains(callee_id))
+        {
+          std::shared_ptr<taint_summaryt> summary = database.at(callee_id);
+
+          transition_properties[Iit].push_back(
+            {taint_transition_property_typet::APPLICATION_OF_SUMMARY,
+             taint_rule_idt{},
+             ""});
+
+          statistics->on_taint_analysis_use_callee_summary(
+            summary, callee_ident);
+
+          numbered_lvalue_to_taint_mapt substituted_summary;
+          std::map<taint_variablet, taint_sett> symbols_substitution;
+          taint_build_symbols_substitution(
+            symbols_substitution,
+            a,
+            summary,
+            fn_call,
+            fn_type,
+            lvsa,
+            Iit,
+            caller_ident);
+          taint_build_substituted_summary(
+            substituted_summary,
+            summary->get_output(),
+            symbols_substitution,
+            caller_ident,
+            fn_call,
+            fn_type,
+            Iit,
+            lvsa);
+          result = assign(result, substituted_summary);
+        }
         std::vector<irep_idt> overridden_functions;
         get_virtual_function_callees(
           callee_expr,
@@ -1292,41 +1326,7 @@ numbered_lvalue_to_taint_mapt taint_algorithm_computing_summary_of_functiont::
             }
           }
         }
-        if(!rule_found && database.contains(callee_id))
-        {
-          std::shared_ptr<taint_summaryt> summary = database.at(callee_id);
-
-          transition_properties[Iit].push_back(
-            {taint_transition_property_typet::APPLICATION_OF_SUMMARY,
-             taint_rule_idt{},
-             ""});
-
-          statistics->on_taint_analysis_use_callee_summary(
-            summary, callee_ident);
-
-          numbered_lvalue_to_taint_mapt substituted_summary;
-          std::map<taint_variablet, taint_sett> symbols_substitution;
-          taint_build_symbols_substitution(
-            symbols_substitution,
-            a,
-            summary,
-            fn_call,
-            fn_type,
-            lvsa,
-            Iit,
-            caller_ident);
-          taint_build_substituted_summary(
-            substituted_summary,
-            summary->get_output(),
-            symbols_substitution,
-            caller_ident,
-            fn_call,
-            fn_type,
-            Iit,
-            lvsa);
-          result = assign(result, substituted_summary);
-        }
-        else if(!rule_found)
+        if(!rule_found && !database.contains(callee_id))
         {
           log->debug()
             << "*** WARNING: Neither matching rule nor summary was found for "
