Propagate bitvector analysis state across function calls

tautschnig · tautschnig · commit 10822d4baa5b · 2017-06-28T11:03:57.000+01:00
diff --git a/regression/goto-analyzer/taint-interproc1/interproc1.class b/regression/goto-analyzer/taint-interproc1/interproc1.class
diff --git a/regression/goto-analyzer/taint-interproc1/interproc1.java b/regression/goto-analyzer/taint-interproc1/interproc1.java
@@ -0,0 +1,19 @@
+class interproc1
+{
+  static void my_method()
+  {
+    Object o=null;
+
+    my_f(o); // T1 source
+    my_g(o);
+  }
+
+  static void my_g(Object p)
+  {
+    my_h(p); // T1 sink
+  }
+
+  static void my_f(Object p) { }
+  static void my_h(Object p) { }
+};
+
diff --git a/regression/goto-analyzer/taint-interproc1/taint.json b/regression/goto-analyzer/taint-interproc1/taint.json
@@ -0,0 +1,4 @@
+[
+{ "id": "my_f", "kind": "source", "where": "parameter1", "taint": "T1", "function": "interproc1.my_f" },
+{ "id": "my_h1", "kind": "sink",   "where": "parameter1", "taint": "T1", "function": "interproc1.my_h", "message": "There is a T1 flow" }
+]
diff --git a/regression/goto-analyzer/taint-interproc1/test.desc b/regression/goto-analyzer/taint-interproc1/test.desc
@@ -0,0 +1,8 @@
+CORE
+interproc1.class
+--taint taint.json
+^EXIT=0$
+^SIGNAL=0$
+^file interproc1.java line 13( function .*)?: There is a T1 flow \(taint rule my_h1\)$
+--
+^warning: ignoring
diff --git a/src/analyses/custom_bitvector_analysis.cpp b/src/analyses/custom_bitvector_analysis.cpp
@@ -334,6 +334,54 @@ void custom_bitvector_domaint::transform(
             }
           }
         }
+        else
+        {
+          goto_programt::const_targett next=from;
+          ++next;
+
+          // only if there is an actual call, i.e., we have a body
+          if(next!=to)
+          {
+            const code_typet &code_type=
+              to_code_type(ns.lookup(identifier).type);
+
+            code_function_callt::argumentst::const_iterator arg_it=
+              code_function_call.arguments().begin();
+            for(const auto &param : code_type.parameters())
+            {
+              const irep_idt &p_identifier=param.get_identifier();
+              if(p_identifier.empty())
+                continue;
+
+              // there may be a mismatch in the number of arguments
+              if(arg_it==code_function_call.arguments().end())
+                break;
+
+              // assignments arguments -> parameters
+              symbol_exprt p=ns.lookup(p_identifier).symbol_expr();
+              // may alias other stuff
+              std::set<exprt> lhs_set=cba.aliases(p, from);
+
+              vectorst rhs_vectors=get_rhs(*arg_it);
+
+              for(const auto &lhs : lhs_set)
+              {
+                assign_lhs(lhs, rhs_vectors);
+              }
+
+              // is it a pointer?
+              if(p.type().id()==ID_pointer)
+              {
+                dereference_exprt lhs_deref(p);
+                dereference_exprt rhs_deref(*arg_it);
+                vectorst rhs_vectors=get_rhs(rhs_deref);
+                assign_lhs(lhs_deref, rhs_vectors);
+              }
+
+              ++arg_it;
+            }
+          }
+        }
       }
     }
     break;

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +[
 +{ "id": "my_f", "kind": "source", "where": "parameter1", "taint": "T1", "function": "interproc1.my_f" },
 +{ "id": "my_h1", "kind": "sink",   "where": "parameter1", "taint": "T1", "function": "interproc1.my_h", "message": "There is a T1 flow" }
 +]