Apply further comments

Author: fabianbs96

include/phasar/PhasarLLVM/DataFlowSolver/IfdsIde/Problems/ExtendedTaintAnalysis/AbstractMemoryLocation.h

@@ -117,8 +117,9 @@ class AbstractMemoryLocationImpl final : public AbstractMemoryLoactionStorage {
   /// Are *this and TV equivalent?
   [[nodiscard]] bool equivalent(const AbstractMemoryLocationImpl &TV) const;
 
-  [[nodiscard]] bool equivalentExceptPointerArithmetics(
-      const AbstractMemoryLocationImpl &TV) const;
+  [[nodiscard]] bool
+  equivalentExceptPointerArithmetics(const AbstractMemoryLocationImpl &TV,
+                                     unsigned PALevel = 1) const;
 
   /// Are *this and TV equivalent wrt aliasing?
   bool mustAlias(

include/phasar/PhasarLLVM/DataFlowSolver/IfdsIde/Problems/IDEExtendedTaintAnalysis.h

@@ -123,7 +123,8 @@ class IDEExtendedTaintAnalysis
   /// llvm::StoreInst, llvm::MemSetInst, etc.
   FlowFunctionPtrType getStoreFF(const llvm::Value *PointerOp,
                                  const llvm::Value *ValueOp,
-                                 const llvm::Instruction *Store);
+                                 const llvm::Instruction *Store,
+                                 unsigned PALevel = 1);
 
   void populateWithMayAliases(SourceConfigTy &Facts) const;
 

include/phasar/PhasarLLVM/DataFlowSolver/IfdsIde/Problems/IFDSFieldSensTaintAnalysis.h

@@ -119,9 +119,9 @@ class IFDSFieldSensTaintAnalysis
   }
 
 private:
-  const TaintConfig &taintConfig;
+  const TaintConfig &Config;
 
-  TraceStats traceStats;
+  TraceStats Stats;
 };
 
 } // namespace psr

include/phasar/PhasarLLVM/TaintConfig/TaintConfig.h

@@ -61,11 +61,14 @@ class TaintConfig {
 
   TaintConfig(const psr::ProjectIRDB &Code, const nlohmann::json &Config);
   TaintConfig(const psr::ProjectIRDB &AnnotatedCode);
-  TaintConfig(TaintDescriptionCallBackTy SourceCB,
-              TaintDescriptionCallBackTy SinkCB);
+  TaintConfig(
+      TaintDescriptionCallBackTy SourceCB, TaintDescriptionCallBackTy SinkCB,
+      TaintDescriptionCallBackTy SanitizerCB = TaintDescriptionCallBackTy{});
+
+  void registerSourceCallBack(TaintDescriptionCallBackTy CB);
+  void registerSinkCallBack(TaintDescriptionCallBackTy CB);
+  void registerSanitizerCallBack(TaintDescriptionCallBackTy CB);
 
-  void registerSourceCallBack(const TaintDescriptionCallBackTy &CB);
-  void registerSinkCallBack(const TaintDescriptionCallBackTy &CB);
   [[nodiscard]] const TaintDescriptionCallBackTy &
   getRegisteredSourceCallBack() const;
   [[nodiscard]] const TaintDescriptionCallBackTy &
@@ -129,6 +132,7 @@ class TaintConfig {
   std::unordered_set<const llvm::Value *> SanitizerValues;
   TaintDescriptionCallBackTy SourceCallBack;
   TaintDescriptionCallBackTy SinkCallBack;
+  TaintDescriptionCallBackTy SanitizerCallBack;
 };
 
 //===----------------------------------------------------------------------===//

lib/PhasarLLVM/DataFlowSolver/IfdsIde/Problems/ExtendedTaintAnalysis/AbstractMemoryLocation.cpp

@@ -96,15 +96,16 @@ bool AbstractMemoryLocationImpl::equivalent(
 }
 
 bool AbstractMemoryLocationImpl::equivalentExceptPointerArithmetics(
-    const AbstractMemoryLocationImpl &TV) const {
+    const AbstractMemoryLocationImpl &TV, unsigned PALevel) const {
   if (base() != TV.base()) {
     return false;
   }
   size_t MinSize = std::min(offsets().size(), TV.offsets().size());
-  if (MinSize == 1) {
+  if (MinSize <= PALevel) {
     return true;
   }
-  return offsets().slice(0, MinSize - 1) == TV.offsets().slice(0, MinSize - 1);
+  return offsets().slice(0, MinSize - PALevel) ==
+         TV.offsets().slice(0, MinSize - PALevel);
 }
 
 bool AbstractMemoryLocationImpl::mustAlias(
@@ -195,7 +196,7 @@ std::ostream &operator<<(std::ostream &OS, const AbstractMemoryLocation &TV) {
 
 llvm::raw_ostream &operator<<(llvm::raw_ostream &OS,
                               const AbstractMemoryLocation &TV) {
-  // TODO: better representation
+  // -> Think about better representation
   OS << "(";
   if (LLVMZeroValue::getInstance()->isLLVMZeroValue(TV->base())) {
     OS << "<ZERO>";

lib/PhasarLLVM/DataFlowSolver/IfdsIde/Problems/IDEExtendedTaintAnalysis.cpp

@@ -11,6 +11,8 @@
 #include <type_traits>
 
 #include "llvm/ADT/SmallSet.h"
+#include "llvm/IR/IntrinsicInst.h"
+#include "llvm/Support/Casting.h"
 
 #include "phasar/DB/ProjectIRDB.h"
 #include "phasar/PhasarLLVM/ControlFlow/LLVMBasedICFG.h"
@@ -30,22 +32,6 @@
 #include "phasar/Utils/Utilities.h"
 
 namespace psr::XTaint {
-// Misc:
-
-template <typename ContainerTy>
-inline void printValues(const ContainerTy &Facts,
-                        std::ostream &OS = std::cerr) {
-  OS << "{";
-
-  for (const auto *Fact : Facts) {
-    OS << "\n\t" << llvmIRToString(Fact);
-  }
-
-  if (!Facts.empty()) {
-    OS << "\n";
-  }
-  OS << "}";
-}
 
 IDEExtendedTaintAnalysis::IDEExtendedTaintAnalysis(
     const ProjectIRDB *IRDB, const LLVMTypeHierarchy *TH,
@@ -138,15 +124,16 @@ IDEExtendedTaintAnalysis::getNormalFlowFunction(n_t Curr,
 IDEExtendedTaintAnalysis::FlowFunctionPtrType
 IDEExtendedTaintAnalysis::getStoreFF(const llvm::Value *PointerOp,
                                      const llvm::Value *ValueOp,
-                                     const llvm::Instruction *Store) {
+                                     const llvm::Instruction *Store,
+                                     unsigned PALevel) {
 
   auto TV = makeFlowFact(ValueOp);
   auto PTS = this->PT->getPointsToSet(PointerOp, Store);
 
   auto Mem = makeFlowFact(PointerOp);
   return makeLambdaFlow<d_t>([this, TV, Mem, PTS{std::move(PTS)}, PointerOp,
-                              ValueOp,
-                              Store](d_t Source) mutable -> std::set<d_t> {
+                              ValueOp, Store,
+                              PALevel](d_t Source) mutable -> std::set<d_t> {
     if (Source->isZero()) {
       std::set<d_t> Ret = {Source};
       generateFromZero(Ret, Store, PointerOp, ValueOp,
@@ -160,7 +147,7 @@ IDEExtendedTaintAnalysis::getStoreFF(const llvm::Value *PointerOp,
     /// easily reachable from TV by simply doing dome pointer arithmetics.
     /// Hence, when loading the value of TV back from Mem this still holds and
     /// must be preserved by the analysis.
-    if (TV->equivalentExceptPointerArithmetics(Source)) {
+    if (TV->equivalentExceptPointerArithmetics(Source, PALevel)) {
       auto Offset = Source - TV;
 
       // generate all may-aliases of Store->getPointerOperand()
@@ -322,17 +309,14 @@ IDEExtendedTaintAnalysis::getCallFlowFunction(n_t CallStmt, f_t DestFun) {
       return {Source};
     }
     std::set<d_t> Ret;
-    /// Don't qualify the 'auto' here, because we should not rely on those
-    /// iterators to be pointers
-
-    // NOLINTNEXTLINE(llvm-qualified-auto, readability-qualified-auto)
-    auto It = call->arg_begin();
-    // NOLINTNEXTLINE(llvm-qualified-auto, readability-qualified-auto)
-    auto End = call->arg_end();
-    // NOLINTNEXTLINE(llvm-qualified-auto, readability-qualified-auto)
-    auto FIt = DestFun->arg_begin();
-    // NOLINTNEXTLINE(llvm-qualified-auto, readability-qualified-auto)
-    auto FEnd = DestFun->arg_end();
+
+    using ArgIterator = llvm::User::const_op_iterator;
+    using ParamIterator = llvm::Function::const_arg_iterator;
+
+    ArgIterator It = call->arg_begin();
+    ArgIterator End = call->arg_end();
+    ParamIterator FIt = DestFun->arg_begin();
+    ParamIterator FEnd = DestFun->arg_end();
 
     const std::string CalleeName =
         (DestFun->hasName()) ? DestFun->getName().str() : "none";
@@ -390,17 +374,13 @@ IDEExtendedTaintAnalysis::getRetFlowFunction(n_t CallSite, f_t CalleeFun,
                                  d_t Source) {
     std::set<d_t> Ret;
 
-    /// Don't qualify the 'auto' here, because we should not rely on those
-    /// iterators to be pointers
+    using ArgIterator = llvm::User::const_op_iterator;
+    using ParamIterator = llvm::Function::const_arg_iterator;
 
-    // NOLINTNEXTLINE(llvm-qualified-auto, readability-qualified-auto)
-    auto It = Call->arg_begin();
-    // NOLINTNEXTLINE(llvm-qualified-auto, readability-qualified-auto)
-    auto End = Call->arg_end();
-    // NOLINTNEXTLINE(llvm-qualified-auto, readability-qualified-auto)
-    auto FIt = CalleeFun->arg_begin();
-    // NOLINTNEXTLINE(llvm-qualified-auto, readability-qualified-auto)
-    auto FEnd = CalleeFun->arg_end();
+    ArgIterator It = Call->arg_begin();
+    ArgIterator End = Call->arg_end();
+    ParamIterator FIt = CalleeFun->arg_begin();
+    ParamIterator FEnd = CalleeFun->arg_end();
 
     for (; FIt != FEnd && It != End; ++FIt, ++It) {
       // Only map back pointer parameters, since for all others we have
@@ -458,12 +438,18 @@ IDEExtendedTaintAnalysis::getSummaryFlowFunction(n_t CallStmt, f_t DestFun) {
     return handleConfig(CallStmt, std::move(SrcConfig), std::move(SinkConfig));
   }
 
-  /// TODO: MemSet
-  //   ...
-  //   } else if (auto MemSet = llvm::dyn_cast<llvm::MemSetInst>(call)) {
-  //     // Basically, MemSet is the same as Store
-  //     return getStoreFF(MemSet->getDest(), MemSet->getValue(), MemSet);
-  //   }
+  if (const auto *MemSet = llvm::dyn_cast<llvm::MemSetInst>(CallStmt)) {
+    /// Basically, MemSet is the same as Store
+    return getStoreFF(MemSet->getRawDest(), MemSet->getValue(), MemSet);
+  }
+
+  if (const auto *MemTrn = llvm::dyn_cast<llvm::MemTransferInst>(CallStmt)) {
+    /// Basically, MemCpy/MemMove are the same as Store.
+    /// We just need to take care about the additional level of indirection
+    /// i.e., not the source itself is stored, but the value it is pointing to
+    return getStoreFF(MemTrn->getRawDest(), MemTrn->getRawSource(), MemTrn,
+                      /*PALevel*/ 2);
+  }
 
   return nullptr;
 }
@@ -484,8 +470,6 @@ auto IDEExtendedTaintAnalysis::getNormalEdgeFunction(n_t Curr, d_t CurrNode,
 
   if (EntryPoints.count(Curr->getFunction()->getName().str()) &&
       Curr == &Curr->getFunction()->front().front()) {
-    // std::cout << "edge seed: " << CurrNode << " --> " << SuccNode
-    //           << " with null\n";
     return getGenEdgeFunction(BBO);
   }
 
@@ -494,10 +478,7 @@ auto IDEExtendedTaintAnalysis::getNormalEdgeFunction(n_t Curr, d_t CurrNode,
     if (const auto *Store = llvm::dyn_cast<llvm::StoreInst>(Curr)) {
       return {Store->getPointerOperand(), Store->getValueOperand()};
     }
-    /// TODO: MemSetInst inherits from CallInst, so move it to summaryEF
-    // if (const auto *MemSet = llvm::dyn_cast<llvm::MemSetInst>(Curr)) {
-    //   return {MemSet->getDest(), MemSet->getValue()};
-    // }
+
     return {nullptr, nullptr};
   }();
 
@@ -516,17 +497,12 @@ auto IDEExtendedTaintAnalysis::getNormalEdgeFunction(n_t Curr, d_t CurrNode,
 
     auto SaniConfig = getSanitizerConfigAt(Curr);
     if (!SaniConfig.empty()) {
-      // std::cerr << "NormalEF: handleEdgeConfig at " << llvmIRToString(Curr)
-      //           << " on " << CurrNode << " --> " << SuccNode << "\n";
       if (isMustAlias(SaniConfig, CurrNode)) {
         return makeEF<GenEdgeFunction>(BBO, Curr);
       }
     }
   }
 
-  // std::cerr << "StoreInst with EdgeID at " << llvmIRToString(Curr) << " on "
-  //           << CurrNode << " --> " << SuccNode << "\n";
-
   return getEdgeIdentity(Curr);
 }
 
@@ -642,7 +618,11 @@ auto IDEExtendedTaintAnalysis::getSummaryEdgeFunction(n_t Curr, d_t CurrNode,
     return makeEF<GenEdgeFunction>(BBO, Curr);
   }
 
-  /// TODO: MemSet
+  // MemIntrinsic covers memset, memcpy and memmove
+  if (const auto *MemSet = llvm::dyn_cast<llvm::MemIntrinsic>(Curr);
+      MemSet && CurrNode->mustAlias(makeFlowFact(MemSet->getRawDest()), *PT)) {
+    return makeEF<GenEdgeFunction>(BBO, Curr);
+  }
 
   return Ret;
 }
@@ -782,11 +762,6 @@ void IDEExtendedTaintAnalysis::doPostProcessing(
       const auto *Load = getApproxLoadFrom(L);
 
       switch (Sani.getKind()) {
-      // case EdgeDomain::Bot:
-      //   rem.push_back(L);
-      //   std::cerr << "Sanitize " << llvmIRToShortString(L) << " with Bottom "
-      //             << std::endl;
-      //   break;
       case EdgeDomain::Sanitized:
         Rem.push_back(L);
         std::cerr << "Sanitize " << llvmIRToShortString(L) << " from parent "