@ -493,9 +493,23 @@ let mark_visited summary node =
stats.Specs.nodes_visited_re <- IntSet.add (node_id :> int) stats.Specs.nodes_visited_re
stats.Specs.nodes_visited_re <- IntSet.add (node_id :> int) stats.Specs.nodes_visited_re
let add_taint_attrs tenv proc_name proc_desc prop =
match Taint.tainted_params proc_name with
| [] -> prop
| tainted_param_nums ->
let formal_params = Cfg.Procdesc.get_formals proc_desc in
let formal_params' =
IList.map (fun (p, _) -> Pvar.mk p proc_name) formal_params in
Taint.get_params_to_taint tainted_param_nums formal_params'
|> IList.fold_left
(fun prop_acc (param, taint_kind) ->
let attr =
PredSymb.Ataint { taint_source = proc_name; taint_kind; } in
Taint.add_tainting_attribute tenv attr param prop_acc)
let forward_tabulate tenv wl source =
let forward_tabulate tenv wl source =
let handled_some_exception = ref false in
let handle_exn_node curr_node exn =
let handle_exn curr_node exn =
let curr_pdesc = Cfg.Node.get_proc_desc curr_node in
let curr_pdesc = Cfg.Node.get_proc_desc curr_node in
let curr_pname = Cfg.Procdesc.get_proc_name curr_pdesc in
let curr_pname = Cfg.Procdesc.get_proc_name curr_pdesc in
Exceptions.print_exception_html "Failure of symbolic execution: " exn;
Exceptions.print_exception_html "Failure of symbolic execution: " exn;
@ -508,110 +522,100 @@ let forward_tabulate tenv wl source =
L.d_strln "SIL INSTR:";
L.d_strln "SIL INSTR:";
Cfg.Node.d_instrs ~sub_instrs: true (State.get_instr ()) curr_node; L.d_ln ();
Cfg.Node.d_instrs ~sub_instrs: true (State.get_instr ()) curr_node; L.d_ln ();
Reporting.log_error curr_pname exn;
Reporting.log_error curr_pname exn;
State.mark_instr_fail exn;
State.mark_instr_fail exn in
handled_some_exception := true in
let exe_iter f pathset =
while not (Worklist.is_empty wl) do
let ps_size = Paths.PathSet.size pathset in
let curr_node = Worklist.remove wl in
let cnt = ref 0 in
let curr_node_kind = Cfg.Node.get_kind curr_node in
let exe prop path =
let curr_node_id = Cfg.Node.get_id curr_node in
State.set_path path None;
let proc_desc = Cfg.Node.get_proc_desc curr_node in
incr cnt;
let proc_name = Cfg.Procdesc.get_proc_name proc_desc in
f prop path !cnt ps_size in
let formal_params = Cfg.Procdesc.get_formals proc_desc in
Paths.PathSet.iter exe pathset in
let summary = Specs.get_summary_unsafe "forward_tabulate" proc_name in
mark_visited summary curr_node; (* mark nodes visited in fp and re phases *)
let print_node_preamble curr_node proc_name session pathset_todo =
let session =
incr summary.Specs.sessions;
!(summary.Specs.sessions) in
do_before_node source session curr_node;
let pathset_todo = path_set_checkout_todo wl curr_node in
let succ_nodes = Cfg.Node.get_succs curr_node in
let exn_nodes = Cfg.Node.get_exn curr_node in
let exe_iter f pathset =
let ps_size = Paths.PathSet.size pathset in
let cnt = ref 0 in
let exe prop path =
State.set_path path None;
incr cnt;
f prop path !cnt ps_size in
Paths.PathSet.iter exe pathset in
let log_string proc_name =
let log_string proc_name =
let phase_string =
let phase_string =
if Specs.get_phase proc_name == Specs.FOOTPRINT then "FP" else "RE" in
if Specs.get_phase proc_name == Specs.FOOTPRINT then "FP" else "RE" in
let summary = Specs.get_summary_unsafe "forward_tabulate" proc_name in
let summary = Specs.get_summary_unsafe "forward_tabulate" proc_name in
let timestamp = Specs.get_timestamp summary in
let timestamp = Specs.get_timestamp summary in
F.sprintf "[%s:%d] %s" phase_string timestamp (Procname.to_string proc_name) in
F.sprintf "[%s:%d] %s" phase_string timestamp (Procname.to_string proc_name) in
let add_taint_attrs proc_name prop =
L.d_strln ("**** " ^ (log_string proc_name) ^ " " ^
match Taint.tainted_params proc_name with
"Node: " ^ string_of_int (Cfg.Node.get_id curr_node :> int) ^ ", " ^
| [] -> prop
"Procedure: " ^ Procname.to_string proc_name ^ ", " ^
| tainted_param_nums ->
"Session: " ^ string_of_int session ^ ", " ^
let formal_params' =
"Todo: " ^ string_of_int (Paths.PathSet.size pathset_todo) ^ " ****");
IList.map (fun (p, _) -> Pvar.mk p proc_name) formal_params in
L.d_increase_indent 1;
Taint.get_params_to_taint tainted_param_nums formal_params'
Propset.d Prop.prop_emp (Paths.PathSet.to_propset tenv pathset_todo);
|> IList.fold_left
L.d_strln ".... Instructions: .... ";
(fun prop_acc (param, taint_kind) ->
Cfg.Node.d_instrs ~sub_instrs: true (State.get_instr ()) curr_node;
let attr =
L.d_ln (); L.d_ln () in
PredSymb.Ataint { taint_source = proc_name; taint_kind; } in
Taint.add_tainting_attribute tenv attr param prop_acc)
let do_prop curr_node proc_desc proc_name handle_exn prop_ path cnt num_paths =
prop in
let prop =
let doit () =
if Config.taint_analysis
handled_some_exception := false;
then add_taint_attrs tenv proc_name proc_desc prop_
check_prop_size pathset_todo;
else prop_ in
L.d_strln ("**** " ^ (log_string proc_name) ^ " " ^
"Node: " ^ string_of_int (curr_node_id :> int) ^ ", " ^
("Processing prop " ^ string_of_int cnt ^ "/" ^ string_of_int num_paths);
"Procedure: " ^ Procname.to_string proc_name ^ ", " ^
L.d_increase_indent 1;
"Session: " ^ string_of_int session ^ ", " ^
"Todo: " ^ string_of_int (Paths.PathSet.size pathset_todo) ^ " ****");
State.reset_diverging_states_node ();
L.d_increase_indent 1;
let pset =
Propset.d Prop.prop_emp (Paths.PathSet.to_propset tenv pathset_todo);
do_symbolic_execution handle_exn tenv curr_node prop path in
L.d_strln ".... Instructions: .... ";
let succ_nodes = Cfg.Node.get_succs curr_node in
Cfg.Node.d_instrs ~sub_instrs: true (State.get_instr ()) curr_node;
let exn_nodes = Cfg.Node.get_exn curr_node in
L.d_ln (); L.d_ln ();
propagate_nodes_divergence tenv proc_desc pset succ_nodes exn_nodes wl;
L.d_decrease_indent 1; L.d_ln();
match curr_node_kind with
| Cfg.Node.Join_node ->
| exn when Exceptions.handle_exception exn && !Config.footprint ->
do_symexec_join proc_name tenv wl curr_node pathset_todo
handle_exn exn;
| Cfg.Node.Stmt_node _
L.d_decrease_indent 1; L.d_ln () in
| Cfg.Node.Prune_node _
| Cfg.Node.Exit_node _
let do_node curr_node proc_desc proc_name pathset_todo session handle_exn =
| Cfg.Node.Skip_node _
check_prop_size pathset_todo;
| Cfg.Node.Start_node _ ->
print_node_preamble curr_node proc_name session pathset_todo;
(fun prop path cnt num_paths ->
match Cfg.Node.get_kind curr_node with
| Cfg.Node.Join_node ->
let prop =
do_symexec_join proc_name tenv wl curr_node pathset_todo
if Config.taint_analysis
| Cfg.Node.Stmt_node _
then add_taint_attrs proc_name prop
| Cfg.Node.Prune_node _
else prop in
| Cfg.Node.Exit_node _
| Cfg.Node.Skip_node _
("Processing prop " ^ string_of_int cnt ^ "/" ^ string_of_int num_paths);
| Cfg.Node.Start_node _ ->
L.d_increase_indent 1;
exe_iter (do_prop curr_node proc_desc proc_name handle_exn) pathset_todo in
State.reset_diverging_states_node ();
let pset =
let do_node_and_handle curr_node proc_desc proc_name session =
do_symbolic_execution (handle_exn curr_node) tenv curr_node prop path in
let pathset_todo = path_set_checkout_todo wl curr_node in
L.d_decrease_indent 1; L.d_ln();
propagate_nodes_divergence tenv proc_desc pset succ_nodes exn_nodes wl;
| exn when Exceptions.handle_exception exn && !Config.footprint ->
handle_exn curr_node exn;
if Config.nonstop then
tenv proc_desc (Paths.PathSet.from_renamed_list [(prop, path)])
succ_nodes exn_nodes wl;
L.d_decrease_indent 1; L.d_ln ())
pathset_todo in
let handle_exn_called = ref false in
if !handled_some_exception then Printer.force_delayed_prints ();
let handle_exn exn =
handle_exn_called := true;
handle_exn_node curr_node exn in
do_node curr_node proc_desc proc_name pathset_todo session handle_exn;
if !handle_exn_called then Printer.force_delayed_prints ();
do_after_node source curr_node
do_after_node source curr_node
| exn when Exceptions.handle_exception exn ->
| exn when Exceptions.handle_exception exn ->
handle_exn curr_node exn;
handle_exn_node curr_node exn;
Printer.force_delayed_prints ();
Printer.force_delayed_prints ();
do_after_node source curr_node;
do_after_node source curr_node;
if not !Config.footprint then raise RE_EXE_ERROR
if not !Config.footprint then raise RE_EXE_ERROR in
while not (Worklist.is_empty wl) do
let curr_node = Worklist.remove wl in
let proc_desc = Cfg.Node.get_proc_desc curr_node in
let proc_name = Cfg.Procdesc.get_proc_name proc_desc in
let summary = Specs.get_summary_unsafe "forward_tabulate" proc_name in
mark_visited summary curr_node; (* mark nodes visited in fp and re phases *)
let session =
incr summary.Specs.sessions;
!(summary.Specs.sessions) in
do_before_node source session curr_node;
do_node_and_handle curr_node proc_desc proc_name session
L.d_strln ".... Work list empty. Stop ...."; L.d_ln ()
L.d_strln ".... Work list empty. Stop ...."; L.d_ln ()