[quandary] handling globals in function summaries

Reviewed By: jeremydubreil

Differential Revision: D3866616

fbshipit-source-id: 1b77bca
master
Sam Blackshear 9 years ago committed by Facebook Github Bot 8
parent b1039f51f8
commit 4b9899d6b2

@ -72,6 +72,10 @@ module Make (TraceDomain : QuandarySummary.Trace) = struct
F.fprintf fmt "(%a, %a)" TaintDomain.pp access_tree IdMapDomain.pp id_map
end
let is_global (var, _) = match var with
| Var.ProgramVar pvar -> Pvar.is_global pvar
| Var.LogicalVar _ -> false
module TransferFunctions (CFG : ProcCfg.S) = struct
module CFG = CFG
module Domain = Domain
@ -83,9 +87,9 @@ module Make (TraceDomain : QuandarySummary.Trace) = struct
let is_formal base formal_map =
AccessPath.BaseMap.mem base formal_map
let is_rooted_in_formal ap formal_map =
let is_rooted_in_environment ap formal_map =
let root, _ = AccessPath.extract ap in
is_formal root formal_map
is_formal root formal_map || is_global root
let resolve_id id_map id =
try Some (IdMapDomain.find id id_map)
@ -96,7 +100,7 @@ module Make (TraceDomain : QuandarySummary.Trace) = struct
match TaintDomain.get_node access_path access_tree with
| Some _ as node_opt ->
node_opt
| None when is_rooted_in_formal access_path proc_data.extras ->
| None when is_rooted_in_environment access_path proc_data.extras ->
let call_site = CallSite.make (Cfg.Procdesc.get_proc_name proc_data.ProcData.pdesc) loc in
let trace =
TraceDomain.of_source (TraceDomain.Source.make_footprint access_path call_site) in
@ -104,6 +108,12 @@ module Make (TraceDomain : QuandarySummary.Trace) = struct
| None ->
None
(* get the trace associated with [access_path] in [access_tree]. *)
let access_path_get_trace access_path access_tree proc_data loc =
match access_path_get_node access_path access_tree proc_data loc with
| Some (trace, _) -> trace
| None -> TraceDomain.initial
(* get the node associated with [exp] in [access_tree] *)
let exp_get_node exp typ { Domain.access_tree; id_map; } proc_data loc =
let f_resolve_id = resolve_id id_map in
@ -195,9 +205,7 @@ module Make (TraceDomain : QuandarySummary.Trace) = struct
| Some actual_ap ->
let projected_ap = project ~formal_ap ~actual_ap in
let projected_trace =
match access_path_get_node projected_ap access_tree proc_data callee_loc with
| Some (trace, _) -> trace
| None -> TraceDomain.initial in
access_path_get_trace projected_ap access_tree proc_data callee_loc in
Some (projected_ap, projected_trace)
| None ->
None in
@ -212,9 +220,8 @@ module Make (TraceDomain : QuandarySummary.Trace) = struct
| Some (_, actual_trace) -> actual_trace
| None -> TraceDomain.initial
end
| In_global _ ->
(* TODO: implement this once we add globals to the footprint (t13273652) *)
TraceDomain.initial in
| In_global global_ap ->
access_path_get_trace global_ap access_tree proc_data callee_loc in
let caller_ap_trace_opt =
match in_out_summary.output with
@ -222,9 +229,9 @@ module Make (TraceDomain : QuandarySummary.Trace) = struct
Some (apply_return ret_ap ret_ids, TraceDomain.initial)
| Out_formal (formal_num, formal_ap) ->
get_actual_ap_trace formal_num formal_ap access_tree
| Out_global _ ->
(* TODO: implement this once we add globals to the footprint (t13273652) *)
None in
| Out_global global_ap ->
let global_trace = access_path_get_trace global_ap access_tree proc_data callee_loc in
Some (global_ap, global_trace) in
match caller_ap_trace_opt with
| Some (caller_ap, caller_trace) ->
let output_trace = TraceDomain.of_summary_trace in_out_summary.output_trace in
@ -365,23 +372,35 @@ module Make (TraceDomain : QuandarySummary.Trace) = struct
| exception Not_found ->
if is_return base
then Some (QuandarySummary.make_return_output access_path)
else if is_global base
then Some (QuandarySummary.make_global_output access_path)
else None in
let add_summary_for_source source acc =
match TraceDomain.Source.get_footprint_access_path source with
| Some footprint_ap ->
let footprint_ap_base = fst (AccessPath.extract footprint_ap) in
let formal_index =
let input, output =
match AccessPath.BaseMap.find footprint_ap_base formal_map with
| index -> index
| formal_index ->
let input = QuandarySummary.make_formal_input formal_index footprint_ap in
let output =
match output_opt with
| Some output -> output
| None -> QuandarySummary.make_formal_output formal_index footprint_ap in
input, output
| exception Not_found ->
failwithf
"Couldn't find formal number for %a@." AccessPath.pp_base footprint_ap_base in
let input = QuandarySummary.make_formal_input formal_index footprint_ap in
let output =
match output_opt with
| Some output -> output
| None -> QuandarySummary.make_formal_output formal_index footprint_ap in
if is_global footprint_ap_base
then
let input = QuandarySummary.make_global_input footprint_ap in
let output =
match output_opt with
| Some output -> output
| None -> QuandarySummary.make_global_output footprint_ap in
input, output
else
failwithf
"Couldn't find formal number for %a@." AccessPath.pp_base footprint_ap_base in
let summary = QuandarySummary.make_in_out_summary input output summary_trace in
summary :: acc
| None ->
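Review bot: In the last hunk (`add_summary_for_source`), the `match output_opt with` fallback is now written out twice, once in the formal branch and once in the global branch. The final `failwithf` also still says "Couldn't find formal number", although it is now reached only when the footprint base is neither a formal nor a global. Returning the input together with a default output from the lookup, and resolving `output_opt` once afterwards, keeps the two cases from drifting apart and lets the message name the real invariant. This builds the default output even when `output_opt` is `Some`, which looks harmless if the `make_*_output` functions are plain constructors, but that is not visible here. The function continues past the end of the hunk.

```ocaml
let input, default_output =
  match AccessPath.BaseMap.find footprint_ap_base formal_map with
  | formal_index ->
      QuandarySummary.make_formal_input formal_index footprint_ap,
      QuandarySummary.make_formal_output formal_index footprint_ap
  | exception Not_found ->
      if is_global footprint_ap_base
      then
        QuandarySummary.make_global_input footprint_ap,
        QuandarySummary.make_global_output footprint_ap
      else
        failwithf
          "Footprint base %a is neither a formal nor a global@."
          AccessPath.pp_base footprint_ap_base in
let output =
  match output_opt with
  | Some output -> output
  | None -> default_output in
(* … unchanged: make_in_out_summary and the rest of add_summary_for_source … *)
```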

@ -15,6 +15,8 @@ class Interprocedural {
Object f;
static Object sGlobal;
static class Obj {
Object f;
}
@ -56,6 +58,21 @@ class Interprocedural {
InferTaint.inferSensitiveSink(returnSourceViaField().f);
}
public static void returnSourceViaGlobal() {
sGlobal = InferTaint.inferSecretSource();
}
public void returnSourceViaGlobalBad() {
returnSourceViaGlobal();
InferTaint.inferSensitiveSink(sGlobal);
}
public void returnSourceViaGlobalOk() {
returnSourceViaGlobal();
sGlobal = null;
InferTaint.inferSensitiveSink(sGlobal);
}
/** sink tests */
public static void callSinkParam1(Object param1, Object param2) {
@ -115,6 +132,44 @@ class Interprocedural {
callSinkOnLocal();
}
public static void callSinkOnGlobal() {
InferTaint.inferSensitiveSink(sGlobal);
}
public static void callSinkOnGlobalBad() {
sGlobal = InferTaint.inferSecretSource();
callSinkOnGlobal();
}
public static void callSinkOnGlobalOk() {
sGlobal = InferTaint.inferSecretSource();
sGlobal = null;
callSinkOnGlobal();
}
public static void setGlobal(Object o) {
sGlobal = o;
}
public static void setGlobalThenCallSinkBad() {
setGlobal(InferTaint.inferSecretSource());
callSinkOnGlobal();
}
public static Object getGlobal() {
return sGlobal;
}
public static void getGlobalThenCallSink() {
Object local = getGlobal();
InferTaint.inferSensitiveSink(sGlobal);
}
public static void getGlobalThenCallSinkBad() {
sGlobal = InferTaint.inferSecretSource();
getGlobalThenCallSink();
}
/** passthrough tests */
public static void singlePassthroughBad() {
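Review bot: `getGlobalThenCallSink` assigns `getGlobal()` to `local` but then passes `sGlobal` to the sink, so `local` is unused. As written, the test does not check that taint read from the global flows through the getter's return value into a sink. If that flow is what the test is meant to cover, the sink call should be `InferTaint.inferSensitiveSink(local);`. The expected trace for `getGlobalThenCallSinkBad` in the issues file should be re-checked after that change.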

@ -29,19 +29,23 @@ Fields.java:44: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.infer
Fields.java:51: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 49]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 51]) via { }
Fields.java:56: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 55]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 56]) via { }
Fields.java:63: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 62]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 63]) via { }
Interprocedural.java:37: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 29]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 37]) via { Object Interprocedural.returnSourceDirect() at [line 37] }
Interprocedural.java:42: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 29]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 42]) via { Object Interprocedural.returnSourceDirect() at [line 41] }
Interprocedural.java:46: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 33]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 46]) via { Object Interprocedural.returnSourceIndirect() at [line 46] }
Interprocedural.java:56: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 51]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 56]) via { Interprocedural$Obj Interprocedural.returnSourceViaField() at [line 56] }
Interprocedural.java:66: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 66]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 62]) via { void Interprocedural.callSinkParam1(Object,Object) at [line 66] }
Interprocedural.java:78: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 78]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 74]) via { void Interprocedural.callSinkParam2(Object,Object) at [line 78] }
Interprocedural.java:91: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 90]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 86]) via { void Interprocedural.callSinkOnFieldDirect() at [line 91] }
Interprocedural.java:101: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 100]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 95]) via { void Interprocedural.callSinkOnFieldIndirect(Interprocedural$Obj) at [line 101] }
Interprocedural.java:115: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 114]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 110]) via { void Interprocedural.callSinkOnLocal() at [line 115], Object Interprocedural.getF() at [line 109] }
Interprocedural.java:123: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 121]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 123]) via { Object Interprocedural.id(Object) at [line 122] }
Interprocedural.java:130: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 127]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 130]) via { Object Interprocedural.id(Object) at [line 128], Object Interprocedural.id(Object) at [line 129] }
Interprocedural.java:141: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 136]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 141]) via { Object Interprocedural.returnSourceConditional(boolean) at [line 141] }
Interprocedural.java:152: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 150]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 152]) via { }
Interprocedural.java:39: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 31]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 39]) via { Object Interprocedural.returnSourceDirect() at [line 39] }
Interprocedural.java:44: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 31]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 44]) via { Object Interprocedural.returnSourceDirect() at [line 43] }
Interprocedural.java:48: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 35]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 48]) via { Object Interprocedural.returnSourceIndirect() at [line 48] }
Interprocedural.java:58: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 53]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 58]) via { Interprocedural$Obj Interprocedural.returnSourceViaField() at [line 58] }
Interprocedural.java:67: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 62]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 67]) via { void Interprocedural.returnSourceViaGlobal() at [line 66] }
Interprocedural.java:83: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 83]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 79]) via { void Interprocedural.callSinkParam1(Object,Object) at [line 83] }
Interprocedural.java:95: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 95]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 91]) via { void Interprocedural.callSinkParam2(Object,Object) at [line 95] }
Interprocedural.java:108: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 107]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 103]) via { void Interprocedural.callSinkOnFieldDirect() at [line 108] }
Interprocedural.java:118: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 117]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 112]) via { void Interprocedural.callSinkOnFieldIndirect(Interprocedural$Obj) at [line 118] }
Interprocedural.java:132: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 131]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 127]) via { void Interprocedural.callSinkOnLocal() at [line 132], Object Interprocedural.getF() at [line 126] }
Interprocedural.java:141: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 140]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 136]) via { void Interprocedural.callSinkOnGlobal() at [line 141] }
Interprocedural.java:156: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 155]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 136]) via { void Interprocedural.callSinkOnGlobal() at [line 156], void Interprocedural.setGlobal(Object) at [line 155] }
Interprocedural.java:170: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 169]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 165]) via { Object Interprocedural.getGlobal() at [line 164], void Interprocedural.getGlobalThenCallSink() at [line 170] }
Interprocedural.java:178: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 176]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 178]) via { Object Interprocedural.id(Object) at [line 177] }
Interprocedural.java:185: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 182]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 185]) via { Object Interprocedural.id(Object) at [line 183], Object Interprocedural.id(Object) at [line 184] }
Interprocedural.java:196: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 191]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 196]) via { Object Interprocedural.returnSourceConditional(boolean) at [line 196] }
Interprocedural.java:207: ERROR: QUANDARY_TAINT_ERROR Error: Other(Object InferTaint.inferSecretSource() at [line 205]) -> Other(void InferTaint.inferSensitiveSink(Object) at [line 207]) via { }
LoggingPrivateData.java:18: ERROR: QUANDARY_TAINT_ERROR Error: SharedPreferences(String SharedPreferences.getString(String,String) at [line 18]) -> Logging(int Log.d(String,String) at [line 18]) via { }
LoggingPrivateData.java:22: ERROR: QUANDARY_TAINT_ERROR Error: SharedPreferences(String SharedPreferences.getString(String,String) at [line 22]) -> Logging(int Log.d(String,String) at [line 22]) via { }
LoggingPrivateData.java:37: ERROR: QUANDARY_TAINT_ERROR Error: SharedPreferences(String SharedPreferences.getString(String,String) at [line 36]) -> Logging(int Log.w(String,Throwable) at [line 37]) via { }
