|
|
|
@ -640,64 +640,59 @@ module Make (TaintSpecification : TaintSpec.S) = struct
|
|
|
|
| _ ->
|
|
|
|
| _ ->
|
|
|
|
Some ret_ap
|
|
|
|
Some ret_ap
|
|
|
|
in
|
|
|
|
in
|
|
|
|
let analyze_call astate_acc callee_pname =
|
|
|
|
let call_site = CallSite.make callee_pname callee_loc in
|
|
|
|
let call_site = CallSite.make callee_pname callee_loc in
|
|
|
|
let astate_with_sink =
|
|
|
|
let astate_with_sink =
|
|
|
|
if List.is_empty actuals then astate
|
|
|
|
if List.is_empty actuals then astate
|
|
|
|
else
|
|
|
|
else
|
|
|
|
let sinks = TraceDomain.Sink.get call_site actuals call_flags proc_data.ProcData.tenv in
|
|
|
|
let sinks =
|
|
|
|
List.fold sinks ~init:astate ~f:(fun astate sink ->
|
|
|
|
TraceDomain.Sink.get call_site actuals call_flags proc_data.ProcData.tenv
|
|
|
|
add_sink sink actuals astate proc_data call_site )
|
|
|
|
in
|
|
|
|
in
|
|
|
|
List.fold sinks ~init:astate ~f:(fun astate sink ->
|
|
|
|
let astate_with_summary =
|
|
|
|
add_sink sink actuals astate proc_data call_site )
|
|
|
|
let sources = TraceDomain.Source.get call_site actuals proc_data.tenv in
|
|
|
|
in
|
|
|
|
match sources with
|
|
|
|
let astate_with_summary =
|
|
|
|
| _ :: _ ->
|
|
|
|
let sources = TraceDomain.Source.get call_site actuals proc_data.tenv in
|
|
|
|
(* don't use a summary for a procedure that is a direct source *)
|
|
|
|
match sources with
|
|
|
|
List.fold sources ~init:astate_with_sink
|
|
|
|
| _ :: _ ->
|
|
|
|
~f:(fun astate {TraceDomain.Source.source; index} ->
|
|
|
|
(* don't use a summary for a procedure that is a direct source *)
|
|
|
|
match index with
|
|
|
|
List.fold sources ~init:astate_with_sink
|
|
|
|
|
|
|
|
~f:(fun astate {TraceDomain.Source.source; index} ->
|
|
|
|
|
|
|
|
match index with
|
|
|
|
|
|
|
|
| None ->
|
|
|
|
|
|
|
|
Option.value_map dummy_ret_opt ~default:astate ~f:(fun ret_base ->
|
|
|
|
|
|
|
|
add_return_source source ret_base astate )
|
|
|
|
|
|
|
|
| Some index ->
|
|
|
|
|
|
|
|
add_actual_source source index actuals astate_with_sink proc_data )
|
|
|
|
|
|
|
|
| [] -> (
|
|
|
|
|
|
|
|
match Payload.read proc_data.pdesc callee_pname with
|
|
|
|
|
|
|
|
| None ->
|
|
|
|
|
|
|
|
handle_unknown_call callee_pname astate_with_sink
|
|
|
|
|
|
|
|
| Some summary -> (
|
|
|
|
|
|
|
|
let ret_typ = snd ret_ap in
|
|
|
|
|
|
|
|
let access_tree = TaintSpecification.of_summary_access_tree summary in
|
|
|
|
|
|
|
|
match
|
|
|
|
|
|
|
|
TaintSpecification.get_model callee_pname ret_typ actuals proc_data.tenv
|
|
|
|
|
|
|
|
access_tree
|
|
|
|
|
|
|
|
with
|
|
|
|
|
|
|
|
| Some model ->
|
|
|
|
|
|
|
|
handle_model callee_pname astate_with_sink model
|
|
|
|
|
|
|
|
| None ->
|
|
|
|
| None ->
|
|
|
|
apply_summary dummy_ret_opt actuals access_tree astate_with_sink proc_data
|
|
|
|
Option.value_map dummy_ret_opt ~default:astate ~f:(fun ret_base ->
|
|
|
|
call_site ) )
|
|
|
|
add_return_source source ret_base astate )
|
|
|
|
in
|
|
|
|
| Some index ->
|
|
|
|
let astate_with_sanitizer =
|
|
|
|
add_actual_source source index actuals astate_with_sink proc_data )
|
|
|
|
match dummy_ret_opt with
|
|
|
|
| [] -> (
|
|
|
|
|
|
|
|
match Payload.read proc_data.pdesc callee_pname with
|
|
|
|
| None ->
|
|
|
|
| None ->
|
|
|
|
astate_with_summary
|
|
|
|
handle_unknown_call callee_pname astate_with_sink
|
|
|
|
| Some ret_base -> (
|
|
|
|
| Some summary -> (
|
|
|
|
match TraceDomain.Sanitizer.get callee_pname proc_data.tenv with
|
|
|
|
let ret_typ = snd ret_ap in
|
|
|
|
| Some sanitizer ->
|
|
|
|
let access_tree = TaintSpecification.of_summary_access_tree summary in
|
|
|
|
let ret_ap = AccessPath.Abs.Exact (ret_base, []) in
|
|
|
|
match
|
|
|
|
let ret_trace = access_path_get_trace ret_ap astate_with_summary proc_data in
|
|
|
|
TaintSpecification.get_model callee_pname ret_typ actuals proc_data.tenv
|
|
|
|
let ret_trace' = TraceDomain.add_sanitizer sanitizer ret_trace in
|
|
|
|
access_tree
|
|
|
|
TaintDomain.add_trace ret_ap ret_trace' astate_with_summary
|
|
|
|
with
|
|
|
|
| None ->
|
|
|
|
| Some model ->
|
|
|
|
astate_with_summary )
|
|
|
|
handle_model callee_pname astate_with_sink model
|
|
|
|
in
|
|
|
|
| None ->
|
|
|
|
Domain.join astate_acc astate_with_sanitizer
|
|
|
|
apply_summary dummy_ret_opt actuals access_tree astate_with_sink proc_data
|
|
|
|
|
|
|
|
call_site ) )
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
let astate_with_sanitizer =
|
|
|
|
|
|
|
|
match dummy_ret_opt with
|
|
|
|
|
|
|
|
| None ->
|
|
|
|
|
|
|
|
astate_with_summary
|
|
|
|
|
|
|
|
| Some ret_base -> (
|
|
|
|
|
|
|
|
match TraceDomain.Sanitizer.get callee_pname proc_data.tenv with
|
|
|
|
|
|
|
|
| Some sanitizer ->
|
|
|
|
|
|
|
|
let ret_ap = AccessPath.Abs.Exact (ret_base, []) in
|
|
|
|
|
|
|
|
let ret_trace = access_path_get_trace ret_ap astate_with_summary proc_data in
|
|
|
|
|
|
|
|
let ret_trace' = TraceDomain.add_sanitizer sanitizer ret_trace in
|
|
|
|
|
|
|
|
TaintDomain.add_trace ret_ap ret_trace' astate_with_summary
|
|
|
|
|
|
|
|
| None ->
|
|
|
|
|
|
|
|
astate_with_summary )
|
|
|
|
in
|
|
|
|
in
|
|
|
|
analyze_call Domain.empty callee_pname
|
|
|
|
astate_with_sanitizer
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
let exec_instr (astate : Domain.t) (proc_data : extras ProcData.t) _ (instr : HilInstr.t) =
|
|
|
|
let exec_instr (astate : Domain.t) (proc_data : extras ProcData.t) _ (instr : HilInstr.t) =
|
|
|
|
|
Mehdi Bouaziz
6 years ago
committed by
Facebook Github Bot