SailfishChecker_8h_source.html

//

// Created by yongchao on 12/20/22.

//


#ifndef CLEARBLUE_YAPSACHECKER_H

#define CLEARBLUE_YAPSACHECKER_H


#include <map>

#include <set>


#include "Analysis/Bitcode/TSDataLayout.h"

#include "Analysis/CFG/CFGReachabilityAnalysis.h"

#include "Analysis/GVFA/NullPtrAnalysis.h"

#include "Analysis/Graph/DomTreePass.h"

#include "Analysis/TypeInference/TypeInference.h"

#include "Checker/PSA/PSAChecker.h"

#include "Checker/PSA/SymbolicSummary.h"

#include "Checker/PSA/TraceSummary.h"

#include "Checker/Sailfish/BotUpParallelPass.h"

#include "Checker/Sailfish/SummaryMapper.h"

#include "IR/SEG/SymbolicExprGraph.h"

#include "IR/SEG/SymbolicExprGraphBuilder.h"

#include "Report/BugReport/Reporter.h"


typedef struct StatisticsEntry {

  StringRef FunctionName;

  StringRef TaskName;

  size_t NumStartedPoints;

  size_t NumProducedSummaries;

  size_t RunningTime;


  StatisticsEntry(StringRef FN, StringRef TN, size_t NSP, size_t NPS, size_t RT)

      : FunctionName(FN), TaskName(TN), NumStartedPoints(NSP),

        NumProducedSummaries(NPS), RunningTime(RT) {}

} StatisticsEntry;


typedef struct ParallelThreadLocal {

  std::vector<std::pair<int, std::shared_ptr<VulnerabilityTrace>>> VulnTraces;

  std::vector<StatisticsEntry> Statistics;

} ParallelThreadLocal;


class SailfishChecker : public BotUpParallelPass, Reporter {

  friend class SailfishFunctionChecker;


private:

  //  SymbolicExprGraphBuilder *SEGBuilder = nullptr;

  DomTreePass *DTP = nullptr;

  //  CBCallGraph *CG = nullptr;

  NullPtrAnalysis *NPA = nullptr;

  CFGReachabilityAnalysis *CRA = nullptr;

  TSDataLayout *TDL = nullptr;

  ExternalMemorySpec *MemSepc = nullptr;

  ExternalIOSpec *IOSpec = nullptr;

  ExternalTaintSpec *TaintSpec = nullptr;


  DebugInfoAnalysis *DIA = nullptr;

  InstResolver *IResolver = nullptr;

  ControlDependenceAnalysis *CDGs = nullptr;

  TypeInference *Infer = nullptr;


  SMTAdvisor4Inlining SMTAdvisor;


  std::map<const Function *, SailfishSummary *> FuncSummaryMap;


  std::shared_ptr<VulnerabilityWrapper> Vuln;


public:

  static char ID;

  SailfishChecker();

  virtual ~SailfishChecker();


public:

  /*==- interfaces extended from BotUpParallelPass -==*/


  virtual void getAnalysisUsage(AnalysisUsage &AU) const override;


  virtual bool runOnModule(Module &M) override;


  virtual bool internallyDepends(unsigned TaskAID, unsigned TaskBID) override;


  virtual bool externallyDepends(unsigned CallerTaskID,

                                 unsigned CalleeTaskID) override;


  virtual bool runOnFunction(Function &F) override;


  virtual bool runOnFunction(Function &F, unsigned TaskID) override;


  virtual bool releaseMemory(Function &F) override;


  virtual std::string getName() { return "PSA-PPL"; }


  virtual SymbolicExprGraphBuilder *getSEGs() override { return SEGBuilder; }


  virtual CBCallGraph *getCG() override { return CG; }


  virtual DomTreePass *getDTP() override { return DTP; }


  virtual TSDataLayout *getDL() override { return TDL; };


  virtual DebugInfoAnalysis *getDIA() override { return DIA; };


  ExternalMemorySpec *getMemSpec() override { return MemSepc; };


  ExternalIOSpec *getIOSpec() override { return IOSpec; };


  ExternalTaintSpec *getTaintSpec() override { return TaintSpec; };


private:

  bool initialization(Module &);


  bool finalization(Module &);


  bool releaseMemory4Summary(SailfishSummary *Summary);


  void buildVFFromRet(Function &F);


  void buildVFFromParam(Function &F);


  void buildVFFromErSrc(Function &F);


  void buildVFFromSrcWp(Function &F);


  void buildVFFromCSOut(Function &F);

};


#endif // CLEARBLUE_YAPSACHECKER_H