ClearBlue
SailfishFunctionChecker.h
1 //
2 // Created by yongchao on 12/20/22.
3 //
4 
5 #ifndef CLEARBLUE_YAPSAFUNCTIONCHECKER_H
6 #define CLEARBLUE_YAPSAFUNCTIONCHECKER_H
7 
8 #include <map>
9 
10 #include "Analysis/Graph/DomTreePass.h"
11 #include "Checker/PSA/TraceSummary.h"
12 #include "Checker/PSA/VulnerabilityTrace.h"
13 #include "Checker/PSA/VulnerabilityTraceBuilder.h"
14 #include "Checker/Sailfish/SailfishChecker.h"
15 #include "Checker/Sailfish/SailfishStateBuilder.h"
16 #include "Checker/Sailfish/SummaryMapper.h"
17 #include "IR/SEG/SymbolicExprGraphSolver.h"
18 #include "Utils/Timer.h"
19 
20 using namespace llvm;
21 
22 class SailfishFunctionChecker {
23 protected:
25  SailfishChecker *Parent;
26 
28  Function *F;
29 
31  SailfishSummary *Smry;
32 
34  const DomTree *DT, *PDT;
35 
37  const SymbolicExprGraph *SEG;
38 
40  SMTFactory ConstraintFactory;
41 
46  SailfishStateBuilder *StateBuilder;
47 
50  Timer *TimeChecker;
51 
53  std::shared_ptr<Vulnerability> TSV;
54 
56  std::map<const SEGSiteBase *, std::set<const SEGOperandNode *>> Sources;
57 
58  ParallelThreadLocal *PTL;
59 
60 public:
61  SailfishFunctionChecker(SailfishChecker *P, Function *F);
62 
63  virtual ~SailfishFunctionChecker();
64 
65  virtual void run() = 0;
66 
67  virtual void handleException() {}
68 
69  virtual void storeSummary(SummaryBase *) = 0;
70 
71 protected:
79  void downstreamSearch(const SEGNodeBase *CurrentNode,
80  const SEGNodeBase *PreviousNode,
81  Vulnerability::ValueSitePairType Src,
82  unsigned InlineDepth);
83 
88  void search(const SEGNodeBase *CurrentNode, const SEGNodeBase *PreviousNode,
89  Vulnerability::ValueSitePairType Src, unsigned InlineDepth);
90 
92  void matchFormalActual(SummaryBase *Smry, const SEGCallSite *CS,
93  std::unordered_map<std::string, SMTExpr> &);
94 
98  bool inlineReturnSymbolicSummary(const SEGCallSiteOutputNode *Symbol);
99  bool inlineReturnSymbolicSummary(Vulnerability::ValueSitePairType Src);
100 
109  void inlineCalleeSummaryStartWithParam(const SEGCallSite *CS,
110  TraceSummary *Smry,
111  Vulnerability::ValueSitePairType Src,
112  const SEGOperandNode *ActualNode,
113  unsigned InlineDepth, int Case = 0);
114 
119  void
120  inlineCalleeSummaryEndWithReturn(const SEGCallSite *CS, TraceSummary *Smry,
121  const SEGCallSiteOutputNode *CallSiteOutput,
122  Vulnerability::ValueSitePairType Src,
123  unsigned InlineDepth, int Case = 0);
124 
125  // Return true, if a trace, having *Src* as source pair (Value and Site), can
126  // be reported
127  bool canReport(Vulnerability::ValueSitePairType Src) const;
128 
131  int checkUseSite(
132  const SEGOperandNode *Node, const SEGSiteBase *UseSite,
133  std::unordered_map<const BasicBlock *, SMTSolver::SMTResultType> &,
134  bool UpdateCache);
135 
137  void processUseSite(Vulnerability::ValueSitePairType Src,
138  const SEGOperandNode *Node, const SEGSiteBase *UseSite,
139  Vulnerability::SiteType USTy, unsigned InlineDepth);
140 
141  template <class TraceSummaryType>
142  TraceSummaryType *
143  createTraceSummary(SMTExprVec Constraints,
144  std::shared_ptr<VulnerabilityTrace> Trace,
145  const std::unordered_set<const SEGArgumentNode *> *Inputs,
146  unsigned InlineDepth) {
147  TraceSummaryType *Smry = new TraceSummaryType(F, Trace, InlineDepth);
148  Smry->setVulnerabilityMask(-1);
149  auto NonSymDep = Constraints.toAndExpr();
150  Smry->addNonSymDeps(SummaryCacheItem(&NonSymDep, "", 0));
151  if (Inputs)
152  Smry->setInputs(*Inputs);
153 
154  return Smry;
155  }
156 
160  void
161  collectVarMapping(const std::vector<SummaryCacheItem> &ConstraintsCache,
162  std::string Suffix,
163  std::unordered_map<std::string, SMTExpr> &VariableMapping);
164 
166  void addCachedConstraintsToSummary(SummaryBase *S);
167 
168  void tryReport(std::shared_ptr<VulnerabilityTrace> Trace, unsigned Depth);
169 };
170 
171 #endif // CLEARBLUE_YAPSAFUNCTIONCHECKER_H
SailfishFunctionChecker::Sources
std::map< const SEGSiteBase *, std::set< const SEGOperandNode * > > Sources
Taint sources.
Definition: SailfishFunctionChecker.h:56
SEGOperandNode
Definition: SymbolicExprGraph.h:456
Vulnerability::ValueSitePairType
std::pair< const SEGOperandNode *, const SEGSiteBase * > ValueSitePairType
Definition: Vulnerability.h:90
SEGCallSiteOutputNode
Definition: SEGCallSiteOutputNode.h:19
SEGCallSite
Definition: SEGCallSite.h:51
SailfishStateBuilder
Definition: SailfishStateBuilder.h:12
SymbolicExprGraph
Definition: SymbolicExprGraph.h:708
SailfishFunctionChecker::Smry
SailfishSummary * Smry
the summary of this function
Definition: SailfishFunctionChecker.h:31
Vulnerability::SiteType
SiteType
Definition: Vulnerability.h:58
SailfishFunctionChecker::TSV
std::shared_ptr< Vulnerability > TSV
The vulnerability instance.
Definition: SailfishFunctionChecker.h:53
SailfishFunctionChecker::DT
const DomTree * DT
dom tree and post-dom tree
Definition: SailfishFunctionChecker.h:34
SailfishFunctionChecker::TimeChecker
Timer * TimeChecker
Definition: SailfishFunctionChecker.h:50
SailfishChecker
Definition: SailfishChecker.h:42
SailfishFunctionChecker::StateBuilder
SailfishStateBuilder * StateBuilder
Definition: SailfishFunctionChecker.h:46
SailfishFunctionChecker
Definition: SailfishFunctionChecker.h:22
SailfishFunctionChecker::SEG
const SymbolicExprGraph * SEG
the symbolic expr graph IR
Definition: SailfishFunctionChecker.h:37
ParallelThreadLocal
Definition: SailfishChecker.h:37
SEGSiteBase
Definition: SymbolicExprGraph.h:663
SailfishFunctionChecker::ConstraintFactory
SMTFactory ConstraintFactory
the factory to create constraints
Definition: SailfishFunctionChecker.h:40
SailfishFunctionChecker::F
Function * F
current function
Definition: SailfishFunctionChecker.h:28
SEGNodeBase
The node base of symbolic expression graph.
Definition: SymbolicExprGraph.h:244
SailfishSummary
Various summaries generated for each function in pipelined PSA checker.
Definition: SummaryMapper.h:19
SailfishFunctionChecker::Parent
SailfishChecker * Parent
the parent checker
Definition: SailfishFunctionChecker.h:25
Generated by   doxygen 1.8.17