|
ClearBlue
|


Public Member Functions | |
| SailfishFunctionChecker (SailfishChecker *P, Function *F) | |
| virtual void | run ()=0 |
| virtual void | handleException () |
| virtual void | storeSummary (SummaryBase *)=0 |
Protected Member Functions | |
| void | downstreamSearch (const SEGNodeBase *CurrentNode, const SEGNodeBase *PreviousNode, Vulnerability::ValueSitePairType Src, unsigned InlineDepth) |
| void | search (const SEGNodeBase *CurrentNode, const SEGNodeBase *PreviousNode, Vulnerability::ValueSitePairType Src, unsigned InlineDepth) |
| void | matchFormalActual (SummaryBase *Smry, const SEGCallSite *CS, std::unordered_map< std::string, SMTExpr > &) |
| Add constraints: "formal == actual". | |
| bool | inlineReturnSymbolicSummary (const SEGCallSiteOutputNode *Symbol) |
| bool | inlineReturnSymbolicSummary (Vulnerability::ValueSitePairType Src) |
| void | inlineCalleeSummaryStartWithParam (const SEGCallSite *CS, TraceSummary *Smry, Vulnerability::ValueSitePairType Src, const SEGOperandNode *ActualNode, unsigned InlineDepth, int Case=0) |
| void | inlineCalleeSummaryEndWithReturn (const SEGCallSite *CS, TraceSummary *Smry, const SEGCallSiteOutputNode *CallSiteOutput, Vulnerability::ValueSitePairType Src, unsigned InlineDepth, int Case=0) |
| bool | canReport (Vulnerability::ValueSitePairType Src) const |
| int | checkUseSite (const SEGOperandNode *Node, const SEGSiteBase *UseSite, std::unordered_map< const BasicBlock *, SMTSolver::SMTResultType > &, bool UpdateCache) |
| void | processUseSite (Vulnerability::ValueSitePairType Src, const SEGOperandNode *Node, const SEGSiteBase *UseSite, Vulnerability::SiteType USTy, unsigned InlineDepth) |
| Processes use sites according to their type. | |
| template<class TraceSummaryType > | |
| TraceSummaryType * | createTraceSummary (SMTExprVec Constraints, std::shared_ptr< VulnerabilityTrace > Trace, const std::unordered_set< const SEGArgumentNode * > *Inputs, unsigned InlineDepth) |
| void | collectVarMapping (const std::vector< SummaryCacheItem > &ConstraintsCache, std::string Suffix, std::unordered_map< std::string, SMTExpr > &VariableMapping) |
| void | addCachedConstraintsToSummary (SummaryBase *S) |
| Add the cached constraints to build the summary. | |
| void | tryReport (std::shared_ptr< VulnerabilityTrace > Trace, unsigned Depth) |
Protected Attributes | |
| SailfishChecker * | Parent |
| the parent checker | |
| Function * | F |
| current function | |
| SailfishSummary * | Smry |
| the summary of this function | |
| const DomTree * | DT |
| dom tree and post-dom tree | |
| const DomTree * | PDT |
| const SymbolicExprGraph * | SEG |
| the symbolic expr graph IR | |
| SMTFactory | ConstraintFactory |
| the factory to create constraints | |
| SailfishStateBuilder * | StateBuilder |
| Timer * | TimeChecker |
| std::shared_ptr< Vulnerability > | TSV |
| The vulnerability instance. | |
| std::map< const SEGSiteBase *, std::set< const SEGOperandNode * > > | Sources |
| Taint sources. | |
| ParallelThreadLocal * | PTL |
|
protected |
Processes a use site of a node with respect to the vulnerability type.
|
protected |
Collect the variable mapping from the targeted constraints cache, in order to generate the complete variable mapping used to match formal and actual arguments when inlining summaries.
|
protected |
Search the SEG along value flows in depth-first order.
CurrentNode is the node being visited; PreviousNode is the node visited before it; Src is where the search started in the current function; InlineDepth is the inline depth of the trace built during the search.

|
protected |
Inline the output summary Smry at call site CS. The source of the current trace is Src. The current inline depth is InlineDepth.
Case = 0: Search from input to output.
Case = 1: Search from output to input.

|
protected |
Inline the input summary Smry at call site CS. The source node of the current trace is SrcNode. The current inline depth is InlineDepth.
Case = 0: A tainted pointer reaches a call site that has an input summary. It may report a bug.
Case = 1: Inlining the taint source wrapper; the search then starts from the call site of the wrapper function.
Case = 2: Searching from an argument and reaching a call site that is a taint source (or source wrapper), thereby producing a source wrapper summary.

|
protected |
Inline the symbolic summary of Symbol, which should be a CallSiteOutputNode. Where, the index of a basic block, indicates the basic block where we decide to inline the symbolic summary.

|
protected |
This is a bidirectional search: it first searches the SEG against the direction of value flows in depth-first order (upstream search). Whenever it visits a node, it continues the downstream search from that node by calling downstreamSearch(...).
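
The search order described above, sketched on a toy value-flow graph as an added example (this is not ClearBlue code). ToyGraph, ToySearcher and reachedFrom are hypothetical names, and the sketch leaves out the Src, InlineDepth and constraint handling that the real checker carries along.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Toy value-flow graph (constructed for illustration; not ClearBlue's SEG types).
struct ToyGraph {
  std::map<std::string, std::vector<std::string>> Succ; // value flows: def -> use
  std::map<std::string, std::vector<std::string>> Pred; // the same edges, reversed
  std::set<std::string> UseSites;                       // nodes treated as use sites
  void addFlow(const std::string &From, const std::string &To) {
    Succ[From].push_back(To);
    Pred[To].push_back(From);
  }
};

struct ToySearcher {
  const ToyGraph &G;
  std::set<std::string> UpSeen, DownSeen, Reached;

  // Depth-first search along value flows, recording every use site reached.
  void downstreamSearch(const std::string &Cur) {
    if (!DownSeen.insert(Cur).second) return; // already explored downstream
    if (G.UseSites.count(Cur)) Reached.insert(Cur);
    auto It = G.Succ.find(Cur);
    if (It == G.Succ.end()) return;
    for (const auto &Next : It->second) downstreamSearch(Next);
  }

  // Depth-first search against value flows (upstream); every visited node
  // also starts a downstream search.
  void search(const std::string &Cur) {
    if (!UpSeen.insert(Cur).second) return; // already explored upstream
    downstreamSearch(Cur);
    auto It = G.Pred.find(Cur);
    if (It == G.Pred.end()) return;
    for (const auto &Prev : It->second) search(Prev);
  }
};

// Constructed sample: p flows to q and r; q reaches "free(q)", r reaches "load(r)".
std::set<std::string> reachedFrom(const std::string &Start, bool Bidirectional) {
  ToyGraph G;
  G.addFlow("p", "q"); G.addFlow("p", "r");
  G.addFlow("q", "free(q)"); G.addFlow("r", "load(r)");
  G.UseSites = {"free(q)", "load(r)"};
  ToySearcher S{G};
  if (Bidirectional) S.search(Start); else S.downstreamSearch(Start);
  return S.Reached;
}
```

Starting at q, a downstream-only search reaches just "free(q)"; the bidirectional search climbs to p and also finds "load(r)" on the sibling flow.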

|
protected |
A stack-based state recorder that records useful information during the depth-first search on the SEG. Besides recording information, it can also be used to generate, record and check constraints, and to do other jobs based on the recorded information.
|
protected |
Records the running time of the function checker in case it times out.