Add config options to pointer inference analysis

4beae232 · Enkelmann · Enkelmann · 1e9e4ab9 · 4beae232 · 4beae232
Commit 4beae232 authored 4 years ago by Enkelmann Committed by Enkelmann 4 years ago
8 changed files
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ all:
 	cd plugins/cwe_checker_pointer_inference_debug && make all
 	mkdir -p ${HOME}/.config/cwe_checker
 	cp src/utils/registers.json ${HOME}/.config/cwe_checker/registers.json
+	cp src/config.json ${HOME}/.config/cwe_checker/config.json
 test:
 	cargo test

--- a/cwe_checker_rs/src/analysis/pointer_inference/context/mod.rs
+++ b/cwe_checker_rs/src/analysis/pointer_inference/context/mod.rs
@@ -7,7 +7,7 @@ use crate::utils::log::*;
 use std::collections::{BTreeMap, BTreeSet, HashSet};
 use super::state::State;
-use super::{Data, VERSION};
+use super::{Config, Data, VERSION};
 // contains trait implementations for the `Context` struct,
 // especially the implementation of the `interprocedural_fixpoint::Context` trait.
@@ -31,6 +31,10 @@ pub struct Context<'a> {
    pub cwe_collector: crossbeam_channel::Sender<CweWarning>,
    /// A channel where log messages should be sent to.
    pub log_collector: crossbeam_channel::Sender<LogMessage>,
+    /// Names of `malloc`-like extern functions.
+    pub allocation_symbols: Vec<String>,
+    /// Names of `free`-like extern functions.
+    pub deallocation_symbols: Vec<String>,
 }
 impl<'a> Context<'a> {
@@ -38,6 +42,7 @@ impl<'a> Context<'a> {
    /// Also needs two channels as input to know where CWE warnings and log messages should be sent to.
    pub fn new(
        project: &Project,
+        config: Config,
        cwe_collector: crossbeam_channel::Sender<CweWarning>,
        log_collector: crossbeam_channel::Sender<LogMessage>,
    ) -> Context {
@@ -60,6 +65,8 @@ impl<'a> Context<'a> {
            extern_symbol_map,
            cwe_collector,
            log_collector,
+            allocation_symbols: config.allocation_symbols,
+            deallocation_symbols: config.deallocation_symbols,
        }
    }

--- a/cwe_checker_rs/src/analysis/pointer_inference/context/tests.rs
+++ b/cwe_checker_rs/src/analysis/pointer_inference/context/tests.rs
@@ -66,7 +66,7 @@ fn return_term(target_name: &str) -> Term<Jmp> {
    }
 }
-fn mock_project() -> Project {
+fn mock_project() -> (Project, Config) {
    let program = Program {
        subs: Vec::new(),
        extern_symbols: vec![
@@ -80,13 +80,19 @@ fn mock_project() -> Project {
        tid: Tid::new("program"),
        term: program,
    };
-    Project {
+    (
-        program: program_term,
+        Project {
-        cpu_architecture: "x86_64".to_string(),
+            program: program_term,
-        stack_pointer_register: register("RSP"),
+            cpu_architecture: "x86_64".to_string(),
-        callee_saved_registers: vec!["callee_saved_reg".to_string()],
+            stack_pointer_register: register("RSP"),
-        parameter_registers: vec!["RAX".to_string()],
+            callee_saved_registers: vec!["callee_saved_reg".to_string()],
-    }
+            parameter_registers: vec!["RAX".to_string()],
+        },
+        Config {
+            allocation_symbols: vec!["malloc".into()],
+            deallocation_symbols: vec!["free".into()],
+        },
+    )
 }
 #[test]
@@ -95,10 +101,10 @@ fn context_problem_implementation() {
    use crate::analysis::pointer_inference::Data;
    use Expression::*;
-    let project = mock_project();
+    let (project, config) = mock_project();
    let (cwe_sender, _cwe_receiver) = crossbeam_channel::unbounded();
    let (log_sender, _log_receiver) = crossbeam_channel::unbounded();
-    let context = Context::new(&project, cwe_sender, log_sender);
+    let context = Context::new(&project, config, cwe_sender, log_sender);
    let mut state = State::new(&register("RSP"), Tid::new("main"));
    let def = Term {
@@ -251,10 +257,10 @@ fn update_return() {
    use crate::analysis::interprocedural_fixpoint::Context as IpFpContext;
    use crate::analysis::pointer_inference::object::ObjectType;
    use crate::analysis::pointer_inference::Data;
-    let project = mock_project();
+    let (project, config) = mock_project();
    let (cwe_sender, _cwe_receiver) = crossbeam_channel::unbounded();
    let (log_sender, _log_receiver) = crossbeam_channel::unbounded();
-    let context = Context::new(&project, cwe_sender, log_sender);
+    let context = Context::new(&project, config, cwe_sender, log_sender);
    let state_before_return = State::new(&register("RSP"), Tid::new("callee"));
    let mut state_before_return = context
        .update_def(

--- a/cwe_checker_rs/src/analysis/pointer_inference/context/trait_impls.rs
+++ b/cwe_checker_rs/src/analysis/pointer_inference/context/trait_impls.rs
@@ -233,10 +233,10 @@ impl<'a> crate::analysis::interprocedural_fixpoint::Context<'a> for Context<'a> 
            self.check_parameter_register_for_dangling_pointer(state, call, extern_symbol);
            match extern_symbol.name.as_str() {
-                "malloc" | "calloc" | "realloc" | "xmalloc" => {
+                malloc_like_fn if self.allocation_symbols.iter().any(|x| x == malloc_like_fn) => {
                    self.add_new_object_in_call_return_register(new_state, call, extern_symbol)
                }
-                "free" => {
+                free_like_fn if self.deallocation_symbols.iter().any(|x| x == free_like_fn) => {
                    self.mark_parameter_object_as_freed(state, new_state, call, extern_symbol)
                }
                _ => self.handle_generic_extern_call(state, new_state, call, extern_symbol),

--- a/cwe_checker_rs/src/analysis/pointer_inference/mod.rs
+++ b/cwe_checker_rs/src/analysis/pointer_inference/mod.rs
@@ -10,11 +10,14 @@
 //! whether an error is due to an error in the memory management of the program under analysis
 //! or due to inexactness of the pointer inference analysis itself,
 //! we try to treat is as the more likely (but not necessarily true) case of the two.
+//!
+//! See the `Config` struct for configurable analysis parameters.
 use super::interprocedural_fixpoint::{Computation, NodeValue};
 use crate::abstract_domain::{BitvectorDomain, DataDomain};
 use crate::analysis::graph::{Graph, Node};
 use crate::intermediate_representation::*;
+use crate::prelude::*;
 use crate::utils::log::*;
 use petgraph::graph::NodeIndex;
 use petgraph::visit::IntoNodeReferences;
@@ -35,6 +38,19 @@ const VERSION: &str = "0.1";
 /// The abstract domain type for representing register values.
 type Data = DataDomain<BitvectorDomain>;
+/// Configurable parameters for the analysis.
+#[derive(Serialize, Deserialize, Debug, PartialEq, Eq, Hash, Clone)]
+pub struct Config {
+    /// Names of extern functions that are `malloc`-like,
+    /// i.e. the unique return value is a pointer to a newly allocated chunk of memory or a NULL pointer.
+    allocation_symbols: Vec<String>,
+    /// Names of extern functions that are `free`-like,
+    /// i.e. the memory chunk that the unique parameter of the function points to gets deallocated.
+    /// Note that the analysis currently does not detect mismatching allocation-deallocation pairs,
+    /// i.e. it cannot distinguish between memory allocated by `malloc` and memory allocated by `new`.
+    deallocation_symbols: Vec<String>,
+}
 /// A wrapper struct for the pointer inference computation object.
 pub struct PointerInference<'a> {
    computation: Computation<'a, Context<'a>>,
@@ -45,10 +61,11 @@ impl<'a> PointerInference<'a> {
    /// Generate a new pointer inference compuation for a project.
    pub fn new(
        project: &'a Project,
+        config: Config,
        cwe_sender: crossbeam_channel::Sender<CweWarning>,
        log_sender: crossbeam_channel::Sender<LogMessage>,
    ) -> PointerInference<'a> {
-        let context = Context::new(project, cwe_sender, log_sender.clone());
+        let context = Context::new(project, config, cwe_sender, log_sender.clone());
        let mut entry_sub_to_entry_blocks_map = HashMap::new();
        let subs: HashMap<Tid, &Term<Sub>> = project
@@ -247,7 +264,7 @@ impl<'a> PointerInference<'a> {
 /// Generate and execute the pointer inference analysis.
 /// Returns a vector of all found CWE warnings and a vector of all log messages generated during analysis.
-pub fn run(project: &Project, print_debug: bool) -> (Vec<CweWarning>, Vec<String>) {
+pub fn run(project: &Project, config: Config, print_debug: bool) -> (Vec<CweWarning>, Vec<String>) {
    let (cwe_sender, cwe_receiver) = crossbeam_channel::unbounded();
    let (log_sender, log_receiver) = crossbeam_channel::unbounded();
@@ -257,7 +274,7 @@ pub fn run(project: &Project, print_debug: bool) -> (Vec<CweWarning>, Vec<String
    {
        // Scope the computation object so that it is dropped before the warning collector thread is joined.
        // Else the warning collector thread will not terminate (the cwe_sender needs to be dropped for it to terminate).
-        let mut computation = PointerInference::new(project, cwe_sender, log_sender);
+        let mut computation = PointerInference::new(project, config, cwe_sender, log_sender);
        computation.compute();
        computation.count_blocks_with_state();

--- a/cwe_checker_rs/src/ffi/analysis.rs
+++ b/cwe_checker_rs/src/ffi/analysis.rs
@@ -12,7 +12,10 @@ fn run_pointer_inference(program_jsonbuilder_val: ocaml::Value) -> (Vec<CweWarni
        serde_json::from_value(program_json).expect("Project deserialization failed");
    project.replace_let_bindings();
-    crate::analysis::pointer_inference::run(&project.into(), false)
+    let config: crate::analysis::pointer_inference::Config =
+        serde_json::from_value(crate::utils::read_config_file()["pointer_inference"].clone())
+            .unwrap();
+    crate::analysis::pointer_inference::run(&project.into(), config, false)
 }
 caml!(rs_run_pointer_inference(program_jsonbuilder_val) {
@@ -31,7 +34,10 @@ fn run_pointer_inference_and_print_debug(program_jsonbuilder_val: ocaml::Value) 
        serde_json::from_value(program_json).expect("Project deserialization failed");
    project.replace_let_bindings();
-    crate::analysis::pointer_inference::run(&project.into(), true); // Note: This discard all CweWarnings and log messages.
+    let config: crate::analysis::pointer_inference::Config =
+        serde_json::from_value(crate::utils::read_config_file()["pointer_inference"].clone())
+            .unwrap();
+    crate::analysis::pointer_inference::run(&project.into(), config, true); // Note: This discard all CweWarnings and log messages.
 }
 caml!(rs_run_pointer_inference_and_print_debug(program_jsonbuilder_val) {

--- a/cwe_checker_rs/src/utils/mod.rs
+++ b/cwe_checker_rs/src/utils/mod.rs
@@ -30,3 +30,14 @@ pub fn get_generic_parameter_and_callee_saved_register(
    params.append(&mut params_float);
    (params, callee_saved)
 }
+/// Get the contents of the main configuration file.
+pub fn read_config_file() -> serde_json::Value {
+    let project_dirs = directories::ProjectDirs::from("", "", "cwe_checker")
+        .expect("Could not discern location of configuration files.");
+    let config_dir = project_dirs.config_dir();
+    let config_path = config_dir.join("config.json");
+    let config_file =
+        std::fs::read_to_string(config_path).expect("Could not read register configuration file");
+    serde_json::from_str(&config_file).unwrap()
+}
--- a/src/config.json
+++ b/src/config.json
@@ -190,5 +190,16 @@
      "fgets",
      "scanf"
    ]
+  },
+  "pointer_inference": {
+    "allocation_symbols": [
+      "malloc",
+      "calloc",
+      "realloc",
+      "xmalloc"
+    ],
+    "deallocation_symbols": [
+      "free"
+    ]
  }
 }