/** Makes a CFG edge, adding appropriate labels. */
void makeEdge(SgAsmInstruction* from, SgAsmInstruction* to, const AuxiliaryInformation* info, vector<CFGEdge>& result) {
#if 0
SgAsmNode* fromNode = from.getNode();
unsigned int fromIndex = from.getIndex();
SgAsmNode* toNode = to.getNode();
unsigned int toIndex = to.getIndex();
#if 0
// Exit early if the edge should not exist because of a control flow discontinuity
if (fromIndex == 1 && (isSgGotoStatement(fromNode) || isSgBreakStmt(fromNode) || isSgContinueStmt(fromNode))) {
return;
}
if (isSgReturnStmt(fromNode) && toNode == fromNode->get_parent()) {
SgReturnStmt* rs = isSgReturnStmt(fromNode);
if (fromIndex == 1 || fromIndex == 0 && !rs->get_expression()) return;
}
if (fromIndex == 1 && isSgSwitchStatement(fromNode) &&
isSgSwitchStatement(fromNode)->get_body() == toNode) return;
#endif
#endif
// Create the edge
result.push_back(CFGEdge(CFGNode(from, info), CFGNode(to, info), info));
}
bool
TaintAnalysis::transfer(const Function& func, const DataflowNode& node_, NodeState& state, const std::vector<Lattice*>& dfInfo) {
static size_t ncalls = 0;
if (debug) {
*debug <<"TaintAnalysis::transfer-" <<++ncalls <<"(func=" <<func.get_name() <<",\n"
<<" node={" <<StringUtility::makeOneLine(node_.toString()) <<"},\n"
<<" state={" <<state.str(this, " ") <<",\n"
<<" dfInfo[" <<dfInfo.size() <<"]={...})\n";
}
SgNode *node = node_.getNode();
assert(!dfInfo.empty());
FiniteVarsExprsProductLattice *prodLat = dynamic_cast<FiniteVarsExprsProductLattice*>(dfInfo.front());
bool modified = magic_tainted(node, prodLat); // some values are automatically tainted based on their name
// Process AST nodes that transfer taintedness. Most of these operations have one or more inputs from which a result
// is always calculated the same way. So we just gather up the inputs and do the calculation at the very end of this
// function. The other operations are handled individually within their "if" bodies.
TaintLattice *result = NULL; // result pointer into the taint lattice
std::vector<TaintLattice*> inputs; // input pointers into the taint lattice
if (isSgAssignInitializer(node)) {
// as in "int a = b"
SgAssignInitializer *xop = isSgAssignInitializer(node);
TaintLattice *in1 = dynamic_cast<TaintLattice*>(prodLat->getVarLattice(SgExpr2Var(xop->get_operand())));
inputs.push_back(in1);
} else if (isSgAggregateInitializer(node)) {
// as in "int a[1] = {b}"
SgAggregateInitializer *xop = isSgAggregateInitializer(node);
const SgExpressionPtrList &exprs = xop->get_initializers()->get_expressions();
for (size_t i=0; i<exprs.size(); ++i) {
varID in_id = SgExpr2Var(exprs[i]);
TaintLattice *in = dynamic_cast<TaintLattice*>(prodLat->getVarLattice(in_id));
inputs.push_back(in);
}
} else if (isSgInitializedName(node)) {
SgInitializedName *xop = isSgInitializedName(node);
if (xop->get_initializer()) {
varID in1_id = SgExpr2Var(xop->get_initializer());
TaintLattice *in1 = dynamic_cast<TaintLattice*>(prodLat->getVarLattice(in1_id));
inputs.push_back(in1);
}
} else if (isSgValueExp(node)) {
// numeric and character constants
SgValueExp *xop = isSgValueExp(node);
result = dynamic_cast<TaintLattice*>(prodLat->getVarLattice(SgExpr2Var(xop)));
if (result)
modified = result->set_vertex(TaintLattice::VERTEX_UNTAINTED);
} else if (isSgAddressOfOp(node)) {
// as in "&x". The result taintedness has nothing to do with the value in x.
/*void*/
} else if (isSgBinaryOp(node)) {
// as in "a + b"
SgBinaryOp *xop = isSgBinaryOp(node);
varID in1_id = SgExpr2Var(isSgExpression(xop->get_lhs_operand()));
TaintLattice *in1 = dynamic_cast<TaintLattice*>(prodLat->getVarLattice(in1_id));
inputs.push_back(in1);
varID in2_id = SgExpr2Var(isSgExpression(xop->get_rhs_operand()));
TaintLattice *in2 = dynamic_cast<TaintLattice*>(prodLat->getVarLattice(in2_id));
inputs.push_back(in2);
if (isSgAssignOp(node)) { // copy the rhs lattice to the lhs lattice (as well as the entire '=' expression result)
assert(in1 && in2);
modified = in1->meetUpdate(in2);
}
} else if (isSgUnaryOp(node)) {
// as in "-a"
SgUnaryOp *xop = isSgUnaryOp(node);
varID in1_id = SgExpr2Var(xop->get_operand());
TaintLattice *in1 = dynamic_cast<TaintLattice*>(prodLat->getVarLattice(in1_id));
inputs.push_back(in1);
} else if (isSgReturnStmt(node)) {
// as in "return a". The result will always be dead, so we're just doing this to get some debugging output. Most
// of our test inputs are functions, and the test examines the function's returned taintedness.
SgReturnStmt *xop = isSgReturnStmt(node);
varID in1_id = SgExpr2Var(xop->get_expression());
TaintLattice *in1 = dynamic_cast<TaintLattice*>(prodLat->getVarLattice(in1_id));
inputs.push_back(in1);
}
// Update the result lattice (unless dead) with the inputs (unless dead) by using the meedUpdate() method. All this
// means is that the new result will be the maximum of the old result and all inputs, where "maximum" is defined such
// that "tainted" is greater than "untainted" (and both of them are greater than bottom/unknown).
for (size_t i=0; i<inputs.size(); ++i)
if (debug)
*debug <<"TaintAnalysis::transfer: input " <<(i+1) <<" is " <<lattice_info(inputs[i]) <<"\n";
if (!result && varID::isValidVarExp(node)) {
varID result_id(node); // NOTE: constructor doesn't handle all SgExpression nodes, thus the next "if"
result = dynamic_cast<TaintLattice*>(prodLat->getVarLattice(result_id));
}
if (!result && isSgExpression(node)) {
varID result_id = SgExpr2Var(isSgExpression(node));
result = dynamic_cast<TaintLattice*>(prodLat->getVarLattice(result_id));
}
if (result) {
for (size_t i=0; i<inputs.size(); ++i) {
if (inputs[i])
modified = result->meetUpdate(inputs[i]) || modified;
}
}
if (debug)
*debug <<"TaintAnalysis::transfer: result is " <<lattice_info(result) <<(modified?" (modified)":" (not modified)") <<"\n";
return modified;
}
void instr(SgGlobal* global) {
// Create the lock and key variables in global scope.
// In main:
// EnterScope();
// lock = getTopLock();
// key = getTopKey();
// .... rest of main
// ExitScope();
// return;
// FIXME: Add case where we handle arbitrary exits from main
// This can be handled similar to the way returns are handled
// for basic blocks.
SgScopeStatement* scope = isSgScopeStatement(global);
// Insert lock and key variables at the top of the global scope
// lock variable
std::cout << "VarCounter: " << Util::VarCounter << std::endl;
SgName lock_name("lock_var" + boost::lexical_cast<std::string>(Util::VarCounter));
SgVariableDeclaration* lock_var = Util::createLocalVariable(lock_name, getLockType(), NULL, scope);
// Add declaration at the top of the scope
scope->prepend_statement(lock_var);
// key variable
// **** IMPORTANT: Using same counter value for lock and key
SgName key_name("key_var" + boost::lexical_cast<std::string>(Util::VarCounter));
Util::VarCounter++;
SgVariableDeclaration* key_var = Util::createLocalVariable(key_name, getKeyType(), NULL, scope);
// Insert this key decl after the lock decl
SI::insertStatementAfter(lock_var, key_var);
// Now, find the main function and insert...
// EnterScope();
// lock = getTopLock();
// key = getTopKey();
// .... rest of main
// ExitScope()
// return; -- this already exists...
// see FIXME above
// find main function...
SgFunctionDeclaration* MainFn = SI::findMain(global);
if(!MainFn) {
#ifdef HANDLE_GLOBAL_SCOPE_DEBUG
printf("Can't find Main function. Not inserting Global Enter and Exit Scopes\n");
#endif
return;
}
SgBasicBlock *bb = Util::getBBForFn(MainFn);
// insert EnterScope()
#if 0
SgExpression* overload = buildOverloadFn("EnterScope", NULL, NULL, SgTypeVoid::createType(), scope,
GEFD(bb));
#endif
SgExpression* overload = buildMultArgOverloadFn("EnterScope", SB::buildExprListExp(), SgTypeVoid::createType(), scope,
GEFD(bb));
SgStatement* enter_scope = SB::buildExprStatement(overload);
Util::insertAtTopOfBB(bb, enter_scope);
// insert lock = getTopLock();
//overload = buildOverloadFn("getTopLock", NULL, NULL, getLockType(), scope, GEFD(bb));
overload = buildMultArgOverloadFn("getTopLock", SB::buildExprListExp(), getLockType(), scope, GEFD(bb));
//SgStatement* lock_assign = SB::buildExprStatement(SB::buildAssignOp(SB::buildVarRefExp(lock_var), overload));
//SI::insertStatementAfter(enter_scope, lock_assign); //RMM COMMENTED OUT
// insert key = getTopKey();
// overload = buildOverloadFn("getTopKey", NULL, NULL, getKeyType(), scope, GEFD(bb));
overload = buildMultArgOverloadFn("getTopKey", SB::buildExprListExp(), getKeyType(), scope, GEFD(bb));
//SgStatement* key_assign = SB::buildExprStatement(SB::buildAssignOp(SB::buildVarRefExp(key_var), overload));
//SI::insertStatementAfter(lock_assign, key_assign); //RMM COMMENTED OUT
// add to scope -> lock and key map... SLKM
LockKeyPair lock_key = std::make_pair(lock_var, key_var);
scopeLockMap[scope] = lock_key;
ROSE_ASSERT(existsInSLKM(scope));
// Insert ExitScope if last stmt is not return.
SgStatementPtrList& stmts = bb->get_statements();
SgStatementPtrList::iterator it = stmts.begin();
it += (stmts.size() - 1);
// A little iffy on the scope part here... lets check that.
if(!isSgReturnStmt(*it)) {
// Last statement is not return. So, add exit scope...
// If its a break/continue statement, insert statement before,
// otherwise, add exit_scope afterwards.
//SgExpression* overload = buildOverloadFn("ExitScope", NULL, NULL, SgTypeVoid::createType(), scope, GEFD(bb));
SgExpression* overload = buildMultArgOverloadFn("ExitScope", SB::buildExprListExp(), SgTypeVoid::createType(), scope, GEFD(bb));
// check if its break/continue
if(isSgBreakStmt(*it) || isSgContinueStmt(*it)) {
SI::insertStatementBefore(*it, SB::buildExprStatement(overload));
}
else {
SI::insertStatementAfter(*it, SB::buildExprStatement(overload));
}
}
}
std::string getSgStatement(SgStatement* stat) {
VariantT var = stat->variantT();
std::string statStr = "";
if (isSgDeclarationStatement(stat)) {
getSgDeclarationStatement(isSgDeclarationStatement(stat));
}
else if (isSgScopeStatement(stat)) {
getSgScopeStatement(isSgScopeStatement(stat));
}
else if (isSgIOStatement(stat)) {
statStr = getSgIOStatement(isSgIOStatement(stat));
}
else {
switch (var) {
case V_SgAllocateStatement:
{
std::cout << "SgAllocateStatement is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgArithmeticIfStatement:
{
std::cout << "SgArithmeticIfStatement is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgAssertStmt:
{
std::cout << "SgAssertStmt is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgAssignedGotoStatement:
{
std::cout << "SgAssignedGotoStatement is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgAssignStatement:
{
std::cout << "SgAssignStatement is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgBreakStmt:
{
std::cout << "SgBreakStmt is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgCaseOptionStmt:
{
std::cout << "SgCaseOptionStmt is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgCatchStatementSeq:
{
std::cout << "SgCatchStatementSeq is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgComputedGotoStatement:
{
std::cout << "SgComputedGotoStatement is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgContinueStmt:
{
std::cout << "SgContinueStmt is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgDeallocateStatement:
{
std::cout << "SgDeallocateStatement is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgDefaultOptionStmt:
{
std::cout << "SgDefaultOptionStmt is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgExprStatement:
{
statStr = getSgExprStatement(isSgExprStatement(stat));
break;
}
case V_SgForInitStatement:
{
std::cout << "SgForInitStatement is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgFunctionTypeTable:
{
std::cout << "SgFunctionTypeTable is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgGotoStatement:
{
std::cout << "SgGotoStatement is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgLabelStatement:
{
std::cout << "SgLabelStatement is not yet implemented" << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgReturnStmt:
{
SgReturnStmt* ret = isSgReturnStmt(stat);
SgExpression* retExp = ret->get_expression();
std::string retExpStr = getSgExpressionString(retExp);
statStr = "; return statement not yet linked to function\n ;" + retExpStr + "\n";
break;
}
case V_SgSequenceStatement:
{
std::cout << "SgSequenceStatement is not yet implemented" << std::endl; ;
ROSE_ASSERT(false);
break;
}
case V_SgPassStatement:
{
std::cout << "SgPassStatement is not yet implemented" << std::endl; ;
ROSE_ASSERT(false);
break;
}
case V_SgNullStatement:
{
std::cout << "SgNullStatement is not yet implemented" << std::endl; ;
ROSE_ASSERT(false);
break;
}
case V_SgNullifyStatement:
{
std::cout << "SgNullifyStatement is not yet implemented" << std::endl; ;
ROSE_ASSERT(false);
break;
}
case V_SgExecStatement:
{
std::cout << "SgExecStatement is not yet implemented" << std::endl; ;
ROSE_ASSERT(false);
break;
}
case V_SgElseWhereStatement:
{
std::cout << "SgElseWhereStatement is not yet implemented" << std::endl; ;
ROSE_ASSERT(false);
break;
}
case V_SgScopeStatement:
{
std::cout << "SgScopeStatement should not be found here! " << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgDeclarationStatement:
{
std::cout << "SgDeclarationStatement should not be found here! " << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgIOStatement:
{
std::cout << "SgIOStatement should not be found here! " << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgJavaThrowStatement:
{
std::cout << "SgJavaThrowStatement should not be found here! " << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgJavaSynchronizedStatement:
{
std::cout << "SgJavaSynchronizedStatement should not be found here! " << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgOmpBarrierStatement:
{
std::cout << "SgOmpBarrierStatement should not be found here! " << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgOmpBodyStatement:
{
std::cout << "SgOmpBodyStatement should not be found here! " << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgOmpFlushStatement:
{
std::cout << "SgOmpFlushStatement should not be found here! " << std::endl;
ROSE_ASSERT(false);
break;
}
case V_SgOmpTaskwaitStatement:
{
std::cout << "SgOmpTaskwaitStatement should not be found here! " << std::endl;
ROSE_ASSERT(false);
break;
}
default:
std::cout << "unknown SgStatement type!: " << stat->class_name() << std::endl;
ROSE_ASSERT(false);
}
}
return statStr;
}
void instr(SgBasicBlock* bb) {
// 1. Add Enter Scope -- This will be removed when RTED ScopeGuard is used
// 2. Insert lock and key variables at the top of stack.
// 3. Create a map for lock and key with each scope
// 4. Insert ExitScope statement if the last statement in the list isn't
// a return stmt. Return stmts are handled in handleReturnStmts
SgScopeStatement* scope = isSgScopeStatement(bb);
// 1. Add Enter Scope
#if 0
SgExpression* overload = buildOverloadFn("EnterScope", NULL, NULL, SgTypeVoid::createType(), scope,
GEFD(bb));
#endif
SgExpression* overload = buildMultArgOverloadFn("EnterScope", SB::buildExprListExp(), SgTypeVoid::createType(), scope,
GEFD(bb));
SgStatement* enter_scope = SB::buildExprStatement(overload);
Util::insertAtTopOfBB(bb, enter_scope);
// 2. Insert lock and key variables
// lock calls "getTopLock"
// key calls "getTopKey"
#if 0
overload = buildOverloadFn("getTopLock", NULL, NULL, getLockType(), scope,
GEFD(bb));
#endif
overload = buildMultArgOverloadFn("getTopLock", SB::buildExprListExp(), getLockType(), scope,
GEFD(bb));
// **** IMPORTANT: Using same counter value for lock and key
SgName lock_name("lock_var" + boost::lexical_cast<std::string>(Util::VarCounter));
//SgVariableDeclaration* lock_var = Util::createLocalVariable(lock_name, getLockType(), overload, scope);
// Insert this lock declaration after the EnterScope
//SI::insertStatementAfter(enter_scope, lock_var); //RMM COMMENTED OUT
// For the key...
#if 0
overload = buildOverloadFn("getTopKey", NULL, NULL, getKeyType(), scope,
GEFD(bb));
#endif
overload = buildMultArgOverloadFn("getTopKey", SB::buildExprListExp(), getKeyType(), scope,
GEFD(bb));
// **** IMPORTANT: Using same counter value for lock and key
SgName key_name("key_var" + boost::lexical_cast<std::string>(Util::VarCounter++));
//SgVariableDeclaration* key_var = Util::createLocalVariable(key_name, getKeyType(), overload, scope);
// Insert this key decl after the lock decl
//SI::insertStatementAfter(lock_var, key_var); //RMM COMMENTED OUT
// Add to scope -> lock and key map
//LockKeyPair lock_key = std::make_pair(lock_var, key_var);
//SLKM[scope] = lock_key;
//ROSE_ASSERT(existsInSLKM(scope));
// 4. Insert ExitScope if last stmt is not return.
SgStatementPtrList& stmts = bb->get_statements();
SgStatementPtrList::iterator it = stmts.begin();
it += (stmts.size() - 1);
if(!isSgReturnStmt(*it)) {
// Last statement is not return. So, add exit scope...
// If its a break/continue statement, insert statement before,
// otherwise, add exit_scope afterwards.
//SgExpression* overload = buildOverloadFn("ExitScope", NULL, NULL, SgTypeVoid::createType(), scope, GEFD(bb));
SgExpression* overload = buildMultArgOverloadFn("ExitScope", SB::buildExprListExp(), SgTypeVoid::createType(), scope, GEFD(bb));
// check if its break/continue
if(isSgBreakStmt(*it) || isSgContinueStmt(*it)) {
SI::insertStatementBefore(*it, SB::buildExprStatement(overload));
}
else {
SI::insertStatementAfter(*it, SB::buildExprStatement(overload));
}
}
return;
}