/**
* class: SgArrayType
* term: array_type(nested,index)
* arg nested: nested type
* arg index: index (a SgExpression)
*/
PrologCompTerm*
RoseToTerm::getArrayTypeSpecific(SgType* mtype) {
/*make sure we are actually dealing with an array type*/
SgArrayType* a = isSgArrayType(mtype);
ROSE_ASSERT(a != NULL);
return new PrologCompTerm
("array_type", //2,
getTypeSpecific(a->get_base_type()), /* get nested type*/
(a->get_index() /* get expression*/
? traverseSingleNode(a->get_index())
: new PrologAtom("null")));
}
void examineType(SgType *type, ostream &out) {
int nr_stars = 0;
stringstream ss1;
if (NULL == type) {
out << "void";
return;
}
while (isSgArrayType(type) ||
isSgPointerType(type)) {
if (isSgArrayType(type)) {
SgArrayType *atype = isSgArrayType(type);
SgExpression *expr = atype->get_index();
type = atype->get_base_type();
/*
ss1 << "[";
if (expr)
examineExpr(expr, ss1);
ss1 << "]";
*/
nr_stars++;
} else {
SgPointerType *ttype = isSgPointerType(type);
type = ttype->get_base_type();
nr_stars++;
}
}
examinePrimTypeName(type, out);
out << " ";
for (int i = 0; i < nr_stars; ++i)
out << "*";
out << ss1.str();
}
InheritedAttribute
BugSeeding::evaluateInheritedAttribute (
SgNode* astNode,
InheritedAttribute inheritedAttribute )
{
// Use this if we only want to seed bugs in loops
bool isLoop = inheritedAttribute.isLoop ||
(isSgForStatement(astNode) != NULL) ||
(isSgWhileStmt(astNode) != NULL) ||
(isSgDoWhileStmt(astNode) != NULL);
// Add Fortran support
isLoop = isLoop || (isSgFortranDo(astNode) != NULL);
// Mark future noes in this subtree as being part of a loop
inheritedAttribute.isLoop = isLoop;
// To test this on simple codes, optionally allow it to be applied everywhere
bool applyEveryWhere = true;
if (isLoop == true || applyEveryWhere == true)
{
// The inherited attribute is true iff we are inside a loop and this is a SgPntrArrRefExp.
SgPntrArrRefExp *arrayReference = isSgPntrArrRefExp(astNode);
if (arrayReference != NULL)
{
// Mark as a vulnerability
inheritedAttribute.isVulnerability = true;
// Now change the array index (to seed the buffer overflow bug)
SgVarRefExp* arrayVarRef = isSgVarRefExp(arrayReference->get_lhs_operand());
ROSE_ASSERT(arrayVarRef != NULL);
ROSE_ASSERT(arrayVarRef->get_symbol() != NULL);
SgInitializedName* arrayName = isSgInitializedName(arrayVarRef->get_symbol()->get_declaration());
ROSE_ASSERT(arrayName != NULL);
SgArrayType* arrayType = isSgArrayType(arrayName->get_type());
ROSE_ASSERT(arrayType != NULL);
SgExpression* arraySize = arrayType->get_index();
SgTreeCopy copyHelp;
// Make a copy of the expression used to hold the array size in the array declaration.
SgExpression* arraySizeCopy = isSgExpression(arraySize->copy(copyHelp));
ROSE_ASSERT(arraySizeCopy != NULL);
// This is the existing index expression
SgExpression* indexExpression = arrayReference->get_rhs_operand();
ROSE_ASSERT(indexExpression != NULL);
// Build a new expression: "array[n]" --> "array[n+arraySizeCopy]", where the arraySizeCopy is a size of "array"
SgExpression* newIndexExpression = buildAddOp(indexExpression,arraySizeCopy);
// Substitute the new expression for the old expression
arrayReference->set_rhs_operand(newIndexExpression);
}
}
return inheritedAttribute;
}
void examineInitializedName(SgInitializedName *name, ostream &out) {
SgSymbol* symbol = name->get_symbol_from_symbol_table();
if (NULL == symbol)
return;
SgType *type = symbol->get_type();
int nr_stars = 0;
stringstream ss1;
while (isSgArrayType(type) ||
isSgPointerType(type)) {
if (isSgArrayType(type)) {
SgArrayType *atype = isSgArrayType(type);
SgExpression *expr = atype->get_index();
type = atype->get_base_type();
ss1 << "[";
if (expr)
examineExpr(expr, ss1);
ss1 << "]";
} else {
SgPointerType *ttype = isSgPointerType(type);
type = ttype->get_base_type();
nr_stars++;
}
}
examinePrimTypeName(type, out);
out << " ";
for (int i = 0; i < nr_stars; ++i)
out << "*";
out << symbol->get_name().getString();
out << ss1.str();
SgInitializer *initer = name->get_initializer();
if (initer) {
switch (initer->variantT()) {
case V_SgAssignInitializer:
SgAssignInitializer *ai = isSgAssignInitializer(initer);
SgExpression *expr = ai->get_operand();
if (expr) {
out << "=";
examineExpr(expr, out);
}
break;
default:
break;
}
}
}
void
DetectHiddenOriginalExpressionTreeTraversal::visit ( SgNode* node )
{
// We only want to search for original expression trees where they can be hidden.
ROSE_ASSERT(node != NULL);
SgArrayType* arrayType = isSgArrayType(node);
if (arrayType != NULL)
{
#if 0
printf ("Found an array type arrayType = %p (looking for original expression tree) \n",arrayType);
#endif
SgExpression* index = arrayType->get_index();
if (index != NULL)
{
DetectOriginalExpressionTreeTraversal t;
t.traverse(index,preorder);
}
}
#if 0
// DQ (9/18/2011): This code will not work since the bitfile data member in SgVariableDefinition is a SgUnsignedLongVal instead of a SgExpression.
SgVariableDefinition* variableDefinition = isSgVariableDefinition(node);
if (variableDefinition != NULL)
{
#if 0
printf ("Found a SgVariableDefinition (looking for original expression tree) \n");
#endif
SgExpression* bitfieldExp = variableDefinition->get_bitfield();
if (bitfieldExp != NULL)
{
DetectOriginalExpressionTreeTraversal t;
t.traverse(bitfieldExp,preorder);
}
}
#endif
}
void
RemoveConstantFoldedValueViaParent::visit ( SgNode* node )
{
// This is an alternative implementation that allows us to handle expression that are not
// traversed in the AST (e.g. types like SgArrayType which can contain expressions).
ROSE_ASSERT(node != NULL);
// DQ (3/11/2006): Set NULL pointers where we would like to have none.
#if 0
printf ("In RemoveConstantFoldedValueViaParent::visit(): node = %p = %s \n",node,node->class_name().c_str());
#endif
// DQ (10/12/2012): Turn this on so that we can detect failing IR nodes (failing later) that have valid originalExpressionTrees.
// DQ (10/12/2012): Turn this back off because it appears to fail...
#if 0
SgExpression* exp = isSgExpression(node);
if (exp != NULL)
{
SgExpression* originalExpressionTree = exp->get_originalExpressionTree();
if (originalExpressionTree != NULL)
{
SgNode* parent = exp->get_parent();
if (parent != NULL)
{
printf ("Current IR node with SgExpression parent = %p = %s child = %p = %s originalExpressionTree = %p = %s \n",parent,parent->class_name().c_str(),node,node->class_name().c_str(),originalExpressionTree,originalExpressionTree->class_name().c_str());
bool traceReplacement = true;
ConstantFoldedValueReplacer r(traceReplacement, exp);
parent->processDataMemberReferenceToPointers(&r);
// node->processDataMemberReferenceToPointers(&r);
}
// Set the originalExpressionTree to NULL.
exp->set_originalExpressionTree(NULL);
// Set the parent of originalExpressionTree to be the parent of exp.
originalExpressionTree->set_parent(parent);
// And then delete the folded constant.
SageInterface::deleteAST(exp);
}
}
#endif
SgArrayType* arrayType = isSgArrayType(node);
if (arrayType != NULL)
{
#if 0
printf ("Found an array type arrayType = %p arrayType->get_index() = %p \n",arrayType,arrayType->get_index());
#endif
SgExpression* index = arrayType->get_index();
if (index != NULL)
{
#if 0
printf ("Fixup array index = %p = %s (traverse index AST subtree) \n",index,index->class_name().c_str());
#endif
RemoveConstantFoldedValue astFixupTraversal;
astFixupTraversal.traverse(index);
#if 0
printf ("DONE: Fixup array index = %p (traverse index AST) \n\n\n\n",index);
#endif
#if 0
printf ("Found an array index = %p (fixup index directly) \n",index);
#endif
// Handle the case where the original expression tree is at the root of the subtree.
SgExpression* originalExpressionTree = index->get_originalExpressionTree();
if (originalExpressionTree != NULL)
{
#if 0
printf ("Found an originalExpressionTree in the array index originalExpressionTree = %p \n",originalExpressionTree);
#endif
// DQ (6/12/2013): This appears to be a problem in EDG 4.7 (see test2011_117.C).
std::vector<SgExpression*> redundantChainOfOriginalExpressionTrees;
if (originalExpressionTree->get_originalExpressionTree() != NULL)
{
#if 0
printf ("Detected originalExpressionTree nested directly within the originalExpressionTree \n",
originalExpressionTree,originalExpressionTree->class_name().c_str(),
originalExpressionTree->get_originalExpressionTree(),originalExpressionTree->get_originalExpressionTree()->class_name().c_str());
#endif
// Loop to the end of the chain of original expressions (which EDG 4.7 should never have constructed).
while (originalExpressionTree->get_originalExpressionTree() != NULL)
{
#if 0
printf ("Looping through a chain of originalExpressionTrees \n");
#endif
// Save the list of redundnat nodes so that we can delete them properly.
redundantChainOfOriginalExpressionTrees.push_back(originalExpressionTree);
originalExpressionTree = originalExpressionTree->get_originalExpressionTree();
}
#if 0
printf ("Exiting as a test! \n");
ROSE_ASSERT(false);
#endif
}
arrayType->set_index(originalExpressionTree);
originalExpressionTree->set_parent(arrayType);
index->set_originalExpressionTree(NULL);
// printf ("DEBUGING: skip delete of index in array type \n");
delete index;
// DQ (6/12/2013): Delete the nodes that we had to skip over (caused by chain of redundant entries from EDG 4.7).
std::vector<SgExpression*>::iterator i = redundantChainOfOriginalExpressionTrees.begin();
while (i != redundantChainOfOriginalExpressionTrees.end())
{
#if 0
printf ("deleting the redundnat originalExpressionTree chain caused by EDG 4.7 (delete %p = %s) \n",*i,(*i)->class_name().c_str());
#endif
delete *i;
i++;
}
index = NULL;
}
}
}
SgVariableDefinition* variableDefinition = isSgVariableDefinition(node);
if (variableDefinition != NULL)
{
#if 0
printf ("Found a SgVariableDefinition \n");
#endif
SgExpression* bitfieldExp = variableDefinition->get_bitfield();
if (bitfieldExp != NULL)
{
#if 0
printf ("Fixup bitfieldExp = %p (traverse bitfieldExp AST subtree) \n",bitfieldExp);
#endif
RemoveConstantFoldedValue astFixupTraversal;
astFixupTraversal.traverse(bitfieldExp);
// Handle the case where the original expression tree is at the root of the subtree.
SgExpression* originalExpressionTree = bitfieldExp->get_originalExpressionTree();
if (originalExpressionTree != NULL)
{
#if 0
// DQ (9/18/2011): This code will not work since the bitfile data member in SgVariableDefinition is a SgUnsignedLongVal instead of a SgExpression.
variableDefinition->set_bitfield(originalExpressionTree);
originalExpressionTree->set_parent(variableDefinition);
bitfieldExp->set_originalExpressionTree(NULL);
delete bitfieldExp;
bitfieldExp = NULL;
#else
// The ROSE AST needs to be fixed to handle more general expressions for bitfield widths (this does not effect the CFG).
// TODO: Change the data type of the bitfield data member in SgVariableDefinition.
// DQ (1/20/2014): This has been done now.
// printf ("Member data bitfield widths need to be changed (in the ROSE IR) to support more general expressions (can't fix this original expression tree) \n");
#endif
#if 0
// This case is not handled yet!
printf ("Found an original expression tree in a bitfield expression \n");
ROSE_ASSERT(false);
#endif
}
}
}
}
ExprSynAttr *examineVariableDeclaration(SgVariableDeclaration* decl, ostream &out) {
SgInitializedNamePtrList& name_list = decl->get_variables();
SgInitializedNamePtrList::const_iterator name_iter;
ExprSynAttr *ret = NULL;
ExprSynAttr *gc = NULL;
ret = new ExprSynAttr();
for (name_iter = name_list.begin();
name_iter != name_list.end();
name_iter++) {
SgInitializedName* name = *name_iter;
SgSymbol* symbol = name->get_symbol_from_symbol_table();
SgType *type = symbol->get_type();
int nr_stars = 0;
stringstream ss1;
while (isSgArrayType(type) ||
isSgPointerType(type)) {
if (isSgArrayType(type)) {
SgArrayType *atype = isSgArrayType(type);
SgExpression *expr = atype->get_index();
type = atype->get_base_type();
ss1 << "[";
if (expr)
examineExpr(expr, ss1);
ss1 << "]";
} else {
SgPointerType *ttype = isSgPointerType(type);
type = ttype->get_base_type();
nr_stars++;
}
}
examinePrimTypeName(type, ret->code);
ret->code << " ";
for (int i = 0; i < nr_stars; ++i)
ret->code << "*";
ret->code << symbol->get_name().getString();
ret->code << ss1.str();
ss1.str("");
SgInitializer *initer = name->get_initializer();
if (initer) {
switch (initer->variantT()) {
case V_SgAssignInitializer:
SgAssignInitializer *ai = isSgAssignInitializer(initer);
SgExpression *expr = ai->get_operand();
if (expr) {
ret->code << "=";
gc = examineExpr(expr, ret->code);
if (gc != NULL)
delete gc;
}
break;
default:
break;
}
}
/* end of this decl */
ret->code << ";";
out << ret->code.str();
return ret;
/*
cout << "[Decl] Variable (name:"<<symbol->get_name().getString();
cout << ",type:"<<symbol->get_type()->class_name();
cout << ",init:";
SgInitializer* init_expr = name->get_initializer();
if (init_expr)
cout << init_expr->class_name();
else
cout << "none";
cout << ")" << endl;
*/
}
}
std::string initializeVariable(SgInitializedName* initName) {
//if array type we need to get the index expression
std::string index_expression_string;
std::stringstream nameStringStream;
SgName initNameName = initName->get_qualified_name();
SgSymbol* initNameSym = initName->search_for_symbol_from_symbol_table();
if (variablesOfNameX.find(initNameName.getString()) == variablesOfNameX.end()) {
nameStringStream << initNameName.getString() << "_0";
variablesOfNameX[initNameName.getString()] = 1;
}
else {
int occurrence = variablesOfNameX[initNameName.getString()];
nameStringStream << initNameName.getString() << "_" << occurrence;
variablesOfNameX[initNameName.getString()] = occurrence+1;
}
SymbolToZ3[initNameSym] = nameStringStream.str();
SymbolToInstances[initNameSym] = 0;
SgType* initNameType = initName->get_type();
std::string typeZ3;
if (initNameType->isIntegerType()) {
typeZ3 = "Int";
}
else if (initNameType->isFloatType()) {
typeZ3 = "Real";
}
else if (isSgArrayType(initNameType)) {
SgArrayType* arrTyp = isSgArrayType(initNameType);
ROSE_ASSERT(arrTyp != NULL);
SgType* underlying_type = arrTyp->get_base_type();
std::string array_typeZ3;
if (underlying_type->isIntegerType()) {
array_typeZ3 = "Int";
}
else if (underlying_type->isFloatType()) {
array_typeZ3 = "Real";
}
else {
std::cout << "unknown underlying type of array!" << std::endl;
std::cout << underlying_type->class_name() << std::endl;
ROSE_ASSERT(false);
}
SgExpression* ind = arrTyp->get_index();
std::stringstream arrStr;
index_expression_string = getSgExpressionString(ind);
typeZ3 = "(Array Int " + array_typeZ3 + ")";
}
else if (isSgClassType(initNameType)) {
std::cout << "structs are not yet implemented" << std::endl;
ROSE_ASSERT(false);
}
else if (isSgPointerType(initNameType)) {
std::cout << "pointers are not yet implemented" << std::endl;
ROSE_ASSERT(false);
}
else if (isSgEnumType(initNameType)) {
SgEnumType* et = isSgEnumType(initNameType);
SgEnumDeclaration* enum_d = isSgEnumDeclaration(et->getAssociatedDeclaration());
getSgDeclarationStatement(enum_d);
typeZ3 = et->get_name().getString();
}
else {
std::cout << "unknown type: " << initNameType->class_name() << std::endl;
ROSE_ASSERT(false);
}
std::string name = nameStringStream.str() + "_0";
std::stringstream streamZ3;
if (isSgArrayType(initNameType)) {
streamZ3 << "(declare-const " << name << " " << typeZ3 << ")";
streamZ3 << "\n(declare-fun " << name << "_len () Int)";
streamZ3 << "\n(assert (= " << name << "_len " << index_expression_string << "))";
#ifdef ARRAY_TEST
std::cout << "arrStream: " << streamZ3.str() << std::endl;
#endif
}
else if (isSgEnumType(initNameType)) {
streamZ3 << "(declare-const " << name << " " << typeZ3 << ")";
}
else {
streamZ3 << "(declare-fun " << name << " () " << typeZ3 << ")";
}
return streamZ3.str();
}
int
main( int argc, char* argv[] )
{
// Initialize and check compatibility. See rose::initialize
ROSE_INITIALIZE;
SgProject* project = frontend(argc,argv);
AstTests::runAllTests(project);
#if 0
// Output the graph so that we can see the whole AST graph, for debugging.
generateAstGraph(project, 4000);
#endif
#if 1
printf ("Generate the dot output of the SAGE III AST \n");
generateDOT ( *project );
printf ("DONE: Generate the dot output of the SAGE III AST \n");
#endif
// There are lots of way to write this, this is one simple approach; get all the function calls.
std::vector<SgNode*> functionCalls = NodeQuery::querySubTree (project,V_SgFunctionCallExp);
// Find the SgFunctionSymbol for snprintf so that we can reset references to "sprintf" to "snprintf" instead.
// SgGlobal* globalScope = (*project)[0]->get_globalScope();
SgSourceFile* sourceFile = isSgSourceFile(project->get_fileList()[0]);
ROSE_ASSERT(sourceFile != NULL);
SgGlobal* globalScope = sourceFile->get_globalScope();
SgFunctionSymbol* snprintf_functionSymbol = globalScope->lookup_function_symbol("snprintf");
ROSE_ASSERT(snprintf_functionSymbol != NULL);
// Iterate over the function calls to find the calls to "sprintf"
for (unsigned long i = 0; i < functionCalls.size(); i++)
{
SgFunctionCallExp* functionCallExp = isSgFunctionCallExp(functionCalls[i]);
ROSE_ASSERT(functionCallExp != NULL);
SgFunctionRefExp* functionRefExp = isSgFunctionRefExp(functionCallExp->get_function());
if (functionRefExp != NULL)
{
SgFunctionSymbol* functionSymbol = functionRefExp->get_symbol();
if (functionSymbol != NULL)
{
SgName functionName = functionSymbol->get_name();
// printf ("Function being called: %s \n",functionName.str());
if (functionName == "sprintf")
{
// Now we have something to do!
functionRefExp->set_symbol(snprintf_functionSymbol);
// Now add the "n" argument
SgExprListExp* functionArguments = functionCallExp->get_args();
SgExpressionPtrList & functionArgumentList = functionArguments->get_expressions();
// "sprintf" shuld have exactly 2 arguments (I guess the "..." don't count)
printf ("functionArgumentList.size() = %zu \n",functionArgumentList.size());
// ROSE_ASSERT(functionArgumentList.size() == 2);
SgExpressionPtrList::iterator i = functionArgumentList.begin();
// printf ("(*i) = %p = %s = %s \n",*i,(*i)->class_name().c_str(),SageInterface::get_name(*i).c_str());
SgVarRefExp* variableRefExp = isSgVarRefExp(*i);
ROSE_ASSERT(variableRefExp != NULL);
// printf ("variableRefExp->get_type() = %p = %s = %s \n",variableRefExp->get_type(),variableRefExp->get_type()->class_name().c_str(),SageInterface::get_name(variableRefExp->get_type()).c_str());
SgType* bufferType = variableRefExp->get_type();
SgExpression* bufferLengthExpression = NULL;
switch(bufferType->variantT())
{
case V_SgArrayType:
{
SgArrayType* arrayType = isSgArrayType(bufferType);
bufferLengthExpression = arrayType->get_index();
break;
}
case V_SgPointerType:
{
// SgPointerType* pointerType = isSgPointerType(bufferType);
SgInitializedName* variableDeclaration = variableRefExp->get_symbol()->get_declaration();
ROSE_ASSERT(variableDeclaration != NULL);
SgExpression* initializer = variableDeclaration->get_initializer();
if (initializer != NULL)
{
SgAssignInitializer* assignmentInitializer = isSgAssignInitializer(initializer);
ROSE_ASSERT(assignmentInitializer != NULL);
// This is the rhs of the initialization of the pointer (likely a malloc through a cast).
// This assumes: buffer = (char*) malloc(bufferLengthExpression);
SgExpression* initializationExpression = assignmentInitializer->get_operand();
ROSE_ASSERT(initializationExpression != NULL);
SgCastExp* castExp = isSgCastExp(initializationExpression);
ROSE_ASSERT(castExp != NULL);
SgFunctionCallExp* functionCall = isSgFunctionCallExp(castExp->get_operand());
ROSE_ASSERT(functionCall != NULL);
SgExprListExp* functionArguments = isSgExprListExp(functionCall->get_args());
bufferLengthExpression = functionArguments->get_expressions()[0];
ROSE_ASSERT(bufferLengthExpression != NULL);
}
else
{
printf ("Initializer not found, so no value for n in snprintf can be computed currently \n");
}
break;
}
default:
{
printf ("Error: default reached in evaluation of buffer type = %p = %s \n",bufferType,bufferType->class_name().c_str());
ROSE_ASSERT(false);
}
}
ROSE_ASSERT(bufferLengthExpression != NULL);
// printf ("bufferLengthExpression = %p = %s = %s \n",bufferLengthExpression,bufferLengthExpression->class_name().c_str(),SageInterface::get_name(bufferLengthExpression).c_str());
// Jump over the first argument, the "n" is defined to be the 2nd argument (the rest are shifted one position).
i++;
// Build a deep copy of the expression used to define the static buffer (could be any complex expression).
SgTreeCopy copy_help;
SgExpression* bufferLengthExpression_copy = isSgExpression(bufferLengthExpression->copy(copy_help));
// Insert the "n" for the parameter list to work with "snprintf" instead of "sprintf"
functionArgumentList.insert(i,bufferLengthExpression_copy);
}
}
}
}
return backend(project);
}
