Add handlers and fix

Author: mamaria-k

include/klee/Module/TaintAnnotation.h

@@ -14,19 +14,10 @@ using source_ty = size_t;
 using sink_ty = size_t;
 using rule_ty = size_t;
 
-struct TaintHitInfo final {
-  source_ty source;
-  sink_ty sink;
-
-  explicit TaintHitInfo(source_ty source, sink_ty sink);
-
-  bool operator<(const TaintHitInfo &other) const;
-  bool operator==(const TaintHitInfo &other) const;
-};
-
-using TaintHitsMap = std::map<TaintHitInfo, rule_ty>;
-
 struct TaintAnnotation final {
+  using TaintHitsSink = std::map<source_ty, rule_ty>;
+  using TaintHitsMap = std::map<sink_ty, TaintHitsSink>;
+
   TaintHitsMap hits;
 
   std::unordered_map<std::string, source_ty> sources;

include/klee/klee.h

@@ -67,7 +67,7 @@ bool klee_check_taint_source(void *array, size_t taint_source);
  * \arg addr - The start of the object.
  * \arg taint_sink - Taint sink.
  */
-size_t klee_get_taint_rule(void *array, size_t taint_sink);
+uint64_t klee_get_taint_rule(void *array, size_t taint_sink);
 
 /* klee_taint_hit - Execute taint hit with rule.
  *

lib/Core/Executor.cpp

@@ -5028,7 +5028,7 @@ void Executor::terminateStateOnTargetError(ExecutionState &state,
 }
 
 void Executor::terminateStateOnTargetTaintError(ExecutionState &state,
-                                                size_t rule) {
+                                                uint64_t rule) {
   if (rule >= annotationsData.taintAnnotation.rules.size()) {
     terminateStateOnUserError(state, "Incorrect rule id");
   }
@@ -5541,6 +5541,133 @@ void Executor::executeFree(ExecutionState &state, ref<PointerExpr> address,
   }
 }
 
+void Executor::executeChangeTaintSource(ExecutionState &state,
+                                        klee::KInstruction *target,
+                                        ref<PointerExpr> address,
+                                        uint64_t source, bool isAdd) {
+  address = optimizer.optimizeExpr(address, true);
+  ref<Expr> isNullPointer = Expr::createIsZero(address->getValue());
+  StatePair zeroPointer =
+      forkInternal(state, isNullPointer, BranchType::ResolvePointer);
+  if (zeroPointer.first) {
+    auto error =
+        (isReadFromSymbolicArray(address->getBase()) && zeroPointer.second)
+            ? ReachWithErrorType::MayBeNullPointerException
+            : ReachWithErrorType::MustBeNullPointerException;
+    terminateStateOnTargetError(*zeroPointer.first, ReachWithError(error));
+  }
+  if (zeroPointer.second) { // address != 0
+    ExactResolutionList rl;
+    resolveExact(*zeroPointer.second, address,
+                 typeSystemManager->getUnknownType(), rl, "сhangeTaintSource");
+    for (Executor::ExactResolutionList::iterator it = rl.begin(), ie = rl.end();
+         it != ie; ++it) {
+      const MemoryObject *mo = it->first;
+      RefObjectPair op =
+          it->second->addressSpace.findOrLazyInitializeObject(mo);
+      ref<const ObjectState> os = op.second;
+
+      ObjectState *wos = it->second->addressSpace.getWriteable(mo, os.get());
+      if (wos->readOnly) {
+        terminateStateOnProgramError(*(it->second),
+                                     "memory error: object read only",
+                                     StateTerminationType::ReadOnly);
+      } else {
+        wos->updateTaint(Expr::createTaintBySource(source), isAdd);
+      }
+    }
+  }
+}
+
+void Executor::executeCheckTaintSource(ExecutionState &state,
+                                       klee::KInstruction *target,
+                                       ref<PointerExpr> address,
+                                       uint64_t source) {
+  address = optimizer.optimizeExpr(address, true);
+  ref<Expr> isNullPointer = Expr::createIsZero(address->getValue());
+  StatePair zeroPointer =
+      forkInternal(state, isNullPointer, BranchType::ResolvePointer);
+  if (zeroPointer.first) {
+    auto error =
+        (isReadFromSymbolicArray(address->getBase()) && zeroPointer.second)
+            ? ReachWithErrorType::MayBeNullPointerException
+            : ReachWithErrorType::MustBeNullPointerException;
+    terminateStateOnTargetError(*zeroPointer.first, ReachWithError(error));
+  }
+  if (zeroPointer.second) {
+    ExactResolutionList rl;
+    resolveExact(*zeroPointer.second, address,
+                 typeSystemManager->getUnknownType(), rl, "checkTaintSource");
+
+    for (Executor::ExactResolutionList::iterator it = rl.begin(), ie = rl.end();
+         it != ie; ++it) {
+      const MemoryObject *mo = it->first;
+      RefObjectPair op =
+          it->second->addressSpace.findOrLazyInitializeObject(mo);
+      ref<const ObjectState> os = op.second;
+
+      ref<Expr> taintSource =
+          ExtractExpr::create(os->readTaint(), source, Expr::Bool);
+      bindLocal(target, *it->second, taintSource);
+    }
+  }
+}
+
+void Executor::executeGetTaintRule(ExecutionState &state,
+                                   klee::KInstruction *target,
+                                   ref<PointerExpr> address, uint64_t sink) {
+  const auto &hitsBySink = annotationsData.taintAnnotation.hits[sink];
+  ref<Expr> hitsBySinkTaint = Expr::createEmptyTaint();
+  for (const auto [source, rule] : hitsBySink) {
+    hitsBySinkTaint =
+        OrExpr::create(hitsBySinkTaint, Expr::createTaintBySource(source));
+  }
+
+  address = optimizer.optimizeExpr(address, true);
+  ref<Expr> isNullPointer = Expr::createIsZero(address->getValue());
+  StatePair zeroPointer =
+      forkInternal(state, isNullPointer, BranchType::ResolvePointer);
+  if (zeroPointer.first) {
+    auto error =
+        (isReadFromSymbolicArray(address->getBase()) && zeroPointer.second)
+            ? ReachWithErrorType::MayBeNullPointerException
+            : ReachWithErrorType::MustBeNullPointerException;
+    terminateStateOnTargetError(*zeroPointer.first, ReachWithError(error));
+  }
+  if (zeroPointer.second) {
+    ExactResolutionList rl;
+    resolveExact(*zeroPointer.second, address,
+                 typeSystemManager->getUnknownType(), rl, "getTaintRule");
+
+    for (Executor::ExactResolutionList::iterator it = rl.begin(), ie = rl.end();
+         it != ie; ++it) {
+      const MemoryObject *mo = it->first;
+      RefObjectPair op =
+          it->second->addressSpace.findOrLazyInitializeObject(mo);
+      ref<const ObjectState> os = op.second;
+
+      ref<Expr> hits = AndExpr::create(os->readTaint(), hitsBySinkTaint);
+
+      auto curState = it->second;
+      for (size_t source = 0;
+           source < annotationsData.taintAnnotation.sources.size(); source++) {
+        ref<Expr> taintSource = ExtractExpr::create(hits, source, Expr::Bool);
+        StatePair taintSourceStates =
+            forkInternal(*curState, taintSource, BranchType::Taint);
+        if (taintSourceStates.first) {
+          bindLocal(target, *taintSourceStates.first,
+                    ConstantExpr::create(hitsBySink.at(source) + 1,
+                                         Expr::Int64)); // return (rule + 1)
+        }
+        if (taintSourceStates.second) {
+          curState = taintSourceStates.second;
+        }
+      }
+      bindLocal(target, *curState, ConstantExpr::create(0, Expr::Int64));
+    }
+  }
+}
+
 bool Executor::resolveExact(ExecutionState &estate, ref<Expr> address,
                             KType *type, ExactResolutionList &results,
                             const std::string &name) {

lib/Core/Executor.h

@@ -361,6 +361,18 @@ class Executor : public Interpreter {
   void executeFree(ExecutionState &state, ref<PointerExpr> address,
                    KInstruction *target = 0);
 
+  void executeChangeTaintSource(ExecutionState &state,
+                                klee::KInstruction *target,
+                                ref<PointerExpr> address, uint64_t source,
+                                bool isAdd);
+
+  void executeCheckTaintSource(ExecutionState &state,
+                               klee::KInstruction *target,
+                               ref<PointerExpr> address, uint64_t source);
+
+  void executeGetTaintRule(ExecutionState &state, klee::KInstruction *target,
+                           ref<PointerExpr> address, uint64_t sink);
+
   /// Serialize a landingpad instruction so it can be handled by the
   /// libcxxabi-runtime
   MemoryObject *serializeLandingpad(ExecutionState &state,
@@ -634,7 +646,7 @@ class Executor : public Interpreter {
   /// Then just call `terminateStateOnError`
   void terminateStateOnTargetError(ExecutionState &state, ReachWithError error);
 
-  void terminateStateOnTargetTaintError(ExecutionState &state, size_t rule);
+  void terminateStateOnTargetTaintError(ExecutionState &state, uint64_t rule);
 
   /// Call error handler and terminate state in case of program errors
   /// (e.g. free()ing globals, out-of-bound accesses)

lib/Core/Memory.cpp

@@ -476,8 +476,7 @@ ref<Expr> ObjectState::readTaint(ref<Expr> offset, Expr::Width width) const {
   // Otherwise, follow the slow general case.
   unsigned NumBytes = width / 8;
   assert(width == NumBytes * 8 && "Invalid read size!");
-  ref<Expr> Res(0);
-  ref<Expr> null = Expr::createPointer(0);
+  ref<Expr> Res = Expr::createEmptyTaint();
   for (unsigned i = 0; i != NumBytes; ++i) {
     unsigned idx = Context::get().isLittleEndian() ? i : (NumBytes - i - 1);
     ref<Expr> Byte = readTaint8(
@@ -496,8 +495,7 @@ ref<Expr> ObjectState::readTaint(unsigned offset, Expr::Width width) const {
   // Otherwise, follow the slow general case.
   unsigned NumBytes = width / 8;
   assert(width == NumBytes * 8 && "Invalid width for read size!");
-  ref<Expr> Res(0);
-  ref<Expr> null = Expr::createPointer(0);
+  ref<Expr> Res = Expr::createEmptyTaint();
   for (unsigned i = 0; i != NumBytes; ++i) {
     unsigned idx = Context::get().isLittleEndian() ? i : (NumBytes - i - 1);
     ref<Expr> Byte = readTaint8(offset + idx);

lib/Core/MockBuilder.cpp

@@ -611,7 +611,7 @@ void MockBuilder::buildAnnotationForExternalFunctionArgs(
       Statement::InitNull *initNullPtr = nullptr;
 
       bool isMocked = false;
-      std::string mockName = "klee_mock" + func->getName().str() + "_arg_" +
+      std::string mockName = "klee_mock_" + func->getName().str() + "_arg_" +
                              std::to_string(i) + "_" +
                              std::to_string(offsetIndex);
 
@@ -681,10 +681,10 @@ void MockBuilder::buildAnnotationForExternalFunctionArgs(
             klee_error("Annotation: TaintOutput arg is not pointer");
           }
 
-          if (!isMocked) {
-            buildCallKleeMakeMockAll(elem, mockName);
-            isMocked = true;
-          }
+//          if (!isMocked) {
+//            buildCallKleeMakeMockAll(elem, mockName);
+//            isMocked = true;
+//          }
           buildAnnotationTaintOutput(elem, statement);
           break;
         }
@@ -693,10 +693,10 @@ void MockBuilder::buildAnnotationForExternalFunctionArgs(
             klee_error("Annotation: TaintPropagation arg is not pointer");
           }
 
-          if (!isMocked) {
-            buildCallKleeMakeMockAll(elem, mockName);
-            isMocked = true;
-          }
+//          if (!isMocked) {
+//            buildCallKleeMakeMockAll(elem, mockName);
+//            isMocked = true;
+//          }
           buildAnnotationTaintPropagation(elem, statement, func,
                                           "_arg_" + std::to_string(i) + "_");
           break;

lib/Core/SpecialFunctionHandler.cpp

@@ -1298,10 +1298,10 @@ void SpecialFunctionHandler::handleAddTaint(klee::ExecutionState &state,
     return;
   }
 
-//  uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
-//  printf("klee_add_taint source: %zu\n", taintSource);
-//  executor.executeChangeTaintSource(
-//      state, target, executor.makePointer(arguments[0]), taintSource, true);
+  uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
+  printf("klee_add_taint source: %zu\n", taintSource);
+  executor.executeChangeTaintSource(
+      state, target, executor.makePointer(arguments[0]), taintSource, true);
 }
 
 void SpecialFunctionHandler::handleClearTaint(
@@ -1314,10 +1314,10 @@ void SpecialFunctionHandler::handleClearTaint(
     return;
   }
 
-//  uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
-//  printf("klee_clear_taint source: %zu\n", taintSource);
-//  executor.executeChangeTaintSource(
-//      state, target, executor.makePointer(arguments[0]), taintSource, false);
+  uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
+  printf("klee_clear_taint source: %zu\n", taintSource);
+  executor.executeChangeTaintSource(
+      state, target, executor.makePointer(arguments[0]), taintSource, false);
 }
 
 void SpecialFunctionHandler::handleCheckTaintSource(
@@ -1330,10 +1330,10 @@ void SpecialFunctionHandler::handleCheckTaintSource(
     return;
   }
 
-//  uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
-//  printf("klee_check_taint_source source: %zu\n", taintSource);
-//  executor.executeCheckTaintSource(
-//      state, target, executor.makePointer(arguments[0]), taintSource);
+  uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
+  printf("klee_check_taint_source source: %zu\n", taintSource);
+  executor.executeCheckTaintSource(
+      state, target, executor.makePointer(arguments[0]), taintSource);
 }
 
 void SpecialFunctionHandler::handleGetTaintRule(
@@ -1346,14 +1346,14 @@ void SpecialFunctionHandler::handleGetTaintRule(
     return;
   }
 
-  //  // TODO: now mock
-    ref<Expr> result = ConstantExpr::create(1, Expr::Int64);
-    executor.bindLocal(target, state, result);
+//  //  // TODO: now mock
+//    ref<Expr> result = ConstantExpr::create(1, Expr::Int64);
+//    executor.bindLocal(target, state, result);
 
-//  uint64_t taintSink = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
-//  printf("klee_get_taint_rule source: %zu\n", taintSink);
-//  executor.executeGetTaintRule(state, target,
-//                               executor.makePointer(arguments[0]), taintSink);
+  uint64_t taintSink = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
+  printf("klee_get_taint_rule sink: %zu\n", taintSink);
+  executor.executeGetTaintRule(state, target,
+                               executor.makePointer(arguments[0]), taintSink);
 }
 
 void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,

lib/Expr/Expr.cpp

@@ -559,18 +559,18 @@ ref<ConstantExpr> Expr::createTaintBySource(uint64_t source) {
 
 ref<Expr> Expr::combineTaints(const ref<Expr> &taintL,
                               const ref<Expr> &taintR) {
-  if (SelectExpr *sel = dyn_cast<SelectExpr>(taintL)) {
-    taintL->dump();
-  }
-  if (PointerExpr *sel = dyn_cast<PointerExpr>(taintL)) {
-    taintR->dump();
-  }
-  if (ConstantExpr *sel = dyn_cast<ConstantExpr>(taintL)) {
-    if (ConstantExpr *ser = dyn_cast<ConstantExpr>(taintR)) {
-      sel->getAPValue().dump();
-      ser->getAPValue().dump();
-    }
-  }
+//  if (SelectExpr *sel = dyn_cast<SelectExpr>(taintL)) {
+//    taintL->dump();
+//  }
+//  if (PointerExpr *sel = dyn_cast<PointerExpr>(taintL)) {
+//    taintR->dump();
+//  }
+//  if (ConstantExpr *sel = dyn_cast<ConstantExpr>(taintL)) {
+//    if (ConstantExpr *ser = dyn_cast<ConstantExpr>(taintR)) {
+//      sel->getAPValue().dump();
+//      ser->getAPValue().dump();
+//    }
+//  }
   return OrExpr::create(taintL, taintR);
 }
 

lib/Module/TaintAnnotation.cpp

@@ -5,16 +5,6 @@
 
 namespace klee {
 
-TaintHitInfo::TaintHitInfo(source_ty source, sink_ty sink)
-    : source(source), sink(sink) {}
-
-bool TaintHitInfo::operator<(const TaintHitInfo &other) const {
-  return (sink < other.sink) || (source < other.source);
-}
-bool TaintHitInfo::operator==(const TaintHitInfo &other) const {
-  return (source == other.source) && (sink == other.sink);
-}
-
 TaintAnnotation::TaintAnnotation(const std::string &path) {
   if (path.empty()) {
     return;
@@ -60,11 +50,12 @@ TaintAnnotation::TaintAnnotation(const std::string &path) {
       klee_error("Taint annotations: Incorrect file format");
     }
 
+    std::map<source_ty, rule_ty> hitsForSink;
     for (auto &taintHitJson : item.value()) {
-      hits[TaintHitInfo(sources[taintHitJson["source"]], sinksCounter)] =
+      hitsForSink[sources[taintHitJson["source"]]] =
           rulesMap[taintHitJson["rule"]];
     }
-
+    hits[sinksCounter] = hitsForSink;
     sinksCounter++;
   }
 }