Skip to content

Commit

Permalink
Set extra trace in backward analysis
Browse files Browse the repository at this point in the history 
Summary: This diff updates the BackTaintTransfer to populate the ExtraTrace field of the frame when we apply a PropagationWithTrace. The extra trace will be the same as the "origin" or "callsite" of the taint but nested within per kind.

Reviewed By: arthaud

Differential Revision: D48002721

fbshipit-source-id: 59c82de33b66f42289743a4839c1081b76398931
  • Loading branch information
@facebook-github-bot
Anwesh Tuladhar authored and facebook-github-bot committed Aug 9, 2023
1 parent d82642e commit 3d31385
Show file tree
Hide file tree
Showing 7 changed files with 149 additions and 29 deletions.
9 changes: 7 additions & 2 deletions source/CalleeFrames.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -109,8 +109,13 @@ CalleeFrames CalleeFrames::update_with_propagation_trace(
// "callee" so we do not need to "propagate" these calls.
// All these (prior) transform hops are tracked as ExtraTrace hop
// frames to create a subtrace.
// TODO: T158087152 Add extra trace hops for subtraces.
return *this;
CalleeFrames result = *this;
result.map([&propagation_frame](Frame frame) {
frame.add_extra_trace(propagation_frame);
return frame;
});

return result;
}

mt_assert(callee_call_info.is_propagation_without_trace());
Expand Down
5 changes: 0 additions & 5 deletions source/ForwardTaintTransfer.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -288,11 +288,6 @@ void apply_propagations(
auto transformed_taint_tree =
transforms::apply_propagation(context, propagation, input_taint_tree);

if (propagation.call_info().is_propagation_with_trace()) {
// Add ExtraTrace first hop
transformed_taint_tree.add_extra_trace(propagation);
}

auto output_root = propagation_kind->root();
FeatureMayAlwaysSet features = FeatureMayAlwaysSet::make_always(
callee.model.add_features_to_arguments(output_root));
Expand Down
7 changes: 0 additions & 7 deletions source/Taint.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,13 +120,6 @@ void Taint::add_locally_inferred_features_and_local_position(
}
}

void Taint::add_extra_trace(const Frame& propagation_frame) {
map([&propagation_frame](Frame frame) {
frame.add_extra_trace(propagation_frame);
return frame;
});
}

Taint Taint::propagate(
const Method* callee,
const AccessPath& callee_port,
Expand Down
2 changes: 0 additions & 2 deletions source/Taint.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,8 +133,6 @@ class Taint final : public sparta::AbstractDomain<Taint> {
const FeatureMayAlwaysSet& features,
const Position* MT_NULLABLE position);

void add_extra_trace(const Frame& propagation_frame);

/**
* Propagate the taint from the callee to the caller.
*
Expand Down
8 changes: 1 addition & 7 deletions source/TaintTree.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,13 +73,6 @@ void TaintTree::add_locally_inferred_features_and_local_position(
});
}

void TaintTree::add_extra_trace(const Frame& propagation_frame) {
tree_.map([&propagation_frame](Taint taint) {
taint.add_extra_trace(propagation_frame);
return taint;
});
}

void TaintTree::attach_position(const Position* position) {
tree_.map(
[position](Taint taint) { return taint.attach_position(position); });
Expand Down Expand Up @@ -122,6 +115,7 @@ void TaintTree::update_maximum_collapse_depth(CollapseDepth collapse_depth) {
}

void TaintTree::update_with_propagation_trace(const Frame& propagation_frame) {
mt_assert(propagation_frame.call_info().is_propagation_with_trace());
tree_.map([&propagation_frame](const Taint& taint) {
return taint.update_with_propagation_trace(propagation_frame);
});
Expand Down
2 changes: 0 additions & 2 deletions source/TaintTree.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -107,8 +107,6 @@ class TaintTree final : public sparta::AbstractDomain<TaintTree> {
const FeatureMayAlwaysSet& features,
const Position* MT_NULLABLE position);

void add_extra_trace(const Frame& propagation_frame);

void attach_position(const Position* position);

/* Return all taint in the tree. */
Expand Down
145 changes: 141 additions & 4 deletions source/tests/integration/end-to-end/code/taint_transforms/expected_output.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -988,6 +988,20 @@
{
"call_info" : "PropagationWithTrace:CallSite",
"distance" : 2,
"extra_traces" :
[
{
"kind" : "T2:LocalReturn",
"origin" :
{
"position" :
{
"line" : 33,
"path" : "ExtraTraces.java"
}
}
}
],
"kind" : "T2@T1:LocalReturn",
"origins" :
[
Expand All @@ -1001,6 +1015,20 @@
{
"call_info" : "PropagationWithTrace:CallSite",
"distance" : 2,
"extra_traces" :
[
{
"kind" : "T2:LocalReturn",
"origin" :
{
"position" :
{
"line" : 33,
"path" : "ExtraTraces.java"
}
}
}
],
"kind" : "T2@T2:LocalReturn",
"origins" :
[
Expand Down Expand Up @@ -1355,6 +1383,20 @@
{
"call_info" : "CallSite",
"distance" : 1,
"extra_traces" :
[
{
"kind" : "T1:LocalReturn",
"origin" :
{
"position" :
{
"line" : 65,
"path" : "ExtraTraces.java"
}
}
}
],
"kind" : "T1@Sink",
"origins" :
[
Expand All @@ -1364,6 +1406,20 @@
{
"call_info" : "CallSite",
"distance" : 1,
"extra_traces" :
[
{
"kind" : "T2:LocalReturn",
"origin" :
{
"position" :
{
"line" : 68,
"path" : "ExtraTraces.java"
}
}
}
],
"kind" : "T2@Sink",
"origins" :
[
Expand Down Expand Up @@ -1880,7 +1936,7 @@
{
"call_info" : "CallSite",
"distance" : 1,
"kind" : "T1@T2:Sink",
"kind" : "T2:Sink",
"origins" :
[
"Lcom/facebook/marianatrench/integrationtests/Origin;.sink:(Ljava/lang/Object;)V"
Expand All @@ -1889,7 +1945,21 @@
{
"call_info" : "CallSite",
"distance" : 1,
"kind" : "T2:Sink",
"extra_traces" :
[
{
"kind" : "T1:LocalReturn",
"origin" :
{
"position" :
{
"line" : 159,
"path" : "TaintTransforms.java"
}
}
}
],
"kind" : "T1@T2:Sink",
"origins" :
[
"Lcom/facebook/marianatrench/integrationtests/Origin;.sink:(Ljava/lang/Object;)V"
Expand Down Expand Up @@ -2315,6 +2385,20 @@
},
{
"call_info" : "Origin",
"extra_traces" :
[
{
"kind" : "T1:LocalReturn",
"origin" :
{
"position" :
{
"line" : 135,
"path" : "TaintTransforms.java"
}
}
}
],
"kind" : "T1@Sink",
"origins" :
[
Expand Down Expand Up @@ -2364,6 +2448,20 @@
[
{
"call_info" : "Origin",
"extra_traces" :
[
{
"kind" : "T2:LocalReturn",
"origin" :
{
"position" :
{
"line" : 142,
"path" : "TaintTransforms.java"
}
}
}
],
"kind" : "T2@Sink",
"origins" :
[
Expand Down Expand Up @@ -2413,15 +2511,54 @@
[
{
"call_info" : "Origin",
"kind" : "T1:T2@Sink",
"extra_traces" :
[
{
"kind" : "T2:LocalReturn",
"origin" :
{
"position" :
{
"line" : 151,
"path" : "TaintTransforms.java"
}
}
}
],
"kind" : "T2@Sink",
"origins" :
[
"Lcom/facebook/marianatrench/integrationtests/Origin;.sink:(Ljava/lang/Object;)V"
]
},
{
"call_info" : "Origin",
"kind" : "T2@Sink",
"extra_traces" :
[
{
"kind" : "T1:LocalReturn",
"origin" :
{
"position" :
{
"line" : 150,
"path" : "TaintTransforms.java"
}
}
},
{
"kind" : "T2:LocalReturn",
"origin" :
{
"position" :
{
"line" : 151,
"path" : "TaintTransforms.java"
}
}
}
],
"kind" : "T1:T2@Sink",
"origins" :
[
"Lcom/facebook/marianatrench/integrationtests/Origin;.sink:(Ljava/lang/Object;)V"
Expand Down

0 comments on commit 3d31385

Please sign in to comment.