update log format, added senapi keyword to branch cases

Author: ARISTODE

CMakeLists.txt

@@ -33,7 +33,7 @@ endif()
 
 # Compiler flags
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall\
-    -fdiagnostics-color=always -Wno-everything")
+    -fdiagnostics-color=always")
 
 include_directories("include")
 include_directories("src")

include/LockAttackAnalysis.hh

@@ -53,8 +53,10 @@ namespace pdg
     void computeCorruptedCallBackRetVal();
     // semantic violation
     void computeBugOnLoc();
-    void computeRiskyDirectRefCount();
-    bool isAtomicRefCountCall(llvm::CallInst &CI);
+    void computeRiskyDirectRefCount(nlohmann::ordered_json &riskyRefCJsons);
+    bool isRefCountCall(llvm::CallInst &CI);
+    bool isAtomicTRefCount(llvm::CallInst &CI);
+    bool isRefCntTRefCount(llvm::CallInst &CI);
 
   private:
     llvm::Module *_module;

include/PDGUtils.hh

@@ -27,6 +27,7 @@ namespace pdg
     bool hasReadAccess(llvm::Value &v);
     bool hasWriteAccess(llvm::Value &v);
     bool hasPtrDereference(llvm::Value &v);
+    bool hasDoubleLoad(llvm::Value &v);
     bool isSentinelType(llvm::GlobalVariable &gv);
     bool isUserOfSentinelTypeVal(llvm::Value &v);
     bool isVoidPointerHasMultipleCasts(TreeNode &treeNode);
@@ -69,8 +70,10 @@ namespace pdg
     std::string getDemangledName(const char *mangledName);
     void readLinesFromFile(std::set<std::string> &lines, std::string fileName);
     void printSourceLocation(llvm::Instruction &I, llvm::raw_ostream &OutputStream = llvm::errs());
+    unsigned getSourceLineNo(llvm::Instruction &I);
     std::string getSourceLocationStr(llvm::Instruction &I);
     std::string getSourceLocationStrForInlineInst(llvm::Instruction &I);
+    std::string getInstructionString(llvm::Instruction &I);
     llvm::DILocation* getTopDebugLocation(llvm::DILocation *DL);
     std::string getFuncSourceLocStr(llvm::Function &F);
     unsigned getFuncUniqueId(const llvm::Function &F);

include/RiskyAPIAnalysis.hh

@@ -14,28 +14,19 @@ namespace pdg
             void getAnalysisUsage(llvm::AnalysisUsage &AU) const override;
             llvm::StringRef getPassName() const override { return "Risky Field Analysis"; }
             bool runOnModule(llvm::Module &M) override;
+            void propagateTaints(std::set<llvm::Function *> &kernelInterfaceAPIs);
+            void classifyRiskySharedFields();
+            void classifyRiskyBoundaryParams(std::set<llvm::Function *> &kernelInterfaceAPIs);
+            void classifyDrvCallBackRetval();
+
             bool isDriverControlledField(TreeNode &tn);
             llvm::Function *canReachSensitiveOperations(Node &srcFuncNode);
             void classifyRiskyFieldDirectUse(TreeNode &tn);
             void classifyRiskyFieldTaint(TreeNode &tn);
-            void classifyRiskyField(TreeNode &tn, std::set<RiskyDataType> &riskyClassifications, nlohmann::ordered_json &taintJsonObjs, unsigned &caseID);
-            bool classifyRiskyPtrField(TreeNode &tn, std::set<RiskyDataType> &riskyClassifications, nlohmann::ordered_json &taintJsonObjs, unsigned &caseID);
-            bool classifyRiskyNonPtrField(TreeNode &tn, std::set<RiskyDataType> &riskyClassifications, nlohmann::ordered_json &taintJsonObjs, unsigned &caseID);
-            // checks for atomic_t type field
-            bool isSharedAtomicField(TreeNode &tn);
-
-            // pointer field checks
-            bool checkPtrValUsedInPtrArithOp(Node &n);
-            // scalar field checks
-            bool checkValUsedAsArrayIndex(Node &n);
-            bool checkIsArrayAccess(llvm::Instruction &inst);
-            // generic field checks
-            static bool checkValUsedInPtrArithOp(Node &n);
-            bool checkValUsedInSenBranchCond(Node &n, llvm::raw_fd_ostream &OS, std::string &senTypeStr);
-            bool checkValInSecurityChecks(Node &n);
-            static bool checkValUsedInSensitiveOperations(Node &n, std::string &senOpName);
-            bool checkValUsedInInlineAsm(Node &n);
-            bool isSensitiveOperation(llvm::Function &F);
+            void classifyRiskyField(TreeNode &tn, std::set<RiskyDataType> &riskyClassifications, nlohmann::ordered_json &taintJsonObjs);
+            bool classifyRiskyPtrField(TreeNode &tn, std::set<RiskyDataType> &riskyClassifications, nlohmann::ordered_json &taintJsonObjs);
+            bool classifyRiskyNonPtrField(TreeNode &tn, std::set<RiskyDataType> &riskyClassifications, nlohmann::ordered_json &taintJsonObjs);
+            // helper funcs
             bool hasUpdateInDrv(TreeNode &n);
             // print helpers
             void printRiskyFieldInfo(llvm::raw_ostream &os, const std::string &category, TreeNode &treeNode, llvm::Function &func, llvm::Instruction &inst);
@@ -58,6 +49,7 @@ namespace pdg
             // store taint source/sink pair
             std::set<std::tuple<Node *, Node *, std::string, std::string>> _taintTuples;
             std::set<std::tuple<Node *, Node *, std::string, std::string>> _structTaintTuples; // used to store taint for struct field
+            unsigned _caseID = 0;
             // stats counting
             unsigned _numKernelReadDriverUpdatedFields = 0;
             unsigned _numSharedFields = 0;
@@ -72,7 +64,6 @@ namespace pdg
             std::unordered_map<RiskyDataType, int> totalRiskyFieldCounters;
             std::unordered_map<RiskyDataType, int> totalRiskyParamCounters;
             nlohmann::ordered_json taintTracesJson = nlohmann::ordered_json::array();
-            nlohmann::ordered_json taintTracesJsonNoConds = nlohmann::ordered_json::array();
             nlohmann::ordered_json unclassifiedFieldsJson = nlohmann::ordered_json::array();
     };
 }