Import null pointer information from PDG into static analysis #1086
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ahomescu
force-pushed
the
ahomescu/non_null
branch
from
ac9abd6
to
0a55190
Compare
|
I still need to test this on some actual code (maybe lighttpd?) |
kkysen
changed the title
spernsteiner
approved these changes
Apr 26, 2024
ahomescu
force-pushed
the
ahomescu/non_null
branch
from
0a55190
to
1f4aa09
Compare
ahomescu
commented
Apr 30, 2024
ahomescu
force-pushed
the
ahomescu/non_null
branch
from
1f4aa09
to
2b30b48
Compare
|
Is this waiting on anything, other than needing a |
fw-immunant
reviewed
Jun 3, 2024
fw-immunant
approved these changes
Jun 3, 2024
ahomescu
force-pushed
the
ahomescu/non_null
branch
9 times, most recently
from
f0cadd4
to
de844f5
Compare
ahomescu
force-pushed
the
ahomescu/non_null
branch
4 times, most recently
from
3a5ab91
to
710b626
Compare
|
@ahomescu Don't forget to fix the CI. Currently it's failing on the |
There was a problem hiding this comment.
Seems generally reasonable. This approach of collapsing nested projections down to a single byte offset will limit our ability to extract borrowchecker aliasing information from the PDG, if we end up wanting to do that in the future.
Are there any automated tests related to instrumentation or the PDG? I thought we had one or two, but I could be wrong.
| CopyRef => unimplemented!(), | ||
| AddrOfLocal(ptr, _, size) => { | ||
| // TODO: is this a local from another function? | ||
| mapping.size = size.try_into().ok(); |
There was a problem hiding this comment.
Can this conversion ever fail? If not, it seems like you could make the field size: usize instead of Option<usize> and avoid the None case above.
There was a problem hiding this comment.
The field would still need to be size: Option<usize> because we have other cases where we get a pointer without a known size. That comes from the None on line 268.
Some of this is happening because we get pointers from native libraries (e.g. glibc) which we have no control over. I think the best we can do right now is say "this is a pointer we know nothing about", and maybe add some clever heuristics later.
Re the conversion: I could do Some(size.try_into().unwrap()), that might be better for debugging?
ahomescu
force-pushed
the
ahomescu/non_null
branch
from
710b626
to
31c703a
Compare
ahomescu
force-pushed
the
ahomescu/non_null
branch
2 times, most recently
from
bcfaceb
to
2a94d8f
Compare
Record field and index projections for pointers by recording a Project event with a base and target pointer pair.
ahomescu
force-pushed
the
ahomescu/non_null
branch
2 times, most recently
from
db8c192
to
e9b6204
Compare
spernsteiner
approved these changes
Aug 14, 2024
ahomescu
force-pushed
the
ahomescu/non_null
branch
5 times, most recently
from
34ddf68
to
b0351bf
Compare
ahomescu
force-pushed
the
ahomescu/non_null
branch
from
b0351bf
to
c86dd94
Compare
Add an index value to Project events to differentiate between different projections with the same pointer offset, e.g., (*p).x and (*p).x.a if a is the first field of the structure. This is implemented as a HashMap<u64, Vec<usize>> where each element is a unique combination of field projections. The Project key points to an element in this map. The keys are randomly-generated 64-bit keys with very low probability of collision.
The event assignment-based PDG construction steps were giving incorrect results for indirect accesses, so remove them completely.
Track the provenance of pointers with finer granularity by storing the size of every allocation, local, and constant inside the corresponding events. With this information, we can keep track of the boundaries of every object and track whether a projected pointer falls inside the original allocation.
Keep track of the size of every local for the new provenance algorithm.
Add a new arg_ptr() method that allows passing
a pointer directly to an event handler.
The handler needs to be generic on the pointee type:
fn foo_handler<T: ?Sized>(ptr: *const T) { ... }
This change allows us to get more information about
the pointees from the event handler body, e.g.,
call std::mem::size_of_val().
Add a new AddrOfSized event and use it to keep track of the sizes of all constant operands for the new provenance algorithm.
Handle Offset nodes with a base pointer of 0
where the offset is non-zero, potentially resulting
in a brand new pointer.
One such case occurs in mod_cgi from lighttpd:
const uintptr_t baseptr = (uintptr_t)env->b->ptr;
for (i = 0; i < env->oused; ++i)
envp[i] += baseptr;
Mark each PDG graph with a boolean flag that represents whether that graph corresponds to the null pointer or not. The PDG construction algorithm seems to build one unique graph for all null pointers in the entire program.
Add one test where a function argument can be either null or non-null in the recur() function of the analysis/tests/misc example code.
The dynamic instrumentation code inserts additional locals for its own instrumentation code.
Remove the NON_NULL permission from all nodes in the null graph from the PDG.
If the dynamic analysis tells us a pointer is never NULL (i.e. it never shows up in an is_null graph), then force the NON_NULL permission on it using updates_forbidden. This is potentially an unsound transformation because the pointer may actually be NULL on other inputs not covered by the sample ones.
ahomescu
force-pushed
the
ahomescu/non_null
branch
from
c86dd94
to
36ed671
Compare
ahomescu
force-pushed
the
ahomescu/non_null
branch
from
39acd9d
to
f898e86
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.