Fraunhofer-AISEC · oxisto · Nov 23, 2023 · Nov 23, 2023 · Sep 29, 2023 · Oct 2, 2023
@@ -35,13 +35,14 @@ import de.fraunhofer.aisec.cpg.graph.edges.flows.EvaluationOrder
 import de.fraunhofer.aisec.cpg.graph.statements.IfStatement
 import de.fraunhofer.aisec.cpg.graph.statements.WhileStatement
 import de.fraunhofer.aisec.cpg.helpers.*
+import de.fraunhofer.aisec.cpg.helpers.LatticeElement
 import de.fraunhofer.aisec.cpg.passes.configuration.DependsOn
 
 /**
  * A [Pass] which uses a simple logic to determine constant values and mark unreachable code regions
  * by setting the [EvaluationOrder.unreachable] property to true.
  */
-@DependsOn(ControlFlowSensitiveDFGPass::class)
+@DependsOn(ControlFlowSensitiveDFGPass::class, softDependency = true)
 class UnreachableEOGPass(ctx: TranslationContext) : TranslationUnitPass(ctx) {
     override fun cleanup() {
         // Nothing to do

@@ -219,10 +219,16 @@ fun dataFlow(
     from: Node,
     predicate: (Node) -> Boolean,
     collectFailedPaths: Boolean = true,
-    findAllPossiblePaths: Boolean = true
+    findAllPossiblePaths: Boolean = true,
+    continueAfterHit: Boolean = false
 ): QueryTree<Boolean> {
     val evalRes =
-        from.followNextFullDFGEdgesUntilHit(collectFailedPaths, findAllPossiblePaths, predicate)
+        from.followNextFullDFGEdgesUntilHit(
+            collectFailedPaths,
+            findAllPossiblePaths,
+            continueAfterHit,
+            predicate
+        )
     val allPaths = evalRes.fulfilled.map { QueryTree(it) }.toMutableList()
     if (collectFailedPaths) allPaths.addAll(evalRes.failed.map { QueryTree(it) })
     return QueryTree(

@@ -539,7 +539,7 @@ private constructor(
             registerPass<DynamicInvokeResolver>()
             registerPass<EvaluationOrderGraphPass>() // creates EOG
             registerPass<TypeResolver>()
-            registerPass<ControlFlowSensitiveDFGPass>()
+            //            registerPass<ControlFlowSensitiveDFGPass>()
             registerPass<FilenameMapper>()
             registerPass<ResolveCallExpressionAmbiguityPass>()
             registerPass<ResolveMemberExpressionAmbiguityPass>()

@@ -477,6 +477,48 @@ fun MetadataProvider.newReference(
     return node
 }
 
+/**
+ * Creates a new [PointerReference]. The [MetadataProvider] receiver will be used to fill different
+ * meta-data using [Node.applyMetadata]. Calling this extension function outside of Kotlin requires
+ * an appropriate [MetadataProvider], such as a [LanguageFrontend] as an additional prepended
+ * argument.
+ */
+@JvmOverloads
+fun MetadataProvider.newPointerReference(
+    name: CharSequence?,
+    type: Type = unknownType(),
+    rawNode: Any? = null
+): PointerReference {
+    val node = PointerReference()
+    node.applyMetadata(this, name, rawNode, true)
+
+    node.type = type
+
+    log(node)
+    return node
+}
+
+/**
+ * Creates a new [PointerReference]. The [MetadataProvider] receiver will be used to fill different
+ * meta-data using [Node.applyMetadata]. Calling this extension function outside of Kotlin requires
+ * an appropriate [MetadataProvider], such as a [LanguageFrontend] as an additional prepended
+ * argument.
+ */
+@JvmOverloads
+fun MetadataProvider.newPointerDereference(
+    name: CharSequence?,
+    type: Type = unknownType(),
+    rawNode: Any? = null
+): PointerDereference {
+    val node = PointerDereference()
+    node.applyMetadata(this, name, rawNode, true)
+
+    node.type = type
+
+    log(node)
+    return node
+}
+
 /**
  * Creates a new [DeleteExpression]. The [MetadataProvider] receiver will be used to fill different
  * meta-data using [Node.applyMetadata]. Calling this extension function outside of Kotlin requires

@@ -480,6 +480,7 @@ fun Node.followXUntilHit(
     x: (Node) -> List<Node>,
     collectFailedPaths: Boolean = true,
     findAllPossiblePaths: Boolean = true,
+    continueAfterHit: Boolean = false,
     predicate: (Node) -> Boolean
 ): FulfilledAndFailedPaths {
     // Looks complicated but at least it's not recursive...
@@ -517,9 +518,18 @@ fun Node.followXUntilHit(
             }
             // The next node is new in the current path (i.e., there's no loop), so we add the path
             // with the next step to the worklist.
+            // For our daily dose of special magic, we check that the path reaching the next node
+            // differs. If the path is different, we do accept seeing the same node multiple times.
+            val indexedPath =
+                currentPath
+                    .mapIndexed { index, node -> if (node == next) Pair(index, node) else null }
+                    .filterNotNull()
             if (
-                next !in currentPath &&
-                    (findAllPossiblePaths ||
+                (indexedPath.isEmpty() ||
+                    indexedPath.all {
+                        it.first == 0 || currentNode != currentPath[it.first - 1]
+                    }) &&
+                    ((findAllPossiblePaths && currentPath.count { it == next } <= 2) ||
                         (next !in alreadySeenNodes && worklist.none { next in it }))
             ) {
                 worklist.add(nextPath)
@@ -542,12 +552,14 @@ fun Node.followXUntilHit(
 fun Node.followNextFullDFGEdgesUntilHit(
     collectFailedPaths: Boolean = true,
     findAllPossiblePaths: Boolean = true,
+    continueAfterHit: Boolean = true,
     predicate: (Node) -> Boolean
 ): FulfilledAndFailedPaths {
     return followXUntilHit(
         x = { currentNode -> currentNode.nextFullDFG },
         collectFailedPaths = collectFailedPaths,
         findAllPossiblePaths = findAllPossiblePaths,
+        continueAfterHit = continueAfterHit,
         predicate = predicate
     )
 }
@@ -1001,8 +1013,8 @@ private fun Node.eogDistanceTo(to: Node): Int {
 fun Expression?.unwrapReference(): Reference? {
     return when {
         this is Reference -> this
-        this is UnaryOperator && (this.operatorCode == "*" || this.operatorCode == "&") ->
-            this.input.unwrapReference()
+        this is PointerReference -> this
+        this is PointerDereference -> this
         this is CastExpression -> this.expression.unwrapReference()
         else -> null
     }

@@ -28,6 +28,7 @@ package de.fraunhofer.aisec.cpg.graph
 import de.fraunhofer.aisec.cpg.graph.edges.Edge
 import de.fraunhofer.aisec.cpg.graph.edges.flows.Dataflow
 import de.fraunhofer.aisec.cpg.graph.edges.flows.PartialDataflowGranularity
+import de.fraunhofer.aisec.cpg.graph.edges.flows.PointerDataflowGranularity
 import de.fraunhofer.aisec.cpg.helpers.identitySetOf
 import kotlin.reflect.KProperty1
 
@@ -115,6 +116,8 @@ private fun Edge<Node>.label(): String {
         var granularity = this.granularity
         if (granularity is PartialDataflowGranularity) {
             builder.append(" (partial, ${granularity.partialTarget?.name})")
+        } else if (granularity is PointerDataflowGranularity) {
+            builder.append(" (pointer, ${granularity.pointerTarget.name})")
         } else {
             builder.append(" (full)")
         }

@@ -38,7 +38,7 @@ import kotlin.uuid.Uuid
  */
 class Name(
     /** The local name (sometimes also called simple name) without any namespace information. */
-    val localName: String,
+    var localName: String,
     /** The parent name, e.g., the namespace this name lives in. */
     val parent: Name? = null,
     /** A potential namespace delimiter, usually either `.` or `::`. */

@@ -178,21 +178,21 @@ abstract class Node :
 
     /** Incoming data flow edges */
     @Relationship(value = "DFG", direction = Relationship.Direction.INCOMING)
-    @PopulatedByPass(DFGPass::class, ControlFlowSensitiveDFGPass::class)
+    @PopulatedByPass(DFGPass::class, PointsToPass::class)
     var prevDFGEdges: Dataflows<Node> =
         Dataflows<Node>(this, mirrorProperty = Node::nextDFGEdges, outgoing = false)
         protected set
 
     /** Virtual property for accessing [prevDFGEdges] without property edges. */
-    @PopulatedByPass(DFGPass::class, ControlFlowSensitiveDFGPass::class)
+    @PopulatedByPass(DFGPass::class, PointsToPass::class)
     var prevDFG by unwrapping(Node::prevDFGEdges)
 
     /**
      * Virtual property for accessing [nextDFGEdges] that have a
      * [de.fraunhofer.aisec.cpg.graph.edges.flows.FullDataflowGranularity].
      */
     @DoNotPersist
-    @PopulatedByPass(DFGPass::class, ControlFlowSensitiveDFGPass::class)
+    @PopulatedByPass(DFGPass::class, PointsToPass::class, ControlFlowSensitiveDFGPass::class)
     val prevFullDFG: List<Node>
         get() {
             return prevDFGEdges
@@ -201,22 +201,22 @@ abstract class Node :
         }
 
     /** Outgoing data flow edges */
-    @PopulatedByPass(DFGPass::class, ControlFlowSensitiveDFGPass::class)
+    @PopulatedByPass(DFGPass::class, PointsToPass::class)
     @Relationship(value = "DFG", direction = Relationship.Direction.OUTGOING)
     var nextDFGEdges: Dataflows<Node> =
         Dataflows<Node>(this, mirrorProperty = Node::prevDFGEdges, outgoing = true)
         protected set
 
     /** Virtual property for accessing [nextDFGEdges] without property edges. */
-    @PopulatedByPass(DFGPass::class, ControlFlowSensitiveDFGPass::class)
+    @PopulatedByPass(DFGPass::class, PointsToPass::class)
     var nextDFG by unwrapping(Node::nextDFGEdges)
 
     /**
      * Virtual property for accessing [nextDFGEdges] that have a
      * [de.fraunhofer.aisec.cpg.graph.edges.flows.FullDataflowGranularity].
      */
     @DoNotPersist
-    @PopulatedByPass(DFGPass::class, ControlFlowSensitiveDFGPass::class)
+    @PopulatedByPass(DFGPass::class, PointsToPass::class, ControlFlowSensitiveDFGPass::class)
     val nextFullDFG: List<Node>
         get() {
             return nextDFGEdges.filter { it.granularity is FullDataflowGranularity }.map { it.end }

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2021, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+package de.fraunhofer.aisec.cpg.graph
+
+/** A Dataflow for a pointer can have different types: Either to its address, or to its value. */
+enum class PointerAccess {
+    ADDRESS,
+    VALUE
+}
@@ -46,7 +46,7 @@ fun LanguageProvider.autoType(): Type {
 }
 
 fun MetadataProvider?.incompleteType(): Type {
-    return IncompleteType()
+    return IncompleteType((this as? LanguageProvider)?.language)
 }
 
 /** Returns a [PointerType] that describes an array reference to the current type. */

@@ -27,6 +27,7 @@ package de.fraunhofer.aisec.cpg.graph.declarations
 
 import de.fraunhofer.aisec.cpg.graph.Node
 import de.fraunhofer.aisec.cpg.graph.scopes.Symbol
+import de.fraunhofer.aisec.cpg.graph.statements.expressions.MemoryAddress
 import de.fraunhofer.aisec.cpg.persistence.DoNotPersist
 import org.neo4j.ogm.annotation.NodeEntity
 
@@ -46,4 +47,12 @@ abstract class Declaration : Node() {
         get() {
             return this.name.localName
         }
+
+    /**
+     * Each Declaration allocates new memory, AKA a new address, so we create a new MemoryAddress
+     * node
+     */
+    open lateinit var memoryAddress: MemoryAddress
+
+    fun memoryAddressIsInitialized() = ::memoryAddress.isInitialized
 }
@@ -76,6 +76,18 @@ open class FunctionDeclaration : ValueDeclaration(), DeclarationHolder, EOGStart
             return if (isDefinition) this else field
         }
 
+    /**
+     * Saves the information on which parameter(s) of the function are modified by the function.
+     * This is interesting since we need to add DFG edges between the modified parameter and the
+     * respective argument(s). For each [ParameterDeclaration] as well as the
+     * [MethodDeclaration.receiver] that has some incoming DFG-edge within this
+     * [FunctionDeclaration], we store all previous DFG nodes. The map stores a Pair of Nodes and
+     * Booleans. The Node indicates the new source value, and the Boolean indicates if the node
+     * should be dereferenced. Additionally, we use the String to indicate sub-accesses, i.e. to
+     * parts of a struct or to array-expressions
+     */
+    var functionSummary = mutableMapOf<Node, MutableSet<Triple<Node, Boolean, String>>>()
+
     /** Returns true, if this function has a [body] statement. */
     fun hasBody(): Boolean {
         return body != null

@@ -26,16 +26,22 @@
 package de.fraunhofer.aisec.cpg.graph.declarations
 
 import de.fraunhofer.aisec.cpg.graph.HasDefault
+import de.fraunhofer.aisec.cpg.graph.Name
 import de.fraunhofer.aisec.cpg.graph.edges.ast.astOptionalEdgeOf
 import de.fraunhofer.aisec.cpg.graph.edges.unwrapping
 import de.fraunhofer.aisec.cpg.graph.statements.expressions.Expression
+import de.fraunhofer.aisec.cpg.graph.statements.expressions.ParameterMemoryValue
 import java.util.*
 import org.neo4j.ogm.annotation.Relationship
 
 /** A declaration of a function or nontype template parameter. */
 class ParameterDeclaration : ValueDeclaration(), HasDefault<Expression?> {
     var isVariadic = false
 
+    var memoryValue: ParameterMemoryValue = ParameterMemoryValue(Name("value")) /*.apply {
+            memoryAddress = this@ParameterDeclaration.memoryAddress
+        }*/
+
     @Relationship(value = "DEFAULT", direction = Relationship.Direction.OUTGOING)
     var defaultValueEdge = astOptionalEdgeOf<Expression>()
     private var defaultValue by unwrapping(ParameterDeclaration::defaultValueEdge)

@@ -30,9 +30,7 @@ import de.fraunhofer.aisec.cpg.graph.edges.ast.astEdgesOf
 import de.fraunhofer.aisec.cpg.graph.edges.ast.astOptionalEdgeOf
 import de.fraunhofer.aisec.cpg.graph.edges.unwrapping
 import de.fraunhofer.aisec.cpg.graph.scopes.GlobalScope
-import de.fraunhofer.aisec.cpg.graph.statements.expressions.ConstructExpression
-import de.fraunhofer.aisec.cpg.graph.statements.expressions.Expression
-import de.fraunhofer.aisec.cpg.graph.statements.expressions.Reference
+import de.fraunhofer.aisec.cpg.graph.statements.expressions.*
 import de.fraunhofer.aisec.cpg.graph.types.AutoType
 import de.fraunhofer.aisec.cpg.graph.types.HasType
 import de.fraunhofer.aisec.cpg.graph.types.TupleType

@@ -27,11 +27,18 @@ package de.fraunhofer.aisec.cpg.graph.edges.flows
 
 import com.fasterxml.jackson.annotation.JsonIgnore
 import de.fraunhofer.aisec.cpg.graph.Node
+import de.fraunhofer.aisec.cpg.graph.PointerAccess
 import de.fraunhofer.aisec.cpg.graph.declarations.*
+import de.fraunhofer.aisec.cpg.graph.declarations.Declaration
+import de.fraunhofer.aisec.cpg.graph.declarations.FieldDeclaration
+import de.fraunhofer.aisec.cpg.graph.declarations.TupleDeclaration
+import de.fraunhofer.aisec.cpg.graph.declarations.VariableDeclaration
 import de.fraunhofer.aisec.cpg.graph.edges.Edge
 import de.fraunhofer.aisec.cpg.graph.edges.collections.EdgeSet
 import de.fraunhofer.aisec.cpg.graph.edges.collections.MirroredEdgeCollection
 import de.fraunhofer.aisec.cpg.graph.statements.expressions.*
+import de.fraunhofer.aisec.cpg.graph.statements.expressions.CallExpression
+import de.fraunhofer.aisec.cpg.graph.statements.expressions.MemberExpression
 import de.fraunhofer.aisec.cpg.graph.types.HasType
 import de.fraunhofer.aisec.cpg.helpers.neo4j.DataflowGranularityConverter
 import kotlin.reflect.KProperty
@@ -53,12 +60,21 @@ sealed interface Granularity
  */
 data object FullDataflowGranularity : Granularity
 
+/**
+ * This dataflow granularity denotes that the value or address of a pointer is flowing from
+ * [Dataflow.start] to [Dataflow.end].
+ */
+data class PointerDataflowGranularity(
+    /** Does the Dataflow affect the pointer's address or its value? */
+    val pointerTarget: PointerAccess
+) : Granularity
+
 /**
  * This dataflow granularity denotes that not the "whole" object is flowing from [Dataflow.start] to
  * [Dataflow.end] but only parts of it. Common examples include [MemberExpression] nodes, where we
  * model a dataflow to the base, but only partially scoped to a particular field.
  */
-class PartialDataflowGranularity(
+data class PartialDataflowGranularity(
     /** The target that is affected by this partial dataflow. */
     val partialTarget: Declaration?
 ) : Granularity
@@ -80,6 +96,14 @@ fun partial(target: Declaration?): PartialDataflowGranularity {
     return PartialDataflowGranularity(target)
 }
 
+/**
+ * Creates a new [PointerDataflowGranularity]. The [ValueAccess] is specified if the pointer's value
+ * is accessed, or its address.
+ */
+fun pointer(access: PointerAccess): PointerDataflowGranularity {
+    return PointerDataflowGranularity(access)
+}
+
 /**
  * This edge class defines a flow of data between [start] and [end]. The flow can have a certain
  * [granularity].