Add taint analysis

Author: mmvpm

gradle.properties

@@ -62,6 +62,7 @@ testNgVersion=7.6.0
 mockitoInlineVersion=4.0.0
 kamlVersion = 0.51.0
 jacksonVersion = 2.12.3
+kotlinxSerializationVersion=1.5.0
 javasmtSolverZ3Version=4.8.9-sosy1
 slf4jVersion=1.7.36
 eclipseAetherVersion=1.1.0

utbot-analytics/src/main/kotlin/org/utbot/features/UtExpressionStructureCounter.kt

@@ -153,6 +153,13 @@ class UtExpressionStructureCounter(private val input: Iterable<UtExpression>) :
         return stat
     }
 
+    override fun visit(expr: UtBvNotExpression): NestStat {
+        val stat = buildState(expr.variable.expr)
+        stat.level++
+        stat.nodes++
+        return stat
+    }
+
     override fun visit(expr: UtCastExpression): NestStat {
         val stat = buildState(expr.variable.expr)
         stat.level++

utbot-framework-api/src/main/kotlin/org/utbot/framework/UtSettings.kt

@@ -265,6 +265,21 @@ object UtSettings : AbstractSettings(logger, defaultKeyForSettingsPath, defaultS
         DEFAULT_EXECUTION_TIMEOUT_IN_INSTRUMENTED_PROCESS_MS
     )
 
+    /**
+     * Enable taint analysis or not.
+     */
+    var useTaintAnalysis by getBooleanProperty(false)
+
+    /**
+     * How deep we should analyze the exceptions.
+     */
+    val exploreExceptionsDepth: ExploreExceptionsDepth
+        get() =
+            if (useTaintAnalysis)
+                ExploreExceptionsDepth.EXPLORE_ALL_STATEMENTS
+            else
+                ExploreExceptionsDepth.SKIP_ALL_STATEMENTS
+
 // region engine process debug
 
     /**
@@ -645,3 +660,24 @@ enum class SummariesGenerationType {
      */
     NONE,
 }
+
+/**
+ * Enum to describe how deep we should analyze the exceptions.
+ */
+enum class ExploreExceptionsDepth {
+
+    /**
+     * Skip all statements between exception's `new` and `<init>` statements.
+     */
+    SKIP_ALL_STATEMENTS,
+
+    /**
+     * Skip only exception's <init> statement.
+     */
+    SKIP_INIT_STATEMENT,
+
+    /**
+     * Do not skip statements.
+     */
+    EXPLORE_ALL_STATEMENTS
+}

utbot-framework-api/src/main/kotlin/org/utbot/framework/plugin/api/ArtificialErrors.kt

@@ -15,4 +15,14 @@ sealed class ArtificialError(message: String): Error(message)
  *
  * See [TraversalContext.intOverflowCheck] for more details.
  */
-class OverflowDetectionError(message: String): ArtificialError(message)
+class OverflowDetectionError(message: String): ArtificialError(message)
+
+/**
+ * An artificial error that could be implicitly thrown by the symbolic engine during taint sink processing.
+ */
+class TaintAnalysisError(
+    sinkFqn: String,
+    taintedVar: String,
+    taintMark: String,
+    message: String = "'$taintedVar' marked '$taintMark' was passed into '$sinkFqn' method"
+) : ArtificialError(message)

utbot-framework-api/src/main/kotlin/org/utbot/framework/plugin/api/UtExecutionResult.kt

@@ -23,6 +23,10 @@ data class UtOverflowFailure(
     override val exception: Throwable,
 ) : UtExecutionFailure()
 
+data class UtTaintAnalysisFailure(
+    override val exception: Throwable
+) : UtExecutionFailure()
+
 data class UtSandboxFailure(
     override val exception: Throwable
 ) : UtExecutionFailure()

utbot-framework-test/src/test/kotlin/org/utbot/taint/parser/TaintAnalysisConfigurationParserTest.kt renamed to utbot-framework-test/src/test/kotlin/org/utbot/taint/parser/TaintYamlParserTest.kt

@@ -8,27 +8,27 @@ import org.utbot.taint.parser.constants.*
 import org.utbot.taint.parser.model.*
 import org.utbot.taint.parser.yaml.TaintParseError
 
-class TaintAnalysisConfigurationParserTest {
+class TaintYamlParserTest {
 
     @Test
     fun `parse should parse correct yaml`() {
-        val actualConfiguration = TaintAnalysisConfigurationParser.parse(yamlInput)
+        val actualConfiguration = TaintYamlParser.parse(yamlInput)
         assertEquals(expectedConfiguration, actualConfiguration)
     }
 
     @Test
     fun `parse should throw exception on malformed yaml`() {
         val malformedYamlInput = yamlInput.replace("{", "")
         assertThrows<YamlException> {
-            TaintAnalysisConfigurationParser.parse(malformedYamlInput)
+            TaintYamlParser.parse(malformedYamlInput)
         }
     }
 
     @Test
     fun `parse should throw exception on incorrect yaml`() {
         val incorrectYamlInput = yamlInput.replace(k_not, "net")
         assertThrows<TaintParseError> {
-            TaintAnalysisConfigurationParser.parse(incorrectYamlInput)
+            TaintYamlParser.parse(incorrectYamlInput)
         }
     }
 

utbot-framework/build.gradle

@@ -8,6 +8,10 @@ configurations {
     z3native
 }
 
+plugins {
+    id 'org.jetbrains.kotlin.plugin.serialization' version '1.7.20'
+}
+
 dependencies {
 
     api project(':utbot-fuzzers')
@@ -30,6 +34,7 @@ dependencies {
     implementation group: 'com.charleskorn.kaml', name: 'kaml', version: kamlVersion
     implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: jacksonVersion
     implementation group: 'org.sosy-lab', name: 'javasmt-solver-z3', version: javasmtSolverZ3Version
+    implementation group: 'org.jetbrains.kotlinx', name: 'kotlinx-serialization-cbor', version: kotlinxSerializationVersion
     implementation group: 'com.github.curious-odd-man', name: 'rgxgen', version: rgxgenVersion
     implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: log4j2Version
     implementation group: 'io.github.microutils', name: 'kotlin-logging', version: kotlinLoggingVersion

utbot-framework/src/main/kotlin/org/utbot/engine/Extensions.kt

@@ -45,11 +45,6 @@ import soot.SootField
 import soot.SootMethod
 import soot.Type
 import soot.Value
-import soot.jimple.Expr
-import soot.jimple.InvokeExpr
-import soot.jimple.JimpleBody
-import soot.jimple.StaticFieldRef
-import soot.jimple.Stmt
 import soot.jimple.internal.JDynamicInvokeExpr
 import soot.jimple.internal.JIdentityStmt
 import soot.jimple.internal.JInterfaceInvokeExpr
@@ -69,6 +64,7 @@ import kotlinx.collections.immutable.PersistentMap
 import kotlinx.collections.immutable.persistentHashMapOf
 import org.utbot.engine.types.OBJECT_TYPE
 import org.utbot.framework.plugin.api.util.enumConstants
+import soot.jimple.*
 
 val JIdentityStmt.lines: String
     get() = tags.joinToString { "$it" }
@@ -85,6 +81,15 @@ fun Expr.isInvokeExpr() = this is JDynamicInvokeExpr
         || this is JVirtualInvokeExpr
         || this is JSpecialInvokeExpr
 
+fun InvokeExpr.baseOrNull(): Value? =
+    when (this) {
+        is StaticInvokeExpr -> null
+        is SpecialInvokeExpr -> base
+        is VirtualInvokeExpr -> base
+        is InterfaceInvokeExpr -> base
+        else -> null
+    }
+
 val SootMethod.pureJavaSignature
     get() = bytecodeSignature.substringAfter(' ').dropLast(1)
 

utbot-framework/src/main/kotlin/org/utbot/engine/Memory.kt

@@ -14,13 +14,15 @@ import org.utbot.engine.pc.UtExpression
 import org.utbot.engine.pc.UtFalse
 import org.utbot.engine.pc.UtInt32Sort
 import org.utbot.engine.pc.UtIntSort
+import org.utbot.engine.pc.UtLongSort
 import org.utbot.engine.pc.UtMkArrayExpression
 import org.utbot.engine.pc.UtMkTermArrayExpression
 import org.utbot.engine.pc.UtSeqSort
 import org.utbot.engine.pc.UtSort
 import org.utbot.engine.pc.UtTrue
 import org.utbot.engine.pc.mkArrayConst
 import org.utbot.engine.pc.mkInt
+import org.utbot.engine.pc.mkLong
 import org.utbot.engine.pc.select
 import org.utbot.engine.pc.store
 import org.utbot.engine.pc.toSort
@@ -109,6 +111,12 @@ data class Memory( // TODO: split purely symbolic memory and information about s
         UtFalse,
         UtArraySort(UtAddrSort, UtBoolSort)
     ),
+    // const array here is because even in the situation when MUT is marked as a `PassThrough` we will
+    // process this information in a current state, not initial one
+    private var taintArray: UtArrayExpressionBase = UtConstArrayExpression(
+        mkLong(value = 0L),
+        UtArraySort(indexSort = UtAddrSort, itemSort = UtLongSort)
+    ),
     private val symbolicEnumValues: PersistentList<ObjectValue> = persistentListOf()
 ) {
     val chunkIds: Set<ChunkId>
@@ -163,6 +171,8 @@ data class Memory( // TODO: split purely symbolic memory and information about s
      */
     fun isSpeculativelyNotNull(addr: UtAddrExpression): UtArraySelectExpression = speculativelyNotNullAddresses.select(addr)
 
+    fun taintVector(addr: UtAddrExpression): UtArraySelectExpression = taintArray.select(addr)
+
     /**
      * @return ImmutableCollection of the initial values for all the arrays we touched during the execution
      */
@@ -268,6 +278,17 @@ data class Memory( // TODO: split purely symbolic memory and information about s
             acc.store(addr, UtTrue)
         }
 
+        val updTaintArray = update.taintArrayUpdate
+            .groupBy { (addr, _) ->
+                addr
+            }.map { (addr, listUpdates) ->
+                addr to listUpdates.fold(mkLong(0).toLongValue()) { acc, (_, taintVector) ->
+                    Or(acc, taintVector.toLongValue()).toLongValue()
+                }
+            }.fold(taintArray) { acc, (addr, taintVector) ->
+                acc.store(addr, taintVector.expr)
+            }
+
         // We have a list with updates for generic type info, and we want to apply
         // them in such way that only updates with more precise type information
         // should be applied.
@@ -304,6 +325,7 @@ data class Memory( // TODO: split purely symbolic memory and information about s
             touchedAddresses = updTouchedAddresses,
             instanceFieldReadOperations = instanceFieldReadOperations.addAll(update.instanceFieldReads),
             speculativelyNotNullAddresses = updSpeculativelyNotNullAddresses,
+            taintArray = updTaintArray,
             symbolicEnumValues = symbolicEnumValues.addAll(update.symbolicEnumValues)
         )
     }
@@ -406,6 +428,7 @@ data class MemoryUpdate(
     val classIdToClearStatics: ClassId? = null,
     val instanceFieldReads: PersistentSet<InstanceFieldReadOperation> = persistentHashSetOf(),
     val speculativelyNotNullAddresses: PersistentList<UtAddrExpression> = persistentListOf(),
+    val taintArrayUpdate: PersistentList<Pair<UtAddrExpression, UtExpression>> = persistentListOf(),
     val symbolicEnumValues: PersistentList<ObjectValue> = persistentListOf()
 ) {
     operator fun plus(other: MemoryUpdate) =
@@ -427,6 +450,7 @@ data class MemoryUpdate(
             classIdToClearStatics = other.classIdToClearStatics,
             instanceFieldReads = instanceFieldReads.addAll(other.instanceFieldReads),
             speculativelyNotNullAddresses = speculativelyNotNullAddresses.addAll(other.speculativelyNotNullAddresses),
+            taintArrayUpdate = taintArrayUpdate.addAll(other.taintArrayUpdate),
             symbolicEnumValues = symbolicEnumValues.addAll(other.symbolicEnumValues),
         )
 

utbot-framework/src/main/kotlin/org/utbot/engine/Resolver.kt

@@ -55,6 +55,7 @@ import org.utbot.framework.plugin.api.UtOverflowFailure
 import org.utbot.framework.plugin.api.UtPrimitiveModel
 import org.utbot.framework.plugin.api.UtSandboxFailure
 import org.utbot.framework.plugin.api.UtStaticMethodInstrumentation
+import org.utbot.framework.plugin.api.UtTaintAnalysisFailure
 import org.utbot.framework.plugin.api.UtVoidModel
 import org.utbot.framework.plugin.api.classId
 import org.utbot.framework.plugin.api.id
@@ -91,6 +92,7 @@ import kotlin.math.min
 import kotlinx.collections.immutable.persistentListOf
 import kotlinx.collections.immutable.persistentSetOf
 import org.utbot.framework.plugin.api.OverflowDetectionError
+import org.utbot.framework.plugin.api.TaintAnalysisError
 import org.utbot.engine.types.CLASS_REF_CLASSNAME
 import org.utbot.engine.types.CLASS_REF_CLASS_ID
 import org.utbot.engine.types.CLASS_REF_NUM_DIMENSIONS_DESCRIPTOR
@@ -397,6 +399,7 @@ class Resolver(
             when (exception) {
                 is OverflowDetectionError -> UtOverflowFailure(exception)
                 is AccessControlException -> UtSandboxFailure(exception)
+                is TaintAnalysisError -> UtTaintAnalysisFailure(exception)
                 else -> UtImplicitlyThrownException(exception, inNestedMethod)
             }
         }

utbot-framework/src/main/kotlin/org/utbot/engine/SymbolicValue.kt

@@ -166,6 +166,12 @@ val SymbolicValue.addr
         is PrimitiveValue -> error("PrimitiveValue $this doesn't have an address")
     }
 
+val SymbolicValue.addrOrNull
+    get() = when (this) {
+        is ReferenceValue -> addr
+        is PrimitiveValue -> null
+    }
+
 val SymbolicValue.isConcrete: Boolean
     get() = when (this) {
         is PrimitiveValue -> this.expr.isConcrete