Add taint analysis

Author: CaelmBleidd

build.gradle.kts

@@ -109,6 +109,10 @@ subprojects {
     group = rootProject.group
     version = rootProject.version
 
+    java {
+        withSourcesJar()
+    }
+
     publishing {
         publications {
             create<MavenPublication>("jar") {
@@ -137,6 +141,10 @@ configure(
         project(":utbot-summary")
     )
 ) {
+    java {
+        withSourcesJar()
+    }
+
     publishing {
         repositories {
             maven {

utbot-analytics/src/main/kotlin/org/utbot/features/UtExpressionStructureCounter.kt

@@ -153,6 +153,13 @@ class UtExpressionStructureCounter(private val input: Iterable<UtExpression>) :
         return stat
     }
 
+    override fun visit(expr: UtBvNotExpression): NestStat {
+        val stat = buildState(expr.variable.expr)
+        stat.level++
+        stat.nodes++
+        return stat
+    }
+
     override fun visit(expr: UtCastExpression): NestStat {
         val stat = buildState(expr.variable.expr)
         stat.level++

utbot-core/src/main/kotlin/org/utbot/common/HackUtil.kt

@@ -76,4 +76,8 @@ enum class WorkaroundReason {
      * construct `toArray` invocation (because streams cannot be consumed twice).
      */
     CONSUME_DIRTY_STREAMS,
+    /**
+     * Poor quality code in the prototype of taint analysis tool. Should be rewritten before merging to the main product.
+     */
+    TAINT,
 }

utbot-framework-api/src/main/kotlin/org/utbot/framework/UtSettings.kt

@@ -4,6 +4,8 @@ import com.jetbrains.rd.util.LogLevel
 import mu.KotlinLogging
 import org.utbot.common.AbstractSettings
 import java.lang.reflect.Executable
+import kotlin.reflect.KMutableProperty0
+
 private val logger = KotlinLogging.logger {}
 
 /**
@@ -99,6 +101,8 @@ object UtSettings : AbstractSettings(
      */
     val copyVisualizationPathToClipboard get() = useDebugVisualization
 
+    var useOnlyTaintAnalysis by getBooleanProperty(false)
+
     /**
      * Set the value to true to show library classes' graphs in visualization.
      *
@@ -477,6 +481,70 @@ object UtSettings : AbstractSettings(
      * It is used to do not encode big type storages due to significand performance degradation.
      */
     var maxNumberOfTypesToEncode by getIntProperty(512)
+
+    /**
+     * If this value is positive, the symbolic engine will treat results of all method invocations, which depth in call
+     * stack is more than or equals than this value, as unbounded symbolic variables.
+     *
+     * 0 by default (do not "mock" deep methods).
+     */
+    var callDepthToMock by getIntProperty(0)
+
+    /**
+     * Value for [callDepthToMock] in case [useTaintAnalysisMode] is true.
+     */
+    var taintAnalysisCallDepthToMock by getIntProperty(8)
+
+    /**
+     * If this value is positive, a path selector for the symbolic engine will strictly drop loop states
+     * if current step is more than this limit.
+     *
+     * 0 by default (do not strictly drop such states).
+     */
+    var loopStepsLimit by getIntProperty(0)
+
+    /**
+     * Value for [loopStepsLimit] in case [useTaintAnalysisMode] is true.
+     */
+    var taintLoopStepsLimit by getIntProperty(3)
+
+    /**
+     * Being set to true, this option sets some settings to specific for taint analysis values.
+     *
+     * False by default.
+     */
+    var useTaintAnalysisMode by getBooleanProperty(false)
+
+    init {
+        turnOnAnalysisModes()
+    }
+
+    private fun turnOnAnalysisModes() {
+        AnalysisMode.values().forEach {
+            it.applyMode()
+        }
+    }
+}
+
+enum class AnalysisMode(private val triggerOption: KMutableProperty0<Boolean>) {
+    TAINT(UtSettings::useTaintAnalysisMode) {
+        override fun settingsAction(): UtSettings.() -> Unit =
+            {
+                useConcreteExecution = false
+                useSandbox = false
+                callDepthToMock = taintAnalysisCallDepthToMock
+                loopStepsLimit = taintLoopStepsLimit
+                pathSelectorType = PathSelectorType.INHERITORS_SELECTOR
+            }
+    };
+
+    abstract fun settingsAction(): UtSettings.() -> Unit
+
+    fun applyMode() {
+        if (triggerOption.get()) {
+            settingsAction().invoke(UtSettings)
+        }
+    }
 }
 
 /**
@@ -526,7 +594,12 @@ enum class PathSelectorType {
     /**
      * [RandomPathSelector]
      */
-    RANDOM_PATH_SELECTOR
+    RANDOM_PATH_SELECTOR,
+
+    /**
+     * [RandomSelectorWithLoopIterationsThreshold]
+     */
+    RANDOM_SELECTOR_WITH_LOOP_ITERATIONS_THRESHOLD
 }
 
 enum class TestSelectionStrategyType {

utbot-framework-api/src/main/kotlin/org/utbot/framework/plugin/api/Api.kt

@@ -209,7 +209,9 @@ class UtFailedExecution(
     summary: List<DocStatement>? = null,
     testMethodName: String? = null,
     displayName: String? = null
-) : UtExecution(stateBefore, MissingState, result, coverage, summary, testMethodName, displayName)
+) : UtExecution(stateBefore, MissingState, result, coverage, summary, testMethodName, displayName) {
+    override fun toString(): String = "StateBefore: $stateBefore, result: $result"
+}
 
 open class EnvironmentModels(
     val thisInstance: UtModel?,

utbot-framework-api/src/main/kotlin/org/utbot/framework/plugin/api/util/IdUtil.kt

@@ -274,6 +274,11 @@ val floatArrayClassId = ClassId("[F", floatClassId)
 val doubleArrayClassId = ClassId("[D", doubleClassId)
 
 val stringClassId = java.lang.String::class.id
+val stringBuilderClassId = java.lang.StringBuilder::class.id
+val stringBufferClassId = java.lang.StringBuffer::class.id
+val charSequenceClassId: ClassId = java.lang.CharSequence::class.id
+
+val localeClassId: ClassId = java.util.Locale::class.id
 
 val objectClassId = java.lang.Object::class.id
 
@@ -300,6 +305,15 @@ val streamToArrayMethodId = methodId(streamClassId, "toArray", objectArrayClassI
 
 val dateClassId = java.util.Date::class.id
 
+val systemCLassId: ClassId = java.lang.System::class.id
+val propertiesClassId: ClassId = java.util.Properties::class.id
+@Suppress("unused")
+val inputStreamClassId: ClassId = java.io.InputStream::class.id
+@Suppress("unused")
+val readerClassId: ClassId = java.io.Reader::class.id
+@Suppress("unused")
+val arraysCLassId: ClassId = java.util.Arrays::class.id
+
 @Suppress("RemoveRedundantQualifierName")
 val primitiveToId: Map<Class<*>, ClassId> = mapOf(
     java.lang.Void.TYPE to voidClassId,

utbot-framework-test/build.gradle

@@ -82,7 +82,8 @@ test {
     useJUnitPlatform() {
         excludeTags 'slow', 'IntegrationTest'
     }
+    jvmArgs '--add-opens', 'java.base/java.lang.reflect=ALL-UNNAMED'
     if (System.getProperty('DEBUG', 'false') == 'true') {
-        jvmArgs '-Xdebug', '-Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=9009'
+        jvmArgs += listOf('-Xdebug', '-Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=9009')
     }
 }

utbot-framework/src/main/java/org/utbot/engine/overrides/AutoCloseable.java

@@ -0,0 +1,10 @@
+package org.utbot.engine.overrides;
+
+import org.utbot.api.annotation.*;
+
+@UtClassMock(target = java.lang.AutoCloseable.class, internalUsage = true)
+public interface AutoCloseable {
+    default void close() throws Exception {
+        // Do nothing
+    }
+}

utbot-framework/src/main/java/org/utbot/engine/overrides/System.java

@@ -1,6 +1,9 @@
 package org.utbot.engine.overrides;
 
 import org.utbot.api.annotation.UtClassMock;
+import org.utbot.api.mock.*;
+
+import java.util.*;
 
 @UtClassMock(target = java.lang.System.class, internalUsage = true)
 public class System {
@@ -225,4 +228,17 @@ public static void arraycopy(Object src, int srcPos, Object dest, int destPos, i
             UtArrayMock.arraycopy(srcArray, srcPos, destArray, destPos, length);
         }
     }
+
+    // TODO probably, we should use nullable version since chinese colleagues expect null values sometimes
+    @SuppressWarnings("unused")
+    public String getenv(String name) {
+        // Prevent null for taint analysis
+        return UtMock.makeSymbolic();
+    }
+
+    @SuppressWarnings("unused")
+    public Map<String, String> getenv() {
+        // Prevent null for taint analysis
+        return UtMock.makeSymbolic();
+    }
 }

utbot-framework/src/main/java/org/utbot/engine/overrides/Throwable.java

@@ -0,0 +1,31 @@
+package org.utbot.engine.overrides;
+
+import org.utbot.api.annotation.*;
+import org.utbot.api.mock.*;
+
+@UtClassMock(target = java.lang.Throwable.class, internalUsage = true)
+public class Throwable {
+    public void printStackTrace() {
+        // Do nothing
+    }
+
+    public synchronized java.lang.Throwable fillInStackTrace() {
+        return UtMock.makeSymbolic();
+    }
+
+    public StackTraceElement[] getStackTrace() {
+        return UtMock.makeSymbolic();
+    }
+
+    public void setStackTrace(StackTraceElement[] stackTrace) {
+        // Do nothing
+    }
+
+    public final synchronized void addSuppressed(java.lang.Throwable exception) {
+        // Do nothing
+    }
+
+    public final synchronized java.lang.Throwable[] getSuppressed() {
+        return UtMock.makeSymbolic();
+    }
+}

utbot-framework/src/main/java/org/utbot/engine/overrides/strings/UtStringBuilder.java

@@ -5,7 +5,7 @@
 import java.util.Arrays;
 
 import static org.utbot.api.mock.UtMock.assume;
-import static org.utbot.engine.ResolverKt.MAX_STRING_SIZE;
+import static org.utbot.engine.ResolverKt.HARD_MAX_ARRAY_SIZE;
 import static org.utbot.engine.overrides.UtOverrideMock.alreadyVisited;
 import static org.utbot.engine.overrides.UtOverrideMock.parameter;
 import static org.utbot.engine.overrides.UtOverrideMock.visit;
@@ -18,13 +18,13 @@ public class UtStringBuilder implements Appendable, Serializable, CharSequence {
 
     public UtStringBuilder(int capacity) {
         visit(this);
-        value = new char[MAX_STRING_SIZE];
+        value = new char[HARD_MAX_ARRAY_SIZE];
         count = 0;
     }
 
     public UtStringBuilder() {
         visit(this);
-        value = new char[MAX_STRING_SIZE];
+        value = new char[HARD_MAX_ARRAY_SIZE];
         count = 0;
     }
 
@@ -34,7 +34,7 @@ void preconditionCheck() {
         }
         assume(value != null);
         parameter(value);
-        assume(value.length <= MAX_STRING_SIZE);
+        assume(value.length <= HARD_MAX_ARRAY_SIZE);
         assume(count <= value.length && count >= 0);
 
         visit(this);
@@ -557,14 +557,14 @@ final char[] getValue() {
 
     public UtStringBuilder(String str) {
         visit(this);
-        value = new char[MAX_STRING_SIZE];
+        value = new char[HARD_MAX_ARRAY_SIZE];
         count = 0;
         append(str);
     }
 
     public UtStringBuilder(CharSequence seq) {
         visit(this);
-        value = new char[MAX_STRING_SIZE];
+        value = new char[HARD_MAX_ARRAY_SIZE];
         count = 0;
         append(seq);
     }

utbot-framework/src/main/kotlin/org/utbot/engine/CollectionWrappers.kt

@@ -1,6 +1,8 @@
 package org.utbot.engine
 
+import org.utbot.common.WorkaroundReason
 import org.utbot.common.unreachableBranch
+import org.utbot.common.workaround
 import org.utbot.engine.overrides.collections.AssociativeArray
 import org.utbot.engine.overrides.collections.UtArrayList
 import org.utbot.engine.overrides.collections.UtGenericAssociative
@@ -14,6 +16,7 @@ import org.utbot.engine.pc.UtExpression
 import org.utbot.engine.pc.select
 import org.utbot.engine.symbolic.asHardConstraint
 import org.utbot.engine.z3.intValue
+import org.utbot.framework.UtSettings
 import org.utbot.framework.plugin.api.ClassId
 import org.utbot.framework.plugin.api.FieldId
 import org.utbot.framework.plugin.api.MethodId
@@ -92,9 +95,21 @@ abstract class BaseOverriddenWrapper(protected val overriddenClassName: String)
             ?.let { typeRegistry.findSubstitutionOrNull(it) ?: it }
 
         return if (overriddenMethod == null) {
-            // No overridden method has been found, switch to concrete execution
-            pathLogger.warn("Method ${overriddenClass.name}::${method.subSignature} not found, executing concretely")
-            emptyList()
+
+            // Usually, we'd process such situations concretely, but for taint analysis
+            // we can just `mock` them with an unbounded symbolic variable
+            val messagePrefix = "Method ${overriddenClass.name}::${method.subSignature} not found,"
+
+            if (UtSettings.useTaintAnalysisMode) {
+                pathLogger.warn("$messagePrefix mocking with an unbounded variable")
+                workaround(WorkaroundReason.TAINT) {
+                    treatMethodResultAsUnboundedVariable(name = "nativeConst", method)
+                }
+            } else {
+                // No overridden method has been found, switch to concrete execution
+                pathLogger.warn("$messagePrefix executing concretely")
+                emptyList()
+            }
         } else {
             val jimpleBody = overriddenMethod.jimpleBody()
             val graphResult = GraphResult(jimpleBody.graph())

utbot-framework/src/main/kotlin/org/utbot/engine/JimpleCreation.kt

@@ -76,6 +76,12 @@ fun createSootMethod(
     isStatic: Boolean = true
 ) = SootMethod(name, argsTypes, returnType, if (isStatic) Modifier.STATIC else 0)
     .also {
+        // Note that the order is critical important due to
+        // difference between different versions of Soot.
+        // In the latest versions there is no need to set up
+        // declaring class and graphBody.method by hand.
+        it.declaringClass = declaringClass
         declaringClass.addMethod(it)
+        graphBody.method = it
         it.activeBody = graphBody
     }