Add taint for PointerExpr

mamaria-k · mamaria-k · commit add9e41d1800 · 2024-05-26T02:13:09.000+03:00
diff --git a/include/klee/Expr/Expr.h b/include/klee/Expr/Expr.h
@@ -413,6 +413,8 @@ class Expr {
   static ref<ConstantExpr> createTrue();
   static ref<ConstantExpr> createFalse();
 
+  static ref<ConstantExpr> createEmptyTaint();
+
   /// Create a little endian read of the given type at offset 0 of the
   /// given object.
   static ref<Expr> createTempRead(const Array *array, Expr::Width w,
@@ -1676,25 +1678,33 @@ class ConstantExpr : public Expr {
 class PointerExpr : public NonConstantExpr {
 public:
   static const Kind kind = Expr::Pointer;
-  static const unsigned numKids = 2;
+  static const unsigned numKids = 3;
+
   ref<Expr> base;
   ref<Expr> value;
-  static ref<Expr> alloc(const ref<Expr> &b, const ref<Expr> &v) {
-    ref<Expr> r(new PointerExpr(b, v));
+  ref<Expr> taint;
+
+  static ref<Expr>
+  alloc(const ref<Expr> &b, const ref<Expr> &v,
+        const ref<Expr> &t = createEmptyTaint()) {
+    ref<Expr> r(new PointerExpr(b, v, t));
     r->computeHash();
     r->computeHeight();
     return r;
   }
-  static ref<Expr> create(const ref<Expr> &b, const ref<Expr> &o);
-  static ref<Expr> create(const ref<Expr> &v);
+  static ref<Expr> create(const ref<Expr> &b, const ref<Expr> &v,
+                          const ref<Expr> &t = createEmptyTaint());
+  static ref<Expr> create(const ref<Expr> &expr);
   static ref<Expr> createSymbolic(const ref<Expr> &expr,
                                   const ref<ReadExpr> &pointer,
                                   const ref<Expr> &off);
 
   Width getWidth() const { return value->getWidth(); }
   Kind getKind() const { return Expr::Pointer; }
+
   ref<Expr> getBase() const { return base; }
   ref<Expr> getValue() const { return value; }
+  ref<Expr> getTaint() const { return taint; }
   ref<Expr> getOffset() const {
     assert(value->getWidth() == base->getWidth() &&
            "Invalid getOffset() call!");
@@ -1707,12 +1717,14 @@ class PointerExpr : public NonConstantExpr {
       return base;
     if (i == 1)
       return value;
+    if (i == 2)
+      return taint;
     return 0;
   }
 
   int compareContents(const Expr &b) const { return 0; }
   virtual ref<Expr> rebuild(ref<Expr> kids[]) const {
-    return create(kids[0], kids[1]);
+    return create(kids[0], kids[1], kids[2]);
   }
   static bool classof(const Expr *E) {
     return E->getKind() == Expr::Pointer ||
@@ -1722,6 +1734,10 @@ class PointerExpr : public NonConstantExpr {
 
   bool isKnownValue() const { return getBase()->isZero(); }
 
+  ref<Expr> combineTaints(const ref<PointerExpr> &RHS) {
+    return OrExpr::create(getTaint(), RHS->getTaint());
+  }
+
   ref<Expr> Add(const ref<PointerExpr> &RHS);
   ref<Expr> Sub(const ref<PointerExpr> &RHS);
   ref<Expr> Mul(const ref<PointerExpr> &RHS);
@@ -1750,40 +1766,49 @@ class PointerExpr : public NonConstantExpr {
   ref<Expr> Not();
 
 protected:
-  PointerExpr(const ref<Expr> &b, const ref<Expr> &v) : base(b), value(v) {}
+  PointerExpr(const ref<Expr> &b, const ref<Expr> &v, const ref<Expr> &t)
+      : base(b), value(v), taint(t) {}
 };
 
 class ConstantPointerExpr : public PointerExpr {
 public:
   static const Kind kind = Expr::ConstantPointer;
-  static const unsigned numKids = 2;
-  static ref<ConstantPointerExpr> alloc(const ref<ConstantExpr> &b,
-                                        const ref<ConstantExpr> &o) {
-    ref<ConstantPointerExpr> r = new ConstantPointerExpr(b, o);
+  static const unsigned numKids = 3;
+
+  static ref<ConstantPointerExpr>
+  alloc(const ref<ConstantExpr> &b, const ref<ConstantExpr> &v,
+        const ref<ConstantExpr> &t = createEmptyTaint()) {
+    ref<ConstantPointerExpr> r = new ConstantPointerExpr(b, v, t);
     r->computeHash();
     r->computeHeight();
     return r;
   }
-  static ref<Expr> create(const ref<ConstantExpr> &b,
-                          const ref<ConstantExpr> &o);
+  static ref<Expr>
+  create(const ref<ConstantExpr> &b, const ref<ConstantExpr> &v,
+         const ref<ConstantExpr> &t = createEmptyTaint());
 
   Kind getKind() const { return Expr::ConstantPointer; }
+
   ref<ConstantExpr> getConstantBase() const { return cast<ConstantExpr>(base); }
   ref<ConstantExpr> getConstantOffset() const {
     return getConstantValue()->Sub(getConstantBase());
   }
   ref<ConstantExpr> getConstantValue() const {
     return cast<ConstantExpr>(value);
   }
+  ref<ConstantExpr> getConstantTaint() const {
+    return cast<ConstantExpr>(taint);
+  }
 
   static bool classof(const Expr *E) {
     return E->getKind() == Expr::ConstantPointer;
   }
   static bool classof(const ConstantPointerExpr *) { return true; }
 
 private:
-  ConstantPointerExpr(const ref<ConstantExpr> &b, const ref<ConstantExpr> &v)
-      : PointerExpr(b, v) {}
+  ConstantPointerExpr(const ref<ConstantExpr> &b, const ref<ConstantExpr> &v,
+                      const ref<ConstantExpr> &t)
+      : PointerExpr(b, v, t) {}
 };
 
 // Implementations
diff --git a/lib/Expr/Expr.cpp b/lib/Expr/Expr.cpp
@@ -549,6 +549,10 @@ ref<ConstantExpr> Expr::createFalse() {
   return ConstantExpr::create(0, Expr::Bool);
 }
 
+ref<ConstantExpr> Expr::createEmptyTaint() {
+  return ConstantExpr::create(0, Expr::Int64);
+}
+
 Expr::ByteWidth Expr::getByteWidth() const {
   return (getWidth() + CHAR_BIT - 1) / CHAR_BIT;
 }
@@ -1694,7 +1698,25 @@ ref<Expr> SelectExpr::create(ref<Expr> c, ref<Expr> t, ref<Expr> f) {
         SelectExpr::create(c, truePointer->getBase(), falsePointer->getBase());
     ref<Expr> value = SelectExpr::create(c, truePointer->getValue(),
                                          falsePointer->getValue());
-    return PointerExpr::create(base, value);
+    ref<Expr> taint = SelectExpr::create(c, truePointer->getTaint(),
+                                         falsePointer->getTaint());
+    return PointerExpr::create(base, value, taint);
+  } else if (isa<PointerExpr>(t) && !isa<PointerExpr>(f)) {
+    ref<PointerExpr> truePointer = cast<PointerExpr>(t);
+    ref<Expr> base = SelectExpr::create(c, truePointer->getBase(),
+                                        ConstantExpr::create(0, f->getWidth()));
+    ref<Expr> value = SelectExpr::create(c, truePointer->getValue(), f);
+    ref<Expr> taint =
+        SelectExpr::create(c, truePointer->getTaint(), createEmptyTaint());
+    return PointerExpr::create(base, value, taint);
+  } else if (!isa<PointerExpr>(t) && isa<PointerExpr>(f)) {
+    ref<PointerExpr> falsePointer = cast<PointerExpr>(f);
+    ref<Expr> base = SelectExpr::create(
+        c, ConstantExpr::create(0, t->getWidth()), falsePointer->getBase());
+    ref<Expr> value = SelectExpr::create(c, t, falsePointer->getValue());
+    ref<Expr> taint =
+        SelectExpr::create(c, createEmptyTaint(), falsePointer->getTaint());
+    return PointerExpr::create(base, value, taint);
   } else if (!isa<ConstantExpr>(t) && isa<ConstantExpr>(f)) {
     return SelectExpr::alloc(Expr::createIsZero(c), f, t);
   }
@@ -1797,7 +1819,8 @@ ref<Expr> ConcatExpr::create(const ref<Expr> &l, const ref<Expr> &r) {
     if (PointerExpr *ee_right = dyn_cast<PointerExpr>(r)) {
       return PointerExpr::create(
           convolution(ee_left->getBase(), ee_right->getBase()),
-          ConcatExpr::create(ee_left->getValue(), ee_right->getValue()));
+          ConcatExpr::create(ee_left->getValue(), ee_right->getValue()),
+          ee_left->combineTaints(ee_right));
     }
   }
 
@@ -1849,7 +1872,8 @@ ref<Expr> ExtractExpr::create(ref<Expr> expr, unsigned off, Width w) {
     return CE->Extract(off, w);
   } else if (PointerExpr *pe = dyn_cast<PointerExpr>(expr)) {
     return PointerExpr::create(pe->getBase(),
-                               ExtractExpr::create(pe->getValue(), off, w));
+                               ExtractExpr::create(pe->getValue(), off, w),
+                               pe->getTaint());
   } else {
     // Extract(Concat)
     if (ConcatExpr *ce = dyn_cast<ConcatExpr>(expr)) {
@@ -1916,8 +1940,8 @@ ref<Expr> ZExtExpr::create(const ref<Expr> &e, Width w) {
   } else if (ConstantExpr *CE = dyn_cast<ConstantExpr>(e)) {
     return CE->ZExt(w);
   } else if (PointerExpr *pe = dyn_cast<PointerExpr>(e)) {
-    return PointerExpr::create(pe->getBase(),
-                               ZExtExpr::create(pe->getValue(), w));
+    return PointerExpr::create(
+        pe->getBase(), ZExtExpr::create(pe->getValue(), w), pe->getTaint());
   } else if (SelectExpr *se = dyn_cast<SelectExpr>(e)) {
     if (isa<ConstantExpr>(se->trueExpr)) {
       return SelectExpr::create(se->cond, ZExtExpr::create(se->trueExpr, w),
@@ -1937,8 +1961,8 @@ ref<Expr> SExtExpr::create(const ref<Expr> &e, Width w) {
   } else if (ConstantExpr *CE = dyn_cast<ConstantExpr>(e)) {
     return CE->SExt(w);
   } else if (PointerExpr *pe = dyn_cast<PointerExpr>(e)) {
-    return PointerExpr::create(pe->getBase(),
-                               SExtExpr::create(pe->getValue(), w));
+    return PointerExpr::create(
+        pe->getBase(), SExtExpr::create(pe->getValue(), w), pe->getTaint());
   } else if (SelectExpr *se = dyn_cast<SelectExpr>(e)) {
     if (isa<ConstantExpr>(se->trueExpr)) {
       return SelectExpr::create(se->cond, SExtExpr::create(se->trueExpr, w),
@@ -2049,7 +2073,8 @@ static ref<Expr> AddExpr_createPartial(Expr *l, const ref<ConstantExpr> &cr) {
 }
 
 static ref<Expr> AddExpr_createPointerR(const ref<PointerExpr> &pl, Expr *r) {
-  return PointerExpr::create(pl->getBase(), AddExpr::create(pl->getValue(), r));
+  return PointerExpr::create(pl->getBase(), AddExpr::create(pl->getValue(), r),
+                             pl->getTaint());
 }
 
 static ref<Expr> AddExpr_createPointer(Expr *l, const ref<PointerExpr> &pr) {
@@ -2110,11 +2135,13 @@ static ref<Expr> SubExpr_createPartial(Expr *l, const ref<ConstantExpr> &cr) {
 }
 
 static ref<Expr> SubExpr_createPointerR(const ref<PointerExpr> &pl, Expr *r) {
-  return PointerExpr::create(pl->getBase(), SubExpr::create(pl->getValue(), r));
+  return PointerExpr::create(pl->getBase(), SubExpr::create(pl->getValue(), r),
+                             pl->getTaint());
 }
 
 static ref<Expr> SubExpr_createPointer(Expr *l, const ref<PointerExpr> &pr) {
-  return PointerExpr::create(pr->getBase(), SubExpr::create(l, pr->getValue()));
+  return PointerExpr::create(pr->getBase(), SubExpr::create(l, pr->getValue()),
+                             pr->getTaint());
 }
 
 static ref<Expr> SubExpr_create(Expr *l, Expr *r) {
@@ -2174,7 +2201,8 @@ static ref<Expr> MulExpr_createPartial(Expr *l, const ref<ConstantExpr> &cr) {
 }
 
 static ref<Expr> MulExpr_createPointerR(const ref<PointerExpr> &pl, Expr *r) {
-  return PointerExpr::create(pl->getBase(), MulExpr::create(pl->getValue(), r));
+  return PointerExpr::create(pl->getBase(), MulExpr::create(pl->getValue(), r),
+                             pl->getTaint());
 }
 
 static ref<Expr> MulExpr_createPointer(Expr *l, const ref<PointerExpr> &pr) {
@@ -2205,7 +2233,8 @@ static ref<Expr> AndExpr_createPartialR(const ref<ConstantExpr> &cl, Expr *r) {
 }
 
 static ref<Expr> AndExpr_createPointerR(const ref<PointerExpr> &pl, Expr *r) {
-  return PointerExpr::create(pl->getBase(), AndExpr::create(pl->getValue(), r));
+  return PointerExpr::create(pl->getBase(), AndExpr::create(pl->getValue(), r),
+                             pl->getTaint());
 }
 
 static ref<Expr> AndExpr_createPointer(Expr *l, const ref<PointerExpr> &pr) {
@@ -2233,7 +2262,8 @@ static ref<Expr> OrExpr_createPartialR(const ref<ConstantExpr> &cl, Expr *r) {
 }
 
 static ref<Expr> OrExpr_createPointerR(const ref<PointerExpr> &pl, Expr *r) {
-  return PointerExpr::create(pl->getBase(), OrExpr::create(pl->getValue(), r));
+  return PointerExpr::create(pl->getBase(), OrExpr::create(pl->getValue(), r),
+                             pl->getTaint());
 }
 
 static ref<Expr> OrExpr_createPointer(Expr *l, const ref<PointerExpr> &pr) {
@@ -2262,7 +2292,8 @@ static ref<Expr> XorExpr_createPartial(Expr *l, const ref<ConstantExpr> &cr) {
 }
 
 static ref<Expr> XorExpr_createPointerR(const ref<PointerExpr> &pl, Expr *r) {
-  return PointerExpr::create(pl->getBase(), XorExpr::create(pl->getValue(), r));
+  return PointerExpr::create(pl->getBase(), XorExpr::create(pl->getValue(), r),
+                             pl->getTaint());
 }
 
 static ref<Expr> XorExpr_createPointer(Expr *l, const ref<PointerExpr> &pr) {
@@ -2424,9 +2455,11 @@ static ref<Expr> AShrExpr_create(const ref<Expr> &l, const ref<Expr> &r) {
     if (PointerExpr *pl = dyn_cast<PointerExpr>(l)) {                          \
       if (PointerExpr *pr = dyn_cast<PointerExpr>(r))                          \
         return pl->_op(pr);                                                    \
-      return _e_op::create(pl->getValue(), r);                                 \
+      return PointerExpr::create(                                              \
+          pl->getBase(), _e_op::create(pl->getValue(), r), pl->getTaint());    \
     } else if (PointerExpr *pr = dyn_cast<PointerExpr>(r)) {                   \
-      return _e_op::create(l, pr->getValue());                                 \
+      return PointerExpr::create(                                              \
+          pr->getBase(), _e_op::create(l, pr->getValue()), pr->getTaint());    \
     }                                                                          \
     if (ConstantExpr *cl = dyn_cast<ConstantExpr>(l))                          \
       if (ConstantExpr *cr = dyn_cast<ConstantExpr>(r))                        \
@@ -2864,14 +2897,17 @@ ref<Expr> IsSubnormalExpr::either(const ref<Expr> &e0, const ref<Expr> &e1) {
 
 /***/
 
-ref<Expr> PointerExpr::create(const ref<Expr> &b, const ref<Expr> &v) {
+ref<Expr> PointerExpr::create(const ref<Expr> &b, const ref<Expr> &v,
+                              const ref<Expr> &t) {
   assert(!isa<PointerExpr>(b));
   assert(!isa<PointerExpr>(v));
-  if (isa<ConstantExpr>(b) && isa<ConstantExpr>(v)) {
-    return ConstantPointerExpr::create(cast<ConstantExpr>(b),
-                                       cast<ConstantExpr>(v));
+  assert(!isa<PointerExpr>(t));
+
+  if (isa<ConstantExpr>(b) && isa<ConstantExpr>(v) && isa<ConstantExpr>(t)) {
+    return ConstantPointerExpr::create(
+        cast<ConstantExpr>(b), cast<ConstantExpr>(v), cast<ConstantExpr>(t));
   } else {
-    return PointerExpr::alloc(b, v);
+    return PointerExpr::alloc(b, v, t);
   }
 }
 
@@ -2913,10 +2949,12 @@ ref<Expr> PointerExpr::create(const ref<Expr> &expr) {
 }
 
 ref<Expr> ConstantPointerExpr::create(const ref<ConstantExpr> &b,
-                                      const ref<ConstantExpr> &v) {
+                                      const ref<ConstantExpr> &v,
+                                      const ref<ConstantExpr> &t) {
   assert(!isa<PointerExpr>(b));
   assert(!isa<PointerExpr>(v));
-  return ConstantPointerExpr::alloc(b, v);
+  assert(!isa<PointerExpr>(t));
+  return ConstantPointerExpr::alloc(b, v, t);
 }
 
 #define BCREATE_P(_e_op, _op)                                                  \
@@ -2926,14 +2964,22 @@ ref<Expr> ConstantPointerExpr::create(const ref<ConstantExpr> &b,
       if (!RHS->isKnownValue()) {                                              \
         return _e_op::create(getValue(), RHS->getValue());                     \
       } else {                                                                 \
-        return PointerExpr::create(                                            \
-            getBase(), _e_op::create(getValue(), RHS->getValue()));            \
+        return PointerExpr::create(getBase(),                                  \
+                                   _e_op::create(getValue(), RHS->getValue()), \
+                                   combineTaints(RHS));                        \
       }                                                                        \
     } else if (!RHS->isKnownValue()) {                                         \
       return PointerExpr::create(RHS->getBase(),                               \
-                                 _e_op::create(getValue(), RHS->getValue()));  \
+                                 _e_op::create(getValue(), RHS->getValue()),   \
+                                 combineTaints(RHS));                          \
     } else {                                                                   \
-      return _e_op::create(getValue(), RHS->getValue());                       \
+      auto value = _e_op::create(getValue(), RHS->getValue());                 \
+      if (getTaint().isNull() && RHS->getTaint().isNull()) {                   \
+        return value;                                                          \
+      } else {                                                                 \
+        return PointerExpr::create(ConstantExpr::create(0, value->getWidth()), \
+                                   value, combineTaints(RHS));                 \
+      }                                                                        \
     }                                                                          \
   }
 
@@ -2952,7 +2998,8 @@ BCREATE_P(LShrExpr, LShr)
 BCREATE_P(AShrExpr, AShr)
 
 ref<Expr> PointerExpr::Not() {
-  return PointerExpr::create(getBase(), NotExpr::create(getValue()));
+  return PointerExpr::create(getBase(), NotExpr::create(getValue()),
+                             getTaint());
 }
 
 ref<Expr> PointerExpr::Eq(const ref<PointerExpr> &RHS) {
