@@ -818,14 +818,6 @@ private predicate storeCandFwd2(Content f, Configuration config) {
818818 store ( mid , f , node ) and
819819 readStoreCand1 ( f , unbind ( config ) )
820820 )
821- or
822- exists ( Node mid , Node node |
823- useFieldFlow ( config ) and
824- nodeCand1 ( node , unbind ( config ) ) and
825- nodeCandFwd2 ( mid , _, false , config ) and
826- argumentFlowsThrough ( mid , node , _, _, TSummaryTaintStore ( f ) , config ) and
827- readStoreCand1 ( f , unbind ( config ) )
828- )
829821}
830822
831823pragma [ nomagic]
@@ -846,6 +838,35 @@ private predicate nodeCandFwd2ReadTaint(Content f, Node node, boolean fromArg, C
846838 )
847839}
848840
841+ private predicate readCandFwd2 ( Content f , Configuration config ) {
842+ exists ( Node node |
843+ nodeCandFwd2Read ( f , node , _, config ) or
844+ nodeCandFwd2ReadTaint ( f , node , _, config )
845+ |
846+ nodeCandFwd2 ( node , _, _, config )
847+ )
848+ }
849+
850+ private predicate readStoreCandFwd2 ( Content f , Configuration config ) {
851+ readCandFwd2 ( f , config ) and
852+ storeCandFwd2 ( f , config )
853+ }
854+
855+ private predicate summaryFwd2 ( Summary s , Configuration config ) {
856+ s = TSummaryTaint ( )
857+ or
858+ exists ( Content f | s = TSummaryReadTaint ( f ) | readStoreCandFwd2 ( f , config ) )
859+ or
860+ exists ( Content f | s = TSummaryTaintStore ( f ) | readStoreCandFwd2 ( f , config ) )
861+ }
862+
863+ private predicate argumentFlowsThroughFwd2 ( Node n1 , Node n2 , Summary s , Configuration config ) {
864+ argumentFlowsThrough ( n1 , n2 , _, _, s , config ) and
865+ nodeCandFwd2 ( n1 , _, _, config ) and
866+ nodeCandFwd2 ( n2 , _, _, unbind ( config ) ) and
867+ summaryFwd2 ( s , unbind ( config ) )
868+ }
869+
849870/**
850871 * Holds if `node` is part of a path from a source to a sink in the given
851872 * configuration taking simple call contexts into consideration.
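Review bot: The new predicates `readCandFwd2`, `readStoreCandFwd2`, `summaryFwd2` and `argumentFlowsThroughFwd2` carry no QLDoc, while the surrounding file documents its predicates with `/** Holds if ... */` blocks (see the comment that follows this hunk). Since these are pruning stages whose only visible contract is their body, a one-line QLDoc per predicate would spare the next reader from reconstructing it, e.g. on `argumentFlowsThroughFwd2`: `/** Holds if `argumentFlowsThrough(n1, n2, _, _, s, config)` holds and both `n1` and `n2` are `nodeCandFwd2` candidates with `s` accepted by `summaryFwd2`. */`, and on `summaryFwd2`: `/** Holds if summary `s` may be relevant for `config` after the forward candidate pruning (the plain taint summary is always kept; read/store summaries need `readStoreCandFwd2` for their content). */`. The same applies to `summary2` and `argumentFlowsThrough2` in the hunk ending at line 1020 and to `flowCandFwdEmptyAp`, `consCandFwdEmptyAp` and `argumentFlowsThrough3` in the hunk ending at line 1335, where the Fwd2/2/3 suffixes alone do not say which candidate set each stage is restricted to.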
@@ -906,7 +927,7 @@ private predicate nodeCand2(Node node, boolean toReturn, boolean stored, Configu
906927 or
907928 // read taint
908929 exists ( Node mid , Content f |
909- argumentFlowsThrough ( node , mid , _ , _ , TSummaryReadTaint ( f ) , config ) and
930+ argumentFlowsThroughFwd2 ( node , mid , TSummaryReadTaint ( f ) , config ) and
910931 storeCandFwd2 ( f , unbind ( config ) ) and
911932 nodeCand2 ( mid , toReturn , false , config ) and
912933 stored = true
@@ -940,28 +961,20 @@ private predicate readCand2(Content f, Configuration config) {
940961 storeCandFwd2 ( f , unbind ( config ) ) and
941962 nodeCand2 ( mid , _, _, config )
942963 )
943- or
944- exists ( Node mid , Node node |
945- useFieldFlow ( config ) and
946- nodeCandFwd2 ( node , _, true , unbind ( config ) ) and
947- argumentFlowsThrough ( node , mid , _, _, TSummaryReadTaint ( f ) , config ) and
948- storeCandFwd2 ( f , unbind ( config ) ) and
949- nodeCand2 ( mid , _, false , config )
950- )
951964}
952965
953- pragma [ noinline ]
966+ pragma [ nomagic ]
954967private predicate nodeCand2Store ( Content f , Node node , boolean toReturn , Configuration config ) {
955968 exists ( Node mid |
956969 store ( node , f , mid ) and
957970 nodeCand2 ( mid , toReturn , true , config )
958971 )
959972}
960973
961- pragma [ noinline ]
974+ pragma [ nomagic ]
962975private predicate nodeCand2TaintStore ( Content f , Node node , boolean toReturn , Configuration config ) {
963976 exists ( Node mid |
964- argumentFlowsThrough ( node , mid , _ , _ , TSummaryTaintStore ( f ) , config ) and
977+ argumentFlowsThroughFwd2 ( node , mid , TSummaryTaintStore ( f ) , config ) and
965978 nodeCand2 ( mid , toReturn , true , config )
966979 )
967980}
@@ -988,6 +1001,23 @@ private predicate readStoreCand(Content f, Configuration conf) {
9881001
9891002private predicate nodeCand ( Node node , Configuration config ) { nodeCand2 ( node , _, _, config ) }
9901003
1004+ private predicate summary2 ( Summary s , Configuration config ) {
1005+ s = TSummaryTaint ( )
1006+ or
1007+ exists ( Content f | s = TSummaryReadTaint ( f ) | readStoreCand ( f , config ) )
1008+ or
1009+ exists ( Content f | s = TSummaryTaintStore ( f ) | readStoreCand ( f , config ) )
1010+ }
1011+
1012+ private predicate argumentFlowsThrough2 (
1013+ Node n1 , Node n2 , DataFlowType t1 , DataFlowType t2 , Summary s , Configuration config
1014+ ) {
1015+ argumentFlowsThrough ( n1 , n2 , t1 , t2 , s , config ) and
1016+ nodeCand ( n1 , config ) and
1017+ nodeCand ( n2 , unbind ( config ) ) and
1018+ summary2 ( s , unbind ( config ) )
1019+ }
1020+
9911021/**
9921022 * Holds if `node` can be the first node in a maximal subsequence of local
9931023 * flow steps in a dataflow path.
@@ -1016,7 +1046,7 @@ private predicate localFlowExit(Node node, Configuration config) {
10161046 additionalJumpStep ( node , next , config ) or
10171047 flowIntoCallable ( node , next , config ) or
10181048 flowOutOfCallable ( node , next , config ) or
1019- argumentFlowsThrough ( node , next , _, _, _, config ) or
1049+ argumentFlowsThrough2 ( node , next , _, _, _, config ) or
10201050 argumentValueFlowsThrough ( node , next , _) or
10211051 store ( node , _, next ) or
10221052 read ( node , _, next )
@@ -1204,7 +1234,7 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf,
12041234 or
12051235 exists ( Node mid , AccessPathFrontNil nil , DataFlowType t |
12061236 flowCandFwd ( mid , fromArg , nil , config ) and
1207- argumentFlowsThrough ( mid , node , _, t , TSummaryTaint ( ) , config ) and
1237+ argumentFlowsThrough2 ( mid , node , _, t , TSummaryTaint ( ) , config ) and
12081238 apf = TFrontNil ( t )
12091239 )
12101240 )
@@ -1219,9 +1249,7 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf,
12191249 or
12201250 exists ( Node mid , AccessPathFrontNil nil , Content f |
12211251 flowCandFwd ( mid , fromArg , nil , config ) and
1222- argumentFlowsThrough ( mid , node , _, _, TSummaryTaintStore ( f ) , config ) and
1223- nodeCand ( node , unbind ( config ) ) and
1224- readStoreCand ( f , unbind ( config ) ) and
1252+ argumentFlowsThrough2 ( mid , node , _, _, TSummaryTaintStore ( f ) , config ) and
12251253 apf .headUsesContent ( f )
12261254 )
12271255 or
@@ -1246,14 +1274,6 @@ private predicate consCandFwd(Content f, AccessPathFront apf, Configuration conf
12461274 readStoreCand ( f , unbind ( config ) ) and
12471275 compatibleTypes ( apf .getType ( ) , f .getType ( ) )
12481276 )
1249- or
1250- exists ( Node mid , Node n , AccessPathFrontNil nil , DataFlowType t |
1251- flowCandFwd ( mid , _, nil , config ) and
1252- argumentFlowsThrough ( mid , n , t , _, TSummaryTaintStore ( f ) , config ) and
1253- apf = TFrontNil ( t ) and
1254- nodeCand ( n , unbind ( config ) ) and
1255- readStoreCand ( f , unbind ( config ) )
1256- )
12571277}
12581278
12591279pragma [ nomagic]
@@ -1272,9 +1292,45 @@ private predicate flowCandFwdReadTaint(
12721292) {
12731293 exists ( Node mid , AccessPathFront apf |
12741294 flowCandFwd ( mid , fromArg , apf , config ) and
1275- argumentFlowsThrough ( mid , node , _, t , TSummaryReadTaint ( f ) , config ) and
1276- apf .headUsesContent ( f ) and
1277- nodeCand ( node , unbind ( config ) )
1295+ argumentFlowsThrough2 ( mid , node , _, t , TSummaryReadTaint ( f ) , config ) and
1296+ apf .headUsesContent ( f )
1297+ )
1298+ }
1299+
1300+ pragma [ noinline]
1301+ private predicate flowCandFwdEmptyAp ( Node node , Configuration config ) {
1302+ flowCandFwd ( node , _, any ( AccessPathFrontNil nil ) , config )
1303+ }
1304+
1305+ pragma [ noinline]
1306+ private predicate consCandFwdEmptyAp ( Content f , Configuration config ) {
1307+ consCandFwd ( f , any ( AccessPathFrontNil nil ) , config )
1308+ }
1309+
1310+ private predicate argumentFlowsThrough3 (
1311+ Node n1 , Node n2 , DataFlowType t1 , DataFlowType t2 , Summary s , Configuration config
1312+ ) {
1313+ argumentFlowsThrough2 ( n1 , n2 , t1 , t2 , s , config ) and
1314+ flowCandFwdEmptyAp ( n1 , config ) and
1315+ flowCandFwdEmptyAp ( n2 , unbind ( config ) ) and
1316+ s = TSummaryTaint ( )
1317+ or
1318+ exists ( Content f , AccessPathFront apf |
1319+ argumentFlowsThrough2 ( n1 , n2 , t1 , t2 , s , config ) and
1320+ flowCandFwdEmptyAp ( n1 , config ) and
1321+ flowCandFwd ( n2 , _, apf , unbind ( config ) ) and
1322+ s = TSummaryTaintStore ( f ) and
1323+ consCandFwdEmptyAp ( f , unbind ( config ) ) and
1324+ apf .headUsesContent ( f )
1325+ )
1326+ or
1327+ exists ( Content f , AccessPathFront apf |
1328+ argumentFlowsThrough2 ( n1 , n2 , t1 , t2 , s , config ) and
1329+ flowCandFwd ( n1 , _, apf , config ) and
1330+ flowCandFwdEmptyAp ( n2 , unbind ( config ) ) and
1331+ s = TSummaryReadTaint ( f ) and
1332+ consCandFwdEmptyAp ( f , unbind ( config ) ) and
1333+ apf .headUsesContent ( f )
12781334 )
12791335}
12801336
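Review bot: In `argumentFlowsThrough3` the first disjunct is written as a bare conjunction while the second and third are wrapped in `exists(Content f, AccessPathFront apf | ...)`; the precedence is correct (`and` binds tighter than `or`), but the asymmetric layout makes the three cases harder to compare at a glance. Consider parenthesizing the first disjunct, or placing a short comment before each case naming the summary it handles, e.g. `// TSummaryTaint: both endpoints have an empty access path`, `// TSummaryTaintStore(f): empty ap in, ap headed by f out`, `// TSummaryReadTaint(f): ap headed by f in, empty ap out`, which mirrors the body of each branch. The enclosing `flowCandFwdReadTaint` begins outside this hunk.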
@@ -1339,7 +1395,7 @@ private predicate flowCand0(Node node, boolean toReturn, AccessPathFront apf, Co
13391395 )
13401396 or
13411397 exists ( Node mid , AccessPathFrontNil nil |
1342- argumentFlowsThrough ( node , mid , _, _, TSummaryTaint ( ) , config ) and
1398+ argumentFlowsThrough3 ( node , mid , _, _, TSummaryTaint ( ) , config ) and
13431399 flowCand ( mid , toReturn , nil , config ) and
13441400 apf instanceof AccessPathFrontNil and
13451401 flowCandFwd ( node , _, apf , config )
@@ -1354,7 +1410,7 @@ private predicate flowCand0(Node node, boolean toReturn, AccessPathFront apf, Co
13541410 exists ( Node mid , Content f , AccessPathFront apf0 , AccessPathFrontNil nil |
13551411 flowCandFwd ( node , _, apf , config ) and
13561412 apf instanceof AccessPathFrontNil and
1357- argumentFlowsThrough ( node , mid , _, _, TSummaryTaintStore ( f ) , config ) and
1413+ argumentFlowsThrough3 ( node , mid , _, _, TSummaryTaintStore ( f ) , config ) and
13581414 flowCand ( mid , toReturn , apf0 , config ) and
13591415 apf0 .headUsesContent ( f ) and
13601416 consCand ( f , nil , unbind ( config ) )
@@ -1367,7 +1423,7 @@ private predicate flowCand0(Node node, boolean toReturn, AccessPathFront apf, Co
13671423 )
13681424 or
13691425 exists ( Node mid , AccessPathFrontNil nil1 , AccessPathFrontNil nil2 , Content f |
1370- argumentFlowsThrough ( node , mid , _, _, TSummaryReadTaint ( f ) , config ) and
1426+ argumentFlowsThrough3 ( node , mid , _, _, TSummaryReadTaint ( f ) , config ) and
13711427 flowCand ( mid , toReturn , nil1 , config ) and
13721428 consCandFwd ( f , nil2 , unbind ( config ) ) and
13731429 apf .headUsesContent ( f )
@@ -1402,15 +1458,6 @@ private predicate consCand(Content f, AccessPathFront apf, Configuration config)
14021458 apf0 .headUsesContent ( f ) and
14031459 flowCandRead ( n , f , _, apf , config )
14041460 )
1405- or
1406- consCandFwd ( f , apf , unbind ( config ) ) and
1407- exists ( Node node , Node mid , AccessPathFront apf0 |
1408- argumentFlowsThrough ( node , mid , _, _, TSummaryReadTaint ( f ) , config ) and
1409- flowCand ( mid , _, any ( AccessPathFrontNil nil1 ) , config ) and
1410- apf instanceof AccessPathFrontNil and
1411- flowCandFwd ( node , _, apf0 , config ) and
1412- apf0 .headUsesContent ( f )
1413- )
14141461}
14151462
14161463private newtype TAccessPath =
@@ -1605,7 +1652,7 @@ private predicate flowFwd0(
16051652 or
16061653 exists ( Node mid , AccessPathNil nil , DataFlowType t |
16071654 flowFwd ( mid , fromArg , _, nil , config ) and
1608- argumentFlowsThrough ( mid , node , _, t , TSummaryTaint ( ) , config ) and
1655+ argumentFlowsThrough3 ( mid , node , _, t , TSummaryTaint ( ) , config ) and
16091656 ap = TNil ( t ) and
16101657 apf = ap .( AccessPathNil ) .getFront ( )
16111658 )
@@ -1623,7 +1670,7 @@ private predicate flowFwd0(
16231670 or
16241671 exists ( Content f , Node mid , AccessPathFront apf0 , DataFlowType t |
16251672 flowFwd ( mid , fromArg , apf0 , any ( AccessPathConsNil consnil ) , config ) and
1626- argumentFlowsThrough ( mid , node , _, t , TSummaryReadTaint ( f ) , config ) and
1673+ argumentFlowsThrough3 ( mid , node , _, t , TSummaryReadTaint ( f ) , config ) and
16271674 apf0 .headUsesContent ( f ) and
16281675 flowCand ( node , _, _, unbind ( config ) ) and
16291676 ap = TNil ( t ) and
@@ -1642,7 +1689,7 @@ private predicate flowFwdStore(
16421689 or
16431690 exists ( Node mid , DataFlowType t |
16441691 flowFwd ( mid , fromArg , _, any ( AccessPathNil nil ) , config ) and
1645- argumentFlowsThrough ( mid , node , t , _, TSummaryTaintStore ( f ) , config ) and
1692+ argumentFlowsThrough3 ( mid , node , t , _, TSummaryTaintStore ( f ) , config ) and
16461693 consCand ( f , TFrontNil ( t ) , unbind ( config ) ) and
16471694 ap0 = TNil ( t ) and
16481695 apf .headUsesContent ( f ) and
@@ -1732,7 +1779,7 @@ private predicate flow0(Node node, boolean toReturn, AccessPath ap, Configuratio
17321779 )
17331780 or
17341781 exists ( Node mid , AccessPathNil ap0 |
1735- argumentFlowsThrough ( node , mid , _, _, TSummaryTaint ( ) , config ) and
1782+ argumentFlowsThrough3 ( node , mid , _, _, TSummaryTaint ( ) , config ) and
17361783 flow ( mid , toReturn , ap0 , config ) and
17371784 ap instanceof AccessPathNil and
17381785 flowFwd ( node , _, _, ap , config )
@@ -1756,7 +1803,7 @@ private predicate flow0(Node node, boolean toReturn, AccessPath ap, Configuratio
17561803 )
17571804 or
17581805 exists ( Node mid , Content f |
1759- argumentFlowsThrough ( node , mid , _, _, TSummaryReadTaint ( f ) , config ) and
1806+ argumentFlowsThrough3 ( node , mid , _, _, TSummaryReadTaint ( f ) , config ) and
17601807 flow ( mid , toReturn , any ( AccessPathNil nil1 ) , config ) and
17611808 push ( any ( AccessPathNil nil2 ) , f , ap ) and
17621809 flowFwd ( node , _, _, ap , config )
@@ -1778,7 +1825,7 @@ private predicate flowTaintStore(
17781825 Node node , Content f , boolean toReturn , AccessPath ap0 , Configuration config
17791826) {
17801827 exists ( Node mid |
1781- argumentFlowsThrough ( node , mid , _, _, TSummaryTaintStore ( f ) , config ) and
1828+ argumentFlowsThrough3 ( node , mid , _, _, TSummaryTaintStore ( f ) , config ) and
17821829 flow ( mid , toReturn , ap0 , config )
17831830 )
17841831}