Add taint analysis

Author: mmvpm

gradle.properties

@@ -60,8 +60,9 @@ kryoSerializersVersion=0.45
 asmVersion=9.2
 testNgVersion=7.6.0
 mockitoInlineVersion=4.0.0
-kamlVersion = 0.51.0
-jacksonVersion = 2.12.3
+kamlVersion=0.51.0
+jacksonVersion=2.12.3
+kotlinxSerializationVersion=1.5.0
 slf4jVersion=1.7.36
 eclipseAetherVersion=1.1.0
 mavenWagonVersion=3.5.1

utbot-analytics/src/main/kotlin/org/utbot/features/UtExpressionStructureCounter.kt

@@ -153,6 +153,13 @@ class UtExpressionStructureCounter(private val input: Iterable<UtExpression>) :
         return stat
     }
 
+    override fun visit(expr: UtBvNotExpression): NestStat {
+        val stat = buildState(expr.variable.expr)
+        stat.level++
+        stat.nodes++
+        return stat
+    }
+
     override fun visit(expr: UtCastExpression): NestStat {
         val stat = buildState(expr.variable.expr)
         stat.level++

utbot-framework-api/src/main/kotlin/org/utbot/framework/UtSettings.kt

@@ -265,6 +265,21 @@ object UtSettings : AbstractSettings(logger, defaultKeyForSettingsPath, defaultS
         DEFAULT_EXECUTION_TIMEOUT_IN_INSTRUMENTED_PROCESS_MS
     )
 
+    /**
+     * Enable taint analysis or not.
+     */
+    var useTaintAnalysis by getBooleanProperty(false)
+
+    /**
+     * How deep we should analyze the exceptions.
+     */
+    val exploreExceptionsDepth: ExploreExceptionsDepth
+        get() =
+            if (useTaintAnalysis)
+                ExploreExceptionsDepth.EXPLORE_ALL_STATEMENTS
+            else
+                ExploreExceptionsDepth.SKIP_ALL_STATEMENTS
+
 // region engine process debug
 
     /**
@@ -680,3 +695,24 @@ enum class SummariesGenerationType {
      */
     NONE,
 }
+
+/**
+ * Enum to describe how deep we should analyze the exceptions.
+ */
+enum class ExploreExceptionsDepth {
+
+    /**
+     * Skip all statements between exception's `new` and `<init>` statements.
+     */
+    SKIP_ALL_STATEMENTS,
+
+    /**
+     * Skip only exception's <init> statement.
+     */
+    SKIP_INIT_STATEMENT,
+
+    /**
+     * Do not skip statements.
+     */
+    EXPLORE_ALL_STATEMENTS
+}

utbot-framework-api/src/main/kotlin/org/utbot/framework/plugin/api/Api.kt

@@ -65,6 +65,7 @@ import org.utbot.framework.plugin.api.util.isSubtypeOf
 import org.utbot.framework.plugin.api.util.utContext
 import org.utbot.framework.process.OpenModulesContainer
 import soot.SootField
+import soot.SootMethod
 
 const val SYMBOLIC_NULL_ADDR: Int = 0
 
@@ -101,6 +102,12 @@ data class Step(
     }
 }
 
+data class SymbolicStep(
+    val method: SootMethod,
+    val lineNumber: Int,
+    val callDepth: Int,
+)
+
 
 /**
  * Traverse result.
@@ -150,7 +157,8 @@ class UtSymbolicExecution(
     coverage: Coverage? = null,
     summary: List<DocStatement>? = null,
     testMethodName: String? = null,
-    displayName: String? = null
+    displayName: String? = null,
+    val symbolicSteps: List<SymbolicStep> = listOf(),
 ) : UtExecution(stateBefore, stateAfter, result, coverage, summary, testMethodName, displayName) {
     /**
      * By design the 'before' and 'after' states contain info about the same fields.
@@ -201,7 +209,8 @@ class UtSymbolicExecution(
             coverage,
             summary,
             testMethodName,
-            displayName
+            displayName,
+            symbolicSteps,
         )
     }
 }

utbot-framework-api/src/main/kotlin/org/utbot/framework/plugin/api/ArtificialErrors.kt

@@ -15,4 +15,17 @@ sealed class ArtificialError(message: String): Error(message)
  *
  * See [TraversalContext.intOverflowCheck] for more details.
  */
-class OverflowDetectionError(message: String): ArtificialError(message)
+class OverflowDetectionError(message: String): ArtificialError(message)
+
+/**
+ * An artificial error that could be implicitly thrown by the symbolic engine during taint sink processing.
+ */
+class TaintAnalysisError(
+    /** Sink method name: "${classId.simpleName}.${methodId.name}". */
+    val sinkName: String,
+    /** Some information about a tainted var, for example, its type. */
+    val taintedVar: String,
+    /** Name of the taint mark. */
+    val taintMark: String,
+    message: String = "'$taintedVar' marked '$taintMark' was passed into '$sinkName' method"
+) : ArtificialError(message)

utbot-framework-api/src/main/kotlin/org/utbot/framework/plugin/api/UtExecutionResult.kt

@@ -23,6 +23,10 @@ data class UtOverflowFailure(
     override val exception: Throwable,
 ) : UtExecutionFailure()
 
+data class UtTaintAnalysisFailure(
+    override val exception: Throwable
+) : UtExecutionFailure()
+
 data class UtSandboxFailure(
     override val exception: Throwable
 ) : UtExecutionFailure()

utbot-framework-test/src/test/kotlin/org/utbot/examples/taint/LongTaintPathTest.kt

@@ -0,0 +1,38 @@
+package org.utbot.examples.taint
+
+import org.junit.jupiter.api.Test
+import org.utbot.framework.plugin.api.CodegenLanguage
+import org.utbot.framework.plugin.api.TaintAnalysisError
+import org.utbot.taint.TaintConfigurationProviderResources
+import org.utbot.testcheckers.eq
+import org.utbot.testcheckers.ge
+import org.utbot.testing.CodeGeneration
+import org.utbot.testing.UtValueTestCaseCheckerForTaint
+import org.utbot.testing.isException
+
+internal class LongTaintPathTest : UtValueTestCaseCheckerForTaint(
+    testClass = LongTaintPath::class,
+    testCodeGeneration = true,
+    pipelines = listOf(
+        TestLastStage(CodegenLanguage.JAVA),
+        TestLastStage(CodegenLanguage.KOTLIN, CodeGeneration)
+    ),
+    taintConfigurationProvider = TaintConfigurationProviderResources("taint/LongTaintPathConfig.yaml")
+) {
+    @Test
+    fun testTaintBad() {
+        checkWithException(
+            LongTaintPath::bad,
+            ge(2), // success & taint error
+            { r -> r.isException<TaintAnalysisError>() }
+        )
+    }
+
+    @Test
+    fun testTaintGood() {
+        check(
+            LongTaintPath::good,
+            eq(1), // only success
+        )
+    }
+}

utbot-framework-test/src/test/kotlin/org/utbot/examples/taint/SimpleTaintExampleTest.kt

@@ -0,0 +1,38 @@
+package org.utbot.examples.taint
+
+import org.junit.jupiter.api.Test
+import org.utbot.framework.plugin.api.CodegenLanguage
+import org.utbot.framework.plugin.api.TaintAnalysisError
+import org.utbot.taint.TaintConfigurationProviderResources
+import org.utbot.testcheckers.eq
+import org.utbot.testcheckers.ge
+import org.utbot.testing.CodeGeneration
+import org.utbot.testing.UtValueTestCaseCheckerForTaint
+import org.utbot.testing.isException
+
+internal class SimpleTaintExampleTest : UtValueTestCaseCheckerForTaint(
+    testClass = SimpleTaintExample::class,
+    testCodeGeneration = true,
+    pipelines = listOf(
+        TestLastStage(CodegenLanguage.JAVA),
+        TestLastStage(CodegenLanguage.KOTLIN, CodeGeneration)
+    ),
+    taintConfigurationProvider = TaintConfigurationProviderResources("taint/SimpleExampleConfig.yaml")
+) {
+    @Test
+    fun testTaintBad() {
+        checkWithException(
+            SimpleTaintExample::bad,
+            ge(2), // success & taint error
+            { r -> r.isException<TaintAnalysisError>() },
+        )
+    }
+
+    @Test
+    fun testTaintGood() {
+        check(
+            SimpleTaintExample::good,
+            eq(1), // only success
+        )
+    }
+}

utbot-framework-test/src/test/kotlin/org/utbot/sarif/SarifReportTest.kt

@@ -69,9 +69,8 @@ class SarifReportTest {
         Mockito.`when`(mockUtExecution.result).thenReturn(
             UtImplicitlyThrownException(NullPointerException(), false)
         )
+        mockCoverage(mockUtExecution, 1337, "Main")
         Mockito.`when`(mockUtExecution.stateBefore.parameters).thenReturn(listOf())
-        Mockito.`when`(mockUtExecution.coverage?.coveredInstructions?.lastOrNull()?.lineNumber).thenReturn(1337)
-        Mockito.`when`(mockUtExecution.coverage?.coveredInstructions?.lastOrNull()?.className).thenReturn("Main")
         Mockito.`when`(mockUtExecution.testMethodName).thenReturn("testMain_ThrowArithmeticException")
 
         val report = sarifReportMain.createReport()
@@ -144,15 +143,15 @@ class SarifReportTest {
     fun testProcessSandboxFailure() {
         mockUtMethodNames()
 
-        val uncheckedException = Mockito.mock(java.security.AccessControlException::class.java)
+        val uncheckedException = Mockito.mock(java.security.NoSuchAlgorithmException::class.java)
         Mockito.`when`(uncheckedException.stackTrace).thenReturn(arrayOf())
         Mockito.`when`(mockUtExecution.result).thenReturn(UtSandboxFailure(uncheckedException))
 
         defaultMockCoverage(mockUtExecution)
 
         val report = sarifReportMain.createReport()
         val result = report.runs.first().results.first()
-        assert(result.message.text.contains("AccessControlException"))
+        assert(result.message.text.contains("NoSuchAlgorithmException"))
     }
 
     @Test
@@ -179,6 +178,7 @@ class SarifReportTest {
 
         val classMainPath = "com/abc/Main"
         val classUtilPath = "com/cba/Util"
+        Mockito.`when`(mockUtExecution.symbolicSteps).thenReturn(listOf())
         Mockito.`when`(mockUtExecution.coverage?.coveredInstructions).thenReturn(listOf(
             Instruction(classMainPath, "main(l)l", 3, 1),
             Instruction(classMainPath, "main(l)l", 4, 2),
@@ -313,10 +313,8 @@ class SarifReportTest {
         Mockito.`when`(mockUtExecution2.result).thenReturn(UtImplicitlyThrownException(NullPointerException(), false))
 
         // different locations
-        Mockito.`when`(mockUtExecution1.coverage?.coveredInstructions?.lastOrNull()?.lineNumber).thenReturn(11)
-        Mockito.`when`(mockUtExecution1.coverage?.coveredInstructions?.lastOrNull()?.className).thenReturn("Main")
-        Mockito.`when`(mockUtExecution2.coverage?.coveredInstructions?.lastOrNull()?.lineNumber).thenReturn(22)
-        Mockito.`when`(mockUtExecution2.coverage?.coveredInstructions?.lastOrNull()?.className).thenReturn("Main")
+        mockCoverage(mockUtExecution1, 11, "Main")
+        mockCoverage(mockUtExecution2, 22, "Main")
 
         val testSets = listOf(
             UtMethodTestSet(mockExecutableId, listOf(mockUtExecution1)),
@@ -383,9 +381,19 @@ class SarifReportTest {
         Mockito.`when`(mockExecutableId.classId.name).thenReturn("Main")
     }
 
-    private fun defaultMockCoverage(mockExecution: UtExecution) {
+    private fun mockCoverage(mockExecution: UtExecution, lineNumber: Int, className: String) {
         Mockito.`when`(mockExecution.coverage?.coveredInstructions?.lastOrNull()?.lineNumber).thenReturn(1)
         Mockito.`when`(mockExecution.coverage?.coveredInstructions?.lastOrNull()?.className).thenReturn("Main")
+        (mockExecution as? UtSymbolicExecution)?.let { mockSymbolicSteps(it, lineNumber, className) }
+    }
+
+    private fun mockSymbolicSteps(mockExecution: UtSymbolicExecution, lineNumber: Int, className: String) {
+        Mockito.`when`(mockExecution.symbolicSteps.lastOrNull()?.lineNumber).thenReturn(lineNumber)
+        Mockito.`when`(mockExecution.symbolicSteps.lastOrNull()?.method?.declaringClass?.name).thenReturn(className)
+    }
+
+    private fun defaultMockCoverage(mockExecution: UtExecution) {
+        mockCoverage(mockExecution, 1, "Main")
     }
 
     // constants