apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-24 20:28:06 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/src/taint/ssa_transfer/summary_extract.rs

993 lines
41 KiB
Rust
Raw Normal View History

Release/0.5.0 (#35) * feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures * feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests * feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements * feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles * feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing * feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling * feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures * feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration * feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests * feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic * feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection * feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements * feat: Enable auth-state analysis by default and update relevant tests in benchmark config * test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test * docs: update CHANGELOG.md * feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers * feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers * feat: Implement per-index array slot tracking in symbolic heap with overflow collapse * feat: Add implicit definition handling for uninitialized declarations in SSA value allocation * feat: Refactor function parameters and constants for improved clarity and maintainability * refactor: Reorder module imports and improve formatting for consistency * refactor: Fix formatting erorrs * refactor: Fix clippy warnings * refactor: Fix fmt warnings (again) * chore: Update dependencies and improve feature configuration * Add comprehensive tests for undertested modules (#36) (COPILOT) * Add comprehensive tests for undertested modules Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083 * Add comprehensive tests for ext, project, walk, and errors modules Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * chore: Update dependencies and improve feature configuration * fix: formatting errors in new tests * chore: Update license list in about.toml * chore: made functions input inline * chore: updated cfg graph to take up the full page * chore: add Prettier configuration and update code formatting * Add frontend test suite with Vitest (111 tests) (#37) * Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7 * ci: add frontend test step to CI workflow Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * chore: simplify array initialization in test files for consistency * ran typecheck * feat: add AnalysisWorkspace component and integrate it into CfgViewerPage * feat: update routing in AppLayout and improve empty state message in ExplorerPage * feat: enhance scan progress tracking with additional metrics and stages * feat: update license information and add license check script * feat: implement cross-file symbolic execution with callee body persistence * feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering * feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions * feat: enhance resource tracking with proxy method summaries and improve finding extraction * feat: add terminal function exit detection for accurate resource leak analysis * feat: add warnings for loops and functions without bodies to improve error recovery * feat: update lambda expression handling to ensure proper function classification and control flow * feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling * feat: add inline return taint analysis and regression tests for improved security checks * feat: add engine version management and migration handling for database schema updates * feat: enhance first_call_ident to skip nested function bodies and add regression tests * feat: enhance callee name resolution with two-segment normalization and disambiguation * feat: add cross-file context flags and debug assertions for taint analysis * feat: refactor taint analysis structure to unify context handling and improve clarity * feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests * docs: updated CHANGELOG.md * fmt: formatting fixes * fix: fixed frontend formatting and lint warnings * fix: optimized ci * fix: optimized ci * Add comprehensive multi-file test coverage to Nyx (#38) * Initial checklist for multi-file test suite expansion Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23 Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * Add 12 new multi-file test fixtures with TP/TN/near-miss coverage Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23 Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * deleted root repo * rebuilt to test for regressions --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Co-authored-by: elipeter <elicpeter@gmail.com> * feat: enhance import alias resolution and taint tracking * feat: implement security hardening with CSRF protection and path validation * feat: add support for import alias bindings in Python, PHP, and Rust * feat: enhance CFG analysis modes and improve code readability * feat: add detection for parameterized SQL queries to enhance security * feat: add safe internal redirect handling and enhance session destroy validation * feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads * feat: enhance taint detection by adding support for inline source member expressions in call arguments * feat: implement pre-emission of Source nodes for inline source member expressions in call arguments * feat: add support for Throw statement in control flow and error handling * feat: add debug and echo endpoints with potential information leakage * feat: implement internal redirect suppression and enhance taint detection * feat: implement module alias tracking for dynamic dispatch in JS/TS * feat: add authorization analysis module with Express support * feat: add authorization analysis module with Express support * feat: add tests for admin guard requirements and clean checks in authorization analysis * feat: integrate Koa and Fastify frameworks into authorization analysis * feat: add Flask and Django support to authorization analysis module * feat: add support for Rails and Sinatra frameworks in authorization analysis * feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis * feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis * feat: add support for Rails and Sinatra in authorization analysis * chore: add .DS_Store to .gitignore * refactor: simplify conditional checks and improve readability in multiple files * refactor: update usage of Option methods for improved clarity and consistency * refactor: improve code readability by simplifying conditional checks and formatting * refactor: improve code formatting and readability by simplifying conditional checks * refactor: simplify conditional checks and improve readability in multiple files * refactor: simplify conditional checks in axum.rs for improved readability * feat: add CodeQL analysis configuration for enhanced security scanning * test: add comprehensive tests for `src/output.rs` SARIF builder (#39) * chore: start test coverage improvement work Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423 Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * test: add comprehensive tests for src/output.rs SARIF builder Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423 Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * refactor: improve code formatting and readability in output.rs --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Co-authored-by: elipeter <elicpeter@gmail.com> * refactor: improve code formatting and readability in output.rs * Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * refactor: enhance triage file path handling with improved error management and validation * refactor: updated func summaries for richer detail * refactor: update SSA summary extraction to use canonical FuncKey for distinct entries * refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution * refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls * refactor: implement new Flask routes for safe and unsafe shell command execution * refactor: separate receiver handling in SSA operations and enhance taint propagation * refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments * refactor: implement auth decorator extraction and classification for multiple languages * refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation * refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic * refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior * refactor: standardize default struct initialization across multiple files * feat: add scripts for formatting checks and auto-fixes with test summaries * refactor: simplify character splitting and enhance namespace qualifier handling * refactor: improve documentation clarity and enhance code readability in resolver logic * refactor: replace default struct initialization with explicit field assignments for clarity * feat: enhance anonymous function naming by deriving context-based bindings * refactor: streamline match expressions for improved readability and performance * refactor: streamline match expressions for improved readability and performance * refactor: replace loop with while let for improved clarity and performance * feat: add SSA constant propagation support to analysis context for improved accuracy * feat: add SSA constant propagation support to analysis context for improved accuracy * feat: implement shell metacharacter validation and bounded-length checks in Rust analysis * feat: add static map analysis for command injection suppression and type safety * refactor: simplify match statements and reduce line breaks for improved readability * feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the primary sink source-location through function summaries. Swap SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a backward-compatible cap_sites() helper and serde defaults so pre-phase-1 on-disk rows continue to deserialise cleanly. Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the locator in for the persisted pass-1 path, while pass-2 intra-file transient summaries fall back to cap-only sites (behavior unchanged). Merge: GlobalSummaries::insert now unions sink sites with (file_rel, line, col, cap) dedup via shared union_param_sink_sites helper. Database: JSON-serialised summary columns carry the new shape automatically; no schema change needed. Phase 2 will consume SinkSite in build_taint_diag() to overwrite the caller-site Finding.line with the callee's sink line when resolved via summary. Phase 1 keeps behavior unchanged: scanning tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the same (wrong) line 10 finding. Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink sites, legacy-JSON default handling for both summary types, and merge dedup. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding Plumb Phase 1's SinkSite through the event pipeline into Findings, no output change yet. SsaTaintEvent gains `primary_sink_site: Option<SinkSite>`; when the main or callback sink-emission path has non-empty `param_to_sink_sites`, filter to sites whose `(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per distinct site — the multi-primary collapse keeps each downstream Finding single-primary. Resolution: ResolvedSummary and SinkInfo gain mirror `param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink` (SSA + callback paths) and `FuncSummary.param_to_sink` (global paths). Label, local-summary, and interop resolution paths leave the field empty — they only ever had cap-level info to begin with. Finding: new `primary_location: Option<SinkLocation>` with `file_rel/line/col`. `ssa_events_to_findings` maps `event.primary_sink_site` → `Finding.primary_location`, filtering cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never leaks to formatters. Dedup key extended with the primary location so multi-site events aren't collapsed back together. Invariants (debug_assert!): * every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps != ∅` — enforced by the pick_primary_sink_sites* filters; * every populated Finding.primary_location has `line != 0` AND non-empty `file_rel` — the cap-only → None translation upstream guarantees this. Deliberately independent of `uses_summary`: that flag tracks whether the *taint chain* used a summary, whereas primary attribution requires only that the *sink* itself was summary-resolved. A local source reaching a cross-file sink produces `uses_summary=false` alongside a populated primary_location — documented on Finding.primary_location, covered by `cross_file_sink_finding_carries_primary_location`. build_taint_diag, SARIF/JSON/explanation formatters, and the benchmark scorer remain untouched: finding.line still comes from `cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10 and the benchmark's rs-cmdi-003 row still shows FN in the LOC column. Tests: `cross_file_sink_finding_carries_primary_location` (proves plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and `cross_file_sink_cap_only_site_leaves_primary_location_none` (regression guard against cap-only sites surfacing). All 1566 lib tests + integration tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(output): phase 3/5 consume primary sink location in diag + SARIF When a finding's primary_location (populated in phase 2 from a callee summary's SinkSite) names the dangerous instruction inside a callee body, attribute the diagnostic line to that location instead of the caller's call site. The call site is demoted to a Call step in flow_steps, and a synthetic Sink step at the primary location is appended so analysts still see the full trace. Changes: - Add scan_root parameter to build_taint_diag so file_rel can be resolved back to an absolute path via a shared resolve_file_rel helper. Empty file_rel (single-file scans where namespace == "") resolves to the file under analysis. - Extend SinkLocation with snippet, carried from the upstream SinkSite so the formatter needs no second file read. - Relax the ssa_events_to_findings debug_assert to allow empty file_rel, which is valid when scan root equals the file itself. - SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[]; locations[0] already reflects the primary sink position via the updated diag line/col. Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs now reports line 5 (Command::new) as the primary sink, with the call site at line 10 visible in flow_steps. Two expect.json fixtures updated (must_match line_range widened): - javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is the real sink inside run()). - rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new inside the closure). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(bench): phase 4/5 validate primary sink attribution across corpus Extend the benchmark scorer and ground truth to lock in phase 3's primary-location behavior, and add fixtures that exercise the new capability end-to-end. Scorer (tests/benchmark_test.rs): - Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on Case. When present, score_location_level additionally requires at least one flow_step in the finding's evidence trace to fall within ±2 of the call-site range. When absent, the check is skipped — fully forward-compatible with existing fixtures. - Retain ±2 tolerance on expected_sink_lines (compared against the now-primary Diag.line post-phase-3). Ground truth edits: - rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the transform::wrap call site (a cross-file propagator, not a sink); line 9 is Command::new, the real sink. The ±2 tolerance happened to mask this stale attribution but it was semantically wrong — phase 4 is the right time to correct it. Also adds expected_call_site_lines [8,8] so the new field is exercised on an existing cross-file case. - rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call). This fixture's sink (Command::new inside run_cmd at line 5) was the motivating case for phases 1-3; adding the call-site assertion guards against regression to caller-line attribution. New fixtures: - rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both takes two tainted params and invokes two Command sinks on consecutive lines. Locks in that primary line lands inside the helper (lines 5-6), not at the caller (line 12). Notes document that SinkSite is currently one-per-callee so both findings today collapse onto the first sink; expected_sink_lines=[5,6] and expected_call_site_lines=[12,12] stay valid either way. - python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross- 004): sink os.system lives in helper.py (cross-file), caller in app.py reads env source and calls run_cmd. Verifies phase 3's cross-file primary attribution: Diag.path = helper.py, Diag.line = 5, with app.py:7 recorded in flow_steps as a Call step. Acceptance: - `cargo test --test benchmark_test -- --ignored --nocapture` passes. - rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are TP/TP/TP. - Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994 F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on 264 pre-phase-4, delta is the +2 new cases both resolving TP). - Full `cargo test` green (1566 lib tests + all integration tests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(taint): phase 5/5 lock Finding.primary_location contract via regression test Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three emission stages (pick_primary_sink_sites → emit_ssa_taint_events → ssa_events_to_findings) against a minimal caller SSA body. Asserts the resulting Finding.primary_location is exactly that triple. The existing integration tests in src/taint/tests.rs cover the coarse FuncSummary path end-to-end through analyse_file. This test locks in the lower-level SSA-side plumbing so a future refactor that silently drops the site between pick → emit → findings fails here rather than only at the benchmark layer. Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003 remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4). Closes the primary sink-location attribution feature (phases 1-5/5): * Phase 1 — SinkSite data model on summaries. * Phase 2 — SinkSite threaded into SsaTaintEvent and Finding. * Phase 3 — diag + SARIF consume primary_location. * Phase 4 — benchmark validates primary_call_site_lines across corpus. * Phase 5 — regression test locks the event→finding contract. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor: clean up formatting and improve readability in multiple files * refactor: simplify type definition for deduplication key in findings * test(harness): add must_not_match expectation for FP regression guards Extends ExpectedFinding with must_not_match field that asserts a diagnostic must NOT fire — presence is a hard failure. Non-consuming scan so it coexists with must_match entries on the same rule_id. Adds forbidden_violations accumulator and updates summary line. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules * feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking * feat: update switch statement handling to improve control flow analysis * feat: implement promisify alias handling for JS/TS to enhance taint tracking * feat: enhance taint tracking by refining expectation handling and adding mode filtering * feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters * feat: update taint tracking rules to enforce full mode matching and improve flow analysis * feat: enhance Ruby subshell handling to improve taint tracking and flow analysis * feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding * feat: refine framework detection and update expectation handling for Echo and Sinatra * feat: implement max_count for taint tracking expectations and deduplicate findings * feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files * feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity * feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files * feat: add structural invariant checks for SSA bodies * feat: ensure deterministic phi emission order using BTreeSet * feat: enhance handling of terminators to ensure authoritative flow through successor edges * feat: enhance Goto terminator handling to ensure all successors are marked executable * feat: refactor code for improved readability and organization * feat: simplify predicate checks and enhance readability in SSA handling * feat: implement per-file parse timeout and enhance file size handling * feat: migrate analysis engine toggles from environment variables to configuration file * feat: remove unnecessary whitespace in hostile_input_tests.rs * feat: remove unnecessary whitespace in hostile_input_tests.rs * feat: update dependencies and enhance documentation on language maturity * feat: enhance security headers and improve request body limits * feat: implement sink capability bits for deduplication and enhance evidence tagging * feat: implement dynamic activation handling for gated sinks and enhance validation logic * feat: enhance configuration documentation and clarify inline analysis cache behavior * feat: implement panic recovery during analysis to continue scans past errors * feat: add expectations configuration for taint analysis and performance metrics * feat: enhance error handling and logging during file reading and mutex locking * feat: add cross-file body loading tests and plumbing for CF-1 phase * feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures * feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality * feat: enhance classification span handling in CFG and AST for improved source attribution * feat: add new Express routes for handling user input and telemetry data * feat: implement ternary expression handling in CFG with diamond structure for JS/TS * feat: implement Phase CF-3 abstract-domain transfer channels in summaries * feat: add support for string-prefix transfer in cross-file calls and update tests * docs: reduce RESULTS.md doc size * feat: implement Phase CF-4 per-return-path summary decomposition with tests * feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization * feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests * feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests * refactor: update comments and documentation for clarity and consistency * style: format code for consistency and readability * refactor: simplify verdict handling and improve edge checking logic * refactor: optimize path and identifier collection by avoiding unnecessary cloning * chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults * refactor: update documentation and improve clarity in configuration files * refactor: update documentation and improve clarity in configuration files * feat: add JS/TS pass-2 convergence tests and expectations configuration * feat: add Phase 5 regression tests for inline cache origin attribution and update related logic * feat: implement Phase 7 deduplication and alternative path linking for taint findings * feat: implement structural DFS index for anonymous functions and update naming conventions * feat: add Phase 8 regression tests for container-element taint in JS and Python * feat: add engine-depth profiles and explain-engine option for CLI * feat: update expectations and add new README fixtures for multi-file scan regression * feat: implement Phase 11 callback-alias and factory patterns with regression tests * feat: implement Terminator::Switch for multi-way dispatch and add regression tests * feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants * refactor: extract cfg and ssa_transfer to submodules * refactor: cargo fmt * refactor: remove unnecessary blank line in cfg_tests.rs * refactor: remove unnecessary planning file * chore: update Rust version to 1.88 and bump dependencies in Cargo files * feat: enhance triage UI with new layout and controls, update README for clarity * feat: enhance triage UI with new layout and controls, update README for clarity * chore: remove outdated section from README for version 0.5.0 * docs: improve clarity and consistency in README content * chore: add "GPL-3.0-or-later" to license options in about.toml * chore: update license handling in about.toml and check-licenses.mjs * style: format code for improved readability in TriagePage component * style: format code for improved readability in TriagePage component * chore: enhance license handling and improve body_id scoping in seed lookup * feat: introduce owner and parent body IDs for enhanced seed scoping * feat: implement direction-aware engine provenance with new CLI flag for strict CI gating * feat: add Undef SSA operation for improved control-flow handling * style: improve code formatting for consistency and readability in multiple files * feat: add 16-function chain SCC across multiple files for enhanced analysis * style: simplify code formatting for improved readability in multiple files * fix: update CapHitReason default implementation and improve README clarity * docs: enhance README with detailed explanations of taint analysis and limitations * docs: refine README for clarity and consistency in taint analysis section * style: improve code formatting for better readability in NewScanModal and scans * fix: update cargo-about command to use --offline for deterministic license generation * fix: update cargo-about command to use --offline for deterministic license generation * ci: add step to prime cargo registry cache for deterministic license generation * feat: add support for non-sink collections in authorization analysis * feat: enhance authorization checks with row-level ownership equality and binding tracking * feat: implement self-scoped user handling and enhance ownership checks * refactor: simplify assertions and formatting in authorization analysis tests * fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure * docs: update AI disclosure section for clarity and conciseness * feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure * feat: enhance authorization analysis with SSA-derived variable type classification * feat: implement auth_finding_to_diag function for enhanced security diagnostics * feat: add args_value_refs to CallSite struct for enhanced argument tracking * feat: add args_value_refs to CallSite struct for enhanced argument tracking * feat: add direction-aware engine provenance with LossDirection classification and new CLI flag * feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks * feat: enhance error message handling in cli_validation_tests for better Windows compatibility * feat: optimize release profile settings in Cargo.toml and update CodeQL configuration * feat: enhance release build process with SBOM generation and SLSA provenance * feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries * feat: introduce PathFact handling for path safety checks and rejection logic * feat: introduce PathFact handling for path safety checks and rejection logic * feat: update benchmark data and enhance path sanitization logic with new safety checks * feat: document AI assistance in frontend UI development and human review process * feat: add return path facts for enhanced path safety checks and update documentation * chore: update release date for version 0.5.0 in CHANGELOG.md * chore: clean up ci.yml by removing outdated comments and clarifying steps * feat: implement cross-language path sanitizers and validators for enhanced security * feat: enhance SSA value usage tracking by including block terminators and improve path safety checks * feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases * refactor: simplify conditional formatting and improve code readability in executor and lower modules * feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues * feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers * feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers * feat: add transform classifiers for Java, Go, and Ruby with corresponding tests * refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
//! SSA function-summary and container-flow extraction.
//!
//! Extracted from the monolithic `ssa_transfer.rs`. Contains:
//! * [`extract_ssa_func_summary`] — runs per-parameter taint probes and
//! synthesises an [`crate::summary::ssa_summary::SsaFuncSummary`] with
//! source caps, return transforms, per-path transforms, and sink site
//! attribution.
//! * [`extract_container_flow_summary`] — structural scan for
//! `param_container_to_return` + `param_to_container_store` pairs.
//! * Private helpers for predicate-hash summarisation, abstract-transfer
//! derivation, callback source detection, and return-type inference.
use super::events::extract_sink_arg_positions;
use super::state::{BindingKey, SsaTaintState};
use super::{
SsaTaintEvent, SsaTaintTransfer, detect_variant_inner_fact, run_ssa_taint_full, transfer_block,
transfer_inst,
};
use crate::cfg::{BodyId, Cfg, FuncSummaries};
use crate::labels::{Cap, SourceKind};
use crate::ssa::ir::{SsaBody, SsaOp, SsaValue, Terminator};
use crate::summary::GlobalSummaries;
use crate::symbol::Lang;
use crate::taint::domain::{TaintOrigin, VarTaint};
use petgraph::graph::NodeIndex;
use smallvec::SmallVec;
use std::collections::{HashMap, HashSet};
/// Maximum number of parameters to probe for summary extraction.
/// Functions with more params fall back to legacy `FuncSummary`.
const MAX_PROBE_PARAMS: usize = 8;
/// Extract a precise per-parameter `SsaFuncSummary` from an already-lowered SSA body.
///
/// For each parameter (up to [`MAX_PROBE_PARAMS`]), runs a taint probe by seeding
/// that parameter with `Cap::all()` via `global_seed` and observing what caps
/// survive to return positions and which sinks fire. A final probe with no params
/// tainted detects intrinsic source caps.
#[allow(clippy::too_many_arguments)]
pub fn extract_ssa_func_summary(
ssa: &SsaBody,
cfg: &Cfg,
local_summaries: &FuncSummaries,
global_summaries: Option<&GlobalSummaries>,
lang: Lang,
namespace: &str,
interner: &crate::state::symbol::SymbolInterner,
param_count: usize,
module_aliases: Option<&HashMap<SsaValue, SmallVec<[String; 2]>>>,
locator: Option<&crate::summary::SinkSiteLocator<'_>>,
formal_param_names: Option<&[String]>,
) -> crate::summary::ssa_summary::SsaFuncSummary {
use crate::summary::SinkSite;
use crate::summary::ssa_summary::{SsaFuncSummary, TaintTransform};
let effective_params = param_count.min(MAX_PROBE_PARAMS);
// Collect (param_index, var_name, ssa_value) from the SSA body
let mut param_info: Vec<(usize, String, SsaValue)> = Vec::new();
for block in &ssa.blocks {
for inst in block.phis.iter().chain(block.body.iter()) {
if let SsaOp::Param { index } = &inst.op {
if *index < effective_params {
if let Some(name) = inst.var_name.as_ref() {
param_info.push((*index, name.clone(), inst.value));
}
}
}
}
}
// Identify return-reaching blocks
let return_blocks: Vec<usize> = ssa
.blocks
.iter()
.enumerate()
.filter(|(_, b)| matches!(b.terminator, Terminator::Return(_)))
.map(|(i, _)| i)
.collect();
// Collect all param SSA values to exclude from return cap collection.
// Param values persist with their seeded taint throughout the function —
// we only want caps on derived values (call results, assigns) at return.
let all_param_values: std::collections::HashSet<SsaValue> =
param_info.iter().map(|(_, _, v)| *v).collect();
// Per-return-block observation captured alongside the aggregate return
// caps. Each entry records one return block's exit state — caps
// contributed on that path, path-predicate hash, known_true/false bits,
// and the return SSA value's abstract fact — so the per-param loop can
// emit one [`ReturnPathTransform`] per distinct predicate gate.
struct ReturnBlockObs {
/// Caps at the return SSA value (or joined live values for
/// implicit returns) on this block's exit.
derived_caps: Cap,
/// Caps collected from parameter values reaching this return
/// (passthrough fallback).
param_caps: Cap,
/// Deterministic hash of the predicate gate at this return.
/// `0` means "no predicate gate" — an unguarded return.
predicate_hash: u64,
/// `PredicateSummary::known_true` bits intersected across all
/// tracked variables at this return. Encoded via
/// [`crate::taint::domain::predicate_kind_bit`].
known_true: u8,
/// `PredicateSummary::known_false` bits at this return.
known_false: u8,
/// Abstract fact on the return SSA value at this return (None
/// when Top or abstract interp disabled).
abstract_value: Option<crate::abstract_interp::AbstractValue>,
/// [`crate::abstract_interp::PathFact`] on the return SSA value
/// at this block's exit. Top when abstract interp is disabled
/// or no narrowing was proved on this path.
path_fact: crate::abstract_interp::PathFact,
/// Inner [`PathFact`] when the rv on this path is a one-arg
/// variant constructor; [`None`] otherwise.
variant_inner_fact: Option<crate::abstract_interp::PathFact>,
}
// Helper: run a taint probe with a given global_seed and return
// the aggregate return caps, sink events, joined return abstract,
// and the per-return-block observation list used to derive
// per-return-path transforms.
let run_probe = |seed: HashMap<BindingKey, VarTaint>| -> (
Cap,
Vec<SsaTaintEvent>,
Option<crate::abstract_interp::AbstractValue>,
Vec<ReturnBlockObs>,
) {
let seed_ref = if seed.is_empty() { None } else { Some(&seed) };
let transfer = SsaTaintTransfer {
lang,
namespace,
interner,
local_summaries,
global_summaries,
interop_edges: &[],
owner_body_id: BodyId(0),
parent_body_id: None,
global_seed: seed_ref,
param_seed: None,
receiver_seed: None,
const_values: None,
type_facts: None,
ssa_summaries: None,
extra_labels: None,
base_aliases: None,
callee_bodies: None,
inline_cache: None,
context_depth: 0,
callback_bindings: None,
points_to: None,
dynamic_pts: None,
import_bindings: None,
promisify_aliases: None,
module_aliases,
static_map: None,
auto_seed_handler_params: false,
cross_file_bodies: None,
};
let (events, block_states) = run_ssa_taint_full(ssa, cfg, &transfer);
// Collect surviving caps at return blocks.
// Separate param values from derived values: derived values give
// more precise transforms (they reflect function-internal sanitization).
// If only param values reach return → pure passthrough (Identity).
let mut total_derived_caps = Cap::empty();
let mut total_param_caps = Cap::empty();
// Extract abstract value of the return SSA value.
let mut return_abstract: Option<crate::abstract_interp::AbstractValue> = None;
// Per-return-block observations for per-path transforms.
let mut per_return: Vec<ReturnBlockObs> = Vec::with_capacity(return_blocks.len());
for &bid in &return_blocks {
if let Some(entry) = &block_states[bid] {
let empty_induction = HashSet::new();
let exit = transfer_block(
&ssa.blocks[bid],
cfg,
ssa,
&transfer,
entry.clone(),
&empty_induction,
None,
);
let ret_val = match &ssa.blocks[bid].terminator {
Terminator::Return(rv) => rv.as_ref().copied(),
_ => None,
};
let mut block_derived_caps = Cap::empty();
let mut block_param_caps = Cap::empty();
if let Some(rv) = ret_val {
// Explicit return value: use only its taint for derived_caps.
// If rv has no taint entry, this block contributes no derived caps.
if let Some(taint) = exit.get(rv) {
if all_param_values.contains(&rv) {
block_param_caps |= taint.caps;
} else {
block_derived_caps |= taint.caps;
}
}
// When rv is not a param value, also collect param taint as a
// fallback. The SSA terminator's rv may point to the last body
// instruction (e.g. push/append result) rather than the actual
// return expression (the container parameter itself). This fires
// both when rv is tainted (derived) and when rv is untainted
// (the push result may have no taint but the param does).
// Skip when rv IS a param (already handled above) or when rv is
// a Const (provably untainted constant return).
let rv_is_const = ssa.blocks[bid]
.body
.iter()
.chain(ssa.blocks[bid].phis.iter())
.any(|inst| inst.value == rv && matches!(inst.op, SsaOp::Const(_)));
if !all_param_values.contains(&rv) && !rv_is_const {
for (val, taint) in &exit.values {
if all_param_values.contains(val) {
block_param_caps |= taint.caps;
}
}
}
} else {
// Return(None): implicit return — fall back to all live values.
for (val, taint) in &exit.values {
if all_param_values.contains(val) {
block_param_caps |= taint.caps;
} else {
block_derived_caps |= taint.caps;
}
}
}
total_derived_caps |= block_derived_caps;
total_param_caps |= block_param_caps;
// Abstract return: use terminator's return value when available,
// fall back to last instruction heuristic for Return(None).
let mut block_abs: Option<crate::abstract_interp::AbstractValue> = None;
let mut block_path_fact = crate::abstract_interp::PathFact::top();
let mut block_variant_inner: Option<crate::abstract_interp::PathFact> = None;
if let Some(ref abs) = exit.abstract_state {
let abs_rv = ret_val.or_else(|| {
ssa.blocks[bid]
.body
.last()
.or_else(|| ssa.blocks[bid].phis.last())
.map(|inst| inst.value)
});
if let Some(rv) = abs_rv {
let av = abs.get(rv);
block_path_fact = av.path.clone();
if !av.is_top() {
block_abs = Some(av.clone());
return_abstract = Some(match return_abstract {
None => av,
Some(prev) => prev.join(&av),
});
}
block_variant_inner = detect_variant_inner_fact(rv, ssa, &exit);
}
}
// Derive a predicate hash + known-true/false
// intersection across tracked variables at this return.
// The hash is stable across runs for a given predicate
// shape so call sites can compare paths deterministically.
let (predicate_hash, known_true, known_false) = summarise_return_predicates(&exit);
per_return.push(ReturnBlockObs {
derived_caps: block_derived_caps,
param_caps: block_param_caps,
predicate_hash,
known_true,
known_false,
abstract_value: block_abs,
path_fact: block_path_fact,
variant_inner_fact: block_variant_inner,
});
}
}
// Prefer derived caps; fall back to param caps for passthrough functions
let return_caps = if !total_derived_caps.is_empty() {
total_derived_caps
} else {
total_param_caps
};
// Drop return_abstract if it joined to Top
let return_abstract = return_abstract.filter(|v| !v.is_top());
(return_caps, events, return_abstract, per_return)
};
// Probe with no params tainted → detect source_caps + return abstract.
// Abstract values don't depend on taint seeding, so the baseline probe
// captures the function's intrinsic abstract return value.
let (baseline_return_caps, _baseline_events, return_abstract, baseline_obs) =
run_probe(HashMap::new());
let source_caps = baseline_return_caps;
// Per-return-path PathFact decomposition derived from the baseline
// probe (no seeded taint). Abstract facts on the return rv are
// independent of taint seeding — they describe the function's
// intrinsic narrowing, so the baseline run captures them without
// per-param noise.
//
// Emitted only when ≥2 return-block entries have distinct predicate
// hashes *and* at least one entry carries non-Top signal (fact or
// variant_inner_fact). A uniform all-Top list adds bytes without
// helping any caller.
let mut return_path_facts: SmallVec<[crate::summary::ssa_summary::PathFactReturnEntry; 2]> =
SmallVec::new();
if baseline_obs.len() >= 2 {
let mut merged: SmallVec<[crate::summary::ssa_summary::PathFactReturnEntry; 2]> =
SmallVec::new();
for obs in &baseline_obs {
let entry = crate::summary::ssa_summary::PathFactReturnEntry {
predicate_hash: obs.predicate_hash,
known_true: obs.known_true,
known_false: obs.known_false,
path_fact: obs.path_fact.clone(),
variant_inner_fact: obs.variant_inner_fact.clone(),
};
crate::summary::ssa_summary::merge_path_fact_return_paths(&mut merged, &[entry]);
}
let distinct_hashes = merged
.iter()
.map(|e| e.predicate_hash)
.collect::<std::collections::HashSet<_>>();
let has_signal = merged
.iter()
.any(|e| !e.path_fact.is_top() || e.variant_inner_fact.is_some());
if distinct_hashes.len() >= 2 && has_signal {
return_path_facts = merged;
}
}
// Probe each param
let mut param_to_return = Vec::new();
let mut param_to_sink: Vec<(usize, SmallVec<[SinkSite; 1]>)> = Vec::new();
let mut param_to_sink_param = Vec::new();
// Per-param return-path decomposition. Populated only when the param
// has ≥2 distinct return-block predicate hashes — a single-return-path
// callee is already precise via `param_to_return`.
let mut param_return_paths: Vec<(
usize,
SmallVec<[crate::summary::ssa_summary::ReturnPathTransform; 2]>,
)> = Vec::new();
for &(idx, ref var_name, _ssa_val) in &param_info {
let mut seed = HashMap::new();
let origin = TaintOrigin {
node: NodeIndex::new(0), // synthetic origin for probing
source_kind: SourceKind::UserInput,
source_span: None,
};
seed.insert(
BindingKey::new(var_name.as_str(), BodyId(0)),
VarTaint {
caps: Cap::all(),
origins: SmallVec::from_elem(origin, 1),
uses_summary: false,
},
);
let (return_caps, events, _, per_return_obs) = run_probe(seed);
// Subtract baseline source_caps — we only want param-contributed caps
let param_return_caps = return_caps & !source_caps;
if !param_return_caps.is_empty() {
let stripped = Cap::all() & !param_return_caps;
let transform = if stripped.is_empty() {
TaintTransform::Identity
} else {
TaintTransform::StripBits(stripped)
};
param_to_return.push((idx, transform));
}
// Derive per-return-path decomposition. For each
// observed return block, derive a `ReturnPathTransform` mirroring
// the aggregate logic (prefer derived caps, fall back to param
// caps, strip baseline source caps). Only emit when ≥2 distinct
// predicate hashes are present — a single-hash summary adds no
// signal over the aggregate `param_to_return`.
if per_return_obs.len() >= 2 {
let mut per_path: SmallVec<[crate::summary::ssa_summary::ReturnPathTransform; 2]> =
SmallVec::new();
for obs in &per_return_obs {
let block_return_caps = if !obs.derived_caps.is_empty() {
obs.derived_caps
} else {
obs.param_caps
};
let block_contributed = block_return_caps & !source_caps;
let transform_kind = if block_contributed.is_empty() {
// No caps on this path — param does not reach return
// under this predicate. A `StripBits(all)` records
// "all bits cleared" so downstream join preserves the
// disparity with other paths.
TaintTransform::StripBits(Cap::all())
} else {
let stripped = Cap::all() & !block_contributed;
if stripped.is_empty() {
TaintTransform::Identity
} else {
TaintTransform::StripBits(stripped)
}
};
crate::summary::ssa_summary::merge_return_paths(
&mut per_path,
&[crate::summary::ssa_summary::ReturnPathTransform {
transform: transform_kind,
path_predicate_hash: obs.predicate_hash,
known_true: obs.known_true,
known_false: obs.known_false,
abstract_contribution: obs.abstract_value.clone(),
}],
);
}
// Only record when ≥2 distinct predicate gates survived
// the dedup (a single-entry vector is no finer than the
// aggregate `param_to_return` and wastes bytes on disk).
let distinct_hashes = per_path
.iter()
.map(|e| e.path_predicate_hash)
.collect::<std::collections::HashSet<_>>();
if distinct_hashes.len() >= 2 {
param_return_paths.push((idx, per_path));
}
}
// Collect sink caps + primary-location sites from events + per-arg-position detail
let mut param_sites: SmallVec<[SinkSite; 1]> = SmallVec::new();
for event in &events {
for pos in extract_sink_arg_positions(event, ssa) {
param_to_sink_param.push((idx, pos, event.sink_caps));
}
if event.sink_caps.is_empty() {
continue;
}
let site = match locator {
Some(loc) => {
loc.site_for_span(cfg[event.sink_node].classification_span(), event.sink_caps)
}
None => SinkSite::cap_only(event.sink_caps),
};
let key = site.dedup_key();
if !param_sites.iter().any(|s| s.dedup_key() == key) {
param_sites.push(site);
}
}
if !param_sites.is_empty() {
param_to_sink.push((idx, param_sites));
}
}
let (param_container_to_return, param_to_container_store) =
extract_container_flow_summary(ssa, lang, effective_params);
// Parameter-granularity points-to summary.
let points_to = crate::ssa::param_points_to::analyse_param_points_to(
ssa,
&param_info,
effective_params,
formal_param_names,
Some(lang),
);
// Infer return type: scan return-reaching blocks for constructor calls.
let return_type = infer_summary_return_type(ssa, lang);
// Detect source_to_callback: internal source taint flowing to calls of
// parameter functions (e.g., `fn apply(f) { let x = source(); f(x); }`).
// Re-runs the baseline probe internally to get accurate taint state.
let source_to_callback = if !source_caps.is_empty() && !param_info.is_empty() {
let baseline_transfer = SsaTaintTransfer {
lang,
namespace,
interner,
local_summaries,
global_summaries,
interop_edges: &[],
owner_body_id: BodyId(0),
parent_body_id: None,
global_seed: None,
param_seed: None,
receiver_seed: None,
const_values: None,
type_facts: None,
ssa_summaries: None,
extra_labels: None,
base_aliases: None,
callee_bodies: None,
inline_cache: None,
context_depth: 0,
callback_bindings: None,
points_to: None,
dynamic_pts: None,
import_bindings: None,
promisify_aliases: None,
module_aliases: None,
static_map: None,
auto_seed_handler_params: false,
cross_file_bodies: None,
};
detect_source_to_callback_from_states(
ssa,
cfg,
source_caps,
&param_info,
&baseline_transfer,
)
} else {
vec![]
};
// Per-parameter abstract-domain transfers.
//
// Derived structurally from the SSA body — no additional taint probes.
// Three-step inference per parameter:
// 1. Identity: return SSA value at every return block traces back to
// this parameter (possibly through assigns / phi merges all feeding
// from the same param).
// 2. Callee-intrinsic bound: baseline `return_abstract` carries a
// concrete fact (bounded interval or known prefix) that holds
// regardless of caller input — record it once per parameter as
// `Clamped` / `LiteralPrefix` so the caller sees the bound even
// when it has no abstract info on its own argument.
// 3. Top: default; the entry is omitted (empty transfer is meaningless).
let abstract_transfer = derive_abstract_transfer(ssa, &param_info, return_abstract.as_ref());
SsaFuncSummary {
param_to_return,
param_to_sink,
source_caps,
param_to_sink_param,
param_container_to_return,
param_to_container_store,
return_type,
return_abstract,
source_to_callback,
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer,
param_return_paths,
return_path_facts,
points_to,
}
}
/// Derive a deterministic predicate-hash + known-true/false intersection
/// for a return-block exit state.
///
/// The hash combines the sorted `(SymbolId, known_true, known_false)` tuples
/// from the state's `predicates` list with the validated_must bitmask. Two
/// return blocks whose predicate gates are observationally identical produce
/// the same hash; the intersection of known_true/false gives the bits that
/// hold on every path into each return block.
///
/// Returns `(0, 0, 0)` for a Top state (no predicates tracked).
pub(super) fn summarise_return_predicates(state: &SsaTaintState) -> (u64, u8, u8) {
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
if state.predicates.is_empty() && state.validated_must.is_empty() {
return (0, 0, 0);
}
let mut h = DefaultHasher::new();
// Validated-must contributes deterministically via bits().
state.validated_must.bits().hash(&mut h);
// Sort by SymbolId (predicates list is already sorted by SsaTaintState
// invariants, but hash-input stability matters here).
let mut sorted: smallvec::SmallVec<[(u32, u8, u8); 4]> = state
.predicates
.iter()
.map(|(id, s)| (id.0, s.known_true, s.known_false))
.collect();
sorted.sort_by_key(|(id, _, _)| *id);
for (id, kt, kf) in &sorted {
id.hash(&mut h);
kt.hash(&mut h);
kf.hash(&mut h);
}
let hash = h.finish();
// Intersect known_true / known_false across all tracked variables:
// the bits that hold for EVERY predicate-tracked var at this return.
let known_true = sorted
.iter()
.map(|(_, kt, _)| *kt)
.fold(u8::MAX, |a, b| a & b);
let known_false = sorted
.iter()
.map(|(_, _, kf)| *kf)
.fold(u8::MAX, |a, b| a & b);
// Use `1` for the "no predicates but validated_must non-empty" case to
// avoid colliding with the unguarded sentinel (0).
let hash = if hash == 0 { 1 } else { hash };
(hash, known_true, known_false)
}
/// Derive per-parameter [`AbstractTransfer`] entries for a function's SSA
/// body.
///
/// `return_abstract` is the callee's intrinsic baseline (from the no-seed
/// probe). When present, it describes a fact that holds for the return
/// regardless of parameter input — so it can be attached as a
/// `Clamped` / `LiteralPrefix` transform to every parameter that flows to
/// the return.
///
/// Identity detection is structural: walk the return values back through
/// [`SsaOp::Assign`] / [`SsaOp::Phi`] chains (bounded) and check whether
/// every leaf resolves to the same [`SsaOp::Param`]. The trace is cheap
/// and can only produce `Identity` for passthrough callees — anything
/// more complex degrades to the baseline fact or `Top`.
fn derive_abstract_transfer(
ssa: &SsaBody,
param_info: &[(usize, String, SsaValue)],
return_abstract: Option<&crate::abstract_interp::AbstractValue>,
) -> Vec<(usize, crate::abstract_interp::AbstractTransfer)> {
use crate::abstract_interp::{AbstractTransfer, IntervalTransfer, StringTransfer};
if param_info.is_empty() {
return Vec::new();
}
// Build a lookup from SsaValue → defining op by scanning the body once.
let mut defs: HashMap<SsaValue, &SsaOp> = HashMap::new();
for block in &ssa.blocks {
for inst in block.phis.iter().chain(block.body.iter()) {
defs.insert(inst.value, &inst.op);
}
}
// Trace an SSA value backwards to the single source parameter index it
// resolves to, if any. Returns `None` when the trace diverges, hits a
// non-pass-through op, or exceeds the depth bound.
fn trace_to_param(
v: SsaValue,
defs: &HashMap<SsaValue, &SsaOp>,
depth: usize,
) -> Option<usize> {
const MAX_DEPTH: usize = 8;
if depth > MAX_DEPTH {
return None;
}
match defs.get(&v)? {
SsaOp::Param { index } => Some(*index),
SsaOp::Assign(ops) if ops.len() == 1 => trace_to_param(ops[0], defs, depth + 1),
SsaOp::Phi(preds) => {
let mut result: Option<usize> = None;
for (_, pv) in preds {
let p = trace_to_param(*pv, defs, depth + 1)?;
match result {
None => result = Some(p),
Some(existing) if existing == p => {}
Some(_) => return None,
}
}
result
}
_ => None,
}
}
// For every return block, trace its return value and record which
// parameter (if any) it resolves to. If all return blocks agree on the
// same parameter index, that parameter has `Identity`. If they disagree
// (or some don't resolve), no parameter gets `Identity` and we fall
// back to baseline-derived forms.
let mut identity_param: Option<usize> = None;
let mut identity_consistent = true;
for block in &ssa.blocks {
if let Terminator::Return(Some(rv)) = &block.terminator {
let traced = trace_to_param(*rv, &defs, 0);
match (identity_param, traced) {
(None, Some(p)) => identity_param = Some(p),
(Some(existing), Some(p)) if existing == p => {}
_ => {
identity_consistent = false;
break;
}
}
}
}
// Derive a baseline-invariant transform from `return_abstract`. This is
// the "callee intrinsic" fact that always holds — each parameter that
// flows to the return gets it attached as the conservative transfer.
let baseline_invariant: Option<AbstractTransfer> = return_abstract.map(|av| {
let interval = match (av.interval.lo, av.interval.hi) {
(Some(lo), Some(hi)) if lo <= hi => IntervalTransfer::Clamped { lo, hi },
_ => IntervalTransfer::Top,
};
let string = match &av.string.prefix {
Some(p) if !p.is_empty() => StringTransfer::literal_prefix(p),
_ => StringTransfer::Unknown,
};
AbstractTransfer { interval, string }
});
let mut result: Vec<(usize, AbstractTransfer)> = Vec::new();
for (idx, _, _) in param_info {
let mut transfer = AbstractTransfer::top();
if identity_consistent && identity_param == Some(*idx) {
transfer.interval = IntervalTransfer::Identity;
transfer.string = StringTransfer::Identity;
} else if let Some(base) = baseline_invariant.as_ref() {
// Baseline intrinsic bound applies to every parameter that could
// reach the return. We conservatively attach it to all params
// — at apply time the caller meets it with the real return
// abstract (also from this same summary), so double-counting
// would collapse to the tighter of the two.
transfer = base.clone();
}
if !transfer.is_top() {
result.push((*idx, transfer));
}
}
result
}
/// Detect callback patterns where internal source taint flows to a call of a
/// parameter function. Re-runs the baseline probe internally to get accurate
/// taint state at each instruction point.
///
/// Returns `(param_index_of_callee, source_caps)` pairs.
fn detect_source_to_callback_from_states(
ssa: &SsaBody,
cfg: &Cfg,
source_caps: Cap,
param_info: &[(usize, String, SsaValue)],
transfer: &SsaTaintTransfer,
) -> Vec<(usize, Cap)> {
use crate::ssa::ir::SsaOp;
// Map param var_name → param_index
let param_name_to_index: HashMap<&str, usize> = param_info
.iter()
.map(|(idx, name, _)| (name.as_str(), *idx))
.collect();
// Run taint analysis to get converged block states
let (_events, block_states) = run_ssa_taint_full(ssa, cfg, transfer);
let mut result: Vec<(usize, Cap)> = vec![];
for (bid, block) in ssa.blocks.iter().enumerate() {
let Some(entry_state) = &block_states[bid] else {
continue;
};
// Replay block transfer to get accurate taint state at each instruction
let mut state = entry_state.clone();
for inst in &block.body {
// Apply transfer for this instruction to advance state
transfer_inst(inst, cfg, ssa, transfer, &mut state);
// After transfer: check if this is a call to a param with tainted args
if let SsaOp::Call { callee, args, .. } = &inst.op {
if let Some(&param_idx) = param_name_to_index.get(callee.as_str()) {
let any_arg_tainted = args.iter().any(|arg_vals| {
arg_vals
.iter()
.any(|v| state.get(*v).is_some_and(|t| !t.caps.is_empty()))
});
if any_arg_tainted && !result.iter().any(|(idx, _)| *idx == param_idx) {
result.push((param_idx, source_caps));
}
}
}
}
}
result
}
/// Infer the return type of a function from its SSA body by checking whether
/// return-reaching blocks produce values from known constructor/factory calls.
fn infer_summary_return_type(
ssa: &SsaBody,
lang: Lang,
) -> Option<crate::ssa::type_facts::TypeKind> {
// Find blocks with Return terminators, then look at the last defined value
// in those blocks — if it's a Call with a known constructor, that's our type.
for block in &ssa.blocks {
if !matches!(block.terminator, Terminator::Return(_)) {
continue;
}
// Only inspect the very last instruction in the returning block.
if let Some(inst) = block.body.last()
&& let SsaOp::Call { callee, .. } = &inst.op
&& let Some(ty) = crate::ssa::type_facts::constructor_type(lang, callee)
{
return Some(ty);
}
}
None
}
// ── Inter-procedural container flow detection (structural SSA analysis) ──
/// Build a map from SsaValue to its defining instruction.
fn build_inst_map(ssa: &SsaBody) -> HashMap<SsaValue, (SsaOp, Option<SsaValue>)> {
let mut map = HashMap::new();
for block in &ssa.blocks {
for inst in block.phis.iter().chain(block.body.iter()) {
// Store the op and optionally the receiver for calls
map.insert(inst.value, (inst.op.clone(), None));
}
}
map
}
/// Trace an SSA value back through Assign/Phi chains to find if it originates
/// from a `Param { index }`. Returns `Some(index)` if a param is found.
/// Does NOT trace through Call, Const, Source, or other non-identity ops.
fn trace_to_param(
v: SsaValue,
ssa: &SsaBody,
inst_map: &HashMap<SsaValue, (SsaOp, Option<SsaValue>)>,
visited: &mut HashSet<SsaValue>,
) -> Option<usize> {
if !visited.insert(v) {
return None;
}
let (op, _) = inst_map.get(&v)?;
match op {
SsaOp::Param { index } => Some(*index),
SsaOp::Assign(uses) => {
for u in uses {
if let Some(idx) = trace_to_param(*u, ssa, inst_map, visited) {
return Some(idx);
}
}
None
}
SsaOp::Phi(operands) => {
for (_, op_val) in operands {
if let Some(idx) = trace_to_param(*op_val, ssa, inst_map, visited) {
return Some(idx);
}
}
None
}
// Don't trace through Call (new identity), Const, Source, Nop, CatchParam
_ => None,
}
}
/// Detect inter-procedural container flow patterns from SSA structure:
/// - `param_container_to_return`: params whose container identity flows to return
/// - `param_to_container_store`: (src_param, container_param) pairs where src taint
/// is stored into container_param's contents
pub(crate) fn extract_container_flow_summary(
ssa: &SsaBody,
lang: Lang,
formal_param_count: usize,
) -> (Vec<usize>, Vec<(usize, usize)>) {
use crate::ssa::pointsto::{ContainerOp, classify_container_op};
let inst_map = build_inst_map(ssa);
let mut container_to_return: HashSet<usize> = HashSet::new();
let mut container_store: Vec<(usize, usize)> = Vec::new();
// 1. param_container_to_return: trace Assign/Phi ops in return blocks to params.
//
// `trace_to_param` will happily return any `SsaOp::Param { index }`, but
// scoped lowering synthesises `Param` ops for external captures (module
// imports, free identifiers) at indices beyond the formal parameter count.
// Those must not enter the summary — the key's arity only covers formal
// params, and an out-of-range index trips `ssa_summary_fits_arity`, forcing
// the reconciliation probe to generate a synthetic disambiguator that no
// caller will ever look up.
for block in &ssa.blocks {
if !matches!(block.terminator, Terminator::Return(_)) {
continue;
}
for inst in block.phis.iter().chain(block.body.iter()) {
match &inst.op {
// Only trace identity-preserving ops (Assign, Phi).
// Skip Param (would cause false positives in single-block functions),
// Call (new identity), Const, Source, Nop, CatchParam.
SsaOp::Assign(_) | SsaOp::Phi(_) => {
if let Some(idx) =
trace_to_param(inst.value, ssa, &inst_map, &mut HashSet::new())
&& idx < formal_param_count
{
container_to_return.insert(idx);
}
}
_ => {}
}
}
}
// 2. param_to_container_store: find container Store calls, trace args to params
for block in &ssa.blocks {
for inst in block.body.iter() {
if let SsaOp::Call {
callee,
args,
receiver,
} = &inst.op
{
let op = match classify_container_op(callee, lang) {
Some(ContainerOp::Store { value_args, .. }) => value_args,
_ => continue,
};
// Resolve container SSA value. With the new call ABI, the
// receiver is a separate channel and `args` contains only
// positional arguments. For Go, container ops are plain
// function calls (no receiver), so args[0] is the container.
let container_val = if let Some(v) = *receiver {
Some(v)
} else if lang == Lang::Go {
args.first().and_then(|a| a.first().copied())
} else if let Some(dot_pos) = callee.rfind('.') {
let receiver_name = &callee[..dot_pos];
args.iter()
.flat_map(|a| a.iter())
.find(|&&v| {
ssa.value_defs
.get(v.0 as usize)
.and_then(|d| d.var_name.as_deref())
== Some(receiver_name)
})
.copied()
} else {
None
};
let container_val = match container_val {
Some(v) => v,
None => continue,
};
// Trace container to positional param (SelfParam → None, so
// when the container is the receiver we skip — the caller
// tracks that via `receiver_to_container_store` if needed).
// Same arity filter as above: reject synthetic Param ops that
// were injected for free captures.
let container_param =
match trace_to_param(container_val, ssa, &inst_map, &mut HashSet::new()) {
Some(idx) if idx < formal_param_count => idx,
_ => continue,
};
// Go container ops are plain function calls with the container
// at args[0]; value args start at args[1]. Other languages
// place the container on the receiver channel so args holds
// only value args starting at index 0.
let arg_offset = if lang == Lang::Go && receiver.is_none() {
1usize
} else {
0
};
// Trace each value arg to param (same arity filter as above).
for &va_idx in &op {
let effective_idx = va_idx + arg_offset;
if let Some(arg_vals) = args.get(effective_idx) {
for &av in arg_vals {
if let Some(src_param) =
trace_to_param(av, ssa, &inst_map, &mut HashSet::new())
&& src_param < formal_param_count
&& src_param != container_param
&& !container_store.contains(&(src_param, container_param))
{
container_store.push((src_param, container_param));
}
}
}
}
}
}
}
let mut ctr: Vec<usize> = container_to_return.into_iter().collect();
ctr.sort();
container_store.sort();
(ctr, container_store)
}
Reference in a new issue Copy permalink