Fraunhofer-AISEC · oxisto · Jul 26, 2023 · Mar 17, 2023 · Mar 18, 2023 · Mar 19, 2023
@@ -76,6 +76,10 @@ open class ValueEvaluator(
         return evaluateInternal(node as? Node, 0)
     }
 
+    fun clearPath() {
+        path.clear()
+    }
+
     /** Tries to evaluate this node. Anything can happen. */
     protected open fun evaluateInternal(node: Node?, depth: Int): Any? {
         // Add the expression to the current path

@@ -28,71 +28,192 @@ package de.fraunhofer.aisec.cpg.passes
 import de.fraunhofer.aisec.cpg.TranslationContext
 import de.fraunhofer.aisec.cpg.analysis.ValueEvaluator
 import de.fraunhofer.aisec.cpg.graph.Node
+import de.fraunhofer.aisec.cpg.graph.declarations.FunctionDeclaration
 import de.fraunhofer.aisec.cpg.graph.declarations.TranslationUnitDeclaration
 import de.fraunhofer.aisec.cpg.graph.edge.Properties
+import de.fraunhofer.aisec.cpg.graph.edge.PropertyEdge
 import de.fraunhofer.aisec.cpg.graph.statements.IfStatement
 import de.fraunhofer.aisec.cpg.graph.statements.WhileStatement
+import de.fraunhofer.aisec.cpg.helpers.*
 import de.fraunhofer.aisec.cpg.passes.order.DependsOn
-import de.fraunhofer.aisec.cpg.processing.IVisitor
-import de.fraunhofer.aisec.cpg.processing.strategy.Strategy
 
 /**
  * A [Pass] which uses a simple logic to determine constant values and mark unreachable code regions
  * by setting the [Properties.UNREACHABLE] property of an eog-edge to true.
  */
 @DependsOn(ControlFlowSensitiveDFGPass::class)
 class UnreachableEOGPass(ctx: TranslationContext) : TranslationUnitPass(ctx) {
+    override fun cleanup() {
+        // Nothing to do
+    }
+
     override fun accept(tu: TranslationUnitDeclaration) {
-        tu.accept(
-            Strategy::AST_FORWARD,
-            object : IVisitor<Node>() {
-                override fun visit(t: Node) {
-                    when (t) {
-                        is IfStatement -> handleIfStatement(t)
-                        is WhileStatement -> handleWhileStatement(t)
-                    }
-
-                    super.visit(t)
+        val walker = SubgraphWalker.IterativeGraphWalker()
+        walker.registerOnNodeVisit(::handle)
+        walker.iterate(tu)
+    }
+
+    /**
+     * We perform the actions for each [FunctionDeclaration].
+     *
+     * @param node every node in the TranslationResult
+     */
+    protected fun handle(node: Node) {
+        if (node is FunctionDeclaration) {
+            val startState = UnreachabilityState()
+            for (firstEdge in node.nextEOGEdges) {
+                startState.push(firstEdge, ReachabilityLattice(Reachability.REACHABLE))
+            }
+            val finalState = iterateEOG(node.nextEOGEdges, startState, ::transfer) ?: return
+
+            for ((key, value) in finalState) {
+                if (value.elements == Reachability.UNREACHABLE) {
+                    key.addProperty(Properties.UNREACHABLE, true)
                 }
             }
-        )
+        }
     }
+}
+
+/**
+ * This method is executed for each EOG edge which is in the worklist. [currentEdge] is the edge to
+ * process, [currentState] contains the state which was observed before arriving here.
+ *
+ * This method modifies the state for the next eog edge as follows:
+ * - If the next node in the eog is an [IfStatement], the condition is evaluated and if it is either
+ *   always true or false, the else or then branch receives set to [Reachability.UNREACHABLE].
+ * - If the next node in the eog is a [WhileStatement], the condition is evaluated and if it's
+ *   always true or false, either the EOG edge to the loop body or out of the loop body is set to
+ *   [Reachability.UNREACHABLE].
+ * - For all other nodes, we simply propagate the state which led us here.
+ *
+ * Returns the updated state and true because we always expect an update of the state.
+ */
+fun transfer(
+    currentEdge: PropertyEdge<Node>,
+    currentState: State<PropertyEdge<Node>, Reachability>,
+    currentWorklist: Worklist<PropertyEdge<Node>, PropertyEdge<Node>, Reachability>
+): State<PropertyEdge<Node>, Reachability> {
+    val currentNode = currentEdge.end
+    if (currentNode is IfStatement) {
+        handleIfStatement(currentEdge, currentNode, currentState)
+    } else if (currentNode is WhileStatement) {
+        handleWhileStatement(currentEdge, currentNode, currentState)
+    } else {
+        // For all other edges, we simply propagate the reachability property of the edge
+        // which made us come here.
+        currentNode.nextEOGEdges.forEach { currentState.push(it, currentState[currentEdge]) }
+    }
+
+    return currentState
+}
+
+/**
+ * Evaluates the condition of the [IfStatement] [n] (which is the end node of [enteringEdge]). If it
+ * is always true, then the else-branch receives the [state] [Reachability.UNREACHABLE]. If the
+ * condition is always false, then the then-branch receives the [state] [Reachability.UNREACHABLE].
+ * All other cases simply copy the state which led us here.
+ */
+private fun handleIfStatement(
+    enteringEdge: PropertyEdge<Node>,
+    n: IfStatement,
+    state: State<PropertyEdge<Node>, Reachability>
+) {
+    val evalResult = ValueEvaluator().evaluate(n.condition)
 
-    private fun handleIfStatement(n: IfStatement) {
-        val evalResult = ValueEvaluator().evaluate(n.condition)
+    val (unreachableEdge, remainingEdges) =
         if (evalResult is Boolean && evalResult == true) {
-            n.nextEOGEdges
-                .firstOrNull { e -> e.getProperty(Properties.INDEX) == 1 }
-                ?.addProperty(Properties.UNREACHABLE, true)
+            Pair(
+                n.nextEOGEdges.firstOrNull { e -> e.getProperty(Properties.INDEX) == 1 },
+                n.nextEOGEdges.filter { e -> e.getProperty(Properties.INDEX) != 1 }
+            )
         } else if (evalResult is Boolean && evalResult == false) {
-            n.nextEOGEdges
-                .firstOrNull { e -> e.getProperty(Properties.INDEX) == 0 }
-                ?.addProperty(Properties.UNREACHABLE, true)
+            Pair(
+                n.nextEOGEdges.firstOrNull { e -> e.getProperty(Properties.INDEX) == 0 },
+                n.nextEOGEdges.filter { e -> e.getProperty(Properties.INDEX) != 0 }
+            )
+        } else {
+            Pair(null, n.nextEOGEdges)
         }
+
+    if (unreachableEdge != null) {
+        // This edge is definitely unreachable
+        state.push(unreachableEdge, ReachabilityLattice(Reachability.UNREACHABLE))
     }
 
-    private fun handleWhileStatement(n: WhileStatement) {
-        /*
-         * Note: It does not understand that code like
-         * x = true; while(x) {...; x = false;}
-         * makes the loop execute at least once.
-         * Apparently, the CPG does not offer the required functionality to
-         * differentiate between the first and subsequent evaluations of the
-         * condition.
-         */
-        val evalResult = ValueEvaluator().evaluate(n.condition)
+    // For all other edges, we simply propagate the reachability property of the edge which
+    // made us come here.
+    remainingEdges.forEach { state.push(it, state[enteringEdge]) }
+}
+
+/**
+ * Evaluates the condition of the [WhileStatement] [n] (which is the end node of [enteringEdge]). If
+ * it is always true, then the edge to the code after the loop receives the [state]
+ * [Reachability.UNREACHABLE]. If the condition is always false, then the edge to the loop body
+ * receives the [state] [Reachability.UNREACHABLE]. All other cases simply copy the state which led
+ * us here.
+ */
+private fun handleWhileStatement(
+    enteringEdge: PropertyEdge<Node>,
+    n: WhileStatement,
+    state: State<PropertyEdge<Node>, Reachability>
+) {
+    /*
+     * Note: It does not understand that code like
+     * x = true; while(x) {...; x = false;}
+     * makes the loop execute at least once.
+     * Apparently, the CPG does not offer the required functionality to
+     * differentiate between the first and subsequent evaluations of the
+     * condition.
+     */
+    val evalResult = ValueEvaluator().evaluate(n.condition)
+
+    val (unreachableEdge, remainingEdges) =
         if (evalResult is Boolean && evalResult == true) {
-            n.nextEOGEdges
-                .firstOrNull { e -> e.getProperty(Properties.INDEX) == 1 }
-                ?.addProperty(Properties.UNREACHABLE, true)
+            Pair(
+                n.nextEOGEdges.firstOrNull { e -> e.getProperty(Properties.INDEX) == 1 },
+                n.nextEOGEdges.filter { e -> e.getProperty(Properties.INDEX) != 1 }
+            )
         } else if (evalResult is Boolean && evalResult == false) {
-            n.nextEOGEdges
-                .firstOrNull { e -> e.getProperty(Properties.INDEX) == 0 }
-                ?.addProperty(Properties.UNREACHABLE, true)
+            Pair(
+                n.nextEOGEdges.firstOrNull { e -> e.getProperty(Properties.INDEX) == 0 },
+                n.nextEOGEdges.filter { e -> e.getProperty(Properties.INDEX) != 0 }
+            )
+        } else {
+            Pair(null, n.nextEOGEdges)
         }
-    }
 
-    override fun cleanup() {
-        // nothing to do
+    if (unreachableEdge != null) {
+        // This edge is definitely unreachable
+        state.push(unreachableEdge, ReachabilityLattice(Reachability.UNREACHABLE))
     }
+
+    // For all other edges, we simply propagate the reachability property of the edge which
+    // made us come here.
+    remainingEdges.forEach { state.push(it, state[enteringEdge]) }
 }
+
+/** Implements the [Lattice] over reachability properties: TOP | REACHABLE | UNREACHABLE | BOTTOM */
+class ReachabilityLattice(override val elements: Reachability) : Lattice<Reachability>(elements) {
+    override fun lub(other: Lattice<Reachability>?) =
+        ReachabilityLattice(maxOf(this.elements, other?.elements ?: Reachability.BOTTOM))
+
+    override fun duplicate() = ReachabilityLattice(this.elements)
+
+    override fun compareTo(other: Lattice<Reachability>?) =
+        this.elements.compareTo(other?.elements ?: Reachability.BOTTOM)
+}
+
+/** The ordering will be as follows: BOTTOM (no information) < UNREACHABLE < REACHABLE < TOP */
+enum class Reachability {
+    BOTTOM,
+    UNREACHABLE,
+    REACHABLE,
+    TOP
+}
+
+/**
+ * A state which actually holds a state for all [PropertyEdge]s, one only for declarations and one
+ * for ReturnStatements.
+ */
+class UnreachabilityState : State<PropertyEdge<Node>, Reachability>()
@@ -167,21 +167,25 @@ class MultiValueEvaluatorTest {
 
         printB = main.bodyOrNull<CallExpression>(1)
         assertNotNull(printB)
+        evaluator.clearPath()
         value = evaluator.evaluate(printB.arguments.firstOrNull()) as ConcreteNumberSet
         assertEquals(setOf<Long>(0, 1, 2), value.values)
 
         printB = main.bodyOrNull<CallExpression>(2)
         assertNotNull(printB)
+        evaluator.clearPath()
         value = evaluator.evaluate(printB.arguments.firstOrNull()) as ConcreteNumberSet
         assertEquals(setOf<Long>(0, 1, 2, 4), value.values)
 
         printB = main.bodyOrNull<CallExpression>(3)
         assertNotNull(printB)
+        evaluator.clearPath()
         value = evaluator.evaluate(printB.arguments.firstOrNull()) as ConcreteNumberSet
         assertEquals(setOf<Long>(-4, -2, -1, 0, 1, 2, 4), value.values)
 
         printB = main.bodyOrNull<CallExpression>(4)
         assertNotNull(printB)
+        evaluator.clearPath()
         value = evaluator.evaluate(printB.arguments.firstOrNull()) as ConcreteNumberSet
         assertEquals(setOf<Long>(3, 6), value.values)
     }

@@ -34,10 +34,7 @@ import de.fraunhofer.aisec.cpg.graph.edge.Properties
 import de.fraunhofer.aisec.cpg.graph.statements.IfStatement
 import de.fraunhofer.aisec.cpg.graph.statements.WhileStatement
 import java.nio.file.Path
-import kotlin.test.Test
-import kotlin.test.assertFalse
-import kotlin.test.assertNotNull
-import kotlin.test.assertTrue
+import kotlin.test.*
 import org.junit.jupiter.api.BeforeAll
 import org.junit.jupiter.api.TestInstance
 
@@ -80,8 +77,46 @@ class UnreachableEOGPassTest {
         val ifStatement = method.bodyOrNull<IfStatement>()
         assertNotNull(ifStatement)
 
-        assertFalse(ifStatement.nextEOGEdges[0].getProperty(Properties.UNREACHABLE) as Boolean)
-        assertTrue(ifStatement.nextEOGEdges[1].getProperty(Properties.UNREACHABLE) as Boolean)
+        // Check if the then-branch is set as reachable including all the edges until reaching the
+        // print
+        val thenDecl = ifStatement.nextEOGEdges[0]
+        assertFalse(thenDecl.getProperty(Properties.UNREACHABLE) as Boolean)
+        assertEquals(1, thenDecl.end.nextEOGEdges.size)
+        // The "++"
+        val incOp = thenDecl.end.nextEOGEdges[0]
+        assertFalse(incOp.getProperty(Properties.UNREACHABLE) as Boolean)
+        assertEquals(1, incOp.end.nextEOGEdges.size)
+        // The compoundStmt
+        val thenCompound = incOp.end.nextEOGEdges[0]
+        assertFalse(thenCompound.getProperty(Properties.UNREACHABLE) as Boolean)
+        assertEquals(1, thenCompound.end.nextEOGEdges.size)
+        // There's the outgoing EOG edge to the statement after the branching
+        val thenExit = thenCompound.end.nextEOGEdges[0]
+        assertFalse(thenExit.getProperty(Properties.UNREACHABLE) as Boolean)
+
+        // Check if the else-branch is set as unreachable including all the edges until reaching the
+        // print
+        val elseDecl = ifStatement.nextEOGEdges[1]
+        assertTrue(elseDecl.getProperty(Properties.UNREACHABLE) as Boolean)
+        assertEquals(1, elseDecl.end.nextEOGEdges.size)
+        // The "--"
+        val decOp = elseDecl.end.nextEOGEdges[0]
+        assertTrue(decOp.getProperty(Properties.UNREACHABLE) as Boolean)
+        assertEquals(1, decOp.end.nextEOGEdges.size)
+        // The compoundStmt
+        val elseCompound = decOp.end.nextEOGEdges[0]
+        assertTrue(elseCompound.getProperty(Properties.UNREACHABLE) as Boolean)
+        assertEquals(1, elseCompound.end.nextEOGEdges.size)
+        // There's the outgoing EOG edge to the statement after the branching
+        val elseExit = elseCompound.end.nextEOGEdges[0]
+        assertTrue(elseExit.getProperty(Properties.UNREACHABLE) as Boolean)
+
+        // After the branching, it's reachable again. Check that we found the merge node and that we
+        // continue with reachable edges.
+        assertEquals(thenExit.end, elseExit.end)
+        val mergeNode = thenExit.end
+        assertEquals(1, mergeNode.nextEOGEdges.size)
+        assertFalse(mergeNode.nextEOGEdges[0].getProperty(Properties.UNREACHABLE) as Boolean)
     }
 
     @Test

@@ -204,8 +204,22 @@ interface HasUnknownType : LanguageTrait {
  * evaluation if the logical result is already known: '&&', '||' in Java or 'and','or' in Python
  */
 interface HasShortCircuitOperators : LanguageTrait {
-    // '&&', 'and', '^'
+    /**
+     * Operations which only execute the rhs of a binary operation if the lhs is `true`. Typically,
+     * these are `&&`, `and` or `^`
+     */
     val conjunctiveOperators: List<String>
-    // '||', 'or', 'v'
+
+    /**
+     * Operations which only execute the rhs of a binary operation if the lhs is `false`. Typically,
+     * these are `||`, `or` or `v`
+     */
     val disjunctiveOperators: List<String>
+
+    /**
+     * The union of [conjunctiveOperators] and [disjunctiveOperators], i.e., all binary operators of
+     * this language which result in some kind of branching behavior.
+     */
+    val operatorCodes: Set<String>
+        get() = conjunctiveOperators.union(disjunctiveOperators)
 }
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2023, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+package de.fraunhofer.aisec.cpg.graph
+
+/** A node triggering a conditional execution of other code. */
+interface BranchingNode {
+    /** The node which affects the next EOG edge. Typically, this is a condition or similar. */
+    val branchedBy: Node?
+}