Re: [abc-users] tracematches on local variables

(Apologies for the delay with this, the message was stuck in a mail
queue since this morning without my noticing.)

Hi,

Just before sending the message below, I tried compiling and running the
sample code I included with abc's old Polyglot-based frontend. With
that, I could reproduce exactly the behaviour you describe -- no matches
occur, unless each assignment of d.filter() is to a new local! This is
clearly a bug in the old frontend.

However, that is pretty much deprecated and almost unmaintained at this
point. I would strongly recommend you use "-ext abc.ja.tm" rather than
"-ext abc.tm" when compiling tracematches, so that you get all the
benefits fo abc's shiny new JastAddJ-based frontend.

The original message is still included below for reference.

Cheers,
-P

==================================

Hi there,

First off, tracematches are not concerned with local variables -- state
is tracked at the level of object instances, and so whether something is
stored in a local, a field, or a new local should not make a difference.

Having said that, I've looked at your example quite carefully, and I
think I see a possible cause of the problem. Your code reads:

    sym input after returning (from) :
        call(Data DataFactory.makeData(String)) && call(*
*.markAsTainted(..));

Note, however, that since no method is called makeData and markAsTainted
at the same time, this pointcut *never matches*. Indeed, for me abc
gives a warning to that effect.

Now, I assume you either meant disjunction ("||" rather than "&&"), or
you only meant calls to markAsTainted. If I fix this, things work
exactly as I expect: When I compile the program given below and run it,
I get the following output:

% java DataFactory
propagating from Tainted to Tainted#filtered
propagating from Tainted#filtered to Tainted#filtered#filtered
%

Having said this, I'm not sure why changing the assignment of d.filter()
to a new local made a difference for you, since the 'input' event should
still not have matched anywhere.

Here's the code that I used:

---------------------------------------------
public aspect DataFactory {

static class Data {
private String str;
public Data(String s) {
str = s;
}

public String toString() {
return str;
}

public Data filter() {
return new Data((str+"#filtered").intern());
}
}

public static Data makeData(String s) {
return new Data(s.intern());
}

public static Data markAsTainted(Data d) { return d; }

public static void main(String[] args) {
Data d = makeData("Tainted");
markAsTainted(d);
d = d.filter();
d = d.filter();
}

tracematch (Data from, Data to) {
sym input after returning (from) :
//call(Data DataFactory.makeData(String)) && call(* *.markAsTainted(..));
call(* *.markAsTainted(..));
sym propagation after returning(to) :
call(Data Data.filter()) && target(from);

input propagation+ {
System.out.println("propagating from " + from + " to " + to);
markAsTainted(to);
}
}
}
------------------------------

Hope this helps,
- Pavel

Kazunori Kawauchi wrote:
> Hi,
>
> I'm a Kazunori Kawauchi and a doctoral student supervised by Dr. Hidehiko
> Masuhara at University of Tokyo.
>
> I attempt to implement "dataflow pointcut" which is analogous to "taint mode" in
> perl by using tracematch (included in abc 1.3.0) to implement "taint bit
> propagation". But, Some propagations on local variables doesn't work.
>
> I define the following tracematch:
>
> tracematch (Data from, Data to) {
> sym input after returning (from) :
> call(Data DataFactory.makeData(String)) && call(* *.markAsTainted(..));
> sym propagation after returning (to) :
> call(Data Data.filter()) && target(from);
>
> input propagation+ {
> System.out.println(" DEBUG: propagation from " + from + " to " + to);
> markAsTainted(to) // (Identity function)
> }
> }
>
> Then I define an application program too (I'll show the excerpt of the program):
>
> Data d = DataFactory.makeData("Tainted");
> d = d.filter(); // I would like to propagate a 'taint bit'
>
> But, the above tracematch body(i.e., taint bit propagation) isn't executed.
>
> I found suspicious instructions in the weaved bytecode:
> 61: aload_0
> 62: invokevirtual #43; //Method app/Data.filter:()Lapp/Data;
> 65: astore_0
> 66: goto 84
> (snip)
> 84: aload_1
> 85: invokevirtual #34; //Method tracematches/SampleTM.beforeafter$3:()V
> 88: aload_1
> 89: aload_0
> 90: aload_0
> 91: invokevirtual #14; //Method
> tracematches/SampleTM.afterReturning$2:(Lapp/Data;Lapp/Data;)V
> local variable "d" is allocated to #0, and an aspect instance to #1.
> Instruction 65 ("astore_0") overwrites a old value of 'd'(i.e., 'from') by a
> filtered value of 'd'(i.e., 'to'), and Instruction 91 ("invokevirtual") takes
> the filtered value as a value bound to 'from' in the tracematch body, doesn't it?
> Is it a correct behavior in terms of tracematches semantics?
>
> I also found taint bit propagation occurs with the following modification:
> Data d = DataFactory.makeData("Tainted");
> Data new_d = d.filter()
> in this case, the value bound to 'new_d' is marked as tainted.
>
> Thank you for your help in this matter.
>
> Regards,
>
> Kazunori Kawauchi
> kazu_at_graco.c.u-tokyo.ac.jp
>
>
>
>
Received on Sun Nov 23 2008 - 16:04:07 GMT