FunctionSummaries now also include partial writes

cpg-core/src/main/kotlin/de/fraunhofer/aisec/cpg/graph/declarations/FunctionDeclaration.kt

@@ -34,7 +34,6 @@ import de.fraunhofer.aisec.cpg.graph.statements.*
 import de.fraunhofer.aisec.cpg.graph.statements.expressions.Block
 import de.fraunhofer.aisec.cpg.graph.statements.expressions.Expression
 import de.fraunhofer.aisec.cpg.graph.types.Type
-import de.fraunhofer.aisec.cpg.helpers.IdentitySet
 import java.util.*
 import org.apache.commons.lang3.builder.ToStringBuilder
 import org.neo4j.ogm.annotation.Relationship
@@ -77,13 +76,13 @@ open class FunctionDeclaration : ValueDeclaration(), DeclarationHolder, EOGStart
         }
 
     /**
-     * Saves the information on which parameter(s) of the function are modified by the function. This
-     * is interesting since we need to add DFG edges between the modified parameter and the
+     * Saves the information on which parameter(s) of the function are modified by the function.
+     * This is interesting since we need to add DFG edges between the modified parameter and the
      * respective argument(s). For each [ParameterDeclaration] as well as the
      * [MethodDeclaration.receiver] that has some incoming DFG-edge within this
      * [FunctionDeclaration], we store all previous DFG nodes.
      */
-    var functionSummary = mutableMapOf<Node, IdentitySet<Pair<Node, Boolean>>>()
+    var functionSummary = mutableMapOf<Node, MutableSet<Pair<Node, Boolean>>>()
 
     /** Returns true, if this function has a [body] statement. */
     fun hasBody(): Boolean {

cpg-core/src/main/kotlin/de/fraunhofer/aisec/cpg/passes/DFGPass.kt

@@ -84,7 +84,9 @@ class DFGPass(ctx: TranslationContext) : ComponentPass(ctx) {
                             callingContext = CallingContextOut(call)
                         )
                         (arg as? Reference)?.let {
-                            it.access = AccessValues.READWRITE
+                            // The access value stays on READ. Even if it's a pointer, only the
+                            // dereference will be written.
+                            // it.access = AccessValues.READWRITE
                             it.refersTo?.let { it1 -> it.nextDFGEdges += it1 }
                         }
                     }

cpg-core/src/main/kotlin/de/fraunhofer/aisec/cpg/passes/PointsToPass.kt

@@ -132,8 +132,21 @@ class PointsToPass(ctx: TranslationContext) : EOGStarterPass(ctx, orderDependenc
 
     private fun storeFunctionSummary(node: FunctionDeclaration, doubleState: PointsToState2) {
         node.parameters.forEach { param ->
+            val addresses = doubleState.getAddresses(param)
             val indexes = mutableSetOf<Node>()
-            doubleState.getAddresses(param).forEach { indexes.addAll(doubleState.getValues(it)) }
+            addresses.forEach { addr ->
+                indexes.addAll(doubleState.getValues(addr))
+                // Additionally check for partial writes to fields
+                if (addr is MemoryAddress) {
+                    addr.fieldAddresses
+                        .flatMap { it.value }
+                        .forEach {
+                            //                            indexes.addAll( doubleState.getValues(it)
+                            // )
+                            indexes.add(it)
+                        }
+                }
+            }
             indexes.forEach { index ->
                 val finalValue =
                     doubleState.declarationsState.elements
@@ -154,7 +167,7 @@ class PointsToPass(ctx: TranslationContext) : EOGStarterPass(ctx, orderDependenc
                     // If so, store the last write for the parameter in the FunctionSummary
                     ?.forEach { value ->
                         node.functionSummary
-                            .computeIfAbsent(param) { identitySetOf() }
+                            .computeIfAbsent(param) { mutableSetOf() }
                             .add(Pair(value, true))
                     }
             }
@@ -196,11 +209,12 @@ class PointsToPass(ctx: TranslationContext) : EOGStarterPass(ctx, orderDependenc
         to add them to the FunctionSummary */
         var doubleState = doubleState
         if (currentNode.returnValues.isNotEmpty()) {
-            val parentFD = currentNode.scope?.parent?.astNode as? FunctionDeclaration
+            val parentFD =
+                currentNode.firstParentOrNull { it is FunctionDeclaration } as? FunctionDeclaration
             if (parentFD != null) {
                 currentNode.returnValues.forEach { retval ->
                     parentFD.functionSummary
-                        .computeIfAbsent(currentNode) { identitySetOf() }
+                        .computeIfAbsent(currentNode) { mutableSetOf() }
                         .addAll(doubleState.getValues(retval).map { Pair(it, false) })
                 }
             }
@@ -230,8 +244,8 @@ class PointsToPass(ctx: TranslationContext) : EOGStarterPass(ctx, orderDependenc
                 } else {
                     // Add a dummy function Summary so that we don't try this every time
                     // In this dummy, all parameters point to the return
-                    val newValues: IdentitySet<Pair<Node, Boolean>> =
-                        invoke.parameters.map { Pair(it, false) }.toIdentitySet()
+                    val newValues: MutableSet<Pair<Node, Boolean>> =
+                        invoke.parameters.map { Pair(it, false) }.toMutableSet()
                     invoke.functionSummary[ReturnStatement()] = newValues
                 }
             }
@@ -385,10 +399,12 @@ class PointsToPass(ctx: TranslationContext) : EOGStarterPass(ctx, orderDependenc
         /* No need to set the address, this already happens in the constructor */
         val addresses = doubleState.getAddresses(currentNode)
 
-        val values =
-            (currentNode as? HasInitializer)?.initializer?.let { initializer ->
-                doubleState.getValues(initializer)
-            } ?: identitySetOf()
+        val values = identitySetOf<Node>()
+
+        (currentNode as? HasInitializer)?.initializer?.let { initializer ->
+            if (initializer is Literal<*>) values.add(initializer)
+            else values.addAll(doubleState.getValues(initializer))
+        }
 
         var doubleState =
             doubleState.push(
@@ -574,10 +590,6 @@ class PointsToPass(ctx: TranslationContext) : EOGStarterPass(ctx, orderDependenc
 
         fun getValues(node: Node): Set<Node> {
             return when (node) {
-                is MemoryAddress -> {
-                    /* In these cases, we simply have to fetch the current value for the MemoryAddress from the DeclarationState */
-                    fetchElementFromDeclarationState(node)
-                }
                 is PointerReference -> {
                     /* For PointerReferences, the value is the address of the input
                      * For example, the value of `&i` is the address of `i`
@@ -595,12 +607,7 @@ class PointsToPass(ctx: TranslationContext) : EOGStarterPass(ctx, orderDependenc
                             identitySetOf(UnknownMemoryValue(node.name))
                         }
                     val retVal = identitySetOf<Node>()
-                    inputVal.forEach {
-                        // If we have a literal here, we don't further resolve this b/c we don't
-                        // know anything about memory addresses
-                        if (it is Literal<*>) retVal.addAll(fetchElementFromDeclarationState(it))
-                        else retVal.addAll(this.getValues(it))
-                    }
+                    inputVal.forEach { retVal.addAll(this.getValues(it)) }
                     retVal
                 }
                 is Declaration -> {
@@ -659,8 +666,8 @@ class PointsToPass(ctx: TranslationContext) : EOGStarterPass(ctx, orderDependenc
                         } else identitySetOf(UnknownMemoryValue(node.name))
                     } else identitySetOf(UnknownMemoryValue(node.name))
                 }
-                is Literal<*>, // -> identitySetOf(UnknownMemoryValue(Name(node.value.toString())))
                 is BinaryOperator -> identitySetOf(node)
+                /* In these cases, we simply have to fetch the current value for the MemoryAddress from the DeclarationState */
                 else -> fetchElementFromDeclarationState(node)
             }
         }

cpg-language-cxx/src/test/kotlin/de/fraunhofer/aisec/cpg/passes/PointsToPassTest.kt

@@ -1079,6 +1079,16 @@ class PointsToPassTest {
             tu.allChildren<Literal<*>> { it.location?.region?.startLine == 177 }.first()
         assertNotNull(literal0Line177)
 
+        // MemberExpressions
+        val meLine201 =
+            tu.allChildren<MemberExpression> { it.location?.region?.startLine == 201 }.first()
+        assertNotNull(meLine201)
+
+        // CastExpressions
+        val ceLine201 =
+            tu.allChildren<CastExpression> { it.location?.region?.startLine == 201 }.first()
+        assertNotNull(ceLine201)
+
         // Line 159
         assertEquals(1, local_20Line159.prevDFG.size)
         assertEquals(1, local_20Line159.prevDFG.size)
@@ -1105,26 +1115,43 @@ class PointsToPassTest {
 
         // Line 179
         assertEquals(3, local_28DerefLine179.prevDFG.size)
-        assertTrue(local_28DerefLine179.prevDFG.contains(literal10Line166))
+        assertTrue(local_28DerefLine179.prevDFG.contains(literal0Line177))
         assertEquals(
-            1,
+            2,
             local_28DerefLine179.prevDFG
                 .filterIsInstance<UnknownMemoryValue>()
-                .filter { it.name.localName == "0" }
+                .filter { it.name.localName == "0" || it.name.localName == "16" }
                 .size
         )
         assertTrue(local_28DerefLine179.prevDFG.contains(literal0Line177))
         assertEquals(2, local_28DerefLine179.memoryAddress.size)
-        assertTrue(local_28DerefLine179.memoryAddress.contains(literal0Line167))
+        assertTrue(
+            local_28DerefLine179.memoryAddress
+                .filterIsInstance<UnknownMemoryValue>()
+                .filter { it.name.localName == "0" }
+                .size == 1
+        )
         assertTrue(local_28DerefLine179.memoryAddress.contains(local_10Line172))
 
         // Line 180
         assertEquals(2, local_28Line180.prevDFG.size)
-        assertTrue(literal0Line167 in local_28Line180.prevDFG)
+        assertTrue(
+            local_28Line180.prevDFG
+                .filterIsInstance<UnknownMemoryValue>()
+                .filter { it.name.localName == "0" }
+                .size == 1
+        )
         assertTrue(local_10Line172 in local_28Line180.prevDFG)
 
         // Line 181
-        println(local_28DerefLine181)
+        assertEquals(5, local_28DerefLine181.prevDFG.size)
+        assertTrue(local_28DerefLine181.prevDFG.contains(meLine201))
+        assertTrue(local_28DerefLine181.prevDFG.contains(ceLine201))
+        assertTrue(
+            local_28DerefLine181.prevDFG.any {
+                it is UnknownMemoryValue && it.name.localName == "DAT_0011b1c8"
+            }
+        )
 
         // Line 192
         println(param_1Line193)