Pcode parser rewrite

.github/workflows/acceptance-tests.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - master
   pull_request:
+    branches:
+      - master
 
 env:
   CARGO_TERM_COLOR: always

CHANGES.md

@@ -1,6 +1,8 @@
 0.8-dev
 ===
 
+-   Improve logic and context information generation of CWE-416 (use-after-free) check (PRs #423, #429)
+
 0.7 (2023-06)
 ====
 

Cargo.toml

@@ -1,2 +1,3 @@
 [workspace]
 members = ["src/cwe_checker_lib", "src/caller", "test", "src/installer"]
+resolver = "2"

README.md

@@ -3,8 +3,8 @@
 </p>
 
 # cwe_checker #
-![Acceptance tests](https://github.com/fkie-cad/cwe_checker/actions/workflows/acceptance-tests.yml/badge.svg)
-![Unit tests](https://github.com/fkie-cad/cwe_checker/actions/workflows/unit-tests.yml/badge.svg)
+![Acceptance tests](https://github.com/fkie-cad/cwe_checker/actions/workflows/acceptance-tests.yml/badge.svg?branch=master)
+![Unit tests](https://github.com/fkie-cad/cwe_checker/actions/workflows/unit-tests.yml/badge.svg?branch=master)
 ![Docker-Pulls](https://img.shields.io/docker/pulls/fkiecad/cwe_checker.svg)
 [![Documentation](https://img.shields.io/badge/doc-stable-green.svg)](https://fkie-cad.github.io/cwe_checker/index.html)
 

src/cwe_checker_lib/src/analysis/expression_propagation/mod.rs

@@ -233,10 +233,20 @@ pub fn propagate_input_expressions(
                 var,
                 value: expression,
             } => {
-                // insert known input expressions
-                for (input_var, input_expr) in insertable_expressions.iter() {
-                    expression.substitute_input_var(input_var, input_expr);
+                // Extend the considered expression with already known expressions.
+                let mut extended_expression = expression.clone();
+                for input_var in expression.input_vars().into_iter() {
+                    if let Some(expr) = insertable_expressions.get(input_var) {
+                        // We limit the complexity of expressions to insert.
+                        // This prevents extremely large expressions that can lead to extremely high RAM usage.
+                        // FIXME: Right now this limit is quite arbitrary. Maybe there is a better way to achieve the same result?
+                        if expr.recursion_depth() < 10 {
+                            extended_expression.substitute_input_var(input_var, expr)
+                        }
+                    }
                 }
+                extended_expression.substitute_trivial_operations();
+                *expression = extended_expression;
                 // expressions dependent on the assigned variable are no longer insertable
                 insertable_expressions.retain(|input_var, input_expr| {
                     input_var != var && !input_expr.input_vars().into_iter().any(|x| x == var)

src/cwe_checker_lib/src/analysis/expression_propagation/tests.rs

@@ -142,11 +142,7 @@ fn inter_block_propagation() {
                 variable!("X:8"),
                 expr!("-(42:4)").un_op(UnOpType::BoolNegate),
             ),
-            Def::assign(
-                "entry_jmp_def_2",
-                variable!("Z:8"),
-                expr!("-(42:4)").un_op(UnOpType::IntNegate),
-            )
+            Def::assign("entry_jmp_def_2", variable!("Z:8"), expr!("42:4"),)
         ]
     )
 }
@@ -290,11 +286,7 @@ fn expressions_inserted() {
                 variable!("X:8"),
                 expr!("-(42:4)").un_op(UnOpType::BoolNegate),
             ),
-            Def::assign(
-                "entry_jmp_def_2",
-                variable!("Z:8"),
-                expr!("-(42:4)").un_op(UnOpType::IntNegate)
-            )
+            Def::assign("entry_jmp_def_2", variable!("Z:8"), expr!("42:4"))
         ]
     );
     assert_eq!(

src/cwe_checker_lib/src/analysis/string_abstraction/context/symbol_calls.rs

@@ -101,7 +101,7 @@ impl<'a, T: AbstractDomain + DomainInsertion + HasTop + Eq + From<String>> Conte
 
     /// Regex that filters format specifier from a format string.
     pub fn re_format_specifier() -> Regex {
-        Regex::new(r#"%\d{0,2}([c,C,d,i,o,u,x,X,e,E,f,F,g,G,a,A,n,p,s,S]|hi|hd|hu|li|ld|lu|lli|lld|llu|lf|lg|le|la|lF|lG|lE|lA|Lf|Lg|Le|La|LF|LG|LE|LA)"#).expect("No valid regex!")
+        Regex::new(r"%\d{0,2}([c,C,d,i,o,u,x,X,e,E,f,F,g,G,a,A,n,p,s,S]|hi|hd|hu|li|ld|lu|lli|lld|llu|lf|lg|le|la|lF|lG|lE|lA|Lf|Lg|Le|La|LF|LG|LE|LA)").expect("No valid regex!")
     }
 
     /// Merges domains from multiple pointer targets. The merged domain serves as input to a format string.

src/cwe_checker_lib/src/checkers/cwe_119/state.rs

@@ -261,7 +261,7 @@ fn collect_tids_for_cwe_warning(
             &caller_tid,
             state.stack_id.get_tid(),
         );
-        tids.extend(call_sequence_tids.into_iter());
+        tids.extend(call_sequence_tids);
     }
     // Build a string out of the TID list
     tids.iter()

src/cwe_checker_lib/src/checkers/cwe_416/context.rs

@@ -76,7 +76,7 @@ impl<'a> Context<'a> {
         state: &mut State,
         call_tid: &Tid,
         call_params: impl IntoIterator<Item = &'b Arg>,
-    ) -> Option<Vec<(AbstractIdentifier, Tid)>> {
+    ) -> Option<Vec<(AbstractIdentifier, Vec<Tid>)>> {
         let mut warnings = Vec::new();
         for arg in call_params {
             if let Some(arg_value) = self
@@ -174,7 +174,7 @@ impl<'a> Context<'a> {
         name: &str,
         description: String,
         location: &Tid,
-        warning_causes: Vec<(AbstractIdentifier, Tid)>,
+        warning_causes: Vec<(AbstractIdentifier, Vec<Tid>)>,
         root_function: &Tid,
     ) {
         let cwe_warning = CweWarning {