Use fninstr even without dataflow, initialized all duktape vars in ta…

…rball with lavaTool

scripts/add_queries.sh

@@ -132,27 +132,37 @@ for i in $c_files; do
     $lava/src_clang/build/lavaFnTool $i
 done
 
+#progress "queries" 0  "Initialize variables..."
+#for i in $c_files; do
+#    $lava/src_clang/build/lavaTool -action=init \
+#    -p="$source/compile_commands.json" \
+#    -src-prefix=$(readlink -f "$source") \
+#    $i
+#done
+
+# TODO: This should probably be just for dataflow
+# but we still need it for non-dataflow targets, otherwise we inject into
+# va_args functions and everything breask
+
+# Analyze that output and figure out
+fnfiles=$(echo $c_files | sed 's/\.c/\.c\.fn/g')
+fninstr=$directory/$name/fninstr
+
+echo "Creating fninstr [$fninstr]"
+echo -e "\twith command: \"python $lava/scripts/fninstr.py -d -o $fninstr $fnfiles\""
+python $lava/scripts/fninstr.py -d -o $fninstr $fnfiles
+
+if [[ ! -z "$df_fn_blacklist" ]]; then
+    cmd=$(echo "sed -i /${df_fn_blacklist}/d $fninstr")
+    echo "Removing blacklisted functions with regex: $df_fn_blacklist"
+    $cmd
+fi
 
 if [ "$dataflow" = "true" ]; then
-    progress "queries" 0 "Using dataflow as specified in project.json"
-    # analyze that output and figure out 
-    fnfiles=$(echo $c_files | sed 's/\.c/\.c\.fn/g')
-    fninstr=$directory/$name/fninstr
-
-    echo "Creating fninstr [$fninstr]"
-    echo -e "\twith command: \"python $lava/scripts/fninstr.py -d -o $fninstr $fnfiles\""
-    python $lava/scripts/fninstr.py -d -o $fninstr $fnfiles
-
-    if [[ ! -z "$df_fn_blacklist" ]]; then
-        cmd=$(echo "sed -i /${df_fn_blacklist}/d $fninstr")
-        echo "Removing blacklisted functions with regex: $df_fn_blacklist"
-        $cmd
-    fi
-
     # Insert queries with DF - could merge this with the else if logic below instead of duplicating
     # TODO: Just make lavaTool load dataflow from project.json instead of passing as CLI arg.
     # Since it's okay to pass the whitelist either way
-    progress "queries" 0  "Inserting queries with dataflow"
+    progress "queries" 0  "Inserting queries for dataflow"
     for i in $c_files; do
         $lava/src_clang/build/lavaTool -action=query \
         -lava-db="$directory/$name/lavadb" \
@@ -165,13 +175,13 @@ if [ "$dataflow" = "true" ]; then
         $i
     done
 else
-
     progress "queries" 0  "Inserting queries..."
+    # TODO: remove lava-wl here, unless we're using it to limit where we inject
     for i in $c_files; do
         $lava/src_clang/build/lavaTool -action=query \
         -lava-db="$directory/$name/lavadb" \
-        -lava-wl="$fninstr" \
         -p="$source/compile_commands.json" \
+        -lava-wl="$fninstr" \
         -src-prefix=$(readlink -f "$source") \
         $ATP_TYPE \
         -db="$db" \

src_clang/lavaTool.cpp

@@ -59,7 +59,7 @@ extern "C" {
 #define FNARG   (1 << 2)
 #define PRI     (1 << 3)
 #define INI     (1 << 4)
-#define DEBUG_FLAGS ( INI | MATCHER | INJECT | FNARG | PRI)
+#define DEBUG_FLAGS INI // ( INI | MATCHER | INJECT | FNARG | PRI)
 #define ARG_NAME "data_flow"
 
 using namespace odb::core;
@@ -157,6 +157,13 @@ static cl::opt<unsigned int> ArgRandSeed("randseed",
     cl::init(0));
 
 
+// Normally we inject everywhere unless dataflow is specified
+// and when it is, we only inject in our whitelist.
+// If this is set to true, we will use the whitelist always,
+// even when dataflow is not set. May help with some issues
+// where we inject into bad places
+bool USE_QUERY_WHITELIST=true;
+
 std::string LavaPath;
 
 uint32_t num_taint_queries = 0;
@@ -926,7 +933,7 @@ struct PriQueryPointHandler : public LavaMatchHandler {
         const Stmt *toSiphon = Result.Nodes.getNodeAs<Stmt>("stmt");
         const SourceManager &sm = *Result.SourceManager;
 
-        if (ArgDataflow) {
+        if (ArgDataflow || USE_QUERY_WHITELIST) {
             auto fnname = get_containing_function_name(Result, *toSiphon);
 
             // only instrument this stmt
@@ -1879,7 +1886,7 @@ int main(int argc, const char **argv) {
     RANDOM_SEED = ArgRandSeed;
     srand(RANDOM_SEED);
 
-    if (ArgDataflow || ArgDebug) {
+    if (ArgDataflow || ArgDebug || USE_QUERY_WHITELIST) {
         if (LavaWL != "XXX") {
             parse_whitelist(LavaWL);
         } else {

target_configs/duktape/duktape.json

@@ -2,7 +2,7 @@
     "name": "duktape",
     "db": "duktape",
     "preprocessed": true,
-    "dataflow": true,
+    "dataflow": false,
 
     "tarfile": "duktape-2.3.0-pre.tar.gz",
 
@@ -14,14 +14,15 @@
     "make": "make",
     "install": "make install",
     "command": "{install_dir}/bin/duk {input_file}",
-    "injfixupsscript": "duktape_fixup.sh {bug_build}",
+
+    "injfixupsscript_DISABLED": "duktape_fixup.sh {bug_build}",
 
     "max_liveness": 100000,
     "max_cardinality": 100,
     "max_tcn": 10000,
     "max_lval_size": 100,
 
-    "main_file": [ "duktape-pre.c" ],
+    "main_file": [ "src/duktape-pre.c" ],
 
     "inputs": ["inputs/hello.js"]
 }

target_configs/duktape/duktape_fixup.sh

@@ -1,5 +1,20 @@
 #!/bin/bash
 
 cd "$1/src"
-sed -i -e 's/duk_push_literal_raw((thr)/duk_push_literal_raw(data_flow, (thr)/g' duktape-pre.c
 sed -i -e 's/duk_push_string(ctx/duk_push_string(data_flow, ctx/g' duk_module_duktape-pre.c
+sed -i -e 's/typedef\(.*\)int \*data_flow, /typedef\1/g' duktape-pre.c
+
+sed -i -e 's/duk_push_literal_raw((thr)/duk_push_literal_raw(data_flow, (thr)/g' duktape-pre.c
+#sed -i -e 's/duk_heap_mark_and_sweep(heap/duk_heap_mark_and_sweep(data_flow, heap/g' duktape-pre.c
+
+# Don't inject into these, they're called from uninstrumented fns
+#sed -i -e 's/duk_heap_mem_alloc_checked((thr)/duk_heap_mem_alloc_checked(data_flow, (thr)/g' duktape-pre.c
+#sed -i -e 's/duk__check_voluntary_gc((heap/duk__check_voluntary_gc(data_flow, (heap/g' duktape-pre.c
+#sed -i -e 's/duk_err_error_alloc_failed((thr)/duk_err_error_alloc_failed(data_flow, (thr)/g' duktape-pre.c
+
+sed -i -e 's/duk_err_handle_error((thr)/duk_err_handle_error(data_flow, (thr)/g' duktape-pre.c
+
+sed -i -e 's/duk_generic_error_stash)(ctx/duk_generic_error_stash)(data_flow, ctx /g' duk_cmdline-pre.c
+
+# Too ambitious, we didn't inject into all these
+#sed -i -e 's/duk_\([a-z_]*\)((thr)/duk_\1(data_flow, (thr)/g' duktape-pre.c