/// <summary>
/// Creates new Instance of ForwardAnalysis
/// </summary>
/// <param name="entryMethodGraph">ControlFlowGraph to analyze</param>
/// <param name="memoryModel">Memory model used by analyser</param>
/// <param name="simplifyLimit">Limit for calling simplificaion in memory model. It is different for tests</param>
public ForwardAnalysis(ControlFlowGraph.ControlFlowGraph entryMethodGraph, MemoryModels.MemoryModelFactory memoryModel, int simplifyLimit = 3)
: base(entryMethodGraph, memoryModel.CreateSnapshot)
{
GlobalsInitializer();
this.SimplifyLimit = simplifyLimit;
this.WideningLimit = 2;
}
static string RunVerification(ControlFlowGraph.ControlFlowGraph controlFlowGraph, string fileName, MemoryModels.MemoryModelFactory memoryModel)
{
var output = new WebOutput();
try
{
var ppGraph = Analyze(controlFlowGraph, fileName, memoryModel);
if (ppGraph.End != null)
{
output.ProgramPointInfo("End point", ppGraph.End);
}
else
{
output.Error("End point was not reached");
}
}
catch (Exception e)
{
output.Error(e.Message);
}
return(output.Output);
}
static ProgramPointGraph Analyze(ControlFlowGraph.ControlFlowGraph entryMethod, string fileName, MemoryModels.MemoryModelFactory memoryModel)
{
FileInfo fileInfo = new FileInfo(fileName);
var analysis = new ForwardAnalysis(entryMethod, memoryModel);
analysis.Analyse();
return(analysis.ProgramPointGraph);
}
/// <summary>
/// Analyses CFG and return PPG generated by forward analysis
/// </summary>
/// <param name="entryMethod">Start point CFG of PHP code</param>
/// <param name="memoryModel">The memory model used for analysis</param>
/// <returns>PPG generated by forward analysis</returns>
internal static ProgramPointGraph Analyze(ControlFlowGraph.ControlFlowGraph entryMethod, MemoryModels.MemoryModelFactory memoryModel)
{
//ForwardAnalysisBase forwardAnalysis = analysis.CreateAnalysis(entryMethod, memoryModel);
ForwardAnalysisBase forwardAnalysis = new Weverca.Analysis.ForwardAnalysis(entryMethod, memoryModel);
forwardAnalysis.Analyse();
return(forwardAnalysis.ProgramPointGraph);
}
/// <summary>
/// Execute the static analysis and print results
/// </summary>
/// <param name="filenames">List of file name patterns from command line</param>
/// <param name="memoryModel">The memory model used for analysis</param>
private static void RunStaticAnalysis(string[] filenames, MemoryModels.MemoryModelFactory memoryModel, bool displayTaintFlows)
{
var console = new ConsoleOutput();
console.CommentLine("Using " + memoryModel.ToString());
console.CommentLine("");
foreach (var argument in filenames)
{
var filesInfo = Analyzer.GetFileNames(argument);
if (filesInfo == null)
{
Console.WriteLine("Path \"{0}\" cannot be recognized", argument);
Console.WriteLine();
continue;
}
else if (filesInfo.Length <= 0)
{
Console.WriteLine("Path pattern \"{0}\" does not match any file", argument);
Console.WriteLine();
continue;
}
foreach (var fileInfo in filesInfo)
{
// This is for time consumption analyzing only
// Analyze twice - because of omitting .NET initialization we get better analysis time
//Analyzer.Run(fileInfo, memoryModel);
#if TEST
// Process analysis
// First phase
var watch = System.Diagnostics.Stopwatch.StartNew();
var ppGraph = Analyzer.Run(fileInfo, memoryModel);
watch.Stop();
// Second phase
var watch2 = System.Diagnostics.Stopwatch.StartNew();
var nextPhase = new TaintForwardAnalysis(ppGraph);
nextPhase.Analyse();
watch2.Stop();
// Build output
console.CommentLine(string.Format("File path: {0}\n", fileInfo.FullName));
var graphWalker = new GraphWalking.CallGraphPrinter(ppGraph);
console.CommentLine(string.Format("Analysis completed in: {0}ms\n", watch.ElapsedMilliseconds));
//graphWalker.Run(console);
console.Warnings(AnalysisWarningHandler.GetWarnings(), AnalysisWarningHandler.GetSecurityWarnings());
console.CommentLine(string.Format("Analysis completed in: {0}ms\n", watch.ElapsedMilliseconds));
console.CommentLine(string.Format("The number of nodes in the application is: {0}\n", numProgramPoints(new HashSet <ProgramPointGraph>(), new Dictionary <string, HashSet <int> >(), ppGraph)));
//printIncludes(console, ppGraph);
//console.CommentLine(string.Format("Analysis in the second phase completed in: {0}ms\n", watch2.ElapsedMilliseconds));
//console.WarningsTaint(nextPhase.analysisTaintWarnings);
if (ppGraph.End.OutSet != null)
{
console.CommentLine(string.Format("The number of memory locations is: {0}\n", ppGraph.End.OutSnapshot.NumMemoryLocations()));
int[] statistics = ppGraph.End.OutSnapshot.GetStatistics().GetStatisticsValues();
console.CommentLine(string.Format("The number of memory entry assigns is: {0}\n", statistics[(int)Statistic.MemoryEntryAssigns]));
console.CommentLine(string.Format("The number of value reads is: {0}\n", statistics[(int)Statistic.ValueReads]));
console.CommentLine(string.Format("The number of memory entry merges is: {0}\n", statistics[(int)Statistic.MemoryEntryMerges]));
console.CommentLine(string.Format("The number of index reads is: {0}\n", statistics[(int)Statistic.IndexReads]));
console.CommentLine(string.Format("The number of value reads is: {0}\n", statistics[(int)Statistic.ValueReads]));
}
else
{
console.CommentLine(string.Format("Snapshot statistics are not available, because end point was not reached"));
}
#else
console.CommentLine(string.Format("File path: {0}\n", fileInfo.FullName));
TaintForwardAnalysis nextPhase = null;
System.Diagnostics.Stopwatch watch = null;
try
{
watch = System.Diagnostics.Stopwatch.StartNew();
var ppGraph = Analyzer.Run(fileInfo, memoryModel);
watch.Stop();
if (ppGraph.End.OutSet != null)
{
//console.ProgramPointInfo("End point", ppGraph.End);
}
else
{
//console.Error("End point was not reached");
}
console.CommentLine(string.Format("First phase of the analysis completed in: {0} seconds\n", watch.ElapsedMilliseconds / 1000));
nextPhase = new TaintForwardAnalysis(ppGraph);
nextPhase.Analyse();
}
catch (OutOfMemoryException)
{
watch.Stop();
console.Error(string.Format("The analyser ran out of memory after {0} seconds, terminating the analysis.\n", watch.ElapsedMilliseconds / 1000));
}
catch (Exception e)
{
console.Error("Analyser crashed (" + e.Message + ").");
}
finally
{
console.Warnings(AnalysisWarningHandler.GetWarnings(), nextPhase != null ? nextPhase.analysisTaintWarnings : new List <AnalysisTaintWarning>(), displayTaintFlows);
}
#endif
}
//Console.ReadKey();
Console.WriteLine();
}
}
/// <summary>
/// Perform static analysis on a file with PPG as the result
/// </summary>
/// <param name="entryFile">File with PHP source</param>
/// <param name="memoryModel">The memory model used for analysis</param>
/// <returns>PPG generated by forward analysis</returns>
public static ProgramPointGraph Run(FileInfo entryFile, MemoryModels.MemoryModelFactory memoryModel)
{
var cfg = GenerateCfg(entryFile);
return(Analyze(cfg, memoryModel));
}
internal override ForwardAnalysisBase createAnalysis(ControlFlowGraph.ControlFlowGraph entryMethodGraph, MemoryModels.MemoryModelFactory memoryModel, EnvironmentInitializer initializer)
{
return(new WevercaAnalysisTest(entryMethodGraph, memoryModel, initializer));
}
private static void RunStaticAnalysis(string[] filenames, MemoryModels.MemoryModelFactory memoryModel)
{
var bigWatch = System.Diagnostics.Stopwatch.StartNew();
var console = new ConsoleOutput();
foreach (var argument in filenames)
{
var filesInfo = Analyzer.GetFileNames(argument);
if (filesInfo == null)
{
fileOutput.WriteLine("Path \"{0}\" cannot be recognized", argument);
fileOutput.WriteLine();
continue;
}
else if (filesInfo.Length <= 0)
{
fileOutput.WriteLine("Path pattern \"{0}\" does not match any file", argument);
fileOutput.WriteLine();
}
foreach (var fileInfo in filesInfo)
{
console.CommentLine(string.Format("File path: {0}\n", fileInfo.FullName));
//try
{
var watch = System.Diagnostics.Stopwatch.StartNew();
var ppGraph = Analyzer.Run(fileInfo, memoryModel);
watch.Stop();
GC.Collect();
GC.WaitForPendingFinalizers();
var watch2 = System.Diagnostics.Stopwatch.StartNew();
var nextPhase = new TaintForwardAnalysis(ppGraph);
nextPhase.analysisTaintWarnings = new List <AnalysisTaintWarning>();
if (SECOND_PHASE)
{
nextPhase.Analyse();
}
watch2.Stop();
fileOutput.WriteLine("Analysis warnings:");
var firstPhaseWarnings = AnalysisWarningHandler.GetWarnings();
//PrintWarnings(new List<AnalysisWarning>());
PrintWarnings(firstPhaseWarnings);
var firstPhaseSecurityWarnings = new List <AnalysisSecurityWarning>();
if (!SECOND_PHASE)
{
firstPhaseSecurityWarnings = AnalysisWarningHandler.GetSecurityWarnings();
PrintSecurityWarnings(firstPhaseSecurityWarnings);
}
//fileOutput.WriteLine("Security warnings with taint flow:");
if (SECOND_PHASE)
{
PrintTaintWarnings(nextPhase.analysisTaintWarnings);
}
fileOutput.WriteLine("Variables:");
var processedPPGraphs = new HashSet <ProgramPointGraph>();
var processedPPoints = new HashSet <ProgramPointBase>();
writeAll(ppGraph, ref processedPPGraphs, ref processedPPoints);
bigWatch.Stop();
fileOutput.WriteLine("Overview:");
fileOutput.WriteLine("Total number of warnings: " + (firstPhaseWarnings.Count + firstPhaseSecurityWarnings.Count + nextPhase.analysisTaintWarnings.Count));
fileOutput.WriteLine("Number of warnings in the first phase: " + firstPhaseWarnings.Count);
fileOutput.WriteLine("Number of warnings in the second phase: " + nextPhase.analysisTaintWarnings.Count);
fileOutput.WriteLine("Weverca analyzer time consumption: " + bigWatch.ElapsedMilliseconds);
fileOutput.WriteLine("First phase time consumption: " + watch.ElapsedMilliseconds);
fileOutput.WriteLine("Second phase time consumption: " + watch2.ElapsedMilliseconds);
var programLines = new Dictionary <string, HashSet <int> > ();
fileOutput.WriteLine("The number of nodes in the application is: " + Program.numProgramPoints(new HashSet <ProgramPointGraph>(), programLines, ppGraph));
var programLinesNum = 0;
foreach (var script in programLines.Values)
{
programLinesNum += script.Count;
}
fileOutput.WriteLine("The number of processed lines of code is: " + programLinesNum);
}
/*
* catch (Exception e)
* {
* fileOutput.WriteLine("error");
* //console.Error(e.Message);
* fileOutput.WriteLine (e.Message);
* }*/
}
}
}
/// <summary>
/// Set a memory model to be used in the test case.
/// </summary>
/// <param name="memoryModel">the memory model to be used in the test case</param>
/// <returns></returns>
internal TestCase MemoryModel(MemoryModels.MemoryModelFactory memoryModel)
{
_memoryModels.Clear();
_memoryModels.Add(memoryModel);
return(this);
}
public override ForwardAnalysisBase CreateAnalysis(ControlFlowGraph.ControlFlowGraph entryMethodGraph, MemoryModels.MemoryModelFactory memoryModel)
{
throw new NotImplementedException();
}
/// <summary> /// Creates an instance of ForwardAnalysis corresponding to given enumeration item. /// </summary> /// <param name="entryMethodGraph">the method where the analysis starts</param> /// <param name="memoryModel">memory model used for the analysis</param> /// <returns></returns> public abstract ForwardAnalysisBase CreateAnalysis(ControlFlowGraph.ControlFlowGraph entryMethodGraph, MemoryModels.MemoryModelFactory memoryModel);
/// <summary> /// Creates an instance of ForwardAnalysis corresponding to given enumeration item. /// </summary> /// <returns>an instance of ForwardAnalysis corresponding to given enumeration item</returns> internal abstract ForwardAnalysisBase createAnalysis(ControlFlowGraph.ControlFlowGraph entryMethodGraph, MemoryModels.MemoryModelFactory memoryModel, EnvironmentInitializer initializer);
public WevercaAnalysisTest(ControlFlowGraph.ControlFlowGraph entryMethodGraph, MemoryModels.MemoryModelFactory memoryModel, EnvironmentInitializer initializer)
: base(entryMethodGraph, memoryModel)
{
_flowResolver = new WevercaFlowResolverTest();
_functionResolver = new WevercaFunctionResolverTest(initializer);
}
public override ForwardAnalysisBase CreateAnalysis(ControlFlowGraph.ControlFlowGraph entryMethodGraph, MemoryModels.MemoryModelFactory memoryModel)
{
return(createAnalysis(entryMethodGraph, memoryModel, delegate(FlowOutputSet o) { }));
}
public override ForwardAnalysisBase CreateAnalysis(ControlFlowGraph.ControlFlowGraph entryMethodGraph, MemoryModels.MemoryModelFactory memoryModel)
{
return(createAnalysis(entryMethodGraph, memoryModel, EnvironmentInitializer));
}
