
leak not found in llvm generated with rust  #642

@StamesJames

Description

  • I have searched open and closed issues for duplicates
  • I made sure that I am not using an old project version (DO: pull Phasar, update git submodules, rebuild the project and check if the bug is still there)

Bug description

I am trying to use phasar to check LLVM code generated from Rust. For this I wrote some simple test programs (https://github.com/sse-labs/PhASARust), but I haven't managed to analyze them properly. I use rustc versions below 1.61.0 because they use an LLVM version lower than or equal to 14.0.0. The phasar ifds-solvertest accepts the generated LLVM code. I tried to find a leak in the following Rust code:

#[inline(never)]
#[no_mangle]
fn source() -> i32 {1029384756}

#[inline(never)]
#[no_mangle]
fn sink(source: i32) -> i32 {source}

#[inline(never)]
#[no_mangle]
fn sanitize(source: i32) -> i32 {source}

fn main() {
    let unsanitized = source();
    let source = source();
    let sanitized = sanitize(source);
    let sink_unsanitized = sink(unsanitized);
    let sink_sanitized = sink(sanitized);
    println!("{sink_unsanitized}");
    println!("{sink_sanitized}");
}

In my understanding this should be a leak, because the variable unsanitized gets into the sink function without passing through the sanitize function first. I use the following analysis-config.json:

{
    "name": "simple sql injection",
    "version": 1,
    "functions": [
        {
            "name": "source",
            "ret": "source",
            "params": {
            }
        },
        {
            "name": "sink",
            "params": {
                "source": [1]
            }
        },
        {
            "name": "sanitize",
            "ret": "sanitizer",
            "params": {
                "source": [1]
            }
        }
    ],
    "variables": []
}

And the following compiler-flags for rust:

[build]
rustflags = [
    "--emit=llvm-ir",
    "-Cno-prepopulate-passes",
    "-Cdebuginfo=0",
    "-Copt-level=0",
]

The main function (without the print statement) in LLVM looks like this:

; sql_injection_02_simple_requests::main
; Function Attrs: uwtable
define internal void @_ZN32sql_injection_02_simple_requests4main17hb222746dbaa73089E() unnamed_addr #1 {
start:
  %_29 = alloca [1 x { i8*, i64* }], align 8
  %_22 = alloca %"core::fmt::Arguments", align 8
  %_17 = alloca [1 x { i8*, i64* }], align 8
  %_10 = alloca %"core::fmt::Arguments", align 8
  %sink_sanitized = alloca i32, align 4
  %sink_unsanitized = alloca i32, align 4
  %unsanitized = call i32 @source()
  br label %bb1

bb1:                                              ; preds = %start
  %source = call i32 @source()
  br label %bb2

bb2:                                              ; preds = %bb1
  %sanitized = call i32 @sanitize(i32 %source)
  br label %bb3

bb3:                                              ; preds = %bb2
  %0 = call i32 @sink(i32 %unsanitized)
  store i32 %0, i32* %sink_unsanitized, align 4
  br label %bb4

bb4:                                              ; preds = %bb3
  %1 = call i32 @sink(i32 %sanitized)
  store i32 %1, i32* %sink_sanitized, align 4
  br label %bb5
...

Rust generates bloated LLVM code, so I posted only the main function without the print statements.

I attach all relevant files below.

Steps to reproduce

  • create a cargo project
  • place config.toml in a .cargo folder in the project
  • place rust-toolchain.toml in root of project
  • use attached main.rs
  • compile with cargo b (should use the correct rustc version and compiler-flags)
  • try to analyze the resulting LLVM code with a phasar taint analysis

Actual result: phasar doesn't find the leak

Expected result: phasar should find a leak

Context (Environment)

Operating System:

  • Linux
  • Windows
  • macOS

Build Type:

  • cmake
  • custom build

Example files

Files:
examplefiles.zip
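As an added illustration (not phasar's code and not part of the report), the following Python sketch applies the report's source/sink/sanitizer config to the quoted IR with a minimal flow-insensitive taint walk. It assumes the reading of the config the report relies on: a function with "ret": "source" taints its return value, one with "ret": "sanitizer" yields a clean result, and one with only "params" is a sink whose listed (1-based) parameters must not receive tainted data; the IR lines and the config are constructed from the report.

```python
import json
import re

# Constructed excerpt of the IR quoted in the report (the calls and stores of main).
IR = """\
  %unsanitized = call i32 @source()
  %source = call i32 @source()
  %sanitized = call i32 @sanitize(i32 %source)
  %0 = call i32 @sink(i32 %unsanitized)
  store i32 %0, i32* %sink_unsanitized, align 4
  %1 = call i32 @sink(i32 %sanitized)
  store i32 %1, i32* %sink_sanitized, align 4
"""

# Same shape as the analysis-config.json in the report (params hold 1-based positions).
CONFIG_JSON = """{"name": "simple sql injection", "version": 1, "functions": [
  {"name": "source", "ret": "source", "params": {}},
  {"name": "sink", "params": {"source": [1]}},
  {"name": "sanitize", "ret": "sanitizer", "params": {"source": [1]}}], "variables": []}"""

CALL = re.compile(r"^\s*(?:(%[\w.]+)\s*=\s*)?call\s+\S+\s+@(\w+)\((.*)\)")
STORE = re.compile(r"^\s*store\s+\S+\s+(%[\w.]+),\s+\S+\s+(%[\w.]+)")
LOAD = re.compile(r"^\s*(%[\w.]+)\s*=\s*load\s+\S+,\s+\S+\s+(%[\w.]+)")
SSA = re.compile(r"%[\w.]+")

def find_leaks(ir, config_json):
    """Return (ir line, callee, tainted args) for every sink call fed by unsanitized source data."""
    funcs = {f["name"]: f for f in json.loads(config_json)["functions"]}
    tainted, leaks = set(), []
    def copy_taint(src, dst):                     # dst takes over the taint state of src
        if src in tainted: tainted.add(dst)
        else: tainted.discard(dst)
    for n, line in enumerate(ir.splitlines(), 1):
        if m := STORE.match(line):                # store: the memory slot inherits the value's taint
            copy_taint(*m.groups())
        elif m := LOAD.match(line):               # load: the loaded value inherits the slot's taint
            copy_taint(m.group(2), m.group(1))
        elif (m := CALL.match(line)) and m.group(2) in funcs:
            dst, callee, argstr = m.groups()
            spec, args = funcs[callee], SSA.findall(argstr)
            hits = [args[p - 1] for ps in spec.get("params", {}).values() for p in ps
                    if p - 1 < len(args) and args[p - 1] in tainted]
            if spec.get("ret") == "source" and dst:
                tainted.add(dst)                  # a source's return value is tainted
            elif spec.get("ret") == "sanitizer":
                tainted.discard(dst)              # a sanitizer's result is clean
            elif hits:
                leaks.append((n, callee, hits))   # a sink reached by tainted data: the leak
    return leaks
```

On the quoted IR this reports exactly one leak, the first sink call fed by %unsanitized, while the call with %sanitized stays silent; that is the result the report expects phasar to produce.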
