auditor

An aarch64 constant-time memory access auditing tool.
git clone git://git.ppad.tech/auditor.git

commit b80aaa0c714c56b9534cbde1cd0be7e2be70671a
parent abdc5295496088db413cccd84db7cf35fb64d07c
Author: Jared Tobin <jared@jtobin.io>
Date:   Tue, 10 Feb 2026 13:44:07 +0400

fix: apply callee summaries in inter-proc return state computation

runFunctionDataflow was using analyzeBlock instead of
analyzeBlockWithSummaries when computing OUT states for return blocks,
causing callee summaries to be ignored and potentially under-propagating
taint.

Also fixes checkCFGInterProc to compute runFunctionBlocks once per
function rather than per-block, and removes unused binding.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Diffstat:
M lib/Audit/AArch64/Check.hs | 8 +++-----
M lib/Audit/AArch64/Taint.hs | 2 +-
2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/lib/Audit/AArch64/Check.hs b/lib/Audit/AArch64/Check.hs @@ -148,7 +148,6 @@ checkIndex sym ln instr idx st = checkCFGInterProc :: Text -> CFG -> AuditResult checkCFGInterProc sym cfg = let summaries = runInterProc cfg - blocks = cfgBlocks cfg funcs = functionLabels cfg in mconcat [ checkFunction cfg sym func summaries @@ -157,15 +156,14 @@ checkCFGInterProc sym cfg = where checkFunction c s func summs = let blockIdxs = functionBlocks c func - inStates = runFunctionDataflow c blockIdxs summs bs = cfgBlocks c + inStatesIM = runFunctionBlocks c blockIdxs summs + inStatesMap = IM.foldlWithKey' toMap Map.empty inStatesIM in mconcat [ fst (checkBlockWithSummary s summs inState (bbLines bb)) | idx <- blockIdxs , let bb = bs !! idx - inState = Map.findWithDefault initTaintState idx - (IM.foldlWithKey' toMap Map.empty - (runFunctionBlocks c blockIdxs summs)) + inState = Map.findWithDefault initTaintState idx inStatesMap ] toMap m k v = Map.insert k v m diff --git a/lib/Audit/AArch64/Taint.hs b/lib/Audit/AArch64/Taint.hs @@ -339,7 +339,7 @@ runFunctionDataflow cfg blockIndices summaries = -- Run dataflow on just these blocks inStates = runFunctionBlocks cfg blockIndices summaries -- Collect OUT states at return instructions - returnOuts = [ analyzeBlock (bbLines (blocks !! i)) inState + returnOuts = [ analyzeBlockWithSummaries bb inState summaries | i <- blockIndices , let bb = blocks !! i inState = IM.findWithDefault initTaintState i inStates
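Review bot: Dropping the unused `blocks = cfgBlocks cfg` binding in checkCFGInterProc (Check.hs, hunk at -148) is correct, but the fact that it survived at all suggests the module is not compiled with `-Wunused-local-binds` (included in `-Wall`); turning that on, or `-Werror=unused-local-binds`, would have flagged this binding and the dead `inStates` binding in checkFunction before review rather than after.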
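Review bot: The IntMap-to-Map conversion in checkFunction (Check.hs, hunk at -157) is unnecessary: `blockIdxs` are the same `Int` indices used for `bs !! idx`, so `inState = IM.findWithDefault initTaintState idx inStatesIM` can read straight from the result of `runFunctionBlocks`, and `inStatesMap` plus the `toMap` helper in the where clause can be removed. Hoisting `runFunctionBlocks c blockIdxs summs` out of the comprehension is the part that matters and should stay. This hunk also deletes the dead `inStates = runFunctionDataflow c blockIdxs summs` binding, so if `runFunctionDataflow` is imported by name in this module the import list needs trimming too. Separately, `bs !! idx` is a linear list index per block; a vector or IntMap of blocks would be cheaper on large CFGs, though that is outside this fix.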
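Review bot: Switching returnOuts to `analyzeBlockWithSummaries bb inState summaries` (Taint.hs, hunk at -339) is the actual behavioural fix and should come with a regression test: a caller whose return block calls a callee whose summary taints a register, asserting that the caller's return OUT state carries that taint (with `analyzeBlock` the summary was ignored and the state came out clean, which is the under-propagation the commit message describes). The IN states from `runFunctionBlocks cfg blockIndices summaries` on the line above were already summary-aware, so OUT states are now computed consistently with them; a one-line comment there saying both must use the summary-aware analysis would keep the mismatch from being reintroduced.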