commit 5485a84da7d9f9fe9a86538b6cd416e9b2dd9b78
author Inseob Kim <inseob@google.com> Mon Mar 17 18:14:08 2025 +0900
committer Inseob Kim <inseob@google.com> Tue Mar 18 10:22:27 2025 +0900
tree e4d0887982fa6741b2db750a562af84b5ec7e2e0
parent bf4c41d5556de4227fc670b1aee94c983090398e

Correctly handle line markers

For better debuggability upon neverallow violations, this change leaves
line markers as-is.

* build_sepolicy filter_out tool leaves line markers as-is. It may cause
  markers to be redundant, so it also cleans up such markers.
* remove_line_marker property is removed as it is not needed.
* fixed odm_sepolicy.cil filtering.

Bug: 400544895
Test: check sepolicy artifacts
Change-Id: I793ffe728488422fc31de2705889869b2ea7d050

build/file_utils.py

diff --git a/build/file_utils.py b/build/file_utils.py
index e3210ed..5023fd0 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -30,19 +30,72 @@
         os.makedirs(parent_dir)
 
 
+def remove_redundant_line_markers(lines):
+    """
+    Removes any redundant line markers.
+
+    Line markers are to support better error reporting for neverallow rules.
+    Line markers, possibly nested, look like:
+
+        ;;* lm(s|x) LINENO FILENAME
+        (CIL STATEMENTS)
+        ;;* lme
+
+    * lms is used when each of the following CIL statements corresponds to a line
+      in the original file.
+
+    * lmx is used when the following CIL statements are all expanded from a
+      single high-level language line.
+
+    * lme ends a line mark block.
+
+    Redundant line markers are markers without any statements inside. Normally
+    there are no such redundant line markers, but CIL files filtered out by
+    filter_out function below may contain those. remove_redundant_line_markers
+    find all such redundant line markers and removes all of them. See
+    file_utils_test.py for an example.
+    """
+
+    marker_stk = []
+    valid = [False] * len(lines)
+
+    for idx in range(len(lines)):
+        line = lines[idx]
+        if line.startswith(";;* lmx") or line.startswith(";;* lms"):
+            # line start marker
+            marker_stk.append(idx)
+        elif line.startswith(";;* lme"): # line end marker
+            if valid[marker_stk[-1]]:
+                valid[idx] = True
+                # propagate valid to parent markers
+                if len(marker_stk) >= 2:
+                    valid[marker_stk[-2]] = True
+            marker_stk.pop()
+        else:
+            # any other expressions
+            valid[idx] = True
+            # set the current marker as valid
+            if marker_stk:
+                valid[marker_stk[-1]] = True
+
+    return [lines[idx] for idx in range(len(lines)) if valid[idx]]
+
 def filter_out(pattern_files, input_file):
     """"Removes lines in input_file that match any line in pattern_files."""
 
     # Prepares patterns.
     patterns = []
     for f in pattern_files:
-        patterns.extend(open(f).readlines())
+        patterns.extend([x for x in open(f).readlines() if not x.startswith(";;*")])
 
     # Copy lines that are not in the pattern.
     tmp_output = tempfile.NamedTemporaryFile(mode='w+')
     with open(input_file, 'r') as in_file:
-        tmp_output.writelines(line for line in in_file.readlines()
-                              if line not in patterns)
+        lines = [line for line in in_file.readlines()
+                 if line not in patterns and line.strip()]
+        lines = remove_redundant_line_markers(lines)
+        tmp_output.writelines(lines)
+
         # Append empty line because a completely empty file
         # will trip up secilc later on:
         tmp_output.write("\n")