svf-lib 1.0.2084 → 1.0.2086

package/SVF-linux/Release-build/include/AE/Core/AbstractState.h

@@ -95,6 +95,8 @@ public:
     // storeValue
     void storeValue(NodeID varId, AbstractValue val);
 
+    u32_t getAllocaInstByteSize(const AddrStmt *addr);
+
 
     /// The physical address starts with 0x7f...... + idx
     static inline u32_t getVirtualMemAddress(u32_t idx)
@@ -281,13 +283,14 @@ public:
     /// domain meet with other, important! other widen this.
     void meetWith(const AbstractState&other);
 
-
-    /// Return int value from an expression if it is a numeral, otherwise return an approximate value
-    inline s32_t Interval2NumValue(const IntervalValue &e) const
-    {
-        //TODO: return concrete value;
-        return (s32_t) e.lb().getNumeral();
-    }
+    /**
+    * if this NodeID in SVFIR is a pointer, get the pointee type
+    * e.g  arr = (int*) malloc(10*sizeof(int))
+    *      getPointeeType(arr) -> return int
+    * we can set arr[0]='c', arr[1]='c', arr[2]='\0'
+    * @param call callnode of memset like api
+     */
+    const SVFType* getPointeeElement(NodeID id);
 
 
     u32_t hash() const;
@@ -395,7 +398,6 @@ public:
         _varToAbsVal.clear();
     }
 
-
 };
 
 }

package/SVF-linux/Release-build/include/AE/Svfexe/AEDetector.h

@@ -0,0 +1,322 @@
+//===- AEDetector.h -- Vulnerability Detectors---------------------------------//
+//
+//                     SVF: Static Value-Flow Analysis
+//
+// Copyright (C) <2013->  <Yulei Sui>
+//
+
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+//===----------------------------------------------------------------------===//
+
+
+//
+// Created by Jiawei Wang on 2024/8/20.
+//
+#pragma once
+#include <SVFIR/SVFIR.h>
+#include <AE/Core/AbstractState.h>
+#include "Util/SVFBugReport.h"
+
+namespace SVF
+{
+/**
+ * @class AEDetector
+ * @brief Base class for all detectors.
+ */
+class AEDetector
+{
+public:
+    /**
+     * @enum DetectorKind
+     * @brief Enumerates the types of detectors available.
+     */
+    enum DetectorKind
+    {
+        BUF_OVERFLOW,   ///< Detector for buffer overflow issues.
+        UNKNOWN,    ///< Default type if the kind is not specified.
+    };
+
+    /**
+     * @brief Constructor initializes the detector kind to UNKNOWN.
+     */
+    AEDetector(): kind(UNKNOWN) {}
+
+    /**
+     * @brief Virtual destructor for safe polymorphic use.
+     */
+    virtual ~AEDetector() = default;
+
+    /**
+     * @brief Check if the detector is of the UNKNOWN kind.
+     * @param detector Pointer to the detector.
+     * @return True if the detector is of type UNKNOWN, false otherwise.
+     */
+    static bool classof(const AEDetector* detector)
+    {
+        return detector->getKind() == AEDetector::UNKNOWN;
+    }
+
+    /**
+     * @brief Pure virtual function for detecting issues within a node.
+     * @param as Reference to the abstract state.
+     * @param node Pointer to the ICFG node.
+     */
+    virtual void detect(AbstractState& as, const ICFGNode* node) = 0;
+
+    /**
+     * @brief Pure virtual function to report detected bugs.
+     */
+    virtual void reportBug() = 0;
+
+    /**
+     * @brief Get the kind of the detector.
+     * @return The kind of the detector.
+     */
+    DetectorKind getKind() const
+    {
+        return kind;
+    }
+
+protected:
+    DetectorKind kind; ///< The kind of the detector.
+};
+
+/**
+ * @class AEException
+ * @brief Exception class for handling errors in Abstract Execution.
+ */
+class AEException : public std::exception
+{
+public:
+    /**
+     * @brief Constructor initializes the exception with a message.
+     * @param message The error message.
+     */
+    AEException(const std::string& message)
+        : msg_(message) {}
+
+    /**
+     * @brief Provides the error message.
+     * @return The error message as a C-string.
+     */
+    virtual const char* what() const throw()
+    {
+        return msg_.c_str();
+    }
+
+private:
+    std::string msg_; ///< The error message.
+};
+
+/**
+ * @class BufOverflowDetector
+ * @brief Detector for identifying buffer overflow issues.
+ */
+class BufOverflowDetector : public AEDetector
+{
+    friend class AbstractInterpretation;
+public:
+    /**
+     * @brief Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow rules.
+     */
+    BufOverflowDetector()
+    {
+        kind = BUF_OVERFLOW;
+        initExtAPIBufOverflowCheckRules();
+    }
+
+    /**
+     * @brief Destructor.
+     */
+    ~BufOverflowDetector() = default;
+
+    /**
+     * @brief Check if the detector is of the BUF_OVERFLOW kind.
+     * @param detector Pointer to the detector.
+     * @return True if the detector is of type BUF_OVERFLOW, false otherwise.
+     */
+    static bool classof(const AEDetector* detector)
+    {
+        return detector->getKind() == AEDetector::BUF_OVERFLOW;
+    }
+
+    /**
+     * @brief Updates the offset of a GEP object from its base.
+     * @param gepAddrs Address value for GEP.
+     * @param objAddrs Address value for the object.
+     * @param offset The interval value of the offset.
+     */
+    void updateGepObjOffsetFromBase(AddressValue gepAddrs,
+                                    AddressValue objAddrs,
+                                    IntervalValue offset);
+
+    /**
+     * @brief Detect buffer overflow issues within a node.
+     * @param as Reference to the abstract state.
+     * @param node Pointer to the ICFG node.
+     */
+    void detect(AbstractState& as, const ICFGNode*);
+
+    /**
+     * @brief Adds an offset to a GEP object.
+     * @param obj Pointer to the GEP object.
+     * @param offset The interval value of the offset.
+     */
+    void addToGepObjOffsetFromBase(const GepObjVar* obj, const IntervalValue& offset)
+    {
+        gepObjOffsetFromBase[obj] = offset;
+    }
+
+    /**
+     * @brief Checks if a GEP object has an associated offset.
+     * @param obj Pointer to the GEP object.
+     * @return True if the GEP object has an offset, false otherwise.
+     */
+    bool hasGepObjOffsetFromBase(const GepObjVar* obj) const
+    {
+        return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();
+    }
+
+    /**
+     * @brief Retrieves the offset of a GEP object from its base.
+     * @param obj Pointer to the GEP object.
+     * @return The interval value of the offset.
+     */
+    IntervalValue getGepObjOffsetFromBase(const GepObjVar* obj) const
+    {
+        if (hasGepObjOffsetFromBase(obj))
+            return gepObjOffsetFromBase.at(obj);
+        else
+            assert(false && "GepObjVar not found in gepObjOffsetFromBase");
+    }
+
+    /**
+     * @brief Retrieves the access offset for a given object and GEP statement.
+     * @param as Reference to the abstract state.
+     * @param objId The ID of the object.
+     * @param gep Pointer to the GEP statement.
+     * @return The interval value of the access offset.
+     */
+    IntervalValue getAccessOffset(AbstractState& as, NodeID objId, const GepStmt* gep);
+
+    /**
+     * @brief Adds a bug to the reporter based on an exception.
+     * @param e The exception that was thrown.
+     * @param node Pointer to the ICFG node where the bug was detected.
+     */
+    void addBugToReporter(const AEException& e, const ICFGNode* node)
+    {
+        const SVFInstruction* inst = nullptr;
+
+        // Determine the instruction associated with the ICFG node
+        if (const CallICFGNode* call = SVFUtil::dyn_cast<CallICFGNode>(node))
+        {
+            inst = call->getCallSite(); // If the node is a call node, get the call site instruction
+        }
+        else
+        {
+            inst = node->getSVFStmts().back()->getInst(); // Otherwise, get the last instruction of the node's
+            // statements
+        }
+
+        GenericBug::EventStack eventStack;
+        SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, inst);
+        eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
+
+        if (eventStack.empty())
+        {
+            return; // If the event stack is empty, return early
+        }
+
+        std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
+
+        // Check if the bug at this location has already been reported
+        if (bugLoc.find(loc) != bugLoc.end())
+        {
+            return; // If the bug location is already reported, return early
+        }
+        else
+        {
+            bugLoc.insert(loc); // Otherwise, mark this location as reported
+        }
+
+        // Add the bug to the recorder with details from the event stack
+        recoder.addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 0, 0, 0);
+        nodeToBugInfo[node] = e.what(); // Record the exception information for the node
+    }
+
+    /**
+     * @brief Reports all detected buffer overflow bugs.
+     */
+    void reportBug()
+    {
+        if (!nodeToBugInfo.empty())
+        {
+            std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())
+                      + " found)######################\n";
+            std::cerr << "---------------------------------------------\n";
+            for (const auto& it : nodeToBugInfo)
+            {
+                std::cerr << it.second << "\n---------------------------------------------\n";
+            }
+        }
+    }
+
+    /**
+     * @brief Initializes external API buffer overflow check rules.
+     */
+    void initExtAPIBufOverflowCheckRules();
+
+    /**
+     * @brief Handles external API calls related to buffer overflow detection.
+     * @param as Reference to the abstract state.
+     * @param call Pointer to the call ICFG node.
+     */
+    void detectExtAPI(AbstractState& as, const CallICFGNode *call);
+
+    /**
+     * @brief Checks if memory can be safely accessed.
+     * @param as Reference to the abstract state.
+     * @param value Pointer to the SVF value.
+     * @param len The interval value representing the length of the memory access.
+     * @return True if the memory access is safe, false otherwise.
+     */
+    bool canSafelyAccessMemory(AbstractState& as, const SVFValue *value, const IntervalValue &len);
+
+private:
+    /**
+     * @brief Detects buffer overflow in 'strcat' function calls.
+     * @param as Reference to the abstract state.
+     * @param call Pointer to the call ICFG node.
+     * @return True if a buffer overflow is detected, false otherwise.
+     */
+    bool detectStrcat(AbstractState& as, const CallICFGNode *call);
+
+    /**
+     * @brief Detects buffer overflow in 'strcpy' function calls.
+     * @param as Reference to the abstract state.
+     * @param call Pointer to the call ICFG node.
+     * @return True if a buffer overflow is detected, false otherwise.
+     */
+    bool detectStrcpy(AbstractState& as, const CallICFGNode *call);
+
+private:
+    Map<const GepObjVar*, IntervalValue> gepObjOffsetFromBase; ///< Maps GEP objects to their offsets from the base.
+    Map<std::string, std::vector<std::pair<u32_t, u32_t>>> extAPIBufOverflowCheckRules; ///< Rules for checking buffer overflows in external APIs.
+    Set<std::string> bugLoc; ///< Set of locations where bugs have been reported.
+    SVFBugReport recoder; ///< Recorder for abstract execution bugs.
+    Map<const ICFGNode*, std::string> nodeToBugInfo; ///< Maps ICFG nodes to bug information.
+};
+}

package/SVF-linux/Release-build/include/AE/Svfexe/AbstractInterpretation.h

@@ -27,11 +27,12 @@
 // Xiao Cheng, Jiawei Wang and Yulei Sui. Precise Sparse Abstract Execution via Cross-Domain Interaction.
 // 46th International Conference on Software Engineering. (ICSE24)
 //
-
+#pragma once
+#include "AE/Core/AbstractState.h"
 #include "AE/Core/ICFGWTO.h"
+#include "AE/Svfexe/AEDetector.h"
 #include "Util/SVFBugReport.h"
 #include "WPA/Andersen.h"
-#include "AE/Core/AbstractState.h"
 
 namespace SVF
 {
@@ -41,12 +42,6 @@ class AEAPI;
 
 template<typename T> class FILOWorkList;
 
-enum class AEKind
-{
-    AbstractExecution,
-    BufOverflowChecker,
-};
-
 /// AEStat: Statistic for AE
 class AEStat : public SVFStat
 {
@@ -67,14 +62,12 @@ public:
 
     void finializeStat();
     void performStat() override;
-    void reportBug();
 
 public:
     AbstractInterpretation* _ae;
     s32_t count{0};
     std::string memory_usage;
     std::string memUsage;
-    std::string bugStr;
 
 
     u32_t& getFunctionTrace()
@@ -108,6 +101,7 @@ class AbstractInterpretation
 {
     friend class AEStat;
     friend class AEAPI;
+    friend class BufOverflowDetector;
 
 public:
     enum ExtAPIType { UNCLASSIFIED, MEMCPY, MEMSET, STRCPY, STRCAT };
@@ -123,14 +117,15 @@ public:
     /// Program entry
     void analyse();
 
-    static bool classof(const AbstractInterpretation* ae)
+    static AbstractInterpretation& getAEInstance()
     {
-        return ae->getKind() == AEKind::AbstractExecution;
+        static AbstractInterpretation instance;
+        return instance;
     }
 
-    AEKind getKind() const
+    void addDetector(std::unique_ptr<AEDetector> detector)
     {
-        return _kind;
+        detectors.push_back(std::move(detector));
     }
 
 protected:
@@ -233,13 +228,6 @@ protected:
     */
     virtual void initExtFunMap();
 
-    /**
-    * get byte size of alloca inst
-    *
-    * @param addr Address Stmt like malloc/calloc/ALLOCA/StackAlloc
-    * @return the byte size e.g. int32_t a[10] -> return 40
-    */
-    u32_t getAllocaInstByteSize(AbstractState& as, const AddrStmt *addr);
 
     /**
     * get byte size of alloca inst
@@ -259,16 +247,6 @@ protected:
     */
     IntervalValue getStrlen(AbstractState& as, const SVF::SVFValue *strValue);
 
-    /**
-    * get memory allocation size
-    * e.g  arr = new int[10]
-    *      ....
-    *      memset(arr, 1, 10* sizeof(int))
-    * when we trace the 'arr', we can get the alloc size [40, 40]
-    * @param value to be traced
-    * @return IntervalValue of allocation size
-    */
-    IntervalValue traceMemoryAllocationSize(AbstractState& as, const SVFValue *value);
     /**
     * execute strcpy in abstract execution
     * e.g  arr = new char[10]
@@ -305,23 +283,9 @@ protected:
     */
     virtual void handleMemset(AbstractState& as, const SVFValue* dst, IntervalValue elem, IntervalValue len);
 
-    /**
-    * if this NodeID in SVFIR is a pointer, get the pointee type
-    * e.g  arr = (int*) malloc(10*sizeof(int))
-    *      getPointeeType(arr) -> return int
-    * we can set arr[0]='c', arr[1]='c', arr[2]='\0'
-    * @param call callnode of memset like api
-    */
-    const SVFType* getPointeeElement(AbstractState& as, NodeID id);
 
     void collectCheckPoint();
     void checkPointAllSet();
-    // helper functions for traceMemoryAllocationSize and canSafelyAccessMemory
-    void AccessMemoryViaRetNode(const CallICFGNode *callnode, SVF::FILOWorkList<const SVFValue *>& worklist, Set<const SVFValue *>& visited);
-    void AccessMemoryViaCopyStmt(const CopyStmt *copy, SVF::FILOWorkList<const SVFValue *>& worklist, Set<const SVFValue *>& visited);
-    void AccessMemoryViaLoadStmt(AbstractState& as, const LoadStmt *load, SVF::FILOWorkList<const SVFValue *>& worklist, Set<const SVFValue *>& visited);
-    void AccessMemoryViaCallArgs(const SVF::SVFArgument *arg, SVF::FILOWorkList<const SVFValue *>& worklist, Set<const SVFValue *>& visited);
-
 
     void updateStateOnAddr(const AddrStmt *addr);
 
@@ -349,20 +313,16 @@ protected:
 
 
     /// protected data members, also used in subclasses
-    SVFIR* _svfir;
+    SVFIR* svfir;
     /// Execution State, used to store the Interval Value of every SVF variable
-    AEAPI* _api{nullptr};
+    AEAPI* api{nullptr};
 
-    ICFG* _icfg;
-    AEStat* _stat;
-    AEKind _kind;
+    ICFG* icfg;
+    AEStat* stat;
 
-    Set<std::string> _bugLoc;
-    SVFBugReport _recoder;
-    std::vector<const CallICFGNode*> _callSiteStack;
-    Map<const ICFGNode*, std::string> _nodeToBugInfo;
-    Map<const SVFFunction*, ICFGWTO*> _funcToWTO;
-    Set<const SVFFunction*> _recursiveFuns;
+    std::vector<const CallICFGNode*> callSiteStack;
+    Map<const SVFFunction*, ICFGWTO*> funcToWTO;
+    Set<const SVFFunction*> recursiveFuns;
 
 private:
     // helper functions in handleCallSite
@@ -379,29 +339,33 @@ protected:
 
     AbstractState& getAbsStateFromTrace(const ICFGNode* node)
     {
-        const ICFGNode* repNode = _icfg->getRepNode(node);
-        if (_abstractTrace.count(repNode) == 0)
+        const ICFGNode* repNode = icfg->getRepNode(node);
+        if (abstractTrace.count(repNode) == 0)
         {
             assert(0 && "No preAbsTrace for this node");
         }
         else
         {
-            return _abstractTrace[repNode];
+            return abstractTrace[repNode];
         }
     }
 
     bool hasAbsStateFromTrace(const ICFGNode* node)
     {
-        const ICFGNode* repNode = _icfg->getRepNode(node);
-        return _abstractTrace.count(repNode) != 0;
+        const ICFGNode* repNode = icfg->getRepNode(node);
+        return abstractTrace.count(repNode) != 0;
     }
 
 protected:
     // there data should be shared with subclasses
-    Map<std::string, std::function<void(const CallSite &)>> _func_map;
-    Set<const CallICFGNode*> _checkpoints;
-    Set<std::string> _checkpoint_names;
-    Map<const ICFGNode*, AbstractState> _abstractTrace; // abstract states immediately after nodes
-    std::string _moduleName;
+    Map<std::string, std::function<void(const CallSite &)>> func_map;
+    Set<const CallICFGNode*> checkpoints;
+    Set<std::string> checkpoint_names;
+    Map<const ICFGNode*, AbstractState>
+    abstractTrace; // abstract states immediately after nodes
+    std::string moduleName;
+
+    std::vector<std::unique_ptr<AEDetector>> detectors;
+
 };
 }

package/SVF-osx/Release-build/include/Graphs/ICFG.h

@@ -198,12 +198,21 @@ public:
     //@{
     ICFGNode* getICFGNode(const SVFInstruction* inst);
 
+    /// Whether has the ICFGNode
+    bool hasICFGNode(const SVFInstruction* inst);
+
     CallICFGNode* getCallICFGNode(const SVFInstruction* inst);
 
+    CallICFGNode* addCallICFGNode(const SVFInstruction* inst);
+
     RetICFGNode* getRetICFGNode(const SVFInstruction* inst);
 
+    RetICFGNode* addRetICFGNode(const SVFInstruction* inst);
+
     IntraICFGNode* getIntraICFGNode(const SVFInstruction* inst);
 
+    IntraICFGNode* addIntraICFGNode(const SVFInstruction* inst);
+
     FunEntryICFGNode* getFunEntryICFGNode(const SVFFunction*  fun);
 
     FunExitICFGNode* getFunExitICFGNode(const SVFFunction*  fun);

package/SVF-osx/Release-build/include/MSSA/MemRegion.h

@@ -470,9 +470,9 @@ public:
     }
     //@}
     /// Whether this instruction has SVFIR Edge
-    bool hasSVFStmtList(const SVFInstruction* inst);
+    bool hasSVFStmtList(const ICFGNode* icfgNode);
     /// Given an instruction, get all its the PAGEdge (statement) in sequence
-    SVFStmtList& getPAGEdgesFromInst(const SVFInstruction* inst);
+    SVFStmtList& getPAGEdgesFromInst(const ICFGNode* node);
 
     /// getModRefInfo APIs
     //@{

package/SVF-osx/Release-build/include/MTA/MHP.h

@@ -341,8 +341,7 @@ public:
         NodeID parentTid = tct->getParentThread(tid);
         const CxtThread& parentct = tct->getTCTNode(parentTid)->getCxtThread();
         const SVFFunction* parentRoutine = tct->getStartRoutineOfCxtThread(parentct);
-        const SVFInstruction* inst = parentRoutine->getExitBB()->back();
-        return tct->getICFGNode(inst);
+        return parentRoutine->getExitBB()->back();
     }
 
     /// Get loop for join site

package/SVF-osx/Release-build/include/SVF-LLVM/ICFGBuilder.h

@@ -62,23 +62,30 @@ private:
     ///@{
     void processFunEntry(const Function*  fun, WorkList& worklist);
 
+    void processNoPrecessorBasicBlocks(const Function*  fun, WorkList& worklist);
+
     void processFunBody(WorkList& worklist);
 
     void processFunExit(const Function*  fun);
     //@}
 
+    void checkICFGNodesVisited(const Function* fun);
+
     void connectGlobalToProgEntry(SVFModule* svfModule);
 
     /// Add/Get an inter block ICFGNode
-    InterICFGNode* getOrAddInterBlockICFGNode(const SVFInstruction* inst);
+    InterICFGNode* addInterBlockICFGNode(const SVFInstruction* inst);
 
     /// Add/Get a basic block ICFGNode
-    inline ICFGNode* getOrAddBlockICFGNode(const SVFInstruction* inst)
+    inline ICFGNode* addBlockICFGNode(const SVFInstruction* inst)
     {
+        ICFGNode* node;
         if(SVFUtil::isNonInstricCallSite(inst))
-            return getOrAddInterBlockICFGNode(inst);
+            node = addInterBlockICFGNode(inst);
         else
-            return getOrAddIntraBlockICFGNode(inst);
+            node = addIntraBlockICFGNode(inst);
+        const_cast<SVFBasicBlock*>(inst->getParent())->addICFGNode(node);
+        return node;
     }
 
     /// Create edges between ICFG nodes across functions
@@ -96,10 +103,13 @@ private:
     }
 
     /// Add and get IntraBlock ICFGNode
-    IntraICFGNode* getOrAddIntraBlockICFGNode(const SVFInstruction* inst)
+    IntraICFGNode* addIntraBlockICFGNode(const SVFInstruction* inst)
     {
-        return icfg->getIntraICFGNode(inst);
+        return icfg->addIntraICFGNode(inst);
     }
+
+private:
+    BBSet visited;
 };
 
 } // End namespace SVF

package/SVF-osx/Release-build/include/SVF-LLVM/LLVMUtil.h

@@ -303,6 +303,17 @@ void getNextInsts(const Instruction* curInst,
 void getPrevInsts(const Instruction* curInst,
                   std::vector<const Instruction*>& instList);
 
+/// Basic block does not have predecessors
+/// map-1.cpp.bc
+/// try.cont: ; No predecessors!
+///    call void @llvm.trap()
+///    unreachable
+inline bool isNoPrecessorBasicBlock(const BasicBlock* bb)
+{
+    return bb != &bb->getParent()->getEntryBlock() &&
+           pred_empty(bb);
+}
+
 /// Get num of BB's predecessors
 u32_t getBBPredecessorNum(const BasicBlock* BB);
 

package/SVF-osx/Release-build/include/SVF-LLVM/SVFIRBuilder.h

@@ -450,9 +450,9 @@ protected:
     /// Add Store edge
     inline void addStoreEdge(NodeID src, NodeID dst)
     {
-        IntraICFGNode* node;
+        ICFGNode* node;
         if (const SVFInstruction* inst = SVFUtil::dyn_cast<SVFInstruction>(curVal))
-            node = pag->getICFG()->getIntraICFGNode(inst);
+            node = pag->getICFG()->getICFGNode(inst);
         else
             node = nullptr;
         if (StoreStmt* edge = pag->addStoreStmt(src, dst, node))

package/SVF-osx/Release-build/include/SVFIR/SVFIR.h

@@ -658,7 +658,7 @@ private:
     /// Add Load edge
     LoadStmt* addLoadStmt(NodeID src, NodeID dst);
     /// Add Store edge
-    StoreStmt* addStoreStmt(NodeID src, NodeID dst, const IntraICFGNode* val);
+    StoreStmt* addStoreStmt(NodeID src, NodeID dst, const ICFGNode* val);
     /// Add Call edge
     CallPE* addCallPE(NodeID src, NodeID dst, const CallICFGNode* cs,
                       const FunEntryICFGNode* entry);

package/SVF-osx/Release-build/include/SVFIR/SVFStatements.h

@@ -478,7 +478,7 @@ public:
     //@}
 
     /// constructor
-    StoreStmt(SVFVar* s, SVFVar* d, const IntraICFGNode* st);
+    StoreStmt(SVFVar* s, SVFVar* d, const ICFGNode* st);
 
     virtual const std::string toString() const override;
 };

package/SVF-osx/Release-build/include/SVFIR/SVFValue.h

@@ -524,6 +524,8 @@ public:
     }
 };
 
+class ICFGNode;
+
 class SVFBasicBlock : public SVFValue
 {
     friend class LLVMModuleSet;
@@ -531,21 +533,26 @@ class SVFBasicBlock : public SVFValue
     friend class SVFIRReader;
     friend class SVFIRBuilder;
     friend class SVFFunction;
+    friend class ICFGBuilder;
+    friend class ICFG;
 
 public:
-    typedef std::vector<const SVFInstruction*>::const_iterator const_iterator;
+    typedef std::vector<const ICFGNode*>::const_iterator const_iterator;
 
 private:
-    std::vector<const SVFInstruction*> allInsts;    ///< all Instructions in this BasicBlock
+    std::vector<const ICFGNode*> allICFGNodes;    ///< all ICFGNodes in this BasicBlock
     std::vector<const SVFBasicBlock*> succBBs;  ///< all successor BasicBlocks of this BasicBlock
     std::vector<const SVFBasicBlock*> predBBs;  ///< all predecessor BasicBlocks of this BasicBlock
     const SVFFunction* fun;                 /// Function where this BasicBlock is
 
 protected:
     ///@{ attributes to be set only through Module builders e.g., LLVMModule
-    inline void addInstruction(const SVFInstruction* inst)
+
+    inline void addICFGNode(const ICFGNode* icfgNode)
     {
-        allInsts.push_back(inst);
+        assert(std::find(getICFGNodeList().begin(), getICFGNodeList().end(),
+                         icfgNode) == getICFGNodeList().end() && "duplicated icfgnode");
+        allICFGNodes.push_back(icfgNode);
     }
 
     inline void addSuccBasicBlock(const SVFBasicBlock* succ)
@@ -570,19 +577,19 @@ public:
         return node->getKind() == SVFBB;
     }
 
-    inline const std::vector<const SVFInstruction*>& getInstructionList() const
+    inline const std::vector<const ICFGNode*>& getICFGNodeList() const
     {
-        return allInsts;
+        return allICFGNodes;
     }
 
     inline const_iterator begin() const
     {
-        return allInsts.begin();
+        return allICFGNodes.begin();
     }
 
     inline const_iterator end() const
     {
-        return allInsts.end();
+        return allICFGNodes.end();
     }
 
     inline const SVFFunction* getParent() const
@@ -595,20 +602,18 @@ public:
         return fun;
     }
 
-    inline const SVFInstruction* front() const
+    inline const ICFGNode* front() const
     {
-        return allInsts.front();
+        assert(!allICFGNodes.empty() && "bb empty?");
+        return allICFGNodes.front();
     }
 
-    inline const SVFInstruction* back() const
+    inline const ICFGNode* back() const
     {
-        return allInsts.back();
+        assert(!allICFGNodes.empty() && "bb empty?");
+        return allICFGNodes.back();
     }
 
-    /// Returns the terminator instruction if the block is well formed or null
-    /// if the block is not well formed.
-    const SVFInstruction* getTerminator() const;
-
     inline const std::vector<const SVFBasicBlock*>& getSuccessors() const
     {
         return succBBs;

package/SVF-osx/Release-build/include/Util/SVFUtil.h

@@ -168,6 +168,8 @@ void dumpPointsToList(const PointsToList& ptl);
 
 /// Return true if it is an llvm intrinsic instruction
 bool isIntrinsicInst(const SVFInstruction* inst);
+bool isIntrinsicInst(const ICFGNode* inst);
+
 //@}
 
 /// Whether an instruction is a call or invoke instruction
@@ -184,6 +186,10 @@ inline bool isCallSite(const SVFValue* val)
         return false;
 }
 
+bool isCallSite(const ICFGNode* inst);
+
+bool isRetInstNode(const ICFGNode* node);
+
 /// Whether an instruction is a callsite in the application code, excluding llvm intrinsic calls
 inline bool isNonInstricCallSite(const SVFInstruction* inst)
 {
@@ -192,6 +198,14 @@ inline bool isNonInstricCallSite(const SVFInstruction* inst)
     return isCallSite(inst);
 }
 
+/// Whether an instruction is a callsite in the application code, excluding llvm intrinsic calls
+inline bool isNonInstricCallSite(const ICFGNode* inst)
+{
+    if(isIntrinsicInst(inst))
+        return false;
+    return isCallSite(inst);
+}
+
 /// Return LLVM callsite given an instruction
 inline CallSite getSVFCallSite(const SVFInstruction* inst)
 {
@@ -250,6 +264,8 @@ inline const SVFFunction* getCallee(const SVFInstruction *inst)
     CallSite cs(inst);
     return getCallee(cs);
 }
+
+const SVFFunction* getCallee(const ICFGNode *inst);
 //@}
 
 /// Given a map mapping points-to sets to a count, adds from into to.
@@ -402,27 +418,20 @@ inline bool isArgOfUncalledFunction(const SVFValue* svfval)
 
 /// Return thread fork function
 //@{
-inline const SVFValue* getForkedFun(const CallSite cs)
-{
-    return ThreadAPI::getThreadAPI()->getForkedFun(cs.getInstruction());
-}
 inline const SVFValue* getForkedFun(const SVFInstruction *inst)
 {
     return ThreadAPI::getThreadAPI()->getForkedFun(inst);
 }
 //@}
 
-/// This function servers a allocation wrapper detector
-inline bool isAnAllocationWraper(const SVFInstruction*)
-{
-    return false;
-}
 
 inline bool isExtCall(const CallSite cs)
 {
     return isExtCall(getCallee(cs));
 }
 
+bool isExtCall(const ICFGNode* node);
+
 inline bool isExtCall(const SVFInstruction *inst)
 {
     return isExtCall(getCallee(inst));
@@ -451,10 +460,7 @@ inline bool isHeapAllocExtCallViaRet(const SVFInstruction *inst)
     return isPtrTy && isHeapAllocExtFunViaRet(getCallee(inst));
 }
 
-inline bool isHeapAllocExtCall(const CallSite cs)
-{
-    return isHeapAllocExtCallViaRet(cs) || isHeapAllocExtCallViaArg(cs);
-}
+bool isHeapAllocExtCall(const ICFGNode* cs);
 
 inline bool isHeapAllocExtCall(const SVFInstruction *inst)
 {
@@ -477,10 +483,6 @@ inline bool isReallocExtCall(const CallSite cs)
 
 /// Return true if this is a thread creation call
 ///@{
-inline bool isThreadForkCall(const CallSite cs)
-{
-    return ThreadAPI::getThreadAPI()->isTDFork(cs.getInstruction());
-}
 inline bool isThreadForkCall(const SVFInstruction *inst)
 {
     return ThreadAPI::getThreadAPI()->isTDFork(inst);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-lib",
-  "version": "1.0.2084",
+  "version": "1.0.2086",
   "description": "SVF's npm support",
   "main": "index.js",
   "scripts": {

package/SVF-linux/Release-build/include/AE/Svfexe/BufOverflowChecker.h

@@ -1,216 +0,0 @@
-//===- BufOverflowChecker.cpp -- BufOVerflowChecker Client for Abstract Execution---//
-//
-//                     SVF: Static Value-Flow Analysis
-//
-// Copyright (C) <2013->  <Yulei Sui>
-//
-
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-//
-//===----------------------------------------------------------------------===//
-
-
-//
-// Created by Jiawei Wang on 2024/1/12.
-// The implementation is based on
-// Xiao Cheng, Jiawei Wang and Yulei Sui. Precise Sparse Abstract Execution via Cross-Domain Interaction.
-// 46th International Conference on Software Engineering. (ICSE24)
-//
-
-#include "AE/Svfexe/AbstractInterpretation.h"
-
-namespace SVF
-{
-
-struct BufOverflowException: public std::exception
-{
-public:
-    BufOverflowException(std::string msg, u32_t allocLb,
-                         u32_t allocUb, u32_t accessLb, u32_t accessUb, const SVFValue* allocVal) :
-        _msg(msg), _allocLb(allocLb), _allocUb(allocUb),
-        _accessLb(accessLb), _accessUb(accessUb), _allocVar(allocVal)
-    {
-    }
-
-    u32_t getAllocLb() const
-    {
-        return _allocLb;
-    }
-
-    void setAllocLb(u32_t allocLb)
-    {
-        _allocLb = allocLb;
-    }
-
-    u32_t getAllocUb() const
-    {
-        return _allocUb;
-    }
-
-    void setAllocUb(u32_t allocUb)
-    {
-        _allocUb = allocUb;
-    }
-
-    u32_t getAccessLb() const
-    {
-        return _accessLb;
-    }
-
-    void setAccessLb(u32_t accessLb)
-    {
-        _accessLb = accessLb;
-    }
-
-    u32_t getAccessUb() const
-    {
-        return _accessUb;
-    }
-
-    void setAccessUb(u32_t accessUb)
-    {
-        _accessUb = accessUb;
-    }
-
-    const SVFValue* getAllocVar() const
-    {
-        return _allocVar;
-    }
-
-    const char* what() const noexcept override
-    {
-        return _msg.c_str();
-    }
-
-
-protected:
-    std::string _msg;
-    u32_t _allocLb, _allocUb, _accessLb, _accessUb;
-    const SVFValue* _allocVar;
-};
-
-class BufOverflowChecker: public AbstractInterpretation
-{
-public:
-    BufOverflowChecker() : AbstractInterpretation()
-    {
-        initExtFunMap();
-        _kind = AEKind::BufOverflowChecker;
-        initExtAPIBufOverflowCheckRules();
-    }
-
-    static bool classof(const AbstractInterpretation* ae)
-    {
-        return ae->getKind() == AEKind::BufOverflowChecker;
-    }
-
-protected:
-    /**
-    * the map of external function to its API type
-    *
-    * it initialize the ext apis about buffer overflow checking
-    */
-    virtual void initExtFunMap() override;
-
-    /**
-    * the map of ext apis of buffer overflow checking rules
-    *
-    * it initialize the rules of extapis about buffer overflow checking
-    * e.g. memcpy(dst, src, sz) -> we check allocSize(dst)>=sz and allocSize(src)>=sz
-    */
-    void initExtAPIBufOverflowCheckRules();
-
-    /**
-    * handle external function call regarding buffer overflow checking
-    * e.g. memcpy(dst, src, sz) -> we check allocSize(dst)>=sz and allocSize(src)>=sz
-    *
-    * @param call call node whose callee is external function
-    */
-    void handleExtAPI(const CallICFGNode *call) override;
-    /**
-    * detect buffer overflow from strcpy like apis
-    * e.g. strcpy(dst, src), if dst is shorter than src, we will throw buffer overflow
-    *
-    * @param call call node whose callee is strcpy-like external function
-    * @return true if the buffer overflow is detected
-    */
-    bool detectStrcpy(const CallICFGNode *call);
-    /**
-    * detect buffer overflow from strcat like apis
-    * e.g. strcat(dst, src), if dst is shorter than src, we will throw buffer overflow
-    *
-    * @param call call node whose callee is strcpy-like external function
-    * @return true if the buffer overflow is detected
-    */
-    bool detectStrcat(const CallICFGNode *call);
-
-    /**
-     * detect buffer overflow by giving a var and a length
-     * e.g. int x[10]; x[10] = 1;
-     * we call canSafelyAccessMemory(x, 11 * sizeof(int));
-     *
-     * @param value the value of the buffer overflow checkpoint
-     * @param len the length of the buffer overflow checkpoint
-     * @return true if the buffer overflow is detected
-     */
-    bool canSafelyAccessMemory(const SVFValue *value, const IntervalValue &len, const ICFGNode *curNode);
-
-private:
-    /**
-    * handle SVF statement regarding buffer overflow checking
-    *
-    * @param stmt SVF statement
-    */
-    virtual void handleSVFStatement(const SVFStmt *stmt) override;
-
-    // TODO: will delete later
-    virtual void handleSingletonWTO(const ICFGSingletonWTO *icfgSingletonWto) override
-    {
-        AbstractInterpretation::handleSingletonWTO(icfgSingletonWto);
-        const ICFGNode* repNode = _icfg->getRepNode(icfgSingletonWto->getICFGNode());
-        if (_abstractTrace.count(repNode) == 0)
-        {
-            return;
-        }
-        const std::vector<const ICFGNode*>& worklist_vec = _icfg->getSubNodes(icfgSingletonWto->getICFGNode());
-
-        for (auto it = worklist_vec.begin(); it != worklist_vec.end(); ++it)
-        {
-            const ICFGNode* curNode = *it;
-            detectBufOverflow(curNode);
-        }
-    }
-
-    /**
-    * check buffer overflow at ICFGNode which is a checkpoint
-    *
-    * @param node ICFGNode
-    * @return true if the buffer overflow is detected
-    */
-    bool detectBufOverflow(const ICFGNode *node);
-
-    /**
-    * add buffer overflow bug to recoder
-    *
-    * @param e the exception that is thrown by BufOverflowChecker
-    * @param node ICFGNode that causes the exception
-    */
-    void addBugToRecoder(const BufOverflowException& e, const ICFGNode* node);
-
-private:
-    Map<NodeID, const GepStmt*> _addrToGep;
-    Map<std::string, std::vector<std::pair<u32_t, u32_t>>> _extAPIBufOverflowCheckRules;
-
-};
-}

package/SVF-linux/Release-build/include/AE/Svfexe/ICFGSimplification.h

@@ -1,44 +0,0 @@
-//===- ICFGSimplification.h -- Simplify ICFG----------------------------------//
-//
-//                     SVF: Static Value-Flow Analysis
-//
-// Copyright (C) <2013->  <Yulei Sui>
-//
-
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-//
-//===----------------------------------------------------------------------===//
-
-
-//
-// Created by Jiawei Wang on 2024/2/25.
-//
-// The implementation is based on
-// Xiao Cheng, Jiawei Wang and Yulei Sui. Precise Sparse Abstract Execution via Cross-Domain Interaction.
-// 46th International Conference on Software Engineering. (ICSE24)
-#include "Graphs/ICFG.h"
-
-namespace SVF
-{
-
-class ICFGSimplification
-{
-public:
-    ICFGSimplification() = default;
-
-    virtual ~ICFGSimplification() = default;
-
-    static void mergeAdjacentNodes(ICFG* icfg);
-};
-}