svf-tools 1.0.1084 → 1.0.1086

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.1084",
+  "version": "1.0.1086",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/AE/Core/AbstractState.h

@@ -291,7 +291,8 @@ public:
     /// domain meet with other, important! other widen this.
     void meetWith(const AbstractState&other);
 
-    void addToFreedAddrs(NodeID addr) {
+    void addToFreedAddrs(NodeID addr)
+    {
         _freedAddrs.insert(addr);
     }
 

package/svf/include/AE/Svfexe/AEDetector.h

@@ -322,7 +322,8 @@ private:
     SVFBugReport recoder; ///< Recorder for abstract execution bugs.
     Map<const ICFGNode*, std::string> nodeToBugInfo; ///< Maps ICFG nodes to bug information.
 };
-class NullptrDerefDetector : public AEDetector{
+class NullptrDerefDetector : public AEDetector
+{
     friend class AbstractInterpretation;
 public:
     NullptrDerefDetector()
@@ -355,17 +356,17 @@ public:
      * @param v The Abstract Value to check.
      * @return True if the value is uninitialized, false otherwise.
      */
-    bool isUninit(AbstractValue v) 
+    bool isUninit(AbstractValue v)
     {
         bool is = v.getAddrs().isBottom() && v.getInterval().isBottom();
         return is;
     }
 
-     /**
-     * @brief Adds a bug to the reporter based on an exception.
-     * @param e The exception that was thrown.
-     * @param node Pointer to the ICFG node where the bug was detected.
-     */
+    /**
+    * @brief Adds a bug to the reporter based on an exception.
+    * @param e The exception that was thrown.
+    * @param node Pointer to the ICFG node where the bug was detected.
+    */
     void addBugToReporter(const AEException& e, const ICFGNode* node)
     {
         GenericBug::EventStack eventStack;
@@ -390,7 +391,7 @@ public:
         recoder.addAbsExecBug(GenericBug::FULLNULLPTRDEREFERENCE, eventStack, 0, 0, 0, 0);
         nodeToBugInfo[node] = e.what(); // Record the exception information for the node
     }
-    
+
     /**
      * @brief Reports all detected nullptr dereference bugs.
      */
@@ -415,7 +416,7 @@ public:
      */
     void detectExtAPI(AbstractState& as, const CallICFGNode* call);
 
- 
+
     /**
      * @brief Check if an Abstract Value is NULL (or uninitialized).
      *
@@ -427,7 +428,7 @@ public:
     }
 
     bool canSafelyDerefPtr(AbstractState& as, const SVFVar* ptr);
- 
+
 private:
     Set<std::string> bugLoc; ///< Set of locations where bugs have been reported.
     SVFBugReport recoder; ///< Recorder for abstract execution bugs.

package/svf/lib/AE/Svfexe/AEDetector.cpp

@@ -359,7 +359,8 @@ void BufOverflowDetector::updateGepObjOffsetFromBase(AbstractState& as, SVF::Add
                 {
                     addToGepObjOffsetFromBase(gepObjVar, offset);
                 }
-                else {
+                else
+                {
                     assert(AbstractState::isInvalidMem(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
                 }
             }
@@ -387,7 +388,8 @@ void BufOverflowDetector::updateGepObjOffsetFromBase(AbstractState& as, SVF::Add
                                "GEP RHS object has no offset from base");
                     }
                 }
-                else {
+                else
+                {
                     assert(AbstractState::isInvalidMem(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
                 }
             }
@@ -513,26 +515,34 @@ bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SV
     return true;
 }
 
-void NullptrDerefDetector::detect(AbstractState& as, const ICFGNode* node) {
-    if (SVFUtil::isa<CallICFGNode>(node)){
+void NullptrDerefDetector::detect(AbstractState& as, const ICFGNode* node)
+{
+    if (SVFUtil::isa<CallICFGNode>(node))
+    {
         const CallICFGNode* callNode = SVFUtil::cast<CallICFGNode>(node);
         if (SVFUtil::isExtCall(callNode->getCalledFunction()))
         {
             detectExtAPI(as, callNode);
         }
     }
-    else {
-        for (const auto& stmt: node->getSVFStmts()) {
-            if (const GepStmt* gep = SVFUtil::dyn_cast<GepStmt>(stmt)) {
+    else
+    {
+        for (const auto& stmt: node->getSVFStmts())
+        {
+            if (const GepStmt* gep = SVFUtil::dyn_cast<GepStmt>(stmt))
+            {
                 SVFVar* rhs = gep->getRHSVar();
-                if (!canSafelyDerefPtr(as, rhs)) {
+                if (!canSafelyDerefPtr(as, rhs))
+                {
                     AEException bug(stmt->toString());
                     addBugToReporter(bug, stmt->getICFGNode());
                 }
             }
-            else if (const LoadStmt* load = SVFUtil::dyn_cast<LoadStmt>(stmt)) {
+            else if (const LoadStmt* load = SVFUtil::dyn_cast<LoadStmt>(stmt))
+            {
                 SVFVar* lhs = load->getLHSVar();
-                if ( !canSafelyDerefPtr(as, lhs)) {
+                if ( !canSafelyDerefPtr(as, lhs))
+                {
                     AEException bug(stmt->toString());
                     addBugToReporter(bug, stmt->getICFGNode());
                 }
@@ -542,68 +552,75 @@ void NullptrDerefDetector::detect(AbstractState& as, const ICFGNode* node) {
 }
 
 
-void NullptrDerefDetector::handleStubFunctions(const CallICFGNode* callNode){
-     std::string funcName = callNode->getCalledFunction()->getName();
-     if (funcName == "UNSAFE_LOAD")
-     {
-         // void UNSAFE_LOAD(void* ptr);
-         AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
-         if (callNode->arg_size() < 1)
-             return;
-         AbstractState& as = AbstractInterpretation::getAEInstance().getAbsStateFromTrace(callNode);
-         
-         const SVFVar* arg0Val = callNode->getArgument(0);
-         // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)
-         bool isSafe = canSafelyDerefPtr(as, arg0Val) && arg0Val->getId() != 0;
-         if (!isSafe) {
+void NullptrDerefDetector::handleStubFunctions(const CallICFGNode* callNode)
+{
+    std::string funcName = callNode->getCalledFunction()->getName();
+    if (funcName == "UNSAFE_LOAD")
+    {
+        // void UNSAFE_LOAD(void* ptr);
+        AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
+        if (callNode->arg_size() < 1)
+            return;
+        AbstractState& as = AbstractInterpretation::getAEInstance().getAbsStateFromTrace(callNode);
+
+        const SVFVar* arg0Val = callNode->getArgument(0);
+        // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)
+        bool isSafe = canSafelyDerefPtr(as, arg0Val) && arg0Val->getId() != 0;
+        if (!isSafe)
+        {
             std::cout << "detect null pointer deference success: " << callNode->toString() << std::endl;
             return;
-         }
-         else
-         {
+        }
+        else
+        {
             std::string err_msg = "this UNSAFE_LOAD should be a null pointer dereference but not detected. Pos: ";
             err_msg += callNode->getSourceLoc();
             std::cerr << err_msg << std::endl;
             assert(false);
-         }
-     }
-     else if (funcName == "SAFE_LOAD")
-     {
-         // void SAFE_LOAD(void* ptr);
-         AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
-         if (callNode->arg_size() < 1) return;
-         AbstractState&as = AbstractInterpretation::getAEInstance().getAbsStateFromTrace(callNode);
-         const SVFVar* arg0Val = callNode->getArgument(0);
-         // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)ols
-         bool isSafe = canSafelyDerefPtr(as, arg0Val) && arg0Val->getId() != 0;
-         if (isSafe) {
-             std::cout << "safe load pointer success: " << callNode->toString() << std::endl;
-             return;
-         }
-         else
-         {
-             std::string err_msg = "this SAFE_LOAD should be a safe but a null pointer dereference detected. Pos: ";
-             err_msg += callNode->getSourceLoc();
-             std::cerr << err_msg << std::endl;
-             assert(false);
-         }
-     }
+        }
+    }
+    else if (funcName == "SAFE_LOAD")
+    {
+        // void SAFE_LOAD(void* ptr);
+        AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
+        if (callNode->arg_size() < 1) return;
+        AbstractState&as = AbstractInterpretation::getAEInstance().getAbsStateFromTrace(callNode);
+        const SVFVar* arg0Val = callNode->getArgument(0);
+        // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)ols
+        bool isSafe = canSafelyDerefPtr(as, arg0Val) && arg0Val->getId() != 0;
+        if (isSafe)
+        {
+            std::cout << "safe load pointer success: " << callNode->toString() << std::endl;
+            return;
+        }
+        else
+        {
+            std::string err_msg = "this SAFE_LOAD should be a safe but a null pointer dereference detected. Pos: ";
+            err_msg += callNode->getSourceLoc();
+            std::cerr << err_msg << std::endl;
+            assert(false);
+        }
+    }
 }
 
-void NullptrDerefDetector::detectExtAPI(AbstractState& as, const CallICFGNode* call) {
+void NullptrDerefDetector::detectExtAPI(AbstractState& as, const CallICFGNode* call)
+{
     assert(call->getCalledFunction() && "FunObjVar* is nullptr");
     // get ext type
     // get argument index which are nullptr deref checkpoints for extapi
     std::vector<u32_t> tmp_args;
-    for (const std::string &annotation: ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction())){
+    for (const std::string &annotation: ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
+    {
         if (annotation.find("MEMCPY") != std::string::npos)
         {
-            if (call->arg_size() < 4) {
+            if (call->arg_size() < 4)
+            {
                 // for memcpy(void* dest, const void* src, size_t n)
                 tmp_args.push_back(0);
                 tmp_args.push_back(1);
             }
-            else {
+            else
+            {
                 // for unsigned long iconv(void* cd, char **restrict inbuf, unsigned long *restrict inbytesleft, char **restrict outbuf, unsigned long *restrict outbytesleft)
                 tmp_args.push_back(1);
                 tmp_args.push_back(2);
@@ -631,11 +648,13 @@ void NullptrDerefDetector::detectExtAPI(AbstractState& as, const CallICFGNode* c
         }
     }
 
-    for (const auto &arg: tmp_args) {
+    for (const auto &arg: tmp_args)
+    {
         if (call->arg_size() <= arg)
             continue;
         const SVFVar* argVal = call->getArgument(arg);
-        if (argVal && !canSafelyDerefPtr(as, argVal)) {
+        if (argVal && !canSafelyDerefPtr(as, argVal))
+        {
             AEException bug(call->toString());
             addBugToReporter(bug, call);
         }
@@ -649,8 +668,10 @@ bool NullptrDerefDetector::canSafelyDerefPtr(AbstractState& as, const SVFVar* va
     AbstractValue AbsVal = as[value_id];
     if (isUninit(AbsVal)) return false;
     if (!AbsVal.isAddr()) return true;
-    for (const auto &addr: AbsVal.getAddrs()) {
-        if (AbstractState::isInvalidMem(addr)) {
+    for (const auto &addr: AbsVal.getAddrs())
+    {
+        if (AbstractState::isInvalidMem(addr))
+        {
             return false;
         }
         else if (AbstractState::isNullMem(addr))

package/svf/lib/AE/Svfexe/AbsExtAPI.cpp

@@ -340,32 +340,37 @@ void AbsExtAPI::initExtFunMap()
     };
     func_map["recv"] = sse_recv;
     func_map["__recv"] = sse_recv;
-     
-     auto sse_free = [&](const CallICFGNode *callNode)
-     {
-         if (callNode->arg_size() < 1) return;
-         AbstractState& as = getAbsStateFromTrace(callNode);
-         const u32_t freePtr = callNode->getArgument(0)->getId();
-         for (auto addr: as[freePtr].getAddrs()) {
-             if (AbstractState::isInvalidMem(addr)) {
-                 // double free here.
-             } else
-             {
-                 as.addToFreedAddrs(addr);
-             }
-         }
-     };
-     // Add all free-related functions to func_map
-     std::vector<std::string> freeFunctions = {
-         "VOS_MemFree", "cfree", "free", "free_all_mem", "freeaddrinfo",
-         "gcry_mpi_release", "gcry_sexp_release", "globfree", "nhfree",
-         "obstack_free", "safe_cfree", "safe_free", "safefree", "safexfree",
-         "sm_free", "vim_free", "xfree", "SSL_CTX_free", "SSL_free", "XFree"
-     };
-
-     for (const auto& name : freeFunctions) {
-         func_map[name] = sse_free;
-     }
+
+    auto sse_free = [&](const CallICFGNode *callNode)
+    {
+        if (callNode->arg_size() < 1) return;
+        AbstractState& as = getAbsStateFromTrace(callNode);
+        const u32_t freePtr = callNode->getArgument(0)->getId();
+        for (auto addr: as[freePtr].getAddrs())
+        {
+            if (AbstractState::isInvalidMem(addr))
+            {
+                // double free here.
+            }
+            else
+            {
+                as.addToFreedAddrs(addr);
+            }
+        }
+    };
+    // Add all free-related functions to func_map
+    std::vector<std::string> freeFunctions =
+    {
+        "VOS_MemFree", "cfree", "free", "free_all_mem", "freeaddrinfo",
+        "gcry_mpi_release", "gcry_sexp_release", "globfree", "nhfree",
+        "obstack_free", "safe_cfree", "safe_free", "safefree", "safexfree",
+        "sm_free", "vim_free", "xfree", "SSL_CTX_free", "SSL_free", "XFree"
+    };
+
+    for (const auto& name : freeFunctions)
+    {
+        func_map[name] = sse_free;
+    }
 };
 
 AbstractState& AbsExtAPI::getAbsStateFromTrace(const SVF::ICFGNode* node)

package/svf/lib/AE/Svfexe/AbstractInterpretation.cpp

@@ -275,7 +275,8 @@ bool AbstractInterpretation::isCmpBranchFeasible(const CmpStmt* cmpStmt, s64_t s
     NodeID res_id = cmpStmt->getResID();
     s32_t predicate = cmpStmt->getPredicate();
     // if op0 or op1 is nullptr, no need to change value, just copy the state
-    if (op0 == IRGraph::NullPtr || op1 == IRGraph::NullPtr) {
+    if (op0 == IRGraph::NullPtr || op1 == IRGraph::NullPtr)
+    {
         as = new_es;
         return true;
     }
@@ -1325,7 +1326,8 @@ void AbstractInterpretation::updateStateOnCmp(const CmpStmt *cmp)
         as[res] = resVal;
     }
     // if op0 or op1 is nullptr, compare abstractValue instead of touching addr or interval
-    else if (op0 == IRGraph::NullPtr || op1 == IRGraph::NullPtr) {
+    else if (op0 == IRGraph::NullPtr || op1 == IRGraph::NullPtr)
+    {
         u32_t res = cmp->getResID();
         IntervalValue resVal = (as[op0].equals(as[op1])) ? IntervalValue(1, 1) : IntervalValue(0, 0);
         as[res] = resVal;