svf-tools 1.0.1254 → 1.0.1256

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.1254",
+  "version": "1.0.1256",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/Graphs/IRGraph.h

@@ -260,7 +260,6 @@ public:
     {
         return nullPtrSymID();
     }
-
     u32_t getValueNodeNum();
 
     u32_t getObjectNodeNum();

package/svf/lib/AE/Svfexe/AbstractInterpretation.cpp

@@ -205,19 +205,12 @@ void AbstractInterpretation::handleGlobalNode()
         handleSVFStatement(stmt);
     }
 
-    // BlkPtr represents a pointer whose target is statically unknown (e.g., from
-    // int2ptr casts, external function returns, or unmodeled instructions like
-    // AtomicCmpXchg). It should be an address pointing to the BlackHole object
-    // (ID=2), NOT an interval top.
-    //
-    // History: this was originally set to IntervalValue::top() as a quick fix when
-    // the analysis crashed on programs containing uninitialized BlkPtr. However,
-    // BlkPtr is semantically a *pointer* (address domain), not a numeric value
-    // (interval domain). Setting it to interval top broke cross-domain consistency:
-    // the interval domain and address domain gave contradictory information for the
-    // same variable. The correct representation is an AddressValue containing the
-    // BlackHole virtual address, which means "points to unknown memory".
-    abstractTrace[node][PAG::getPAG()->getBlkPtr()] = AddressValue(BlackHoleObjAddr);
+    // BlkPtr is the canonical unknown value.  Keep its address-domain meaning
+    // for pointer uses, and also give it numeric top so external-input stores
+    // can flow through ordinary store/load state as [-inf, +inf].
+    AbstractValue blkPtrValue(IntervalValue::top());
+    blkPtrValue.getAddrs().insert(BlackHoleObjAddr);
+    abstractTrace[node][PAG::getPAG()->getBlkPtr()] = blkPtrValue;
 }
 
 /// Pull-based state merge: for each predecessor that has an abstract state,
@@ -1361,4 +1354,3 @@ void AbstractInterpretation::updateStateOnCopy(const CopyStmt *copy)
 }
 
 
-

package/svf-llvm/include/SVF-LLVM/SVFIRBuilder.h

@@ -243,6 +243,7 @@ protected:
     //@{
     virtual const Type *getBaseTypeAndFlattenedFields(const Value *V, std::vector<AccessPath> &fields, const Value* szValue);
     virtual void addComplexConsForExt(Value *D, Value *S, const Value* sz);
+    virtual void handleNondetArgStoreAtExtCall(const CallBase* cs, const CallICFGNode* callICFGNode);
     virtual void handleExtCall(const CallBase* cs, const Function* callee);
     //@}
 

package/svf-llvm/lib/SVFIRExtAPI.cpp

@@ -32,6 +32,7 @@
 #include "SVF-LLVM/SymbolTableBuilder.h"
 #include "SVF-LLVM/ObjTypeInference.h"
 #include "Graphs/CallGraph.h"
+#include "Util/ExtAPI.h"
 
 using namespace std;
 using namespace SVF;
@@ -48,6 +49,44 @@ struct MemcpyField
     const SVFType* elementType;
 };
 
+bool parseNondetArgStoreAtExtCall(const std::string& annotation, u32_t& firstArg)
+{
+    const std::string prefix = "STORE_TOP:Arg";
+    const size_t start = annotation.find(prefix);
+    if (start == std::string::npos)
+        return false;
+
+    size_t idx = start + prefix.size();
+    if (idx >= annotation.size() || annotation[idx] < '0' || annotation[idx] > '9')
+        return false;
+
+    firstArg = 0;
+    do
+    {
+        firstArg = firstArg * 10 + static_cast<u32_t>(annotation[idx] - '0');
+        ++idx;
+    }
+    while (idx < annotation.size() && annotation[idx] >= '0' && annotation[idx] <= '9');
+
+    return idx < annotation.size() && annotation[idx] == '+';
+}
+
+bool hasNondetArgStoreAtExtCall(const CallICFGNode* callICFGNode)
+{
+    const FunObjVar* extFun = callICFGNode->getCalledFunction();
+    if (extFun == nullptr)
+        return false;
+
+    for (const std::string& annotation :
+            ExtAPI::getExtAPI()->getExtFuncAnnotations(extFun))
+    {
+        u32_t firstArg = 0;
+        if (parseNondetArgStoreAtExtCall(annotation, firstArg))
+            return true;
+    }
+    return false;
+}
+
 void collectMemcpyFields(
     const Type* llvmType,
     const SVFType* svfType,
@@ -209,41 +248,40 @@ void SVFIRBuilder::addComplexConsForExt(Value *D, Value *S, const Value* szValue
         const SVFType* srcSVFType = llvmModuleSet()->getSVFType(srcLayoutType);
         std::vector<MemcpyField> dstMemcpyFields = getMemcpyFields(D, dstLayoutType, dstSVFType);
         std::vector<MemcpyField> srcMemcpyFields = getMemcpyFields(S, srcLayoutType, srcSVFType);
-        if (dstMemcpyFields.empty() || srcMemcpyFields.empty())
-            goto fallback_memcpy_copy;
-
-        std::unordered_map<APOffset, MemcpyField> srcFieldsByByteOffset;
-        for (const auto& field : srcMemcpyFields)
-            srcFieldsByByteOffset.emplace(field.byteOffset, field);
-
-        const DataLayout& dl = llvmModuleSet()->getMainLLVMModule()->getDataLayout();
-        APOffset copyBytes = std::min<APOffset>(
-                                 static_cast<APOffset>(dl.getTypeAllocSize(const_cast<Type*>(dstLayoutType))),
-                                 static_cast<APOffset>(dl.getTypeAllocSize(const_cast<Type*>(srcLayoutType))));
-        if (szValue && SVFUtil::isa<ConstantInt>(szValue))
-        {
-            auto szIntVal = LLVMUtil::getIntegerValue(SVFUtil::cast<ConstantInt>(szValue));
-            copyBytes = std::min(copyBytes, static_cast<APOffset>(szIntVal.first));
-        }
-
-        for (const auto& dstField : dstMemcpyFields)
+        if (!dstMemcpyFields.empty() && !srcMemcpyFields.empty())
         {
-            if (dstField.byteOffset >= copyBytes)
-                continue;
-            auto it = srcFieldsByByteOffset.find(dstField.byteOffset);
-            if (it == srcFieldsByByteOffset.end())
-                continue;
+            std::unordered_map<APOffset, MemcpyField> srcFieldsByByteOffset;
+            for (const auto& field : srcMemcpyFields)
+                srcFieldsByByteOffset.emplace(field.byteOffset, field);
+
+            const DataLayout& dl = llvmModuleSet()->getMainLLVMModule()->getDataLayout();
+            APOffset copyBytes = std::min<APOffset>(
+                                     static_cast<APOffset>(dl.getTypeAllocSize(const_cast<Type*>(dstLayoutType))),
+                                     static_cast<APOffset>(dl.getTypeAllocSize(const_cast<Type*>(srcLayoutType))));
+            if (szValue && SVFUtil::isa<ConstantInt>(szValue))
+            {
+                auto szIntVal = LLVMUtil::getIntegerValue(SVFUtil::cast<ConstantInt>(szValue));
+                copyBytes = std::min(copyBytes, static_cast<APOffset>(szIntVal.first));
+            }
 
-            NodeID dField = getGepValVar(dstFieldBase, dstField.accessPath, dstField.elementType);
-            NodeID sField = getGepValVar(srcFieldBase, it->second.accessPath, it->second.elementType);
-            NodeID dummy = pag->addDummyValNode();
-            addLoadEdge(sField, dummy);
-            addStoreEdge(dummy, dField);
+            for (const auto& dstField : dstMemcpyFields)
+            {
+                if (dstField.byteOffset >= copyBytes)
+                    continue;
+                auto it = srcFieldsByByteOffset.find(dstField.byteOffset);
+                if (it == srcFieldsByByteOffset.end())
+                    continue;
+
+                NodeID dField = getGepValVar(dstFieldBase, dstField.accessPath, dstField.elementType);
+                NodeID sField = getGepValVar(srcFieldBase, it->second.accessPath, it->second.elementType);
+                NodeID dummy = pag->addDummyValNode();
+                addLoadEdge(sField, dummy);
+                addStoreEdge(dummy, dField);
+            }
+            return;
         }
-        return;
     }
 
-fallback_memcpy_copy:
     //For each field (i), add (Ti = *S + i) and (*D + i = Ti).
     for (u32_t index = 0; index < sz; index++)
     {
@@ -260,11 +298,52 @@ fallback_memcpy_copy:
     }
 }
 
+void SVFIRBuilder::handleNondetArgStoreAtExtCall(const CallBase* cs, const CallICFGNode* callICFGNode)
+{
+    Set<u32_t> storeTopArgs;
+    const FunObjVar* extFun = callICFGNode->getCalledFunction();
+    if (extFun)
+    {
+        for (const std::string& annotation :
+                ExtAPI::getExtAPI()->getExtFuncAnnotations(extFun))
+        {
+            u32_t firstArg = 0;
+            if (!parseNondetArgStoreAtExtCall(annotation, firstArg))
+                continue;
+            if (firstArg >= cs->arg_size())
+                continue;
+
+            for (u32_t argIdx = firstArg; argIdx < cs->arg_size(); ++argIdx)
+                storeTopArgs.insert(argIdx);
+        }
+    }
+
+    for (u32_t argIdx : storeTopArgs)
+    {
+        const Value* arg = cs->getArgOperand(argIdx);
+        if (!arg->getType()->isPointerTy())
+            continue;
+
+        const Type* storedType =
+            LLVMModuleSet::getLLVMModuleSet()->getTypeInference()->inferObjType(arg);
+        NodeID src = pag->getBlkPtr();
+        NodeID dst = getValueNode(arg);
+        if (NodeID fieldZero = getDirectAccessFieldZeroValVar(arg, storedType))
+            dst = fieldZero;
+        if (src && dst)
+            addStoreEdge(src, dst);
+    }
+}
+
 void SVFIRBuilder::handleExtCall(const CallBase* cs, const Function* callee)
 {
     const CallICFGNode *callICFGNode = llvmModuleSet()->getCallICFGNode(cs);
 
-    if (isHeapAllocExtCallViaRet(callICFGNode))
+    if (hasNondetArgStoreAtExtCall(callICFGNode))
+    {
+        handleNondetArgStoreAtExtCall(cs, callICFGNode);
+    }
+    else if (isHeapAllocExtCallViaRet(callICFGNode))
     {
         NodeID val = llvmModuleSet()->getValueNode(cs);
         NodeID obj = llvmModuleSet()->getObjectNode(cs);

package/svf-llvm/lib/extapi.c

@@ -18,6 +18,7 @@
         MEMSET,            // memcpy() operations
         MEMCPY,            // memset() operations
         OVERWRITE,         // svf function overwrite app function
+        STORE_TOP:Argi+,   // store nondeterministic top values through argument i and following arguments
 */
 __attribute__((annotate("ALLOC_HEAP_RET"), annotate("AllocSize:Arg0")))
 void *malloc(unsigned long size)
@@ -805,6 +806,42 @@ unsigned long iconv(void* cd, char **__restrict inbuf, unsigned long *__restrict
     return 0;
 }
 
+__attribute__((annotate("STORE_TOP:Arg1+")))
+int scanf(const char *format, ...)
+{
+    return 0;
+}
+
+__attribute__((annotate("STORE_TOP:Arg1+")))
+int __isoc99_scanf(const char *format, ...)
+{
+    return 0;
+}
+
+__attribute__((annotate("STORE_TOP:Arg2+")))
+int fscanf(void *stream, const char *format, ...)
+{
+    return 0;
+}
+
+__attribute__((annotate("STORE_TOP:Arg2+")))
+int __isoc99_fscanf(void *stream, const char *format, ...)
+{
+    return 0;
+}
+
+__attribute__((annotate("STORE_TOP:Arg2+")))
+int sscanf(const char *str, const char *format, ...)
+{
+    return 0;
+}
+
+__attribute__((annotate("STORE_TOP:Arg2+")))
+int __isoc99_sscanf(const char *str, const char *format, ...)
+{
+    return 0;
+}
+
 __attribute__((annotate("OVERWRITE")))
 void* _ZNSt5arrayIPK1ALm2EE4backEv(void *arg)
 {