svf-tools 1.0.657 → 1.0.659

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.657",
+  "version": "1.0.659",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/CFL/CFLAlias.h

@@ -51,6 +51,10 @@ public:
     /// Initialize the grammar, graph, solver
     virtual void initialize();
 
+    /// Initialize Solver
+    virtual void initializeSolver();
+
+
     /// Print grammar and graph
     virtual void finalize();
 
@@ -143,9 +147,19 @@ public:
     POCRAlias(SVFIR* ir) : CFLAlias(ir)
     {
     }
+    /// Initialize POCR Solver
+    virtual void initializeSolver();
+};
 
-    /// Initialize the grammar, graph, CFLData, solver
-    virtual void initialize();
+class POCRHybrid : public CFLAlias
+{
+public:
+    POCRHybrid(SVFIR* ir) : CFLAlias(ir)
+    {
+    }
+
+    /// Initialize POCRHybrid Solver
+    virtual void initializeSolver();
 };
 } // End namespace SVF
 

package/svf/include/CFL/CFLGrammar.txt

@@ -3,7 +3,7 @@ Start:
 Terminal:
    addr copy store load gep vgep 
 Productions:
-   F -> epsilon | F copy | addr Memflow | F store V load | store Memflow load;
+   F -> epsilon | F copy | addr Memflow | F store V load | store Memflow load | F F;
    Fbar -> epsilon | copybar Fbar | Memflowbar addrbar | loadbar V storebar Fbar | loadbar Memflowbar storebar;
    V -> Fbar V F | addrbar addr | gepbar_i V gep_i | gepbarpath V gep_0 | gepbar_i F gep_i | gepbar_i Fbar gep_i;
    copy -> vgep;

package/svf/include/CFL/CFLSolver.h

@@ -40,112 +40,6 @@ namespace SVF
 {
 typedef GrammarBase::Symbol Label;
 
-/*!
- * Hybrid graph representation for transitive relations
- * The implementation is based on
- * Yuxiang Lei, Yulei Sui, Shuo Ding, and Qirun Zhang.
- * Taming Transitive Redundancy for Context-Free Language Reachability.
- * ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications
- */
-class HybridData
-{
-public:
-    struct TreeNode
-    {
-        NodeID id;
-        std::unordered_set<TreeNode*> children;
-
-        TreeNode(NodeID nId) : id(nId)
-        {}
-
-        ~TreeNode()
-        {
-        }
-
-        inline bool operator==(const TreeNode& rhs) const
-        {
-            return id == rhs.id;
-        }
-
-        inline bool operator<(const TreeNode& rhs) const
-        {
-            return id < rhs.id;
-        }
-    };
-
-
-public:
-    Map<NodeID, std::unordered_map<NodeID, TreeNode*>> indMap;   // indMap[v][u] points to node v in tree(u)
-
-    HybridData()
-    {}
-
-    ~HybridData()
-    {
-        for (auto iter1: indMap)
-        {
-            for (auto iter2: iter1.second)
-            {
-                delete iter2.second;
-                iter2.second = NULL;
-            }
-        }
-    }
-
-    bool hasInd(NodeID src, NodeID dst)
-    {
-        auto it = indMap.find(dst);
-        if (it == indMap.end())
-            return false;
-        return (it->second.find(src) != it->second.end());
-    }
-
-    /// Add a node dst to tree(src)
-    TreeNode* addInd(NodeID src, NodeID dst)
-    {
-        auto resIns = indMap[dst].insert(std::make_pair(src, new TreeNode(dst)));
-        if (resIns.second)
-            return resIns.first->second;
-        return nullptr;
-    }
-
-    /// Get the node dst in tree(src)
-    TreeNode* getNode(NodeID src, NodeID dst)
-    {
-        return indMap[dst][src];
-    }
-
-    /// add v into desc(x) as a child of u
-    void insertEdge(TreeNode* u, TreeNode* v)
-    {
-        u->children.insert(v);
-    }
-
-    void addArc(NodeID src, NodeID dst)
-    {
-        if (!hasInd(src, dst))
-        {
-            for (auto iter: indMap[src])
-            {
-                meld(iter.first, getNode(iter.first, src), getNode(dst, dst));
-            }
-        }
-    }
-
-    void meld(NodeID x, TreeNode* uNode, TreeNode* vNode)
-    {
-        TreeNode* newVNode = addInd(x, vNode->id);
-        if (!newVNode)
-            return;
-
-        insertEdge(uNode, newVNode);
-        for (TreeNode* vChild: vNode->children)
-        {
-            meld(x, newVNode, vChild);
-        }
-    }
-};
-
 class CFLSolver
 {
 
@@ -389,6 +283,92 @@ public:
 
     virtual void initialize();
 };
+/*!
+ * Hybrid graph representation for transitive relations
+ * The implementation is based on
+ * Yuxiang Lei, Yulei Sui, Shuo Ding, and Qirun Zhang.
+ * Taming Transitive Redundancy for Context-Free Language Reachability.
+ * ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications
+ */
+/// Solver Utilize Hybrid Representation of Graph
+class POCRHybridSolver : public POCRSolver
+{
+//Hybrid
+//{@
+public:
+    struct TreeNode
+    {
+        NodeID id;
+        std::unordered_set<TreeNode*> children;
+
+        TreeNode(NodeID nId) : id(nId)
+        {}
+
+        ~TreeNode()
+        {
+        }
+
+        inline bool operator==(const TreeNode& rhs) const
+        {
+            return id == rhs.id;
+        }
+
+        inline bool operator<(const TreeNode& rhs) const
+        {
+            return id < rhs.id;
+        }
+    };
+
+public:
+    Map<NodeID, std::unordered_map<NodeID, TreeNode*>> indMap;   // indMap[v][u] points to node v in tree(u)
+
+    bool hasInd_h(NodeID src, NodeID dst);
+
+    /// Add a node dst to tree(src)
+    TreeNode* addInd_h(NodeID src, NodeID dst);
+
+    /// Get the node dst in tree(src)
+    TreeNode* getNode_h(NodeID src, NodeID dst)
+    {
+        return indMap[dst][src];
+    }
+
+    /// add v into desc(x) as a child of u
+    void insertEdge_h(TreeNode* u, TreeNode* v)
+    {
+        u->children.insert(v);
+    }
+
+    void addArc_h(NodeID src, NodeID dst);
+
+    void meld_h(NodeID x, TreeNode* uNode, TreeNode* vNode);
+//@}
+public:
+    POCRHybridSolver(CFLGraph* _graph, CFLGrammar* _grammar) : POCRSolver(_graph, _grammar)
+    {
+    }
+    /// Destructor
+    virtual ~POCRHybridSolver()
+    {
+        for (auto iter1: indMap)
+        {
+            for (auto iter2: iter1.second)
+            {
+                delete iter2.second;
+                iter2.second = NULL;
+            }
+        }
+    }
+
+    /// Process CFLEdge
+    virtual void processCFLEdge(const CFLEdge* Y_edge);
+
+    virtual void initialize();
+
+public:
+    void addArc(NodeID src, NodeID dst);
+    void meld(NodeID x, TreeNode* uNode, TreeNode* vNode);
+};
 }
 
 #endif /* INCLUDE_CFL_CFLSolver_H_*/

package/svf/include/Util/Options.h

@@ -223,6 +223,9 @@ public:
     // SaberCondAllocator.cpp
     static const Option<bool> PrintPathCond;
 
+    // SaberSVFGBuilder.cpp
+    static const Option<bool> CollectExtRetGlobals;
+
     // SVFUtil.cpp
     static const Option<bool> DisableWarn;
 
@@ -256,6 +259,7 @@ public:
     static const Option<bool>  PEGTransfer;
     static const Option<bool>  CFLSVFG;
     static const Option<bool> POCRAlias;
+    static const Option<bool> POCRHybrid;
 
     // Loop Analysis
     static const Option<bool> LoopAnalysis;

package/svf/lib/CFL/CFLAlias.cpp

@@ -201,6 +201,11 @@ void CFLAlias::initialize()
     normalizeCFLGrammar();
 
     // Initialize sovler
+    initializeSolver();
+}
+
+void CFLAlias::initializeSolver()
+{
     solver = new CFLSolver(graph, grammar);
 }
 
@@ -238,19 +243,12 @@ void CFLAlias::solve()
     timeOfSolving += (end - start) / TIMEINTERVAL;
 }
 
-void POCRAlias::initialize()
+void POCRAlias::initializeSolver()
 {
-    stat = new CFLStat(this);
-
-    // Build CFL Grammar
-    buildCFLGrammar();
-
-    // Build CFL Graph
-    buildCFLGraph();
-
-    // Normalize CFL Grammar
-    normalizeCFLGrammar();
-
-    // Initialize POCRSolver
     solver = new POCRSolver(graph, grammar);
 }
+
+void POCRHybrid::initializeSolver()
+{
+    solver = new POCRHybridSolver(graph, grammar);
+}

package/svf/lib/CFL/CFLSolver.cpp

@@ -191,15 +191,110 @@ void POCRSolver::processCFLEdge(const CFLEdge* Y_edge)
 
 void POCRSolver::initialize()
 {
-    for(auto it = graph->begin(); it!= graph->end(); it++)
+    for(auto edge : graph->getCFLEdges())
     {
-        for(const CFLEdge* edge : (*it).second->getOutEdges())
+        pushIntoWorklist(edge);
+    }
+
+    /// Foreach production X -> epsilon
+    ///     add X(i,i) if not exist to E and to worklist
+    for(const Production& prod : grammar->getEpsilonProds())
+    {
+        for(auto IDMap : getSuccMap())
         {
-            pushIntoWorklist(edge);
+            Symbol X = grammar->getLHSSymbol(prod);
+            if (addEdge(IDMap.first, IDMap.first, X))
+            {
+                CFLNode* i = graph->getGNode(IDMap.first);
+                const CFLEdge* newEdge = graph->addCFLEdge(i, i, X);
+                pushIntoWorklist(newEdge);
+            }
         }
     }
+}
+
+void POCRHybridSolver::processCFLEdge(const CFLEdge* Y_edge)
+{
+    CFLNode* i = Y_edge->getSrcNode();
+    CFLNode* j = Y_edge->getDstNode();
+
+    /// For each production X -> Y
+    ///     add X(i,j) if not exist to E and to worklist
+    Symbol Y = Y_edge->getEdgeKind();
+    if (grammar->hasProdsFromSingleRHS(Y))
+        for(const Production& prod : grammar->getProdsFromSingleRHS(Y))
+        {
+            Symbol X = grammar->getLHSSymbol(prod);
+            numOfChecks++;
+            if (addEdge(i->getId(), j->getId(), X))
+            {
+                const CFLEdge* newEdge = graph->addCFLEdge(Y_edge->getSrcNode(), Y_edge->getDstNode(), X);
+                pushIntoWorklist(newEdge);
+            }
+
+        }
+
+    /// For each production X -> Y Z
+    /// Foreach outgoing edge Z(j,k) from node j do
+    ///     add X(i,k) if not exist to E and to worklist
+    if (grammar->hasProdsFromFirstRHS(Y))
+        for(const Production& prod : grammar->getProdsFromFirstRHS(Y))
+        {
+            if ((grammar->getLHSSymbol(prod) == grammar->str2Symbol("F")) && (Y == grammar->str2Symbol("F")) && (grammar->getSecondRHSSymbol(prod) == grammar->str2Symbol("F")))
+            {
+                addArc(i->getId(), j->getId());
+            }
+            else
+            {
+                Symbol X = grammar->getLHSSymbol(prod);
+                NodeBS diffDsts = addEdges(i->getId(), getSuccMap(j->getId())[grammar->getSecondRHSSymbol(prod)], X);
+                numOfChecks += getSuccMap(j->getId())[grammar->getSecondRHSSymbol(prod)].count();
+                for (NodeID diffDst: diffDsts)
+                {
+                    const CFLEdge* newEdge = graph->addCFLEdge(i, graph->getGNode(diffDst), X);
+                    pushIntoWorklist(newEdge);
+                }
+            }
+        }
+
+    /// For each production X -> Z Y
+    /// Foreach incoming edge Z(k,i) to node i do
+    ///     add X(k,j) if not exist to E and to worklist
+    if(grammar->hasProdsFromSecondRHS(Y))
+        for(const Production& prod : grammar->getProdsFromSecondRHS(Y))
+        {
+            if ((grammar->getLHSSymbol(prod) == grammar->str2Symbol("F")) && (Y == grammar->str2Symbol("F")) && (grammar->getFirstRHSSymbol(prod) == grammar->str2Symbol("F")))
+            {
+                addArc(i->getId(), j->getId());
+            }
+            else
+            {
+                Symbol X = grammar->getLHSSymbol(prod);
+                NodeBS diffSrcs = addEdges(getPredMap(i->getId())[grammar->getFirstRHSSymbol(prod)], j->getId(), X);
+                numOfChecks += getPredMap(i->getId())[grammar->getFirstRHSSymbol(prod)].count();
+                for (NodeID diffSrc: diffSrcs)
+                {
+                    const CFLEdge* newEdge = graph->addCFLEdge(graph->getGNode(diffSrc), j, X);
+                    pushIntoWorklist(newEdge);
+                }
+            }
+        }
+}
+
+void POCRHybridSolver::initialize()
+{
+    for(auto edge : graph->getCFLEdges())
+    {
+        pushIntoWorklist(edge);
+    }
+
+    // init hybrid dataset
+    for (auto it = graph->begin(); it != graph->end(); ++it)
+    {
+        NodeID nId = it->first;
+        addInd_h(nId, nId);
+    }
 
-    /// Foreach production X -> epsilon
     ///     add X(i,i) if not exist to E and to worklist
     for(const Production& prod : grammar->getEpsilonProds())
     {
@@ -214,4 +309,73 @@ void POCRSolver::initialize()
             }
         }
     }
+}
+
+void POCRHybridSolver::addArc(NodeID src, NodeID dst)
+{
+    if(hasEdge(src, dst, grammar->str2Symbol("F")))
+        return;
+
+    for (auto& iter: indMap[src])
+    {
+        meld(iter.first, getNode_h(iter.first, src), getNode_h(dst, dst));
+    }
+}
+
+
+void POCRHybridSolver::meld(NodeID x, TreeNode* uNode, TreeNode* vNode)
+{
+    numOfChecks++;
+
+    TreeNode* newVNode = addInd_h(x, vNode->id);
+    if (!newVNode)
+        return;
+
+    insertEdge_h(uNode, newVNode);
+    for (TreeNode* vChild: vNode->children)
+    {
+        meld_h(x, newVNode, vChild);
+    }
+}
+
+bool POCRHybridSolver::hasInd_h(NodeID src, NodeID dst)
+{
+    auto it = indMap.find(dst);
+    if (it == indMap.end())
+        return false;
+    return (it->second.find(src) != it->second.end());
+}
+
+POCRHybridSolver::TreeNode* POCRHybridSolver::addInd_h(NodeID src, NodeID dst)
+{
+    TreeNode* newNode = new TreeNode(dst);
+    auto resIns = indMap[dst].insert(std::make_pair(src, newNode));
+    if (resIns.second)
+        return resIns.first->second;
+    delete newNode;
+    return nullptr;
+}
+
+void POCRHybridSolver::addArc_h(NodeID src, NodeID dst)
+{
+    if (!hasInd_h(src, dst))
+    {
+        for (auto iter: indMap[src])
+        {
+            meld_h(iter.first, getNode_h(iter.first, src), getNode_h(dst, dst));
+        }
+    }
+}
+
+void POCRHybridSolver::meld_h(NodeID x, TreeNode* uNode, TreeNode* vNode)
+{
+    TreeNode* newVNode = addInd_h(x, vNode->id);
+    if (!newVNode)
+        return;
+
+    insertEdge_h(uNode, newVNode);
+    for (TreeNode* vChild: vNode->children)
+    {
+        meld_h(x, newVNode, vChild);
+    }
 }

package/svf/lib/SABER/SaberSVFGBuilder.cpp

@@ -31,6 +31,7 @@
 #include "SABER/SaberCheckerAPI.h"
 #include "MemoryModel/PointerAnalysisImpl.h"
 #include "Graphs/SVFG.h"
+#include "Util/Options.h"
 
 using namespace SVF;
 using namespace SVFUtil;
@@ -99,17 +100,48 @@ void SaberSVFGBuilder::collectGlobals(BVDataPTAImpl* pta)
     }
 }
 
-PointsTo& SaberSVFGBuilder::CollectPtsChain(BVDataPTAImpl* pta,NodeID id, NodeToPTSSMap& cachedPtsMap)
+
+/*
+ * https://github.com/SVF-tools/SVF/issues/991
+ *
+ * Originally, this function will collect all base pointers with all their fields
+ * inside the points-to set of global variables. But if a global variable points
+ * to the pointer returned by malloc() at some program points, then all pointers
+ * returned by malloc() will be included in the global set because of the
+ * context-insensitive pointer analysis results. This will make saber abandon
+ * too many slicing thus miss potential bugs.
+ *
+ * We add an option "saber-collect-extret-globals" to control whether this function
+ * will collect external functions' returned pointers. This option is true by default,
+ * making it to be false will let saber analyze more slicing but cause performance downgrade.
+ *
+ */
+PointsTo& SaberSVFGBuilder::CollectPtsChain(BVDataPTAImpl* pta, NodeID id, NodeToPTSSMap& cachedPtsMap)
 {
     SVFIR* pag = svfg->getPAG();
 
     NodeID baseId = pag->getBaseObjVar(id);
     NodeToPTSSMap::iterator it = cachedPtsMap.find(baseId);
     if(it!=cachedPtsMap.end())
+    {
         return it->second;
+    }
     else
     {
         PointsTo& pts = cachedPtsMap[baseId];
+        // base object
+        if (!Options::CollectExtRetGlobals())
+        {
+            if(pta->isFIObjNode(baseId) && pag->getGNode(baseId)->hasValue())
+            {
+                const SVFCallInst* inst = SVFUtil::dyn_cast<SVFCallInst>(pag->getGNode(baseId)->getValue());
+                if(inst && SVFUtil::isExtCall(inst))
+                {
+                    return pts;
+                }
+            }
+        }
+
         pts |= pag->getFieldsAfterCollapse(baseId);
 
         WorkList worklist;
@@ -127,7 +159,6 @@ PointsTo& SaberSVFGBuilder::CollectPtsChain(BVDataPTAImpl* pta,NodeID id, NodeTo
         }
         return pts;
     }
-
 }
 
 /*!

package/svf/lib/Util/Options.cpp

@@ -679,6 +679,14 @@ const Option<bool> Options::PrintPathCond(
 );
 
 
+// SaberSVFGBuilder.cpp
+const Option<bool> Options::CollectExtRetGlobals(
+    "saber-collect-extret-globals",
+    "Don't include pointers returned by external function during collecting globals",
+    true
+);
+
+
 // SVFUtil.cpp
 const Option<bool> Options::DisableWarn(
     "dwarn",
@@ -829,6 +837,12 @@ const Option<bool> Options::POCRAlias(
     false
 );
 
+const Option<bool> Options::POCRHybrid(
+    "pocr-hybrid",
+    "When explicit to true, POCRHybridSolver transfer CFL graph to internal hybird graph representation.",
+    false
+);
+
 const Option<bool> Options::LoopAnalysis(
     "loop-analysis",
     "Analyze every func and get loop info and loop bounds.",
@@ -841,4 +855,4 @@ const Option<u32_t> Options::LoopBound(
     1
 );
 
-} // namespace SVF.
+} // namespace SVF.

package/svf-llvm/tools/CFL/cfl.cpp

@@ -59,6 +59,8 @@ int main(int argc, char ** argv)
     std::unique_ptr<CFLBase> cfl;
     if (Options::CFLSVFG())
         cfl = std::make_unique<CFLVF>(svfir);
+    else if (Options::POCRHybrid())
+        cfl = std::make_unique<POCRHybrid>(svfir);
     else if (Options::POCRAlias())
         cfl = std::make_unique<POCRAlias>(svfir);
     else