svf-tools 1.0.698 → 1.0.699

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.698",
+  "version": "1.0.699",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/SABER/FileChecker.h

@@ -73,8 +73,6 @@ public:
     }
     /// Report file/close bugs
     void reportBug(ProgSlice* slice);
-    void reportNeverClose(const SVFGNode* src);
-    void reportPartialClose(const SVFGNode* src);
 };
 
 } // End namespace SVF

package/svf/include/SABER/LeakChecker.h

@@ -93,8 +93,6 @@ protected:
     /// Report leaks
     //@{
     virtual void reportBug(ProgSlice* slice) override;
-    void reportNeverFree(const SVFGNode* src);
-    void reportPartialLeak(const SVFGNode* src);
     //@}
 
     /// Validate test cases for regression test purpose

package/svf/include/SABER/ProgSlice.h

@@ -41,6 +41,7 @@
 #include "Util/WorkList.h"
 #include "Graphs/SVFG.h"
 #include "Util/DPItem.h"
+#include "Util/SVFBugReport.h"
 
 namespace SVF
 {
@@ -201,6 +202,8 @@ public:
     }
     /// Evaluate final condition
     std::string evalFinalCond() const;
+    /// Add final condition to eventStack
+    void evalFinalCond2Event(GenericBug::EventStack &eventStack) const;
     //@}
 
 protected:

package/svf/include/SABER/SrcSnkDDA.h

@@ -37,11 +37,11 @@
 #ifndef SRCSNKANALYSIS_H_
 #define SRCSNKANALYSIS_H_
 
-
-#include "Util/GraphReachSolver.h"
 #include "Graphs/SVFGOPT.h"
 #include "SABER/ProgSlice.h"
 #include "SABER/SaberSVFGBuilder.h"
+#include "Util/GraphReachSolver.h"
+#include "Util/SVFBugReport.h"
 
 namespace SVF
 {
@@ -77,6 +77,7 @@ protected:
     SaberSVFGBuilder memSSA;
     SVFG* svfg;
     PTACallGraph* ptaCallGraph;
+    SVFBugReport report; /// Bug Reporter
 
 public:
 

package/svf/include/Util/SVFBugReport.h

@@ -0,0 +1,424 @@
+//===- SVFBugReport.h -- Base class for statistics---------------------------------//
+//
+//                     SVF: Static Value-Flow Analysis
+//
+// Copyright (C) <2013->  <Yulei Sui>
+//
+
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+//===----------------------------------------------------------------------===//
+
+//
+// Created by JoelYang on 2023/4/19.
+//
+
+#ifndef SVF_BUGRECODER_H
+#define SVF_BUGRECODER_H
+
+#include <vector>
+#include "SVFIR/SVFValue.h"
+#include "SVFIR/SVFVariables.h"
+#include "SVFIR/SVFStatements.h"
+#include "Graphs/ICFGNode.h"
+#include <string>
+#include <map>
+#include "Util/cJSON.h"
+#include <set>
+
+namespace SVF
+{
+
+/*!
+ * Bug Detector Recoder
+ */
+
+
+class GenericEvent
+{
+public:
+    enum EventType {Branch, Caller, CallSite, Loop, SourceInst};
+
+protected:
+    EventType eventType;
+
+public:
+    GenericEvent(EventType eventType): eventType(eventType) { };
+    virtual ~GenericEvent() = default;
+
+    inline EventType getEventType() const
+    {
+        return eventType;
+    }
+    virtual const std::string getEventDescription() const = 0;
+    virtual const std::string getFuncName() const = 0;
+    virtual const std::string getEventLoc() const = 0;
+};
+
+class BranchEvent: public GenericEvent
+{
+    /// branch statement and branch condition true or false
+protected:
+    const SVFInstruction *branchInst;
+    bool branchSuccessFlg;
+
+public:
+    BranchEvent(const SVFInstruction *branchInst, bool branchSuccessFlg):
+        GenericEvent(GenericEvent::Branch), branchInst(branchInst), branchSuccessFlg(branchSuccessFlg) { }
+
+    const std::string getEventDescription() const;
+    const std::string getFuncName() const;
+    const std::string getEventLoc() const;
+
+    /// ClassOf
+    static inline bool classof(const GenericEvent* event)
+    {
+        return event->getEventType() == GenericEvent::Branch;
+    }
+};
+
+class CallSiteEvent: public GenericEvent
+{
+protected:
+    const CallICFGNode *callSite;
+
+public:
+    CallSiteEvent(const CallICFGNode *callSite): GenericEvent(GenericEvent::CallSite), callSite(callSite) { }
+    const std::string getEventDescription() const;
+    const std::string getFuncName() const;
+    const std::string getEventLoc() const;
+
+    /// ClassOf
+    static inline bool classof(const GenericEvent* event)
+    {
+        return event->getEventType() == GenericEvent::CallSite;
+    }
+};
+
+class SourceInstEvent : public GenericEvent
+{
+protected:
+    const SVFInstruction *sourceSVFInst;
+
+public:
+    SourceInstEvent(const SVFInstruction *sourceSVFInst):
+        GenericEvent(GenericEvent::SourceInst), sourceSVFInst(sourceSVFInst) { }
+
+    const std::string getEventDescription() const;
+    const std::string getFuncName() const;
+    const std::string getEventLoc() const;
+
+    /// ClassOf
+    static inline bool classof(const GenericEvent* event)
+    {
+        return event->getEventType() == GenericEvent::SourceInst;
+    }
+};
+
+class GenericBug
+{
+public:
+    typedef std::vector<const GenericEvent *> EventStack;
+
+public:
+    enum BugType {FULLBUFOVERFLOW, PARTIALBUFOVERFLOW, NEVERFREE, PARTIALLEAK, DOUBLEFREE, FILENEVERCLOSE, FILEPARTIALCLOSE};
+
+protected:
+    BugType bugType;
+    EventStack bugEventStack;
+
+public:
+    /// note: should be initialized with a bugEventStack
+    GenericBug(BugType bugType, EventStack bugEventStack):
+        bugType(bugType), bugEventStack(bugEventStack)
+    {
+        assert(bugEventStack.size() != 0 && "bugEventStack should NOT be empty!");
+    }
+    virtual ~GenericBug() = default;
+    //GenericBug(const GenericBug &) = delete;
+    /// returns bug type
+    inline BugType getBugType() const
+    {
+        return bugType;
+    }
+    /// returns bug location as json format string
+    const std::string getLoc() const;
+    /// return bug source function name
+    const std::string getFuncName() const;
+
+    inline const EventStack& getEventStack() const
+    {
+        return bugEventStack;
+    }
+
+    virtual cJSON *getBugDescription() const = 0;
+    virtual void printBugToTerminal() const = 0;
+};
+
+class BufferOverflowBug: public GenericBug
+{
+protected:
+    s64_t allocLowerBound, allocUpperBound, accessLowerBound, accessUpperBound;
+
+public:
+    BufferOverflowBug(GenericBug::BugType bugType, const EventStack &eventStack,
+                      s64_t allocLowerBound, s64_t allocUpperBound,
+                      s64_t accessLowerBound, s64_t accessUpperBound):
+        GenericBug(bugType, eventStack), allocLowerBound(allocLowerBound),
+        allocUpperBound(allocUpperBound), accessLowerBound(accessLowerBound),
+        accessUpperBound(accessUpperBound) { }
+
+    cJSON *getBugDescription() const;
+    void printBugToTerminal() const;
+
+    /// ClassOf
+    static inline bool classof(const GenericBug *bug)
+    {
+        return bug->getBugType() == GenericBug::PARTIALBUFOVERFLOW || bug->getBugType() == GenericBug::FULLBUFOVERFLOW;
+    }
+};
+
+class FullBufferOverflowBug: public BufferOverflowBug
+{
+public:
+    FullBufferOverflowBug(const EventStack &eventStack,
+                          s64_t allocLowerBound, s64_t allocUpperBound,
+                          s64_t accessLowerBound, s64_t accessUpperBound):
+        BufferOverflowBug(GenericBug::FULLBUFOVERFLOW, eventStack, allocLowerBound,
+                          allocUpperBound, accessLowerBound, accessUpperBound) { }
+
+    /// ClassOf
+    static inline bool classof(const GenericBug *bug)
+    {
+        return bug->getBugType() == GenericBug::FULLBUFOVERFLOW;
+    }
+};
+
+class PartialBufferOverflowBug: public BufferOverflowBug
+{
+public:
+    PartialBufferOverflowBug( const EventStack &eventStack,
+                              s64_t allocLowerBound, s64_t allocUpperBound,
+                              s64_t accessLowerBound, s64_t accessUpperBound):
+        BufferOverflowBug(GenericBug::PARTIALBUFOVERFLOW, eventStack, allocLowerBound,
+                          allocUpperBound, accessLowerBound, accessUpperBound) { }
+
+    /// ClassOf
+    static inline bool classof(const GenericBug *bug)
+    {
+        return bug->getBugType() == GenericBug::PARTIALBUFOVERFLOW;
+    }
+};
+
+class NeverFreeBug : public GenericBug
+{
+public:
+    NeverFreeBug(const EventStack &bugEventStack):
+        GenericBug(GenericBug::NEVERFREE, bugEventStack) {  };
+
+    cJSON *getBugDescription() const;
+    void printBugToTerminal() const;
+
+    /// ClassOf
+    static inline bool classof(const GenericBug *bug)
+    {
+        return bug->getBugType() == GenericBug::NEVERFREE;
+    }
+};
+
+class PartialLeakBug : public GenericBug
+{
+public:
+    PartialLeakBug(const EventStack &bugEventStack):
+        GenericBug(GenericBug::PARTIALLEAK, bugEventStack) { }
+
+    cJSON *getBugDescription() const;
+    void printBugToTerminal() const;
+
+    /// ClassOf
+    static inline bool classof(const GenericBug *bug)
+    {
+        return bug->getBugType() == GenericBug::PARTIALLEAK;
+    }
+};
+
+class DoubleFreeBug : public GenericBug
+{
+public:
+    DoubleFreeBug(const EventStack &bugEventStack):
+        GenericBug(GenericBug::PARTIALLEAK, bugEventStack) { }
+
+    cJSON *getBugDescription() const;
+    void printBugToTerminal() const;
+
+    /// ClassOf
+    static inline bool classof(const GenericBug *bug)
+    {
+        return bug->getBugType() == GenericBug::DOUBLEFREE;
+    }
+};
+
+class FileNeverCloseBug : public GenericBug
+{
+public:
+    FileNeverCloseBug(const EventStack &bugEventStack):
+        GenericBug(GenericBug::NEVERFREE, bugEventStack) {  };
+
+    cJSON *getBugDescription() const;
+    void printBugToTerminal() const;
+
+    /// ClassOf
+    static inline bool classof(const GenericBug *bug)
+    {
+        return bug->getBugType() == GenericBug::FILENEVERCLOSE;
+    }
+};
+
+class FilePartialCloseBug : public GenericBug
+{
+public:
+    FilePartialCloseBug(const EventStack &bugEventStack):
+        GenericBug(GenericBug::PARTIALLEAK, bugEventStack) { }
+
+    cJSON *getBugDescription() const;
+    void printBugToTerminal() const;
+
+    /// ClassOf
+    static inline bool classof(const GenericBug *bug)
+    {
+        return bug->getBugType() == GenericBug::FILEPARTIALCLOSE;
+    }
+};
+
+class SVFBugReport
+{
+public:
+    SVFBugReport() = default;
+    ~SVFBugReport();
+    typedef SVF::Set<const GenericBug *> BugSet;
+    typedef SVF::Set<const GenericEvent *> EventSet;
+
+protected:
+    BugSet bugSet;    // maintain bugs
+    EventSet eventSet;// maintain added events
+
+public:
+    /*
+     * function: pass bug type (i.e., GenericBug::NEVERFREE) and eventStack as parameter,
+     *      it will add the bug into bugQueue.
+     * usage: addSaberBug(GenericBug::NEVERFREE, eventStack)
+     */
+    void addSaberBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack)
+    {
+        /// resign added events
+        for(auto eventPtr : eventStack)
+        {
+            eventSet.insert(eventPtr);
+        }
+
+        /// create and add the bug
+        GenericBug *newBug = nullptr;
+        switch(bugType)
+        {
+        case GenericBug::NEVERFREE:
+        {
+            newBug = new NeverFreeBug(eventStack);
+            bugSet.insert(newBug);
+            break;
+        }
+        case GenericBug::PARTIALLEAK:
+        {
+            newBug = new PartialLeakBug(eventStack);
+            bugSet.insert(newBug);
+            break;
+        }
+        case GenericBug::DOUBLEFREE:
+        {
+            newBug = new DoubleFreeBug(eventStack);
+            bugSet.insert(newBug);
+            break;
+        }
+        case GenericBug::FILENEVERCLOSE:
+        {
+            newBug = new FileNeverCloseBug(eventStack);
+            bugSet.insert(newBug);
+            break;
+        }
+        case GenericBug::FILEPARTIALCLOSE:
+        {
+            newBug = new FilePartialCloseBug(eventStack);
+            bugSet.insert(newBug);
+            break;
+        }
+        default:
+        {
+            assert(false && "saber does NOT have this bug type!");
+            break;
+        }
+        }
+
+        // when add a bug, also print it to terminal
+        newBug->printBugToTerminal();
+    }
+
+    /*
+     * function: pass bug type (i.e., GenericBug::FULLBUFOVERFLOW) and eventStack as parameter,
+     *      it will add the bug into bugQueue.
+     * usage: addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 10, 11, 11)
+     */
+    void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack,
+                       s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
+    {
+        /// resign added events
+        for(auto eventPtr : eventStack)
+        {
+            eventSet.insert(eventPtr);
+        }
+
+        /// add bugs
+        GenericBug *newBug = nullptr;
+        switch(bugType)
+        {
+        case GenericBug::FULLBUFOVERFLOW:
+        {
+            newBug = new FullBufferOverflowBug(eventStack, allocLowerBound, allocUpperBound, accessLowerBound, accessUpperBound);
+            bugSet.insert(newBug);
+            break;
+        }
+        case GenericBug::PARTIALBUFOVERFLOW:
+        {
+            newBug = new PartialBufferOverflowBug(eventStack, allocLowerBound, allocUpperBound, accessLowerBound, accessUpperBound);
+            bugSet.insert(newBug);
+            break;
+        }
+        default:
+        {
+            assert(false && "Abstract Execution does NOT hava his bug type!");
+            break;
+        }
+        }
+
+        // when add a bug, also print it to terminal
+        newBug->printBugToTerminal();
+    }
+
+    /*
+     * function: pass file path, open the file and dump bug report as JSON format
+     * usage: dumpToFile("/path/to/file")
+     */
+    void dumpToJsonFile(const std::string& filePath);
+};
+}
+
+#endif

package/svf/lib/SABER/DoubleFreeChecker.cpp

@@ -39,11 +39,11 @@ void DoubleFreeChecker::reportBug(ProgSlice* slice)
 
     if(slice->isSatisfiableForPairs() == false)
     {
-        const SVFGNode* src = slice->getSource();
-        const CallICFGNode* cs = getSrcCSID(src);
-        SVFUtil::errs() << bugMsg2("\t Double Free :") <<  " memory allocation at : ("
-                        << cs->getCallSite()->getSourceLoc() << ")\n";
-        SVFUtil::errs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
+        SourceInstEvent*sourceInstEvent = new SourceInstEvent(getSrcCSID(slice->getSource())->getCallSite());
+        GenericBug::EventStack eventStack;
+        slice->evalFinalCond2Event(eventStack);
+        eventStack.push_back(sourceInstEvent);
+        report.addSaberBug(GenericBug::DOUBLEFREE, eventStack);
     }
     if(Options::ValidateTests())
         testsValidation(slice);

package/svf/lib/SABER/FileChecker.cpp

@@ -33,31 +33,22 @@ using namespace SVF;
 using namespace SVFUtil;
 
 
-void FileChecker::reportNeverClose(const SVFGNode* src)
-{
-    const CallICFGNode* cs = getSrcCSID(src);
-    SVFUtil::errs() << bugMsg1("\t FileNeverClose :") <<  " file open location at : ("
-                    << cs->getCallSite()->getSourceLoc() << ")\n";
-}
-
-void FileChecker::reportPartialClose(const SVFGNode* src)
-{
-    const CallICFGNode* cs = getSrcCSID(src);
-    SVFUtil::errs() << bugMsg2("\t PartialFileClose :") <<  " file open location at : ("
-                    << cs->getCallSite()->getSourceLoc() << ")\n";
-}
-
 void FileChecker::reportBug(ProgSlice* slice)
 {
 
     if(isAllPathReachable() == false && isSomePathReachable() == false)
     {
-        reportNeverClose(slice->getSource());
+        // full leakage
+        SourceInstEvent*sourceInstEvent = new SourceInstEvent(getSrcCSID(slice->getSource())->getCallSite());
+        GenericBug::EventStack eventStack = {sourceInstEvent};
+        report.addSaberBug(GenericBug::FILENEVERCLOSE, eventStack);
     }
     else if (isAllPathReachable() == false && isSomePathReachable() == true)
     {
-        reportPartialClose(slice->getSource());
-        SVFUtil::errs() << "\t\t conditional file close path: \n" << slice->evalFinalCond() << "\n";
+        SourceInstEvent*sourceInstEvent = new SourceInstEvent(getSrcCSID(slice->getSource())->getCallSite());
+        GenericBug::EventStack eventStack;
+        slice->evalFinalCond2Event(eventStack);
+        eventStack.push_back(sourceInstEvent);
+        report.addSaberBug(GenericBug::FILEPARTIALCLOSE, eventStack);
     }
-
 }

package/svf/lib/SABER/LeakChecker.cpp

@@ -146,33 +146,24 @@ void LeakChecker::initSnks()
     }
 }
 
-
-void LeakChecker::reportNeverFree(const SVFGNode* src)
-{
-    const CallICFGNode* cs = getSrcCSID(src);
-    SVFUtil::errs() << bugMsg1("\t NeverFree :") <<  " memory allocation at : ("
-                    << cs->getCallSite()->getSourceLoc() << ")\n";
-}
-
-void LeakChecker::reportPartialLeak(const SVFGNode* src)
-{
-
-    const CallICFGNode* cs = getSrcCSID(src);
-    SVFUtil::errs() << bugMsg2("\t PartialLeak :") <<  " memory allocation at : ("
-                    << cs->getCallSite()->getSourceLoc() << ")\n";
-}
-
 void LeakChecker::reportBug(ProgSlice* slice)
 {
 
     if(isAllPathReachable() == false && isSomePathReachable() == false)
     {
-        reportNeverFree(slice->getSource());
+        // full leakage
+        SourceInstEvent*sourceInstEvent = new SourceInstEvent(getSrcCSID(slice->getSource())->getCallSite());
+        GenericBug::EventStack eventStack = {sourceInstEvent};
+        report.addSaberBug(GenericBug::NEVERFREE, eventStack);
     }
     else if (isAllPathReachable() == false && isSomePathReachable() == true)
     {
-        reportPartialLeak(slice->getSource());
-        SVFUtil::errs() << "\t\t conditional free path: \n" << slice->evalFinalCond() << "\n";
+        // partial leakage
+        SourceInstEvent*sourceInstEvent = new SourceInstEvent(getSrcCSID(slice->getSource())->getCallSite());
+        GenericBug::EventStack eventStack;
+        slice->evalFinalCond2Event(eventStack);
+        eventStack.push_back(sourceInstEvent);
+        report.addSaberBug(GenericBug::PARTIALLEAK, eventStack);
     }
 
     if(Options::ValidateTests())

package/svf/lib/SABER/ProgSlice.cpp

@@ -146,6 +146,19 @@ const CallICFGNode* ProgSlice::getRetSite(const SVFGEdge* edge) const
         return getSVFG()->getCallSite(SVFUtil::cast<RetIndSVFGEdge>(edge)->getCallSiteId());
 }
 
+void ProgSlice::evalFinalCond2Event(GenericBug::EventStack &eventStack) const
+{
+    NodeBS elems = pathAllocator->exactCondElem(finalCond);
+    Set<std::string> locations;
+    for(NodeBS::iterator it = elems.begin(), eit = elems.end(); it!=eit; ++it)
+    {
+        const SVFInstruction* tinst = pathAllocator->getCondInst(*it);
+        if(pathAllocator->isNegCond(*it))
+            eventStack.push_back(new BranchEvent(tinst, false));
+        else
+            eventStack.push_back(new BranchEvent(tinst, true));
+    }
+}
 
 /*!
  * Evaluate Atoms of a condition
@@ -160,8 +173,9 @@ std::string ProgSlice::evalFinalCond() const
 {
     std::string str;
     std::stringstream rawstr(str);
-    NodeBS elems = pathAllocator->exactCondElem(finalCond);
     Set<std::string> locations;
+    NodeBS elems = pathAllocator->exactCondElem(finalCond);
+
     for(NodeBS::iterator it = elems.begin(), eit = elems.end(); it!=eit; ++it)
     {
         const SVFInstruction* tinst = pathAllocator->getCondInst(*it);
@@ -170,6 +184,7 @@ std::string ProgSlice::evalFinalCond() const
         else
             locations.insert(tinst->getSourceLoc()+"|True");
     }
+
     /// print leak path after eliminating duplicated element
     for(Set<std::string>::iterator iter = locations.begin(), eiter = locations.end();
             iter!=eiter; ++iter)

package/svf/lib/SABER/SrcSnkDDA.cpp

@@ -105,7 +105,6 @@ void SrcSnkDDA::analyze(SVFModule* module)
 
         reportBug(getCurSlice());
     }
-
     finalize();
 
 }

package/svf/lib/Util/SVFBugReport.cpp

@@ -0,0 +1,411 @@
+//===- SVFBugReport.cpp -- Base class for statistics---------------------------------//
+//
+//                     SVF: Static Value-Flow Analysis
+//
+// Copyright (C) <2013->  <Yulei Sui>
+//
+
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+//===----------------------------------------------------------------------===//
+
+
+//
+// Created by JoelYang on 2023/4/19.
+//
+
+#include "Util/SVFBugReport.h"
+#include <cassert>
+#include "Util/cJSON.h"
+#include "Util/SVFUtil.h"
+#include <sstream>
+#include <fstream>
+
+using namespace std;
+using namespace SVF;
+
+const std::string GenericBug::getLoc() const
+{
+    const GenericEvent *sourceInstEvent = bugEventStack.at(bugEventStack.size() -1);
+    assert(SourceInstEvent::classof(sourceInstEvent) && "bugEventStack top should be a SourceInst event");
+    return sourceInstEvent->getEventLoc();
+}
+
+const std::string GenericBug::getFuncName() const
+{
+    const GenericEvent *sourceInstEvent = bugEventStack.at(bugEventStack.size() -1);
+    assert(SourceInstEvent::classof(sourceInstEvent) && "bugEventStack top should be a SourceInst event");
+    return sourceInstEvent->getFuncName();
+}
+
+cJSON *BufferOverflowBug::getBugDescription() const
+{
+    cJSON *bugDescription = cJSON_CreateObject();
+    cJSON *allocLB = cJSON_CreateNumber(allocLowerBound);
+    cJSON *allocUB = cJSON_CreateNumber(allocUpperBound);
+    cJSON *accessLB = cJSON_CreateNumber(accessLowerBound);
+    cJSON *accessUB = cJSON_CreateNumber(accessUpperBound);
+
+    cJSON_AddItemToObject(bugDescription, "AllocLowerBound", allocLB);
+    cJSON_AddItemToObject(bugDescription, "AllocUpperBound", allocUB);
+    cJSON_AddItemToObject(bugDescription, "AccessLowerBound", accessLB);
+    cJSON_AddItemToObject(bugDescription, "AccessUpperBound", accessUB);
+
+    return bugDescription;
+}
+
+void BufferOverflowBug::printBugToTerminal() const
+{
+    stringstream bugInfo;
+    if(FullBufferOverflowBug::classof(this))
+    {
+        SVFUtil::errs() << SVFUtil::bugMsg1("\t Full Overflow :") <<  " accessing at : ("
+                        << GenericBug::getLoc() << ")\n";
+
+    }
+    else
+    {
+        SVFUtil::errs() << SVFUtil::bugMsg1("\t Partial Overflow :") <<  " accessing at : ("
+                        << GenericBug::getLoc() << ")\n";
+    }
+    bugInfo << "\t\t  allocate size : [" << allocLowerBound << ", " << allocUpperBound << "], ";
+    bugInfo << "access size : [" << accessLowerBound << ", " << accessUpperBound << "]\n";
+    SVFUtil::errs() << "\t\t Info : \n" << bugInfo.str();
+    SVFUtil::errs() << "\t\t Events : \n";
+
+    for(auto eventPtr : bugEventStack)
+    {
+        switch(eventPtr->getEventType())
+        {
+        case GenericEvent::CallSite:
+        {
+            SVFUtil::errs() << "\t\t  callsite at : ( " << eventPtr->getEventLoc() << " )\n";
+            break;
+        }
+        default:   // TODO: implement more events when needed
+        {
+            break;
+        }
+        }
+    }
+
+}
+
+cJSON * NeverFreeBug::getBugDescription() const
+{
+    cJSON *bugDescription = cJSON_CreateObject();
+    return bugDescription;
+}
+
+void NeverFreeBug::printBugToTerminal() const
+{
+    SVFUtil::errs() << SVFUtil::bugMsg1("\t NeverFree :") <<  " memory allocation at : ("
+                    << GenericBug::getLoc() << ")\n";
+}
+
+cJSON * PartialLeakBug::getBugDescription() const
+{
+    cJSON *bugDescription = cJSON_CreateObject();
+    cJSON *pathInfo = cJSON_CreateArray();
+    auto lastBranchEventIt = bugEventStack.end() - 1;
+    for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
+    {
+        cJSON *newBranch = cJSON_CreateObject();
+        cJSON *branchLoc = cJSON_Parse((*eventIt)->getEventLoc().c_str());
+        if(branchLoc == nullptr) branchLoc = cJSON_CreateObject();
+        cJSON *branchCondition = cJSON_CreateString((*eventIt)->getEventDescription().c_str());
+
+        cJSON_AddItemToObject(newBranch, "BranchLoc", branchLoc);
+        cJSON_AddItemToObject(newBranch, "BranchCond", branchCondition);
+
+        cJSON_AddItemToArray(pathInfo, newBranch);
+    }
+
+    cJSON_AddItemToObject(bugDescription, "ConditionalFreePath", pathInfo);
+
+    return bugDescription;
+}
+
+void PartialLeakBug::printBugToTerminal() const
+{
+    SVFUtil::errs() << SVFUtil::bugMsg2("\t PartialLeak :") <<  " memory allocation at : ("
+                    << GenericBug::getLoc() << ")\n";
+
+    SVFUtil::errs() << "\t\t conditional free path: \n";
+    auto lastBranchEventIt = bugEventStack.end() - 1;
+    for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
+    {
+        SVFUtil::errs() << "\t\t  --> (" << (*eventIt)->getEventLoc() << "|" << (*eventIt)->getEventDescription() << ") \n";
+    }
+    SVFUtil::errs() << "\n";
+}
+
+cJSON * DoubleFreeBug::getBugDescription() const
+{
+    cJSON *bugDescription = cJSON_CreateObject();
+
+    cJSON *pathInfo = cJSON_CreateArray();
+    auto lastBranchEventIt = bugEventStack.end() - 1;
+    for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
+    {
+        cJSON *newBranch = cJSON_CreateObject();
+        cJSON *branchLoc = cJSON_Parse((*eventIt)->getEventLoc().c_str());
+        if(branchLoc == nullptr) branchLoc = cJSON_CreateObject();
+        cJSON *branchCondition = cJSON_CreateString((*eventIt)->getEventDescription().c_str());
+
+        cJSON_AddItemToObject(newBranch, "BranchLoc", branchLoc);
+        cJSON_AddItemToObject(newBranch, "BranchCond", branchCondition);
+
+        cJSON_AddItemToArray(pathInfo, newBranch);
+    }
+    cJSON_AddItemToObject(bugDescription, "DoubleFreePath", pathInfo);
+
+    return bugDescription;
+}
+
+void DoubleFreeBug::printBugToTerminal() const
+{
+    SVFUtil::errs() << SVFUtil::bugMsg2("\t Double Free :") <<  " memory allocation at : ("
+                    << GenericBug::getLoc() << ")\n";
+
+    SVFUtil::errs() << "\t\t double free path: \n";
+    auto lastBranchEventIt = bugEventStack.end() - 1;
+    for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
+    {
+        SVFUtil::errs() << "\t\t  --> (" << (*eventIt)->getEventLoc() << "|" << (*eventIt)->getEventDescription() << ") \n";
+    }
+    SVFUtil::errs() << "\n";
+}
+
+cJSON * FileNeverCloseBug::getBugDescription() const
+{
+    cJSON *bugDescription = cJSON_CreateObject();
+    return bugDescription;
+}
+
+void FileNeverCloseBug::printBugToTerminal() const
+{
+    SVFUtil::errs() << SVFUtil::bugMsg1("\t FileNeverClose :") <<  " file open location at : ("
+                    << GenericBug::getLoc() << ")\n";
+}
+
+cJSON * FilePartialCloseBug::getBugDescription() const
+{
+    cJSON *bugDescription = cJSON_CreateObject();
+
+    cJSON *pathInfo = cJSON_CreateArray();
+
+    auto lastBranchEventIt = bugEventStack.end() - 1;
+    for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
+    {
+        cJSON *newBranch = cJSON_CreateObject();
+        cJSON *branchLoc = cJSON_Parse((*eventIt)->getEventLoc().c_str());
+        if(branchLoc == nullptr) branchLoc = cJSON_CreateObject();
+        cJSON *branchCondition = cJSON_CreateString((*eventIt)->getEventDescription().c_str());
+
+        cJSON_AddItemToObject(newBranch, "BranchLoc", branchLoc);
+        cJSON_AddItemToObject(newBranch, "BranchCond", branchCondition);
+
+        cJSON_AddItemToArray(pathInfo, newBranch);
+    }
+    cJSON_AddItemToObject(bugDescription, "ConditionalFileClosePath", pathInfo);
+
+    return bugDescription;
+}
+
+void FilePartialCloseBug::printBugToTerminal() const
+{
+    SVFUtil::errs() << SVFUtil::bugMsg2("\t PartialFileClose :") <<  " file open location at : ("
+                    << GenericBug::getLoc() << ")\n";
+
+    SVFUtil::errs() << "\t\t conditional file close path: \n";
+    auto lastBranchEventIt = bugEventStack.end() - 1;
+    for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
+    {
+        SVFUtil::errs() << "\t\t  --> (" << (*eventIt)->getEventLoc() << "|" << (*eventIt)->getEventDescription() << ") \n";
+    }
+    SVFUtil::errs() << "\n";
+}
+
+const std::string CallSiteEvent::getFuncName() const
+{
+    return callSite->getCallSite()->getFunction()->getName();
+}
+
+const std::string CallSiteEvent::getEventLoc() const
+{
+    return callSite->getCallSite()->getSourceLoc();
+}
+
+const std::string CallSiteEvent::getEventDescription() const
+{
+    std::string description("calls ");
+    const SVFFunction *callee = SVFUtil::getCallee(callSite->getCallSite());
+    if(callee == nullptr)
+    {
+        description += "<unknown>";
+    }
+    else
+    {
+        description += callee->getName();
+    }
+    return description;
+}
+
+const std::string BranchEvent::getFuncName() const
+{
+    return branchInst->getFunction()->getName();
+}
+
+const std::string BranchEvent::getEventLoc() const
+{
+    return branchInst->getSourceLoc();
+}
+
+const std::string BranchEvent::getEventDescription() const
+{
+    if (branchSuccessFlg)
+    {
+        return "True";
+    }
+    else
+    {
+        return "False";
+    }
+}
+
+const std::string SourceInstEvent::getFuncName() const
+{
+    return sourceSVFInst->getFunction()->getName();
+}
+
+const std::string SourceInstEvent::getEventLoc() const
+{
+    return sourceSVFInst->getSourceLoc();
+}
+
+const std::string SourceInstEvent::getEventDescription() const
+{
+    return "None";
+}
+
+SVFBugReport::~SVFBugReport()
+{
+    for(auto bugIt: bugSet)
+    {
+        delete bugIt;
+    }
+    for(auto eventPtr:eventSet)
+    {
+        delete eventPtr;
+    }
+}
+
+void SVFBugReport::dumpToJsonFile(const std::string& filePath)
+{
+    std::map<GenericEvent::EventType, std::string> eventType2Str =
+    {
+        {GenericEvent::CallSite, "call site"},
+        {GenericEvent::Caller, "caller"},
+        {GenericEvent::Loop, "loop"},
+        {GenericEvent::Branch, "branch"}
+    };
+
+    std::map<GenericBug::BugType, std::string> bugType2Str =
+    {
+        {GenericBug::FULLBUFOVERFLOW, "Full Buffer Overflow"},
+        {GenericBug::PARTIALBUFOVERFLOW, "Partial Buffer Overflow"},
+        {GenericBug::NEVERFREE, "Never Free"},
+        {GenericBug::PARTIALLEAK, "Partial Leak"},
+        {GenericBug::FILENEVERCLOSE, "File Never Close"},
+        {GenericBug::FILEPARTIALCLOSE, "File Partial Close"},
+        {GenericBug::DOUBLEFREE, "Double Free"}
+    };
+
+    ofstream jsonFile(filePath, ios::out);
+
+    jsonFile << "{";
+
+    size_t commaCounter = bugSet.size() - 1;  // comma num needed
+    for(auto bugPtr : bugSet)
+    {
+        cJSON *singleBug = cJSON_CreateObject();
+
+        /// add bug information to json
+        cJSON *bugType = cJSON_CreateString(bugType2Str[bugPtr->getBugType()].c_str());
+        cJSON_AddItemToObject(singleBug, "DefectType", bugType);
+
+        cJSON *bugLoc = cJSON_Parse(bugPtr->getLoc().c_str());
+        if(bugLoc == nullptr)
+        {
+            bugLoc = cJSON_CreateObject();
+        }
+        cJSON_AddItemToObject(singleBug, "Location", bugLoc);
+
+        cJSON *bugFunction = cJSON_CreateString(bugPtr->getFuncName().c_str());
+        cJSON_AddItemToObject(singleBug, "Function", bugFunction);
+
+        cJSON_AddItemToObject(singleBug, "Description", bugPtr->getBugDescription());
+
+        /// add event information to json
+        cJSON *eventList = cJSON_CreateArray();
+        const GenericBug::EventStack bugEventStack = bugPtr->getEventStack();
+        if(BufferOverflowBug::classof(bugPtr))   // add only when bug is context sensitive
+        {
+            for(auto eventPtr : bugEventStack)
+            {
+                if (SourceInstEvent::classof(eventPtr))
+                {
+                    continue;
+                }
+
+                cJSON *singleEvent = cJSON_CreateObject();
+                //event type
+                cJSON *eventType = cJSON_CreateString(eventType2Str[eventPtr->getEventType()].c_str());
+                cJSON_AddItemToObject(singleEvent, "EventType", eventType);
+                //function name
+                cJSON *eventFunc = cJSON_CreateString(eventPtr->getFuncName().c_str());
+                cJSON_AddItemToObject(singleEvent, "Function", eventFunc);
+                //event loc
+                cJSON *eventLoc = cJSON_Parse(eventPtr->getEventLoc().c_str());
+                if(eventLoc == nullptr)
+                {
+                    eventLoc = cJSON_CreateObject();
+                }
+                cJSON_AddItemToObject(singleEvent, "Location", eventLoc);
+                //event description
+                cJSON *eventDescription = cJSON_CreateString(eventPtr->getEventDescription().c_str());
+                cJSON_AddItemToObject(singleEvent, "Description", eventDescription);
+
+                cJSON_AddItemToArray(eventList, singleEvent);
+            }
+        }
+        cJSON_AddItemToObject(singleBug, "Events", eventList);
+
+        /// dump single bug to json str and write to file
+        char *singleBugStr = cJSON_Print(singleBug);
+        jsonFile << singleBugStr;
+        if (commaCounter != 0)
+        {
+            jsonFile << ",\n";
+        }
+        commaCounter --;
+
+        /// destroy the cJSON object
+        cJSON_Delete(singleBug);
+    }
+
+    jsonFile << "}";
+    jsonFile.close();
+}

package/svf-llvm/lib/LLVMUtil.cpp

@@ -486,7 +486,7 @@ const std::string LLVMUtil::getSourceLoc(const Value* val )
                 if (llvm::DbgDeclareInst *DDI = SVFUtil::dyn_cast<llvm::DbgDeclareInst>(DII))
                 {
                     llvm::DIVariable *DIVar = SVFUtil::cast<llvm::DIVariable>(DDI->getVariable());
-                    rawstr << "ln: " << DIVar->getLine() << " fl: " << DIVar->getFilename().str();
+                    rawstr << "\"ln\": " << DIVar->getLine() << ", \"fl\": \"" << DIVar->getFilename().str() << "\"";
                     break;
                 }
             }
@@ -508,7 +508,7 @@ const std::string LLVMUtil::getSourceLoc(const Value* val )
                     File = inlineLoc->getFilename().str();
                 }
             }
-            rawstr << "ln: " << Line << "  cl: " << Column << "  fl: " << File;
+            rawstr << "\"ln\": " << Line << ", \"cl\": " << Column << ", \"fl\": \"" << File << "\"";
         }
     }
     else if (const Argument* argument = SVFUtil::dyn_cast<Argument>(val))
@@ -539,7 +539,7 @@ const std::string LLVMUtil::getSourceLoc(const Value* val )
 
                     if(DGV->getName() == gvar->getName())
                     {
-                        rawstr << "ln: " << DGV->getLine() << " fl: " << DGV->getFilename().str();
+                        rawstr << "\"ln\": " << DGV->getLine() << ", \"fl\": \"" << DGV->getFilename().str() << "\"";
                     }
 
                 }
@@ -552,7 +552,7 @@ const std::string LLVMUtil::getSourceLoc(const Value* val )
     }
     else if (const BasicBlock* bb = SVFUtil::dyn_cast<BasicBlock>(val))
     {
-        rawstr << "basic block: " << bb->getName().str() << " " << getSourceLoc(bb->getFirstNonPHI());
+        rawstr << "\"basic block\": " << bb->getName().str() << ", \"location\": " << getSourceLoc(bb->getFirstNonPHI());
     }
     else if(LLVMUtil::isConstDataOrAggData(val))
     {
@@ -584,7 +584,7 @@ const std::string LLVMUtil::getSourceLocOfFunction(const Function* F)
     if (llvm::DISubprogram *SP =  F->getSubprogram())
     {
         if (SP->describes(F))
-            rawstr << "in line: " << SP->getLine() << " file: " << SP->getFilename().str();
+            rawstr << "\"ln\": " << SP->getLine() << ", \"file\": \"" << SP->getFilename().str() << "\"";
     }
     return rawstr.str();
 }