svf-tools 1.0.913 → 1.0.915
- package/SVF-doxygen/html/AbstractInterpretation_8cpp.html +7 -5
- package/SVF-doxygen/html/AbstractInterpretation_8cpp_source.html +1593 -1610
- package/SVF-doxygen/html/AbstractInterpretation_8h_source.html +157 -144
- package/SVF-doxygen/html/BufOverflowChecker_8cpp_source.html +797 -786
- package/SVF-doxygen/html/BufOverflowChecker_8h_source.html +7 -7
- package/SVF-doxygen/html/SVFIR2AbsState_8cpp_source.html +815 -826
- package/SVF-doxygen/html/SVFIR2AbsState_8h_source.html +153 -196
- package/SVF-doxygen/html/classSVF_1_1AEStat.html +116 -120
- package/SVF-doxygen/html/classSVF_1_1AbstractInterpretation-members.html +33 -33
- package/SVF-doxygen/html/classSVF_1_1AbstractInterpretation.html +1739 -1684
- package/SVF-doxygen/html/classSVF_1_1BufOverflowChecker-members.html +33 -33
- package/SVF-doxygen/html/classSVF_1_1BufOverflowChecker.html +471 -462
- package/SVF-doxygen/html/classSVF_1_1SVFIR2AbsState-members.html +35 -47
- package/SVF-doxygen/html/classSVF_1_1SVFIR2AbsState.html +1261 -1546
- package/SVF-doxygen/html/dir_9a8e7a56f4029a0d9f62b1c6d1f6e85b.html +0 -2
- package/SVF-doxygen/html/files.html +0 -1
- package/SVF-doxygen/html/functions.html +4 -7
- package/SVF-doxygen/html/functions_a.html +2 -2
- package/SVF-doxygen/html/functions_f.html +3 -3
- package/SVF-doxygen/html/functions_func.html +2 -2
- package/SVF-doxygen/html/functions_func_g.html +16 -16
- package/SVF-doxygen/html/functions_func_h.html +21 -57
- package/SVF-doxygen/html/functions_func_i.html +21 -12
- package/SVF-doxygen/html/functions_func_n.html +1 -1
- package/SVF-doxygen/html/functions_func_s.html +13 -19
- package/SVF-doxygen/html/functions_func_t.html +1 -1
- package/SVF-doxygen/html/functions_func_w.html +1 -1
- package/SVF-doxygen/html/functions_g.html +16 -16
- package/SVF-doxygen/html/functions_h.html +18 -54
- package/SVF-doxygen/html/functions_i.html +32 -23
- package/SVF-doxygen/html/functions_l.html +3 -3
- package/SVF-doxygen/html/functions_n.html +1 -1
- package/SVF-doxygen/html/functions_o.html +4 -4
- package/SVF-doxygen/html/functions_p.html +19 -17
- package/SVF-doxygen/html/functions_r.html +6 -6
- package/SVF-doxygen/html/functions_s.html +18 -26
- package/SVF-doxygen/html/functions_t.html +4 -4
- package/SVF-doxygen/html/functions_v.html +6 -6
- package/SVF-doxygen/html/functions_vars.html +4 -7
- package/SVF-doxygen/html/functions_w.html +1 -1
- package/SVF-doxygen/html/search/all_0.js +131 -132
- package/SVF-doxygen/html/search/all_1.js +504 -504
- package/SVF-doxygen/html/search/all_10.js +326 -326
- package/SVF-doxygen/html/search/all_11.js +227 -227
- package/SVF-doxygen/html/search/all_12.js +559 -562
- package/SVF-doxygen/html/search/all_13.js +186 -186
- package/SVF-doxygen/html/search/all_14.js +74 -74
- package/SVF-doxygen/html/search/all_15.js +175 -175
- package/SVF-doxygen/html/search/all_16.js +77 -77
- package/SVF-doxygen/html/search/all_17.js +1 -1
- package/SVF-doxygen/html/search/all_18.js +1 -1
- package/SVF-doxygen/html/search/all_19.js +27 -27
- package/SVF-doxygen/html/search/all_1a.js +174 -174
- package/SVF-doxygen/html/search/all_2.js +180 -180
- package/SVF-doxygen/html/search/all_3.js +635 -635
- package/SVF-doxygen/html/search/all_4.js +237 -237
- package/SVF-doxygen/html/search/all_5.js +120 -120
- package/SVF-doxygen/html/search/all_6.js +236 -236
- package/SVF-doxygen/html/search/all_7.js +1039 -1039
- package/SVF-doxygen/html/search/all_8.js +212 -224
- package/SVF-doxygen/html/search/all_9.js +630 -627
- package/SVF-doxygen/html/search/all_a.js +46 -46
- package/SVF-doxygen/html/search/all_b.js +24 -24
- package/SVF-doxygen/html/search/all_c.js +111 -111
- package/SVF-doxygen/html/search/all_d.js +204 -204
- package/SVF-doxygen/html/search/all_e.js +207 -207
- package/SVF-doxygen/html/search/all_f.js +122 -122
- package/SVF-doxygen/html/search/classes_0.js +29 -29
- package/SVF-doxygen/html/search/classes_1.js +11 -11
- package/SVF-doxygen/html/search/classes_10.js +71 -71
- package/SVF-doxygen/html/search/classes_11.js +14 -14
- package/SVF-doxygen/html/search/classes_12.js +2 -2
- package/SVF-doxygen/html/search/classes_13.js +10 -10
- package/SVF-doxygen/html/search/classes_14.js +19 -19
- package/SVF-doxygen/html/search/classes_15.js +1 -1
- package/SVF-doxygen/html/search/classes_2.js +72 -72
- package/SVF-doxygen/html/search/classes_3.js +35 -35
- package/SVF-doxygen/html/search/classes_4.js +7 -7
- package/SVF-doxygen/html/search/classes_5.js +28 -28
- package/SVF-doxygen/html/search/classes_6.js +98 -98
- package/SVF-doxygen/html/search/classes_7.js +33 -33
- package/SVF-doxygen/html/search/classes_8.js +57 -57
- package/SVF-doxygen/html/search/classes_9.js +1 -1
- package/SVF-doxygen/html/search/classes_a.js +12 -12
- package/SVF-doxygen/html/search/classes_b.js +29 -29
- package/SVF-doxygen/html/search/classes_c.js +6 -6
- package/SVF-doxygen/html/search/classes_d.js +19 -19
- package/SVF-doxygen/html/search/classes_e.js +36 -36
- package/SVF-doxygen/html/search/classes_f.js +25 -25
- package/SVF-doxygen/html/search/defines_0.js +3 -3
- package/SVF-doxygen/html/search/defines_1.js +3 -3
- package/SVF-doxygen/html/search/defines_10.js +2 -2
- package/SVF-doxygen/html/search/defines_2.js +30 -30
- package/SVF-doxygen/html/search/defines_3.js +20 -20
- package/SVF-doxygen/html/search/defines_4.js +3 -3
- package/SVF-doxygen/html/search/defines_5.js +4 -4
- package/SVF-doxygen/html/search/defines_6.js +2 -2
- package/SVF-doxygen/html/search/defines_7.js +5 -5
- package/SVF-doxygen/html/search/defines_8.js +11 -11
- package/SVF-doxygen/html/search/defines_9.js +9 -9
- package/SVF-doxygen/html/search/defines_a.js +2 -2
- package/SVF-doxygen/html/search/defines_b.js +1 -1
- package/SVF-doxygen/html/search/defines_c.js +3 -3
- package/SVF-doxygen/html/search/defines_d.js +2 -2
- package/SVF-doxygen/html/search/defines_e.js +8 -8
- package/SVF-doxygen/html/search/defines_f.js +4 -4
- package/SVF-doxygen/html/search/enums_0.js +3 -3
- package/SVF-doxygen/html/search/enums_1.js +2 -2
- package/SVF-doxygen/html/search/enums_10.js +1 -1
- package/SVF-doxygen/html/search/enums_11.js +1 -1
- package/SVF-doxygen/html/search/enums_2.js +9 -9
- package/SVF-doxygen/html/search/enums_3.js +2 -2
- package/SVF-doxygen/html/search/enums_4.js +3 -3
- package/SVF-doxygen/html/search/enums_5.js +1 -1
- package/SVF-doxygen/html/search/enums_6.js +2 -2
- package/SVF-doxygen/html/search/enums_7.js +2 -2
- package/SVF-doxygen/html/search/enums_8.js +4 -4
- package/SVF-doxygen/html/search/enums_9.js +1 -1
- package/SVF-doxygen/html/search/enums_a.js +1 -1
- package/SVF-doxygen/html/search/enums_b.js +7 -7
- package/SVF-doxygen/html/search/enums_c.js +1 -1
- package/SVF-doxygen/html/search/enums_d.js +4 -4
- package/SVF-doxygen/html/search/enums_e.js +2 -2
- package/SVF-doxygen/html/search/enums_f.js +4 -4
- package/SVF-doxygen/html/search/enumvalues_0.js +15 -15
- package/SVF-doxygen/html/search/enumvalues_1.js +16 -16
- package/SVF-doxygen/html/search/enumvalues_10.js +36 -36
- package/SVF-doxygen/html/search/enumvalues_11.js +6 -6
- package/SVF-doxygen/html/search/enumvalues_12.js +10 -10
- package/SVF-doxygen/html/search/enumvalues_13.js +1 -1
- package/SVF-doxygen/html/search/enumvalues_14.js +1 -1
- package/SVF-doxygen/html/search/enumvalues_15.js +4 -4
- package/SVF-doxygen/html/search/enumvalues_2.js +36 -36
- package/SVF-doxygen/html/search/enumvalues_3.js +13 -13
- package/SVF-doxygen/html/search/enumvalues_4.js +2 -2
- package/SVF-doxygen/html/search/enumvalues_5.js +50 -50
- package/SVF-doxygen/html/search/enumvalues_6.js +6 -6
- package/SVF-doxygen/html/search/enumvalues_7.js +8 -8
- package/SVF-doxygen/html/search/enumvalues_8.js +24 -24
- package/SVF-doxygen/html/search/enumvalues_9.js +6 -6
- package/SVF-doxygen/html/search/enumvalues_a.js +17 -17
- package/SVF-doxygen/html/search/enumvalues_b.js +11 -11
- package/SVF-doxygen/html/search/enumvalues_c.js +5 -5
- package/SVF-doxygen/html/search/enumvalues_d.js +19 -19
- package/SVF-doxygen/html/search/enumvalues_e.js +9 -9
- package/SVF-doxygen/html/search/enumvalues_f.js +48 -48
- package/SVF-doxygen/html/search/files_0.js +18 -18
- package/SVF-doxygen/html/search/files_1.js +9 -9
- package/SVF-doxygen/html/search/files_10.js +8 -8
- package/SVF-doxygen/html/search/files_11.js +8 -8
- package/SVF-doxygen/html/search/files_12.js +2 -2
- package/SVF-doxygen/html/search/files_2.js +51 -51
- package/SVF-doxygen/html/search/files_3.js +14 -14
- package/SVF-doxygen/html/search/files_4.js +3 -3
- package/SVF-doxygen/html/search/files_5.js +13 -13
- package/SVF-doxygen/html/search/files_6.js +10 -10
- package/SVF-doxygen/html/search/files_7.js +15 -15
- package/SVF-doxygen/html/search/files_8.js +13 -13
- package/SVF-doxygen/html/search/files_9.js +18 -18
- package/SVF-doxygen/html/search/files_a.js +3 -3
- package/SVF-doxygen/html/search/files_b.js +4 -4
- package/SVF-doxygen/html/search/files_c.js +20 -20
- package/SVF-doxygen/html/search/files_d.js +4 -4
- package/SVF-doxygen/html/search/files_e.js +56 -57
- package/SVF-doxygen/html/search/files_f.js +8 -8
- package/SVF-doxygen/html/search/functions_0.js +13 -13
- package/SVF-doxygen/html/search/functions_1.js +366 -366
- package/SVF-doxygen/html/search/functions_10.js +140 -140
- package/SVF-doxygen/html/search/functions_11.js +140 -140
- package/SVF-doxygen/html/search/functions_12.js +291 -293
- package/SVF-doxygen/html/search/functions_13.js +52 -52
- package/SVF-doxygen/html/search/functions_14.js +41 -41
- package/SVF-doxygen/html/search/functions_15.js +70 -70
- package/SVF-doxygen/html/search/functions_16.js +38 -38
- package/SVF-doxygen/html/search/functions_17.js +3 -3
- package/SVF-doxygen/html/search/functions_18.js +174 -174
- package/SVF-doxygen/html/search/functions_2.js +92 -92
- package/SVF-doxygen/html/search/functions_3.js +257 -257
- package/SVF-doxygen/html/search/functions_4.js +85 -85
- package/SVF-doxygen/html/search/functions_5.js +54 -54
- package/SVF-doxygen/html/search/functions_6.js +65 -65
- package/SVF-doxygen/html/search/functions_7.js +857 -857
- package/SVF-doxygen/html/search/functions_8.js +164 -176
- package/SVF-doxygen/html/search/functions_9.js +439 -436
- package/SVF-doxygen/html/search/functions_a.js +30 -30
- package/SVF-doxygen/html/search/functions_b.js +2 -2
- package/SVF-doxygen/html/search/functions_c.js +22 -22
- package/SVF-doxygen/html/search/functions_d.js +81 -81
- package/SVF-doxygen/html/search/functions_e.js +34 -34
- package/SVF-doxygen/html/search/functions_f.js +58 -58
- package/SVF-doxygen/html/search/namespaces_0.js +1 -1
- package/SVF-doxygen/html/search/namespaces_1.js +7 -7
- package/SVF-doxygen/html/search/related_0.js +4 -4
- package/SVF-doxygen/html/search/related_1.js +2 -2
- package/SVF-doxygen/html/search/related_2.js +2 -2
- package/SVF-doxygen/html/search/related_3.js +2 -2
- package/SVF-doxygen/html/search/related_4.js +2 -2
- package/SVF-doxygen/html/search/related_5.js +1 -1
- package/SVF-doxygen/html/search/related_6.js +2 -2
- package/SVF-doxygen/html/search/related_7.js +5 -5
- package/SVF-doxygen/html/search/related_8.js +2 -2
- package/SVF-doxygen/html/search/related_9.js +4 -4
- package/SVF-doxygen/html/search/related_a.js +19 -19
- package/SVF-doxygen/html/search/related_b.js +4 -4
- package/SVF-doxygen/html/search/related_c.js +2 -2
- package/SVF-doxygen/html/search/related_d.js +11 -11
- package/SVF-doxygen/html/search/related_e.js +2 -2
- package/SVF-doxygen/html/search/related_f.js +2 -2
- package/SVF-doxygen/html/search/typedefs_0.js +20 -20
- package/SVF-doxygen/html/search/typedefs_1.js +27 -27
- package/SVF-doxygen/html/search/typedefs_10.js +65 -65
- package/SVF-doxygen/html/search/typedefs_11.js +12 -12
- package/SVF-doxygen/html/search/typedefs_12.js +13 -13
- package/SVF-doxygen/html/search/typedefs_13.js +40 -40
- package/SVF-doxygen/html/search/typedefs_14.js +11 -11
- package/SVF-doxygen/html/search/typedefs_2.js +125 -125
- package/SVF-doxygen/html/search/typedefs_3.js +39 -39
- package/SVF-doxygen/html/search/typedefs_4.js +17 -17
- package/SVF-doxygen/html/search/typedefs_5.js +42 -42
- package/SVF-doxygen/html/search/typedefs_6.js +54 -54
- package/SVF-doxygen/html/search/typedefs_7.js +47 -47
- package/SVF-doxygen/html/search/typedefs_8.js +1 -1
- package/SVF-doxygen/html/search/typedefs_9.js +4 -4
- package/SVF-doxygen/html/search/typedefs_a.js +28 -28
- package/SVF-doxygen/html/search/typedefs_b.js +29 -29
- package/SVF-doxygen/html/search/typedefs_c.js +41 -41
- package/SVF-doxygen/html/search/typedefs_d.js +15 -15
- package/SVF-doxygen/html/search/typedefs_e.js +52 -52
- package/SVF-doxygen/html/search/typedefs_f.js +14 -14
- package/SVF-doxygen/html/search/variables_0.js +169 -170
- package/SVF-doxygen/html/search/variables_1.js +78 -78
- package/SVF-doxygen/html/search/variables_10.js +98 -98
- package/SVF-doxygen/html/search/variables_11.js +47 -47
- package/SVF-doxygen/html/search/variables_12.js +93 -93
- package/SVF-doxygen/html/search/variables_13.js +76 -76
- package/SVF-doxygen/html/search/variables_14.js +14 -14
- package/SVF-doxygen/html/search/variables_15.js +49 -49
- package/SVF-doxygen/html/search/variables_16.js +11 -11
- package/SVF-doxygen/html/search/variables_17.js +1 -1
- package/SVF-doxygen/html/search/variables_18.js +17 -17
- package/SVF-doxygen/html/search/variables_2.js +40 -40
- package/SVF-doxygen/html/search/variables_3.js +143 -143
- package/SVF-doxygen/html/search/variables_4.js +51 -51
- package/SVF-doxygen/html/search/variables_5.js +39 -39
- package/SVF-doxygen/html/search/variables_6.js +66 -66
- package/SVF-doxygen/html/search/variables_7.js +32 -32
- package/SVF-doxygen/html/search/variables_8.js +8 -8
- package/SVF-doxygen/html/search/variables_9.js +80 -80
- package/SVF-doxygen/html/search/variables_a.js +4 -4
- package/SVF-doxygen/html/search/variables_b.js +10 -10
- package/SVF-doxygen/html/search/variables_c.js +44 -44
- package/SVF-doxygen/html/search/variables_d.js +58 -58
- package/SVF-doxygen/html/search/variables_e.js +123 -123
- package/SVF-doxygen/html/search/variables_f.js +31 -31
- package/SVF-doxygen/html/svf-ex_8cpp.html +199 -197
- package/SVF-doxygen/html/svf-ex_8cpp_source.html +204 -202
- package/package.json +1 -1
- package/svf/include/AE/Svfexe/AbstractInterpretation.h +28 -21
- package/svf/include/AE/Svfexe/SVFIR2AbsState.h +37 -67
- package/svf/lib/AE/Svfexe/AbstractInterpretation.cpp +153 -169
- package/svf/lib/AE/Svfexe/BufOverflowChecker.cpp +64 -54
- package/svf/lib/AE/Svfexe/SVFIR2AbsState.cpp +134 -146
- package/svf-llvm/tools/Example/svf-ex.cpp +13 -12
- package/svf/lib/AE/Core/SVFIR2Relation.cpp +0 -193
|
@@ -62,13 +62,14 @@ std::string IntervalToIntStr(const IntervalValue& inv)
|
|
|
62
62
|
void BufOverflowChecker::handleSVFStatement(const SVFStmt *stmt)
|
|
63
63
|
{
|
|
64
64
|
AbstractInterpretation::handleSVFStatement(stmt);
|
|
65
|
+
AbstractState& as = getAbsState(stmt->getICFGNode());
|
|
65
66
|
// for gep stmt, add the gep stmt to the addrToGep map
|
|
66
67
|
if (const GepStmt *gep = SVFUtil::dyn_cast<GepStmt>(stmt))
|
|
67
68
|
{
|
|
68
69
|
for (NodeID addrID:
|
|
69
|
-
_svfir2AbsState->getAddrs(gep->getLHSVarID()).getAddrs())
|
|
70
|
+
_svfir2AbsState->getAddrs(as, gep->getLHSVarID()).getAddrs())
|
|
70
71
|
{
|
|
71
|
-
NodeID objId =
|
|
72
|
+
NodeID objId = AbstractState::getInternalID(addrID);
|
|
72
73
|
_addrToGep[objId] = gep;
|
|
73
74
|
}
|
|
74
75
|
}
|
|
@@ -123,10 +124,11 @@ void BufOverflowChecker::initExtAPIBufOverflowCheckRules()
|
|
|
123
124
|
|
|
124
125
|
bool BufOverflowChecker::detectStrcpy(const CallICFGNode *call)
|
|
125
126
|
{
|
|
127
|
+
AbstractState& as = getAbsState(call);
|
|
126
128
|
CallSite cs = SVFUtil::getSVFCallSite(call->getCallSite());
|
|
127
129
|
const SVFValue* arg0Val = cs.getArgument(0);
|
|
128
130
|
const SVFValue* arg1Val = cs.getArgument(1);
|
|
129
|
-
AbstractValue strLen = getStrlen(arg1Val);
|
|
131
|
+
AbstractValue strLen = getStrlen(as, arg1Val);
|
|
130
132
|
// no need to -1, since it has \0 as the last byte
|
|
131
133
|
return canSafelyAccessMemory(arg0Val, strLen, call);
|
|
132
134
|
}
|
|
@@ -136,11 +138,13 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
136
138
|
|
|
137
139
|
auto sse_scanf = [&](const CallSite &cs)
|
|
138
140
|
{
|
|
141
|
+
const CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(_svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
142
|
+
AbstractState& as = getAbsState(callNode);
|
|
139
143
|
//scanf("%d", &data);
|
|
140
144
|
if (cs.arg_size() < 2) return;
|
|
141
|
-
|
|
145
|
+
|
|
142
146
|
u32_t dst_id = _svfir->getValueNode(cs.getArgument(1));
|
|
143
|
-
if (!_svfir2AbsState->inVarToAddrsTable(dst_id))
|
|
147
|
+
if (!_svfir2AbsState->inVarToAddrsTable(as, dst_id))
|
|
144
148
|
{
|
|
145
149
|
BufOverflowException bug("scanf may cause buffer overflow.\n", 0, 0, 0, 0, cs.getArgument(1));
|
|
146
150
|
addBugToRecoder(bug, _svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
@@ -148,12 +152,12 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
148
152
|
}
|
|
149
153
|
else
|
|
150
154
|
{
|
|
151
|
-
AbstractValue Addrs = _svfir2AbsState->getAddrs(dst_id);
|
|
155
|
+
AbstractValue Addrs = _svfir2AbsState->getAddrs(as, dst_id);
|
|
152
156
|
for (auto vaddr: Addrs.getAddrs())
|
|
153
157
|
{
|
|
154
|
-
u32_t objId =
|
|
158
|
+
u32_t objId = AbstractState::getInternalID(vaddr);
|
|
155
159
|
AbstractValue range = _svfir2AbsState->getRangeLimitFromType(_svfir->getGNode(objId)->getType());
|
|
156
|
-
|
|
160
|
+
as.store(vaddr, range);
|
|
157
161
|
}
|
|
158
162
|
}
|
|
159
163
|
};
|
|
@@ -161,9 +165,10 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
161
165
|
{
|
|
162
166
|
//fscanf(stdin, "%d", &data);
|
|
163
167
|
if (cs.arg_size() < 3) return;
|
|
164
|
-
|
|
168
|
+
const CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(_svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
169
|
+
AbstractState& as = getAbsState(callNode);
|
|
165
170
|
u32_t dst_id = _svfir->getValueNode(cs.getArgument(2));
|
|
166
|
-
if (!_svfir2AbsState->inVarToAddrsTable(dst_id))
|
|
171
|
+
if (!_svfir2AbsState->inVarToAddrsTable(as, dst_id))
|
|
167
172
|
{
|
|
168
173
|
BufOverflowException bug("scanf may cause buffer overflow.\n", 0, 0, 0, 0, cs.getArgument(2));
|
|
169
174
|
addBugToRecoder(bug, _svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
@@ -171,12 +176,12 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
171
176
|
}
|
|
172
177
|
else
|
|
173
178
|
{
|
|
174
|
-
AbstractValue Addrs = _svfir2AbsState->getAddrs(dst_id);
|
|
179
|
+
AbstractValue Addrs = _svfir2AbsState->getAddrs(as, dst_id);
|
|
175
180
|
for (auto vaddr: Addrs.getAddrs())
|
|
176
181
|
{
|
|
177
|
-
u32_t objId =
|
|
182
|
+
u32_t objId = AbstractState::getInternalID(vaddr);
|
|
178
183
|
AbstractValue range = _svfir2AbsState->getRangeLimitFromType(_svfir->getGNode(objId)->getType());
|
|
179
|
-
|
|
184
|
+
as.store(vaddr, range);
|
|
180
185
|
}
|
|
181
186
|
}
|
|
182
187
|
};
|
|
@@ -193,11 +198,12 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
193
198
|
auto sse_fread = [&](const CallSite &cs)
|
|
194
199
|
{
|
|
195
200
|
if (cs.arg_size() < 3) return;
|
|
196
|
-
|
|
201
|
+
const CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(_svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
202
|
+
AbstractState&as = getAbsState(callNode);
|
|
197
203
|
u32_t block_count_id = _svfir->getValueNode(cs.getArgument(2));
|
|
198
204
|
u32_t block_size_id = _svfir->getValueNode(cs.getArgument(1));
|
|
199
|
-
AbstractValue block_count =
|
|
200
|
-
AbstractValue block_size =
|
|
205
|
+
AbstractValue block_count = as[block_count_id];
|
|
206
|
+
AbstractValue block_size = as[block_size_id];
|
|
201
207
|
AbstractValue block_byte = block_count * block_size;
|
|
202
208
|
canSafelyAccessMemory(cs.getArgument(0), block_byte, _svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
203
209
|
};
|
|
@@ -211,7 +217,8 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
211
217
|
auto sse_snprintf = [&](const CallSite &cs)
|
|
212
218
|
{
|
|
213
219
|
if (cs.arg_size() < 2) return;
|
|
214
|
-
|
|
220
|
+
const CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(_svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
221
|
+
AbstractState&as = getAbsState(callNode);
|
|
215
222
|
u32_t size_id = _svfir->getValueNode(cs.getArgument(1));
|
|
216
223
|
u32_t dst_id = _svfir->getValueNode(cs.getArgument(0));
|
|
217
224
|
// get elem size of arg2
|
|
@@ -222,15 +229,15 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
222
229
|
}
|
|
223
230
|
else if (cs.getArgument(2)->getType()->isPointerTy())
|
|
224
231
|
{
|
|
225
|
-
elemSize = getPointeeElement(_svfir->getValueNode(cs.getArgument(2)))->getByteSize();
|
|
232
|
+
elemSize = getPointeeElement(as, _svfir->getValueNode(cs.getArgument(2)))->getByteSize();
|
|
226
233
|
}
|
|
227
234
|
else
|
|
228
235
|
{
|
|
229
236
|
return;
|
|
230
237
|
// assert(false && "we cannot support this type");
|
|
231
238
|
}
|
|
232
|
-
AbstractValue size =
|
|
233
|
-
if (!
|
|
239
|
+
AbstractValue size = as[size_id] * IntervalValue(elemSize) - IntervalValue(1);
|
|
240
|
+
if (!as.inVarToAddrsTable(dst_id))
|
|
234
241
|
{
|
|
235
242
|
if (Options::BufferOverflowCheck())
|
|
236
243
|
{
|
|
@@ -260,10 +267,11 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
260
267
|
// itoa(num, ch, 10);
|
|
261
268
|
// num: int, ch: char*, 10 is decimal
|
|
262
269
|
if (cs.arg_size() < 3) return;
|
|
263
|
-
|
|
270
|
+
const CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(_svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
271
|
+
AbstractState&as = getAbsState(callNode);
|
|
264
272
|
u32_t num_id = _svfir->getValueNode(cs.getArgument(0));
|
|
265
273
|
|
|
266
|
-
u32_t num = (u32_t)
|
|
274
|
+
u32_t num = (u32_t) as[num_id].getInterval().getNumeral();
|
|
267
275
|
std::string snum = std::to_string(num);
|
|
268
276
|
canSafelyAccessMemory(cs.getArgument(1), AbstractValue((s32_t)snum.size()), _svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
269
277
|
};
|
|
@@ -275,8 +283,9 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
275
283
|
// check the arg size
|
|
276
284
|
if (cs.arg_size() < 1) return;
|
|
277
285
|
const SVFValue* strValue = cs.getArgument(0);
|
|
278
|
-
|
|
279
|
-
|
|
286
|
+
const CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(_svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
287
|
+
AbstractState& as = getAbsState(callNode);
|
|
288
|
+
AbstractValue dst_size = getStrlen(as, strValue);
|
|
280
289
|
u32_t elemSize = 1;
|
|
281
290
|
if (strValue->getType()->isArrayTy())
|
|
282
291
|
{
|
|
@@ -284,13 +293,13 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
284
293
|
}
|
|
285
294
|
else if (strValue->getType()->isPointerTy())
|
|
286
295
|
{
|
|
287
|
-
if (const SVFType* pointee = getPointeeElement(_svfir->getValueNode(strValue)))
|
|
296
|
+
if (const SVFType* pointee = getPointeeElement(as, _svfir->getValueNode(strValue)))
|
|
288
297
|
elemSize = pointee->getByteSize();
|
|
289
298
|
else
|
|
290
299
|
elemSize = 1;
|
|
291
300
|
}
|
|
292
301
|
u32_t lhsId = _svfir->getValueNode(cs.getInstruction());
|
|
293
|
-
|
|
302
|
+
as[lhsId] = dst_size / IntervalValue(elemSize);
|
|
294
303
|
};
|
|
295
304
|
_func_map["strlen"] = sse_strlen;
|
|
296
305
|
_func_map["wcslen"] = sse_strlen;
|
|
@@ -299,11 +308,12 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
299
308
|
{
|
|
300
309
|
// recv(sockfd, buf, len, flags);
|
|
301
310
|
if (cs.arg_size() < 4) return;
|
|
302
|
-
|
|
311
|
+
const CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(_svfir->getICFG()->getICFGNode(cs.getInstruction()));
|
|
312
|
+
AbstractState&as = getAbsState(callNode);
|
|
303
313
|
u32_t len_id = _svfir->getValueNode(cs.getArgument(2));
|
|
304
|
-
AbstractValue len =
|
|
314
|
+
AbstractValue len = as[len_id] - IntervalValue(1);
|
|
305
315
|
u32_t lhsId = _svfir->getValueNode(cs.getInstruction());
|
|
306
|
-
|
|
316
|
+
as[lhsId] = len;
|
|
307
317
|
canSafelyAccessMemory(cs.getArgument(1), len, _svfir->getICFG()->getICFGNode(cs.getInstruction()));;
|
|
308
318
|
};
|
|
309
319
|
_func_map["recv"] = sse_recv;
|
|
@@ -314,9 +324,9 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
314
324
|
_checkpoints.erase(callNode);
|
|
315
325
|
//void SAFE_BUFACCESS(void* data, int size);
|
|
316
326
|
if (cs.arg_size() < 2) return;
|
|
317
|
-
AbstractState&
|
|
327
|
+
AbstractState&as = getAbsState(callNode);
|
|
318
328
|
u32_t size_id = _svfir->getValueNode(cs.getArgument(1));
|
|
319
|
-
AbstractValue val =
|
|
329
|
+
AbstractValue val = as[size_id];
|
|
320
330
|
if (val.isBottom())
|
|
321
331
|
{
|
|
322
332
|
val = IntervalValue(0);
|
|
@@ -344,9 +354,9 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
344
354
|
_checkpoints.erase(callNode);
|
|
345
355
|
//void UNSAFE_BUFACCESS(void* data, int size);
|
|
346
356
|
if (cs.arg_size() < 2) return;
|
|
347
|
-
AbstractState&
|
|
357
|
+
AbstractState&as = getAbsState(callNode);
|
|
348
358
|
u32_t size_id = _svfir->getValueNode(cs.getArgument(1));
|
|
349
|
-
AbstractValue val =
|
|
359
|
+
AbstractValue val = as[size_id];
|
|
350
360
|
if (val.isBottom())
|
|
351
361
|
{
|
|
352
362
|
assert(false && "UNSAFE_BUFACCESS size is bottom");
|
|
@@ -375,6 +385,7 @@ void BufOverflowChecker::initExtFunMap()
|
|
|
375
385
|
|
|
376
386
|
bool BufOverflowChecker::detectStrcat(const CallICFGNode *call)
|
|
377
387
|
{
|
|
388
|
+
AbstractState& as = getAbsState(call);
|
|
378
389
|
const SVFFunction *fun = SVFUtil::getCallee(call->getCallSite());
|
|
379
390
|
// check the arg size
|
|
380
391
|
// if it is strcat group, we need to check the length of string,
|
|
@@ -389,8 +400,8 @@ bool BufOverflowChecker::detectStrcat(const CallICFGNode *call)
|
|
|
389
400
|
CallSite cs = SVFUtil::getSVFCallSite(call->getCallSite());
|
|
390
401
|
const SVFValue* arg0Val = cs.getArgument(0);
|
|
391
402
|
const SVFValue* arg1Val = cs.getArgument(1);
|
|
392
|
-
AbstractValue strLen0 = getStrlen(arg0Val);
|
|
393
|
-
AbstractValue strLen1 = getStrlen(arg1Val);
|
|
403
|
+
AbstractValue strLen0 = getStrlen(as, arg0Val);
|
|
404
|
+
AbstractValue strLen1 = getStrlen(as, arg1Val);
|
|
394
405
|
AbstractValue totalLen = strLen0 + strLen1;
|
|
395
406
|
return canSafelyAccessMemory(arg0Val, totalLen, call);
|
|
396
407
|
}
|
|
@@ -399,9 +410,8 @@ bool BufOverflowChecker::detectStrcat(const CallICFGNode *call)
|
|
|
399
410
|
CallSite cs = SVFUtil::getSVFCallSite(call->getCallSite());
|
|
400
411
|
const SVFValue* arg0Val = cs.getArgument(0);
|
|
401
412
|
const SVFValue* arg2Val = cs.getArgument(2);
|
|
402
|
-
AbstractValue arg2Num =
|
|
403
|
-
|
|
404
|
-
AbstractValue strLen0 = getStrlen(arg0Val);
|
|
413
|
+
AbstractValue arg2Num = as[_svfir->getValueNode(arg2Val)];
|
|
414
|
+
AbstractValue strLen0 = getStrlen(as, arg0Val);
|
|
405
415
|
AbstractValue totalLen = strLen0 + arg2Num;
|
|
406
416
|
return canSafelyAccessMemory(arg0Val, totalLen, call);
|
|
407
417
|
}
|
|
@@ -414,6 +424,7 @@ bool BufOverflowChecker::detectStrcat(const CallICFGNode *call)
|
|
|
414
424
|
|
|
415
425
|
void BufOverflowChecker::handleExtAPI(const CallICFGNode *call)
|
|
416
426
|
{
|
|
427
|
+
AbstractState& as = getAbsState(call);
|
|
417
428
|
AbstractInterpretation::handleExtAPI(call);
|
|
418
429
|
const SVFFunction *fun = SVFUtil::getCallee(call->getCallSite());
|
|
419
430
|
assert(fun && "SVFFunction* is nullptr");
|
|
@@ -451,8 +462,7 @@ void BufOverflowChecker::handleExtAPI(const CallICFGNode *call)
|
|
|
451
462
|
// loop the args and check the offset
|
|
452
463
|
for (auto arg: args)
|
|
453
464
|
{
|
|
454
|
-
AbstractValue offset =
|
|
455
|
-
_svfir2AbsState->getAbsState()[_svfir->getValueNode(cs.getArgument(arg.second))] - IntervalValue(1);
|
|
465
|
+
AbstractValue offset = as[_svfir->getValueNode(cs.getArgument(arg.second))] - IntervalValue(1);
|
|
456
466
|
canSafelyAccessMemory(cs.getArgument(arg.first), offset, call);
|
|
457
467
|
}
|
|
458
468
|
}
|
|
@@ -469,8 +479,7 @@ void BufOverflowChecker::handleExtAPI(const CallICFGNode *call)
|
|
|
469
479
|
// loop the args and check the offset
|
|
470
480
|
for (auto arg: args)
|
|
471
481
|
{
|
|
472
|
-
AbstractValue offset =
|
|
473
|
-
_svfir2AbsState->getAbsState()[_svfir->getValueNode(cs.getArgument(arg.second))] - IntervalValue(1);
|
|
482
|
+
AbstractValue offset = as[_svfir->getValueNode(cs.getArgument(arg.second))] - IntervalValue(1);
|
|
474
483
|
canSafelyAccessMemory(cs.getArgument(arg.first), offset, call);
|
|
475
484
|
}
|
|
476
485
|
}
|
|
@@ -491,6 +500,7 @@ void BufOverflowChecker::handleExtAPI(const CallICFGNode *call)
|
|
|
491
500
|
|
|
492
501
|
bool BufOverflowChecker::canSafelyAccessMemory(const SVFValue *value, const AbstractValue &len, const ICFGNode *curNode)
|
|
493
502
|
{
|
|
503
|
+
AbstractState& as = getAbsState(curNode);
|
|
494
504
|
const SVFValue *firstValue = value;
|
|
495
505
|
/// Usually called by a GepStmt overflow check, or external API (like memcpy) overflow check
|
|
496
506
|
/// Defitions of Terms:
|
|
@@ -525,7 +535,7 @@ bool BufOverflowChecker::canSafelyAccessMemory(const SVFValue *value, const Abst
|
|
|
525
535
|
}
|
|
526
536
|
else if (const LoadStmt *load = SVFUtil::dyn_cast<LoadStmt>(stmt))
|
|
527
537
|
{
|
|
528
|
-
AccessMemoryViaLoadStmt(load, worklist, visited);
|
|
538
|
+
AccessMemoryViaLoadStmt(as, load, worklist, visited);
|
|
529
539
|
}
|
|
530
540
|
else if (const GepStmt *gep = SVFUtil::dyn_cast<GepStmt>(stmt))
|
|
531
541
|
{
|
|
@@ -559,7 +569,7 @@ bool BufOverflowChecker::canSafelyAccessMemory(const SVFValue *value, const Abst
|
|
|
559
569
|
else
|
|
560
570
|
{
|
|
561
571
|
byteOffset =
|
|
562
|
-
_svfir2AbsState->getByteOffset(gep).getInterval();
|
|
572
|
+
_svfir2AbsState->getByteOffset(as, gep).getInterval();
|
|
563
573
|
}
|
|
564
574
|
// for variable offset, join with accumulate gep offset
|
|
565
575
|
gep_offsets[gep->getICFGNode()] = byteOffset;
|
|
@@ -588,8 +598,7 @@ bool BufOverflowChecker::canSafelyAccessMemory(const SVFValue *value, const Abst
|
|
|
588
598
|
else
|
|
589
599
|
{
|
|
590
600
|
u32_t idx = _svfir->getValueNode(idxValue);
|
|
591
|
-
IntervalValue idxVal =
|
|
592
|
-
_svfir2AbsState->getAbsState()[idx].getInterval();
|
|
601
|
+
IntervalValue idxVal = as[idx].getInterval();
|
|
593
602
|
if (idxVal.isBottom())
|
|
594
603
|
{
|
|
595
604
|
gepArrTotalByte = gepArrTotalByte + IntervalValue(0, 0);
|
|
@@ -652,7 +661,7 @@ bool BufOverflowChecker::canSafelyAccessMemory(const SVFValue *value, const Abst
|
|
|
652
661
|
else if (const AddrStmt *addr = SVFUtil::dyn_cast<AddrStmt>(stmt))
|
|
653
662
|
{
|
|
654
663
|
// addrStmt is source node.
|
|
655
|
-
u32_t arr_type_size = getAllocaInstByteSize(addr);
|
|
664
|
+
u32_t arr_type_size = getAllocaInstByteSize(as, addr);
|
|
656
665
|
if (total_bytes.ub().getNumeral() >= arr_type_size ||
|
|
657
666
|
total_bytes.lb().getNumeral() < 0)
|
|
658
667
|
{
|
|
@@ -687,7 +696,7 @@ bool BufOverflowChecker::canSafelyAccessMemory(const SVFValue *value, const Abst
|
|
|
687
696
|
if (SVFUtil::isa<SVFPointerType>(svftype))
|
|
688
697
|
{
|
|
689
698
|
if (const SVFArrayType *ptrArrType = SVFUtil::dyn_cast<SVFArrayType>(
|
|
690
|
-
getPointeeElement(_svfir->getValueNode(gvalue))))
|
|
699
|
+
getPointeeElement(as, _svfir->getValueNode(gvalue))))
|
|
691
700
|
arr_type_size = ptrArrType->getByteSize();
|
|
692
701
|
else
|
|
693
702
|
arr_type_size = svftype->getByteSize();
|
|
@@ -745,6 +754,7 @@ void BufOverflowChecker::handleICFGNode(const SVF::ICFGNode *node)
|
|
|
745
754
|
//
|
|
746
755
|
bool BufOverflowChecker::detectBufOverflow(const ICFGNode *node)
|
|
747
756
|
{
|
|
757
|
+
AbstractState &as = getAbsState(node);
|
|
748
758
|
for (auto* stmt: node->getSVFStmts())
|
|
749
759
|
{
|
|
750
760
|
if (const GepStmt *gep = SVFUtil::dyn_cast<GepStmt>(stmt))
|
|
@@ -764,13 +774,13 @@ bool BufOverflowChecker::detectBufOverflow(const ICFGNode *node)
|
|
|
764
774
|
}
|
|
765
775
|
else if (const LoadStmt* load = SVFUtil::dyn_cast<LoadStmt>(stmt))
|
|
766
776
|
{
|
|
767
|
-
if (_svfir2AbsState->inVarToAddrsTable(load->getRHSVarID()))
|
|
777
|
+
if (_svfir2AbsState->inVarToAddrsTable(as, load->getRHSVarID()))
|
|
768
778
|
{
|
|
769
779
|
AbstractValue Addrs =
|
|
770
|
-
_svfir2AbsState->getAddrs(load->getRHSVarID());
|
|
780
|
+
_svfir2AbsState->getAddrs(as, load->getRHSVarID());
|
|
771
781
|
for (auto vaddr: Addrs.getAddrs())
|
|
772
782
|
{
|
|
773
|
-
u32_t objId =
|
|
783
|
+
u32_t objId = AbstractState::getInternalID(vaddr);
|
|
774
784
|
if (_addrToGep.find(objId) != _addrToGep.end())
|
|
775
785
|
{
|
|
776
786
|
const GepStmt* gep = _addrToGep.at(objId);
|
|
@@ -781,13 +791,13 @@ bool BufOverflowChecker::detectBufOverflow(const ICFGNode *node)
|
|
|
781
791
|
}
|
|
782
792
|
else if (const StoreStmt* store = SVFUtil::dyn_cast<StoreStmt>(stmt))
|
|
783
793
|
{
|
|
784
|
-
if (_svfir2AbsState->inVarToAddrsTable(store->getLHSVarID()))
|
|
794
|
+
if (_svfir2AbsState->inVarToAddrsTable(as, store->getLHSVarID()))
|
|
785
795
|
{
|
|
786
796
|
AbstractValue Addrs =
|
|
787
|
-
_svfir2AbsState->getAddrs(store->getLHSVarID());
|
|
797
|
+
_svfir2AbsState->getAddrs(as, store->getLHSVarID());
|
|
788
798
|
for (auto vaddr: Addrs.getAddrs())
|
|
789
799
|
{
|
|
790
|
-
u32_t objId =
|
|
800
|
+
u32_t objId = AbstractState::getInternalID(vaddr);
|
|
791
801
|
if (_addrToGep.find(objId) != _addrToGep.end())
|
|
792
802
|
{
|
|
793
803
|
const GepStmt* gep = _addrToGep.at(objId);
|
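Review bot: The `callNode` returned by `SVFUtil::dyn_cast<CallICFGNode>(...)` is passed straight to `getAbsState(callNode)` with no null check in every external-call lambda this commit touches in initExtFunMap (sse_scanf, the fscanf handler, sse_fread, sse_snprintf, the itoa handler, sse_strlen and sse_recv). A failed cast would hand a null node to the state lookup, so I would add `assert(callNode && "call site is not a CallICFGNode");` after each cast, in the style of the existing `assert(fun && "SVFFunction* is nullptr");`, or move the two lines into one private helper so the check lives in one place. Separately, handleExtAPI binds `as` before it calls `AbstractInterpretation::handleExtAPI(call)`, while handleSVFStatement binds it after the base call; if the base handler can replace or re-create the per-node state (not visible here), the earlier reference could be stale, so binding it after the base call would be the safer order. In sse_scanf the lookup also runs before the `cs.arg_size() < 2` guard, unlike the other lambdas. The bodies of these functions extend beyond the hunks shown.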