svf-tools 1.0.987 → 1.0.989

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.987",
+  "version": "1.0.989",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/AE/Svfexe/AEDetector.h

@@ -75,6 +75,12 @@ public:
      */
     virtual void detect(AbstractState& as, const ICFGNode* node) = 0;
 
+    /**
+     * @brief Pure virtual function for handling stub external API calls. (e.g. UNSAFE_BUFACCESS)
+     * @param call Pointer to the ext call ICFG node.
+     */
+    virtual void handleStubFunctions(const CallICFGNode* call) = 0;
+
     /**
      * @brief Pure virtual function to report detected bugs.
      */
@@ -169,6 +175,13 @@ public:
      */
     void detect(AbstractState& as, const ICFGNode*);
 
+
+    /**
+     * @brief Handles external API calls related to buffer overflow detection.
+     * @param call Pointer to the call ICFG node.
+     */
+    void handleStubFunctions(const CallICFGNode*);
+
     /**
      * @brief Adds an offset to a GEP object.
      * @param obj Pointer to the GEP object.
@@ -277,11 +290,11 @@ public:
     /**
      * @brief Checks if memory can be safely accessed.
      * @param as Reference to the abstract state.
-     * @param value Pointer to the SVF value.
+     * @param value Pointer to the SVF var.
      * @param len The interval value representing the length of the memory access.
      * @return True if the memory access is safe, false otherwise.
      */
-    bool canSafelyAccessMemory(AbstractState& as, const SVFValue *value, const IntervalValue &len);
+    bool canSafelyAccessMemory(AbstractState& as, const SVFVar *value, const IntervalValue &len);
 
 private:
     /**

package/svf/include/AE/Svfexe/AbsExtAPI.h

@@ -0,0 +1,147 @@
+//===- AbsExtAPI.h -- Abstract Interpretation External API handler-----//
+//
+//                     SVF: Static Value-Flow Analysis
+//
+// Copyright (C) <2013->  <Yulei Sui>
+//
+
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+//===----------------------------------------------------------------------===//
+
+
+//
+// Created by Jiawei Wang on 2024/9/9.
+//
+#pragma once
+#include "AE/Core/AbstractState.h"
+#include "AE/Core/ICFGWTO.h"
+#include "AE/Svfexe/AEDetector.h"
+#include "AE/Svfexe/AbsExtAPI.h"
+#include "Util/SVFBugReport.h"
+#include "WPA/Andersen.h"
+
+namespace SVF
+{
+
+// Forward declaration of AbstractInterpretation class
+class AbstractInterpretation;
+
+/**
+ * @class AbsExtAPI
+ * @brief Handles external API calls and manages abstract states.
+ */
+class AbsExtAPI
+{
+public:
+    /**
+     * @enum ExtAPIType
+     * @brief Enumeration of external API types.
+     */
+    enum ExtAPIType { UNCLASSIFIED, MEMCPY, MEMSET, STRCPY, STRCAT };
+
+    /**
+     * @brief Constructor for AbsExtAPI.
+     * @param abstractTrace Reference to a map of ICFG nodes to abstract states.
+     */
+    AbsExtAPI(Map<const ICFGNode*, AbstractState>& abstractTrace);
+
+    /**
+     * @brief Initializes the external function map.
+     */
+    void initExtFunMap();
+
+    /**
+     * @brief Reads a string from the abstract state.
+     * @param as Reference to the abstract state.
+     * @param rhs Pointer to the SVF variable representing the string.
+     * @return The string value.
+     */
+    std::string strRead(AbstractState& as, const SVFVar* rhs);
+
+    /**
+     * @brief Handles an external API call.
+     * @param call Pointer to the call ICFG node.
+     */
+    void handleExtAPI(const CallICFGNode *call);
+
+    /**
+     * @brief Handles the strcpy API call.
+     * @param call Pointer to the call ICFG node.
+     */
+    void handleStrcpy(const CallICFGNode *call);
+
+    /**
+     * @brief Calculates the length of a string.
+     * @param as Reference to the abstract state.
+     * @param strValue Pointer to the SVF variable representing the string.
+     * @return The interval value representing the string length.
+     */
+    IntervalValue getStrlen(AbstractState& as, const SVF::SVFVar *strValue);
+
+    /**
+     * @brief Handles the strcat API call.
+     * @param call Pointer to the call ICFG node.
+     */
+    void handleStrcat(const SVF::CallICFGNode *call);
+
+    /**
+     * @brief Handles the memcpy API call.
+     * @param as Reference to the abstract state.
+     * @param dst Pointer to the destination SVF variable.
+     * @param src Pointer to the source SVF variable.
+     * @param len The interval value representing the length to copy.
+     * @param start_idx The starting index for copying.
+     */
+    void handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SVF::SVFVar *src, IntervalValue len, u32_t start_idx);
+
+    /**
+     * @brief Handles the memset API call.
+     * @param as Reference to the abstract state.
+     * @param dst Pointer to the destination SVF variable.
+     * @param elem The interval value representing the element to set.
+     * @param len The interval value representing the length to set.
+     */
+    void handleMemset(AbstractState& as, const SVFVar* dst, IntervalValue elem, IntervalValue len);
+
+    /**
+     * @brief Gets the range limit from a type.
+     * @param type Pointer to the SVF type.
+     * @return The interval value representing the range limit.
+     */
+    IntervalValue getRangeLimitFromType(const SVFType* type);
+
+    /**
+     * @brief Retrieves the abstract state from the trace for a given ICFG node.
+     * @param node Pointer to the ICFG node.
+     * @return Reference to the abstract state.
+     * @throws Assertion if no trace exists for the node.
+     */
+    AbstractState& getAbsStateFromTrace(const ICFGNode* node);
+
+    /**
+     * @brief Retrieves the SVF variable from a given SVF value.
+     * @param val Pointer to the SVF value.
+     * @return Pointer to the corresponding SVF variable.
+     */
+    const SVFVar* getSVFVar(const SVFValue* val);
+
+protected:
+    SVFIR* svfir; ///< Pointer to the SVF intermediate representation.
+    ICFG* icfg; ///< Pointer to the interprocedural control flow graph.
+    Map<const ICFGNode*, AbstractState>& abstractTrace; ///< Map of ICFG nodes to abstract states.
+    Map<std::string, std::function<void(const CallICFGNode*)>> func_map; ///< Map of function names to handlers.
+};
+
+} // namespace SVF

package/svf/include/AE/Svfexe/AbstractInterpretation.h

@@ -31,12 +31,14 @@
 #include "AE/Core/AbstractState.h"
 #include "AE/Core/ICFGWTO.h"
 #include "AE/Svfexe/AEDetector.h"
+#include "AE/Svfexe/AbsExtAPI.h"
 #include "Util/SVFBugReport.h"
 #include "WPA/Andersen.h"
 
 namespace SVF
 {
 class AbstractInterpretation;
+class AbsExtAPI;
 class AEStat;
 class AEAPI;
 
@@ -104,7 +106,6 @@ class AbstractInterpretation
     friend class BufOverflowDetector;
 
 public:
-    enum ExtAPIType { UNCLASSIFIED, MEMCPY, MEMSET, STRCPY, STRCAT };
     typedef SCCDetection<CallGraph*> CallGraphSCC;
     /// Constructor
     AbstractInterpretation();
@@ -128,7 +129,9 @@ public:
         detectors.push_back(std::move(detector));
     }
 
-protected:
+    Set<const CallICFGNode*> checkpoints; // for CI check
+
+private:
     /// Global ICFGNode is handled at the entry of the program,
     virtual void handleGlobalNode();
 
@@ -213,77 +216,6 @@ protected:
                                 AbstractState& as);
 
 
-    /**
-    * handle external function call
-    *
-    * @param call call node whose callee is external function
-    */
-    virtual void handleExtAPI(const CallICFGNode *call);
-
-    /**
-    * the map of external function to its API type
-    *
-    * In AEAPI, this function is mainly used for abstract explanation.
-    * In subclasses, this function is mainly used to check specific bugs
-    */
-    virtual void initExtFunMap();
-
-
-    /**
-    * get byte size of alloca inst
-    * e.g. source code str = "abc", there are str value, return "abc"
-    *
-    * @param rhs SVFValue of string
-    * @return the string
-    */
-    std::string strRead(AbstractState& as,const SVFValue* rhs);
-
-    /**
-    * get length of string
-    * e.g. source code str = "abc", return 3
-    *
-    * @param strValue SVFValue of string
-    * @return IntervalValue of string length
-    */
-    IntervalValue getStrlen(AbstractState& as, const SVF::SVFValue *strValue);
-
-    /**
-    * execute strcpy in abstract execution
-    * e.g  arr = new char[10]
-    *      str = "abc"
-    *      strcpy(arr, str)
-    * we can set arr[0]='a', arr[1]='b', arr[2]='c', arr[3]='\0'
-    * @param call callnode of strcpy like api
-    */
-    virtual void handleStrcpy(const CallICFGNode *call);
-    /**
-    * execute strcpy in abstract execution
-    * e.g  arr[10] = "abc"
-    *      str = "de"
-    *      strcat(arr, str)
-    * we can set arr[3]='d', arr[4]='e', arr[5]='\0'
-    * @param call callnode of strcat like api
-    */
-    virtual void handleStrcat(const CallICFGNode *call);
-    /**
-    * execute memcpy in abstract execution
-    * e.g  arr = new char[10]
-    *      str = "abcd"
-    *      memcpy(arr, str, 5)
-    * we can set arr[3]='d', arr[4]='e', arr[5]='\0'
-    * @param call callnode of memcpy like api
-    */
-    virtual void handleMemcpy(AbstractState& as, const SVFValue* dst, const SVFValue* src, IntervalValue len, u32_t start_idx);
-    /**
-    * execute memset in abstract execution
-    * e.g  arr = new char[10]
-    *      memset(arr, 'c', 2)
-    * we can set arr[0]='c', arr[1]='c', arr[2]='\0'
-    * @param call callnode of memset like api
-    */
-    virtual void handleMemset(AbstractState& as, const SVFValue* dst, IntervalValue elem, IntervalValue len);
-
-
     void collectCheckPoint();
     void checkPointAllSet();
 
@@ -309,8 +241,6 @@ protected:
 
     void updateStateOnPhi(const PhiStmt *phi);
 
-    IntervalValue getRangeLimitFromType(const SVFType* type);
-
 
     /// protected data members, also used in subclasses
     SVFIR* svfir;
@@ -324,18 +254,6 @@ protected:
     Map<const SVFFunction*, ICFGWTO*> funcToWTO;
     Set<const SVFFunction*> recursiveFuns;
 
-private:
-    // helper functions in handleCallSite
-    virtual bool isExtCall(const CallICFGNode* callNode);
-    virtual void extCallPass(const CallICFGNode* callNode);
-    virtual bool isRecursiveCall(const CallICFGNode* callNode);
-    virtual void recursiveCallPass(const CallICFGNode* callNode);
-    virtual bool isDirectCall(const CallICFGNode* callNode);
-    virtual void directCallFunPass(const CallICFGNode* callNode);
-    virtual bool isIndirectCall(const CallICFGNode* callNode);
-    virtual void indirectCallFunPass(const CallICFGNode* callNode);
-
-protected:
 
     AbstractState& getAbsStateFromTrace(const ICFGNode* node)
     {
@@ -356,16 +274,31 @@ protected:
         return abstractTrace.count(repNode) != 0;
     }
 
-protected:
+    AbsExtAPI* getUtils()
+    {
+        return utils;
+    }
+
+    // helper functions in handleCallSite
+    virtual bool isExtCall(const CallICFGNode* callNode);
+    virtual void extCallPass(const CallICFGNode* callNode);
+    virtual bool isRecursiveCall(const CallICFGNode* callNode);
+    virtual void recursiveCallPass(const CallICFGNode* callNode);
+    virtual bool isDirectCall(const CallICFGNode* callNode);
+    virtual void directCallFunPass(const CallICFGNode* callNode);
+    virtual bool isIndirectCall(const CallICFGNode* callNode);
+    virtual void indirectCallFunPass(const CallICFGNode* callNode);
+
     // there data should be shared with subclasses
     Map<std::string, std::function<void(const CallICFGNode*)>> func_map;
-    Set<const CallICFGNode*> checkpoints;
-    Set<std::string> checkpoint_names;
-    Map<const ICFGNode*, AbstractState>
-    abstractTrace; // abstract states immediately after nodes
+
+    Map<const ICFGNode*, AbstractState> abstractTrace; // abstract states immediately after nodes
     std::string moduleName;
 
     std::vector<std::unique_ptr<AEDetector>> detectors;
+    AbsExtAPI* utils;
+
+
 
 };
 }

package/svf/include/SVFIR/SVFValue.h

@@ -319,7 +319,6 @@ private:
     const SVFFunction* realDefFun;  /// the definition of a function across multiple modules
     std::vector<const SVFBasicBlock*> allBBs;   /// all BasicBlocks of this function
     std::vector<const SVFArgument*> allArgs;    /// all formal arguments of this function
-    std::vector<std::string> annotations; /// annotations of this function
     SVFBasicBlock *exitBlock;             /// a 'single' basic block having no successors and containing return instruction in a function
 
 protected:
@@ -463,16 +462,6 @@ public:
         return  !isNotRet;
     }
 
-    inline const std::vector<std::string>& getAnnotations() const
-    {
-        return annotations;
-    }
-
-    inline void setAnnotations(std::vector<std::string>& annotations)
-    {
-        this->annotations = annotations;
-    }
-
     inline void getExitBlocksOfLoop(const SVFBasicBlock* bb, BBList& exitbbs) const
     {
         return loopAndDom->getExitBlocksOfLoop(bb,exitbbs);

package/svf/include/Util/ExtAPI.h

@@ -43,10 +43,14 @@ namespace SVF
 
 class ExtAPI
 {
+    friend class LLVMModuleSet;
 private:
 
     static ExtAPI *extOp;
 
+    // Map SVFFunction to its annotations
+    Map<const SVFFunction*, std::vector<std::string>> func2Annotations;
+
     // extapi.bc file path
     static std::string extBcPath;
 
@@ -67,6 +71,8 @@ public:
     // Get the annotation of (F)
     std::string getExtFuncAnnotation(const SVFFunction* fun, const std::string& funcAnnotation);
 
+    const std::vector<std::string>& getExtFuncAnnotations(const SVFFunction* fun);
+
     // Does (F) have some annotation?
     bool hasExtFuncAnnotation(const SVFFunction* fun, const std::string& funcAnnotation);
 
@@ -94,6 +100,10 @@ public:
     // Should (F) be considered "external" (either not defined in the program
     //   or a user-defined version of a known alloc or no-op)?
     bool is_ext(const SVFFunction *F);
+
+private:
+    // Set the annotation of (F)
+    void setExtFuncAnnotations(const SVFFunction* fun, const std::vector<std::string>& funcAnnotations);
 };
 } // End namespace SVF
 

package/svf/include/Util/SVFUtil.h

@@ -391,19 +391,13 @@ bool isExtCall(const ICFGNode* node);
 
 bool isHeapAllocExtCallViaArg(const CallICFGNode* cs);
 
-bool isHeapAllocExtCallViaArg(const SVFInstruction *inst);
-
-bool isHeapAllocExtCallViaRet(const SVFInstruction *inst);
 
 /// interfaces to be used externally
 bool isHeapAllocExtCallViaRet(const CallICFGNode* cs);
 
 bool isHeapAllocExtCall(const ICFGNode* cs);
 
-inline bool isHeapAllocExtCall(const SVFInstruction *inst)
-{
-    return isHeapAllocExtCallViaRet(inst) || isHeapAllocExtCallViaArg(inst);
-}
+
 
 //@}