SVF-tools / SVF

Static Value-Flow Analysis Framework for Source Code
http://svf-tools.github.io/SVF/

Can SVFG option of WPA detect writing operation from snprintf? #1081

Open UESuperGate opened 1 year ago

UESuperGate commented 1 year ago

Hi there!

I'm trying out the value-flow analysis of SVF. I wrote a simple example as follows:

```c
#include <stdio.h>
#include <string.h>

char gv[16] = {0};

void func1(const char *msg) {
    printf("calling func1 with msg: %s\n", msg);
    snprintf(gv, 16,  "%s", msg);
    printf("Here gv is: %s\n", gv);
}

int main() {
    func1("pure call inner func");
    return 0;
}
```

I want to get the value-flow result of gv. Theoretically, gv is assigned in func1 by snprintf. However, the results did not match the assumption.

I used the commands as follows:

```shell
clang -S -c -Xclang -disable-O0-optnone -fno-discard-value-names -emit-llvm ./test_snprintf.c -o ./test_snprintf.ll
wpa -ander -svfg -dump-vfg -opt-svfg=false ./test_snprintf.ll
```

Here is the SVFG it generated. To make it clearer, I only post the part related to gv. The modification of gv from snprintf is not recorded: [image: SVFG fragment for gv]

Here are the logs WPA printed in console:

```shell
*********CallGraph Stats***************
################ (program : test_snprintf.ll)###############
-------------------------------------------------------
TotalNode           4
TotalEdge           4
TotalCycle          0
MaxNodeInCycle      0
NodeInCycle         0
CalRetPairInCycle   0
#######################################################

*********General Stats***************
################ (program : test_snprintf.ll)###############
BBWith2Succ         0
BBWith3Succ         0
TotalPointers       41
TotalObjects        9
TotalFieldObjects   1
MaxStructSize       0
TotalSVFStmts       28
TotalPTASVFStmts    22
FIObjNum            0
FSObjNum            8
AddrsNum            15
LoadsNum            2
StoresNum           2
CopysNum            1
GepsNum             6
CallsNum            1
ReturnsNum          0
FunctionObjs        4
GlobalObjs          1
HeapObjs            0
StackObjs           2
VarStructObj        0
VarArrayObj         1
ConstStructObj      0
ConstArrayObj       0
NonPtrObj           7
ConstantObj         0
IndCallSites        0
TotalCallSite       4
-------------------------------------------------------
LLVMIRTime          0.004
SymbolTableTime     0
SVFIRTime           0
#######################################################

*********Constraint Graph Stats***************
################ (program : test_snprintf.ll)###############
-------------------------------------------------------
AvgIn/OutCopyEdge   0.366667
AvgIn/OutLoadEdge   0.0666667
AvgIn/OutAddrEdge   0.366667
AvgIn/OutEdge       0.833333
LocalVarInRecur     0
NumOfCGNode         59
TotalValidNode      30
TotalValidObjNode   8
NumOfCGEdge         14
NumOfAddrs          11
NumOfCopys          5
NumOfGeps           6
NumOfLoads          2
NumOfStores         1
MaxInCopyEdge       1
MaxOutCopyEdge      2
MaxInLoadEdge       1
MaxOutLoadEdge      2
MaxInStoreEdge      1
MaxOutStoreEdge     1
AvgIn/OutStoreEdge  0
MaxInAddrEdge       1
MaxOutAddrEdge      4
#######################################################

*********Andersen Pointer Analysis Stats***************
################ (program : test_snprintf.ll)###############
-------------------------------------------------------
TotalTime           0
SCCDetectTime       0
SCCMergeTime        0
LoadStoreTime       0
CopyGepTime         0
UpdateCGTime        0
AvgPtsSetSize       0.355932
AvgTopLvlPtsSize    0.952381
CollapseTime        0
Pointers            41
TotalPointers       41
TotalObjects        10
IndCallSites        0
AddrProcessed       11
CopyProcessed       4
GepProcessed        6
LoadProcessed       2
StoreProcessed      1
NumOfSFRs           0
NumOfFieldExpand    0
MemObjects          9
DummyFieldPtrs      0
FieldObjs           1
MaxPtsSetSize       1
SolveIterations     2
IndEdgeSolved       0
NumOfSCCDetect      2
TotalCycleNum       0
TotalPWCCycleNum    0
NodesInCycles       0
MaxNodesInSCC       0
NullPointer         0
PointsToConstPtr    0
PointsToBlkPtr      0
#######################################################

****Persistent Points-To Cache Statistics: Andersen's analysis bitvector****
################ (program : test_snprintf.ll)###############
UniquePointsToSets       10
TotalUnions              21
PropertyUnions           21
UniqueUnions             0
LookupUnions             0
PreemptiveUnions         0
TotalComplements         117
PropertyComplements      117
UniqueComplements        0
LookupComplements        0
PreemptiveComplements    0
TotalIntersections       3
PropertyIntersections    3
UniqueIntersections      0
LookupIntersections      0
PreemptiveIntersections  0
#######################################################

*********Memory SSA Statistics***************
################ (program : test_snprintf.ll)###############
-------------------------------------------------------
AverageRegSize      1
SSARenameTime       0
InsertPHITime       0
GenMUCHITime        0
GenRegionTime       0
TotalMSSATime       0
BBHasMSSAPhi        0
MSSAPhi             0
StoreHasChi         2
LoadHasMu           2
CSHasMu             0
CSHasChi            0
FunHasRetMu         2
FunHasEntryChi      2
StoreChiNode        2
LoadMuNode          2
CSMuNode            0
CSChiNode           0
FunRetMu            2
FunEntryChi         2
MemRegions          2
MaxRegSize          1
#######################################################

****SVFG Statistics****

************************
################ (program : test_snprintf.ll)###############
-------------------------------------------------------
TotalTime           0
ConnDirEdgeTime     0
ConnIndEdgeTime     0
TLNodeTime          0
ATNodeTime          0
OptTime             0
AvgWeight           1
TotalNode           46
FormalIn            2
FormalOut           2
FormalParam         1
FormalRet           1
ActualIn            0
ActualOut           0
ActualParam         9
ActualRet           3
TotalEdge           28
DirectEdge          22
IndirectEdge        6
IndirectEdgeLabels  6
IndCallEdge         0
IndRetEdge          0
DirectCallEdge      1
DirectRetEdge       0
AvgInDegree         0
AvgOutDegree        0
MaxInDegree         3
MaxOutDegree        3
AvgIndInDeg         1
AvgIndOutDeg        1
MaxIndInDeg         1
MaxIndOutDeg        3
MSSAPhi             0
PHI                 1
Addr                15
Copy                1
Gep                 6
Load                2
Store               2
#######################################################
Writing 'svfg_final.dot'...
```

I'm wondering whether SVF can treat some external functions (e.g., snprintf) that might modify values as store operations as well. Or is it possible for us to write our own analysis based on SVF to achieve the same effect?

yuleisui commented 1 year ago

This could be done by changing the side-effect of external functions here: https://github.com/SVF-tools/SVF/blob/master/svf/include/Util/ExtAPI.json#L1964
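As an added illustration of why the answer above works (this is not SVF code and does not use the ExtAPI.json format; the statement tuples, the summary table and the `reaching_defs` helper are constructed for this example), a toy reaching-definition pass over func1 from the issue: with no side-effect summary for `snprintf`, the later load of `gv` sees no definition, matching the `CSHasChi 0` in the Memory SSA statistics; once the summary declares that `snprintf` writes its first argument, the call becomes the reaching definition.

```python
# Toy reaching-definition computation showing how an external side-effect
# summary turns an opaque library call into a visible write. Constructed
# example, not SVF's implementation or its ExtAPI.json schema.
from typing import Dict, List, Optional, Set, Tuple

# Constructed IR for func1 in the issue. Statement forms:
#   ("store", dst, src)     explicit write to memory location dst
#   ("load", dst, src)      read of memory location src into dst
#   ("call", fn, [args])    call to an external function
Stmt = Tuple

FUNC1: List[Stmt] = [
    ("load", "msg0", "msg"),                       # printf reads msg
    ("call", "printf", ["fmt1", "msg0"]),
    ("call", "snprintf", ["gv", "16", "fmt2", "msg"]),
    ("load", "gv0", "gv"),                         # printf reads gv
    ("call", "printf", ["fmt3", "gv0"]),
]

# External side-effect summaries: function name -> argument positions written.
# Leaving snprintf out reproduces the behaviour reported in the issue.
NO_SUMMARY: Dict[str, Set[int]] = {}
WITH_SUMMARY: Dict[str, Set[int]] = {"snprintf": {0}}


def reaching_defs(stmts: List[Stmt],
                  summaries: Dict[str, Set[int]]) -> Dict[str, Optional[str]]:
    """For each load, return the label of the write that reaches it, or None
    when only the location's initial value is visible to the analysis."""
    current: Dict[str, str] = {}          # location -> label of last write
    result: Dict[str, Optional[str]] = {}
    for i, stmt in enumerate(stmts):
        kind = stmt[0]
        if kind == "store":
            current[stmt[1]] = f"store@{i}"
        elif kind == "call":
            fn, args = stmt[1], stmt[2]
            # A modelled write by an external call plays the role of a
            # call-site chi node: it defines the pointed-to location.
            for pos in summaries.get(fn, set()):
                if pos < len(args):
                    current[args[pos]] = f"{fn}@{i}"
        elif kind == "load":
            result[stmt[1]] = current.get(stmt[2])
    return result
```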

UESuperGate commented 1 year ago

That works for me, thank you so much!