Crash During Pointer Analysis on Boringssl with WPA

[liushengahn]

Hello,

I am currently using the WPA tool to perform pointer analysis on the Boringssl(https://github.com/google/fuzzer-test-suite/blob/master/boringssl-2016-02-12/build.sh) from the Google Fuzzer Test Suite(https://github.com/google/fuzzer-test-suite/tree/master). I have successfully built the executable using wllvm and wllvm++, resulting in the boringssl-2016-02-12.bc bitcode file.

However, when I attempt to run pointer analysis using SVF, the tool crashes. I am not sure what is causing this issue and would greatly appreciate your assistance in resolving it. boringssl-2016-02-12.zip

Here is the error message I received:

wpa: /root/SVF/svf/lib/WPA/WPAPass.cpp:77: virtual void SVF::WPAPass::runOnModule(SVF::SVFIR*): Assertion `!ptaVector.empty() && "No pointer analysis is specified.\n"' failed.
Aborted (core dumped)

This is not the first time I've encountered crashes during testing with some libraries. Could you please advise on potential reasons for these issues and how they can be prevented or resolved?

I would be grateful for any guidance or insights into this issue. Thank you for your time and assistance.

[yuleisui]

What command line options did you use to run wpa?

[jumormt]

@liushengahn The message indicates missing of the pointer analysis type, e.g., ``-ander'' (Andersen's pointer analysis).

[liushengahn]

I apologize for the confusion in my previous message. I actually encountered an error while implementing my own analysis based on the example provided here. When I ran my program, I received the following error:

svf-cd-dd: /root/SVF/svf/include/Util/Casting.h:198: static bool SVF::SVFUtil::isa_impl_cl<To, const From*>::doit(const From*) [with To = SVF::IntraCFGEdge; From = SVF::ICFGEdge]: Assertion `Val && "SVFUtil::isa<> used on a null pointer"' failed.
Aborted (core dumped)

Here is the code where I construct some graphs:

// Parse command-line arguments to get module name vector
std::vector<std::string> moduleNameVec =
    OptionBase::parseOptions(argc, argv, "Whole Program Points-to Analysis",
                             "[options] <input-bitcode...>");

// If the write option is enabled, preprocess the LLVM modules
if (Options::WriteAnder() == "ir_annotator") {
    LLVMModuleSet::preProcessBCs(moduleNameVec);
}

// Build the SVF module
auto svf_start = std::chrono::high_resolution_clock::now();
SVFModule *svfModule = LLVMModuleSet::buildSVFModule(moduleNameVec);

// Build the program analysis graph (SVFIR)
SVFIRBuilder builder(svfModule);
SVFIR *pag = builder.build();

// Get the indirect control flow graph (ICFG)
icfg = pag->getICFG();

// Build the control dependence graph (CDG)
CDGBuilder CDGbuilder;
CDGbuilder.build();

cdgBBdep = CDGbuilder.get_svfdependentOnMap();
cdgBBctl = CDGbuilder.get_svfcontrolMap();
// Build the call graph (CallGraph)
SVF::Andersen *ander =
    SVF::AndersenWaveDiff::createAndersenWaveDiff(SVF::PAG::getPAG());
cg = ander->getPTACallGraph();

// Build the sparse value flow graph (SVFG)
SVFGBuilder svfBuilder(true);
svfg = svfBuilder.buildFullSVFG(ander);

The program runs successfully on some projects, but it crashes on the most recent one. I am unsure what might be causing this issue, and I would appreciate any guidance or insights into what could be going wrong.

[liushengahn]

[New LWP 961933]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/root/svf-cd-dd/bin/svf-cd-dd -ander -target=/root/aflgo/examples/boringssl-201'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f53b7bc9859 in __GI_abort () at abort.c:79
#2  0x00007f53b7bc9729 in __assert_fail_base (fmt=0x7f53b7d5f588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=0x5594f6b007f8 "Val && \"SVFUtil::isa<> used on a null pointer\"", file=0x5594f6b007d0 "/root/SVF/svf/include/Util/Casting.h", 
    line=198, function=<optimized out>) at assert.c:92
#3  0x00007f53b7bdafd6 in __GI___assert_fail (assertion=0x5594f6b007f8 "Val && \"SVFUtil::isa<> used on a null pointer\"", 
    file=0x5594f6b007d0 "/root/SVF/svf/include/Util/Casting.h", line=198, 
    function=0x5594f6b22fc0 "static bool SVF::SVFUtil::isa_impl_cl<To, const From*>::doit(const From*) [with To = SVF::IntraCFGEdge; From = SVF::ICFGEdge]") at assert.c:101
#4  0x00005594f6351c8f in SVF::CDGBuilder::buildControlDependence(SVF::SVFModule const*) ()
#5  0x00005594f6351e5b in SVF::CDGBuilder::build() ()
#6  0x00005594f61ea408 in main ()

[liushengahn]

I'm using an older version of SVF, I patched it with a later update and added a build to control the dependency graph, which I guess should be my issue.

[liushengahn]

I wanted to follow up with an update on my previous query regarding the crash I was experiencing with SVF.

After updating to the latest version of SVF, I am still encountering issues. The error message I am receiving is as follows:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f63354c0859 in __GI_abort () at abort.c:79
#2  0x00007f63354c0729 in __assert_fail_base (fmt=0x7f6335656588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=0x55e45bf0ac80 "Val && \"SVFUtil::isa<> used on a null pointer\"", file=0x55e45bf0ac58 "/root/svf/svf/include/Util/Casting.h", line=198, function=<optimized out>)
    at assert.c:92
#3  0x00007f63354d1fd6 in __GI___assert_fail (assertion=0x55e45bf0ac80 "Val && \"SVFUtil::isa<> used on a null pointer\"", 
    file=0x55e45bf0ac58 "/root/svf/svf/include/Util/Casting.h", line=198, 
    function=0x55e45bf29d20 "static bool SVF::SVFUtil::isa_impl_cl<To, const From*>::doit(const From*) [with To = SVF::IntraCFGEdge; From = SVF::ICFGEdge]") at assert.c:101
#4  0x000055e45b959325 in bool SVF::SVFUtil::isa<SVF::IntraCFGEdge, SVF::ICFGEdge const*>(SVF::ICFGEdge const* const&) [clone .isra.0] [clone .part.0] ()
#5  0x000055e45b959735 in SVF::CDGBuilder::getBBSuccessorBranchID(SVF::SVFBasicBlock const*, SVF::SVFBasicBlock const*) ()
#6  0x000055e45b959cf2 in SVF::CDGBuilder::buildControlDependence(SVF::SVFModule const*) ()
#7  0x000055e45b95a1e1 in SVF::CDGBuilder::build() ()
#8  0x000055e45b470224 in main ()

I would greatly appreciate any guidance on how to resolve this issue or any suggestions for further troubleshooting steps.

[liushengahn]

svf-example: /root/svf/svf/include/Util/Casting.h:198: static bool SVF::SVFUtil::isa_impl_cl<To, const From*>::doit(const From*) [with To = SVF::IntraCFGEdge; From = SVF::ICFGEdge]: Assertion `Val && "SVFUtil::isa<> used on a null pointer"' failed.

[yuleisui]

Looks to be a null pointer error. Did you implement your algorithm or it is caused by SVF? What commandline options you used?

[jumormt]

It seems that edge here is a nullptr. But there should be an edge connecting BB and succ because these two basic blocks are neighbours. Could you please send us the minimal sized bitcode?

[liushengahn]

boringssl-2016-02-12.zip The bad bitcode.

[liushengahn]

Looks to be a null pointer error. Did you implement your algorithm or it is caused by SVF? What commandline options you used?

I have not made any modifications to SVF; I simply utilized SVF to construct the CG, CFG, and CDG, as mentioned in the code I provided above. I traverse these graphs in my tool, so my tool does not involve any parameters from SVF.

[liushengahn]

guetzli.zip This program will also cause the same bug.

[jumormt]

@liushengahn This should be fixed.

[liushengahn]

@liushengahn This should be fixed. Thank you for your patient responses, and I also hope to contribute my strength.