Closed jmp0x7c00 closed 2 years ago
I found that assignments 2, 3, and 4 all fail when running test2, but if test1 is commented out, test2 passes, so I guess the resources of test1 are not released correctly.
When I run test1() and test2(), test2() fails, but when I comment out test1(), test2() passes.
I have tried replacing PAG::releasePAG(); with SVFIR::releasePAG();, but it had no effect.
When the order is
```cpp
test1();
test2();
```
it breaks at test1() -> assert. When the order is
```cpp
test2();
test1(); // assert will fail
```
symTable->getTotalSymNum() is not correct.
I read the relevant source code and found that there may be a bug here.
```cpp
assert(pag->getTotalNodeNum() >= symTable->getTotalSymNum()
       && "not all node been inititalize!!!");
```
symTable->getTotalSymNum() invokes the following code:
and the allocator returns its numNodes field. So the result of symTable->getTotalSymNum() is the numNodes field of the allocator object.
However, in
```cpp
SVFModule *svfModule = LLVMModuleSet::getLLVModuleSet()->buildSVFModule(moduleNameVec);
```
svfModule is not released, so NodeIDAllocator::unset(); is not called either, and the singleton NodeIDAllocator object is never released. In my experiments, even if delete svfModule is called additionally, the old allocator is still retrieved by NodeIDAllocator::get(void), because the unset function does not set allocator to nullptr after the delete; this should be regarded as a UAF vulnerability.
```cpp
// NodeIDAllocator.cpp
// Lazily creates the singleton on first use and returns the cached pointer.
NodeIDAllocator *NodeIDAllocator::get(void)
{
    if (allocator == nullptr)
    {
        allocator = new NodeIDAllocator();
    }
    return allocator;
}

// Frees the singleton but leaves the static pointer untouched, so a later
// get() hands back the freed object.
void NodeIDAllocator::unset(void)
{
    if (allocator != nullptr)
    {
        delete allocator;
    }
}
```
Since the allocator is not released, the numNodes field accumulates forever.
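As an added example (not code from this issue or from SVF), the following C++ stand-in models the singleton lifecycle described above: a corrected unset() clears the static pointer after delete, and a small replay shows why test2's assertion fires when test1's module is never released. Class and function names are assumed for illustration.

```cpp
#include <cstddef>

// Stand-in for the NodeIDAllocator singleton (assumed names, not SVF's code).
class NodeIDAllocator {
public:
    static NodeIDAllocator *get() {
        if (allocator == nullptr)
            allocator = new NodeIDAllocator();
        return allocator;
    }
    // Corrected unset(): free the singleton AND clear the static pointer so the
    // next get() builds a fresh allocator with numNodes == 0. The unset() posted
    // above omits `allocator = nullptr;`, so a later get() returns freed memory.
    static void unset() {
        delete allocator;   // deleting nullptr is a no-op, so no guard is needed
        allocator = nullptr;
    }
    unsigned allocateNodeID() { return numNodes++; }
    unsigned getTotalNodeNum() const { return numNodes; }
private:
    NodeIDAllocator() : numNodes(0) {}
    static NodeIDAllocator *allocator;
    unsigned numNodes;
};
NodeIDAllocator *NodeIDAllocator::allocator = nullptr;

// One "test": build a module of `nodes` nodes through the singleton and return
// the running total, which is what symTable->getTotalSymNum() reports.
// `releaseModule` is the step missing in the report: releasing the module,
// which is what would trigger NodeIDAllocator::unset().
static unsigned runTest(unsigned nodes, bool releaseModule) {
    for (unsigned i = 0; i < nodes; ++i)
        NodeIDAllocator::get()->allocateNodeID();
    unsigned total = NodeIDAllocator::get()->getTotalNodeNum();
    if (releaseModule)
        NodeIDAllocator::unset();
    return total;
}

// Replays the check `pag->getTotalNodeNum() >= symTable->getTotalSymNum()` for
// test2, whose own fresh PAG holds pagNodes nodes. Returns false when the stale
// count carried over from test1 makes that assertion fire.
bool secondTestAssertionHolds(bool releaseAfterTest1) {
    NodeIDAllocator::unset();                    // clean slate for this run
    runTest(5, releaseAfterTest1);               // test1: 5 nodes
    const unsigned pagNodes = 3;
    unsigned symNum = runTest(pagNodes, true);   // test2: 3 new nodes
    return pagNodes >= symNum;
}
```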
#601 in SVF has been merged.
https://github.com/SVF-tools/SVF/commit/e9da085c236cbca3aab0e2ed61ca56be5cc33b1a and https://github.com/SVF-tools/SVF-Teaching/commit/17f6e102ab68c84c25f86564c1ea1c5e6f273f4b should fix your problem.
Please update SVF and SVF-Teaching, and let me know if your problem still exists
https://github.com/SVF-tools/SVF/commit/786e2501d87173762d969fcaaaf0d9de36c9a1ca should solve the destructor issue in AndersenBase.
Everything is OK, thank you sir!
After I updated to the latest version of SVF, the assignment that was written before does not work properly...