Static Value-Flow Analysis
Loading...
Searching...
No Matches
DoubleFreeChecker.cpp
Go to the documentation of this file.
1//===- DoubleFreeChecker.cpp -- Detecting double-free errors------------------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23/*
24 * DoubleFreeChecker.cpp
25 *
26 * Created on: Apr 24, 2014
27 * Author: Yulei Sui
28 */
29
30#include "SABER/DoubleFreeChecker.h"
31#include "Util/SVFUtil.h"
32#include "Util/Options.h"
33
34using namespace SVF;
35using namespace SVFUtil;
36
37void DoubleFreeChecker::reportBug(ProgSlice* slice)
38{
39
40 if(slice->isSatisfiableForPairs() == false)
41 {
42 GenericBug::EventStack eventStack;
43 slice->evalFinalCond2Event(eventStack);
44 eventStack.push_back(
45 SVFBugEvent(SVFBugEvent::SourceInst, getSrcCSID(slice->getSource())));
46 report.addSaberBug(GenericBug::DOUBLEFREE, eventStack);
47 }
48 if(Options::ValidateTests())
49 testsValidation(slice);
50}
51
52
53
54void DoubleFreeChecker::testsValidation(ProgSlice *slice)
55{
56 const SVFGNode* source = slice->getSource();
57 const CallICFGNode* cs = getSrcCSID(source);
58 const FunObjVar* fun = cs->getCalledFunction();
59 if(fun==nullptr)
60 return;
61 validateSuccessTests(slice,fun);
62 validateExpectedFailureTests(slice,fun);
63}
64
65void DoubleFreeChecker::validateSuccessTests(ProgSlice *slice, const FunObjVar *fun)
66{
67 const SVFGNode* source = slice->getSource();
68 const CallICFGNode* cs = getSrcCSID(source);
69
70 bool success = false;
71
72 if(fun->getName() == "SAFEMALLOC")
73 {
74 if(slice->isSatisfiableForPairs() == true)
75 success = true;
76 }
77 else if(fun->getName() == "DOUBLEFREEMALLOC")
78 {
79 if(slice->isSatisfiableForPairs() == false)
80 success = true;
81 }
82 else if(fun->getName() == "DOUBLEFREEMALLOCFN" || fun->getName() == "SAFEMALLOCFP")
83 {
84 return;
85 }
86 else
87 {
88 writeWrnMsg("\t can not validate, check function not found, please put it at the right place!!");
89 return;
90 }
91
92 std::string funName = source->getFun()->getName();
93
94 if (success)
95 {
96 if (!(getSrcCSID(source))->hasLLVMValue())
97 {
98 outs() << sucMsg("\t SUCCESS :") << funName<<"\n";
99 return;
100 }
101 outs() << sucMsg("\t SUCCESS :") << funName << " check <src id:" << source->getId()
102 << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
103 << cs->getSourceLoc() << ")\n";
104 outs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
105 }
106 else
107 {
108 if (!(getSrcCSID(source))->hasLLVMValue())
109 {
110 SVFUtil::errs() << errMsg("\t FAILURE :") << funName << "\n";
111 return;
112 }
113 SVFUtil::errs() << errMsg("\t FAILURE :") << funName << " check <src id:" << source->getId()
114 << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
115 << cs->getSourceLoc() << ")\n";
116 SVFUtil::errs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
117 assert(false && "test case failed!");
118 }
119}
120
121void DoubleFreeChecker::validateExpectedFailureTests(ProgSlice *slice, const FunObjVar *fun)
122{
123 const SVFGNode* source = slice->getSource();
124 const CallICFGNode* cs = getSrcCSID(source);
125
126 bool expectedFailure = false;
128 if(fun->getName() == "DOUBLEFREEMALLOCFN")
129 {
130 if(slice->isSatisfiableForPairs() == true)
131 expectedFailure = true;
132 }
133 else if(fun->getName() == "SAFEMALLOCFP")
134 {
135 if(slice->isSatisfiableForPairs() == false)
136 expectedFailure = true;
137 }
138 else if(fun->getName() == "SAFEMALLOC" || fun->getName() == "DOUBLEFREEMALLOC")
139 {
140 return;
141 }
142 else
143 {
144 writeWrnMsg("\t can not validate, check function not found, please put it at the right place!!");
145 return;
146 }
147
148 std::string funName = source->getFun()->getName();
149
150 if (expectedFailure)
151 {
152 if (!(getSrcCSID(source))->hasLLVMValue())
153 {
154 outs() << sucMsg("\t EXPECTED-FAILURE :") << funName <<"\n";
155 return;
156 }
157 outs() << sucMsg("\t EXPECTED-FAILURE :") << funName << " check <src id:" << source->getId()
158 << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
159 << cs->getSourceLoc() << ")\n";
160 outs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
161 }
162 else
163 {
164 if (!(getSrcCSID(source))->hasLLVMValue())
165 {
166 SVFUtil::errs() << errMsg("\t UNEXPECTED FAILURE :") << funName <<"\n";
167 assert(false && "test case failed!");
168 return;
169 }
170 SVFUtil::errs() << errMsg("\t UNEXPECTED FAILURE :") << funName
171 << " check <src id:" << source->getId()
172 << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
173 << cs->getSourceLoc() << ")\n";
174 SVFUtil::errs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
175 assert(false && "test case failed!");
176 }
177}
SVF::CallICFGNode::getCalledFunction
const FunObjVar * getCalledFunction() const
Definition ICFGNode.h:500
SVF::CallICFGNode::getSourceLoc
const std::string getSourceLoc() const override
Definition ICFGNode.h:570
SVF::DoubleFreeChecker::testsValidation
void testsValidation(ProgSlice *slice)
Validate test cases for regression test purpose.
Definition DoubleFreeChecker.cpp:54
SVF::DoubleFreeChecker::validateExpectedFailureTests
void validateExpectedFailureTests(ProgSlice *slice, const FunObjVar *fun)
Definition DoubleFreeChecker.cpp:121
SVF::DoubleFreeChecker::validateSuccessTests
void validateSuccessTests(ProgSlice *slice, const FunObjVar *fun)
Definition DoubleFreeChecker.cpp:65
SVF::DoubleFreeChecker::reportBug
void reportBug(ProgSlice *slice) override
Report file/close bugs.
Definition DoubleFreeChecker.cpp:37
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83
SVF::LeakChecker::getSrcCSID
const CallICFGNode * getSrcCSID(const SVFGNode *src)
Definition LeakChecker.h:109
SVF::Options::ValidateTests
static const Option< bool > ValidateTests
Definition Options.h:166
SVF::SVFBugReport::addSaberBug
void addSaberBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack)
Definition SVFBugReport.h:315
SVF::SVFValue::getName
virtual const std::string & getName() const
Definition SVFValue.h:186
SVF::SrcSnkDDA::report
SVFBugReport report
Definition SrcSnkDDA.h:80
SVF::SVFUtil::sucMsg
std::string sucMsg(const std::string &msg)
Returns successful message by converting a string into green string output.
Definition SVFUtil.cpp:55
SVF::SVFUtil::errMsg
std::string errMsg(const std::string &msg)
Print error message by converting a string into red string output.
Definition SVFUtil.cpp:78
SVF::SVFUtil::errs
std::ostream & errs()
Overwrite llvm::errs()
Definition SVFUtil.h:58
SVF::SVFUtil::writeWrnMsg
void writeWrnMsg(const std::string &msg)
Writes a message run through wrnMsg.
Definition SVFUtil.cpp:68
SVF::SVFUtil::outs
std::ostream & outs()
Overwrite llvm::outs()
Definition SVFUtil.h:52
SVF
for isBitcode
Definition BasicTypes.h:68
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74
Generated by doxygen 1.9.8