Static Value-Flow Analysis
Loading...
Searching...
No Matches
SVFBugReport.cpp
Go to the documentation of this file.
1//===- SVFBugReport.cpp -- Base class for statistics---------------------------------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23
24//
25// Created by JoelYang on 2023/4/19.
26//
27
28#include "Util/SVFBugReport.h"
29#include <cassert>
30#include "Util/cJSON.h"
31#include "Util/SVFUtil.h"
32#include <sstream>
33#include <fstream>
34
35using namespace std;
36using namespace SVF;
37
38const std::map<GenericBug::BugType, std::string> GenericBug::BugType2Str =
39{
40 {GenericBug::FULLBUFOVERFLOW, "Full Buffer Overflow"},
41 {GenericBug::PARTIALBUFOVERFLOW, "Partial Buffer Overflow"},
42 {GenericBug::NEVERFREE, "Never Free"},
43 {GenericBug::PARTIALLEAK, "Partial Leak"},
44 {GenericBug::FILENEVERCLOSE, "File Never Close"},
45 {GenericBug::FILEPARTIALCLOSE, "File Partial Close"},
46 {GenericBug::DOUBLEFREE, "Double Free"},
47 {GenericBug::FULLNULLPTRDEREFERENCE, "Full Null Ptr Dereference"},
48 {GenericBug::PARTIALNULLPTRDEREFERENCE, "Partial Null Ptr Dereference"}
49};
50
51const std::string GenericBug::getLoc() const
52{
53 const SVFBugEvent&sourceInstEvent = bugEventStack.at(bugEventStack.size() -1);
54 return sourceInstEvent.getEventLoc();
55}
56
57const std::string GenericBug::getFuncName() const
58{
59 const SVFBugEvent&sourceInstEvent = bugEventStack.at(bugEventStack.size() -1);
60 return sourceInstEvent.getFuncName();
61}
62
78
79void BufferOverflowBug::printBugToTerminal() const
80{
81 stringstream bugInfo;
82 if(FullBufferOverflowBug::classof(this))
83 {
84 SVFUtil::errs() << SVFUtil::bugMsg1("\t Full Overflow :") << " accessing at : ("
85 << GenericBug::getLoc() << ")\n";
86
87 }
88 else
89 {
90 SVFUtil::errs() << SVFUtil::bugMsg1("\t Partial Overflow :") << " accessing at : ("
91 << GenericBug::getLoc() << ")\n";
92 }
93 bugInfo << "\t\t allocate size : [" << allocLowerBound << ", " << allocUpperBound << "], ";
94 bugInfo << "access size : [" << accessLowerBound << ", " << accessUpperBound << "]\n";
95 SVFUtil::errs() << "\t\t Info : \n" << bugInfo.str();
96 SVFUtil::errs() << "\t\t Events : \n";
97
98 for(auto event : bugEventStack)
99 {
100 switch(event.getEventType())
101 {
102 case SVFBugEvent::CallSite:
103 {
104 SVFUtil::errs() << "\t\t callsite at : ( " << event.getEventLoc() << " )\n";
105 break;
106 }
107 default:
108 {
109 // TODO: implement more events when needed
110 break;
111 }
112 }
113 }
114}
115
121
122void NeverFreeBug::printBugToTerminal() const
123{
124 SVFUtil::errs() << SVFUtil::bugMsg1("\t NeverFree :") << " memory allocation at : ("
125 << GenericBug::getLoc() << ")\n";
126}
127
128cJSON * PartialLeakBug::getBugDescription() const
129{
130 cJSON *bugDescription = cJSON_CreateObject();
131 cJSON *pathInfo = cJSON_CreateArray();
132 auto lastBranchEventIt = bugEventStack.end() - 1;
133 for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
134 {
135 cJSON *newBranch = cJSON_CreateObject();
136 cJSON *branchLoc = cJSON_Parse((*eventIt).getEventLoc().c_str());
137 if(branchLoc == nullptr) branchLoc = cJSON_CreateObject();
138
139 cJSON *branchCondition = cJSON_CreateString((*eventIt).getEventDescription().c_str());
140
141 cJSON_AddItemToObject(newBranch, "BranchLoc", branchLoc);
142 cJSON_AddItemToObject(newBranch, "BranchCond", branchCondition);
143
144 cJSON_AddItemToArray(pathInfo, newBranch);
145 }
146
147 cJSON_AddItemToObject(bugDescription, "ConditionalFreePath", pathInfo);
148
149 return bugDescription;
150}
151
152void PartialLeakBug::printBugToTerminal() const
153{
154 SVFUtil::errs() << SVFUtil::bugMsg2("\t PartialLeak :") << " memory allocation at : ("
155 << GenericBug::getLoc() << ")\n";
156
157 SVFUtil::errs() << "\t\t conditional free path: \n";
158 auto lastBranchEventIt = bugEventStack.end() - 1;
159 for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
160 {
161 SVFUtil::errs() << "\t\t --> (" << (*eventIt).getEventLoc() << "|" << (*eventIt).getEventDescription() << ") \n";
162 }
163 SVFUtil::errs() << "\n";
164}
165
166cJSON * DoubleFreeBug::getBugDescription() const
167{
168 cJSON *bugDescription = cJSON_CreateObject();
169
170 cJSON *pathInfo = cJSON_CreateArray();
171 auto lastBranchEventIt = bugEventStack.end() - 1;
172 for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
173 {
174 cJSON *newBranch = cJSON_CreateObject();
175 cJSON *branchLoc = cJSON_Parse((*eventIt).getEventLoc().c_str());
176 if(branchLoc == nullptr) branchLoc = cJSON_CreateObject();
177 cJSON *branchCondition = cJSON_CreateString((*eventIt).getEventDescription().c_str());
178
179 cJSON_AddItemToObject(newBranch, "BranchLoc", branchLoc);
180 cJSON_AddItemToObject(newBranch, "BranchCond", branchCondition);
181
182 cJSON_AddItemToArray(pathInfo, newBranch);
183 }
184 cJSON_AddItemToObject(bugDescription, "DoubleFreePath", pathInfo);
185
186 return bugDescription;
187}
188
189void DoubleFreeBug::printBugToTerminal() const
190{
191 SVFUtil::errs() << SVFUtil::bugMsg2("\t Double Free :") << " memory allocation at : ("
192 << GenericBug::getLoc() << ")\n";
193
194 SVFUtil::errs() << "\t\t double free path: \n";
195 auto lastBranchEventIt = bugEventStack.end() - 1;
196 for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
197 {
198 SVFUtil::errs() << "\t\t --> (" << (*eventIt).getEventLoc() << "|" << (*eventIt).getEventDescription() << ") \n";
199 }
200 SVFUtil::errs() << "\n";
201}
202
208
209void FileNeverCloseBug::printBugToTerminal() const
210{
211 SVFUtil::errs() << SVFUtil::bugMsg1("\t FileNeverClose :") << " file open location at : ("
212 << GenericBug::getLoc() << ")\n";
213}
214
215cJSON * FilePartialCloseBug::getBugDescription() const
216{
217 cJSON *bugDescription = cJSON_CreateObject();
218
219 cJSON *pathInfo = cJSON_CreateArray();
220
221 auto lastBranchEventIt = bugEventStack.end() - 1;
222 for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
223 {
224 cJSON *newBranch = cJSON_CreateObject();
225 cJSON *branchLoc = cJSON_Parse((*eventIt).getEventLoc().c_str());
226 if(branchLoc == nullptr) branchLoc = cJSON_CreateObject();
227 cJSON *branchCondition = cJSON_CreateString((*eventIt).getEventDescription().c_str());
228
229 cJSON_AddItemToObject(newBranch, "BranchLoc", branchLoc);
230 cJSON_AddItemToObject(newBranch, "BranchCond", branchCondition);
231
232 cJSON_AddItemToArray(pathInfo, newBranch);
233 }
234 cJSON_AddItemToObject(bugDescription, "ConditionalFileClosePath", pathInfo);
235
236 return bugDescription;
237}
238
239void FilePartialCloseBug::printBugToTerminal() const
240{
241 SVFUtil::errs() << SVFUtil::bugMsg2("\t PartialFileClose :") << " file open location at : ("
242 << GenericBug::getLoc() << ")\n";
243
244 SVFUtil::errs() << "\t\t conditional file close path: \n";
245 auto lastBranchEventIt = bugEventStack.end() - 1;
246 for(auto eventIt = bugEventStack.begin(); eventIt != lastBranchEventIt; eventIt++)
247 {
248 SVFUtil::errs() << "\t\t --> (" << (*eventIt).getEventLoc() << "|" << (*eventIt).getEventDescription() << ") \n";
249 }
250 SVFUtil::errs() << "\n";
251}
252
258
259void FullNullPtrDereferenceBug::printBugToTerminal() const
260{
261 SVFUtil::errs() << SVFUtil::bugMsg2("\t FullNullPtrDereference :") << " dereference at : ("
262 << GenericBug::getLoc() << ")\n";
263}
264
270
271void PartialNullPtrDereferenceBug::printBugToTerminal() const
272{
273 SVFUtil::errs() << SVFUtil::bugMsg2("\t PartialNullPtrDereference :") << " dereference at : ("
274 << GenericBug::getLoc() << ")\n";
275}
276
277const std::string SVFBugEvent::getFuncName() const
278{
279 return eventInst->getFun()->getName();
280}
281
282const std::string SVFBugEvent::getEventLoc() const
283{
284 return eventInst->getSourceLoc();
285}
286
287const std::string SVFBugEvent::getEventDescription() const
288{
289 switch(getEventType())
290 {
291 case SVFBugEvent::Branch:
292 {
293 if (typeAndInfoFlag & BRANCHFLAGMASK)
294 {
295 return "True";
296 }
297 else
298 {
299 return "False";
300 }
301 break;
302 }
303 case SVFBugEvent::CallSite:
304 {
305 std::string description("calls ");
306 assert(SVFUtil::isa<CallICFGNode>(eventInst) && "not a call ICFGNode?");
307 const SVFFunction *callee = SVFUtil::cast<CallICFGNode>(eventInst)->getCalledFunction();
308 if(callee == nullptr)
309 {
310 description += "<unknown>";
311 }
312 else
313 {
314 description += callee->getName();
315 }
316 return description;
317 break;
318 }
319 case SVFBugEvent::SourceInst:
320 {
321 return "None";
322 }
323 default:
324 {
325 assert(false && "No such type of event!");
326 abort();
327 }
328 }
329}
330
331SVFBugReport::~SVFBugReport()
332{
333 for(auto bugIt: bugSet)
334 {
335 delete bugIt;
336 }
337}
338
339void SVFBugReport::dumpToJsonFile(const std::string& filePath) const
340{
341 std::map<u32_t, std::string> eventType2Str =
342 {
343 {SVFBugEvent::CallSite, "call site"},
344 {SVFBugEvent::Caller, "caller"},
345 {SVFBugEvent::Loop, "loop"},
346 {SVFBugEvent::Branch, "branch"}
347 };
348
349 ofstream jsonFile(filePath, ios::out);
350
351 jsonFile << "{\n";
352
354 jsonFile << "\"Defects\": [\n";
355 size_t commaCounter = bugSet.size() - 1;
356 for (auto bugPtr : bugSet)
357 {
358 cJSON *singleDefect = cJSON_CreateObject();
359
361 cJSON *bugType = cJSON_CreateString(
362 GenericBug::BugType2Str.at(bugPtr->getBugType()).c_str());
363 cJSON_AddItemToObject(singleDefect, "DefectType", bugType);
364
365 cJSON *bugLoc = cJSON_Parse(bugPtr->getLoc().c_str());
366 if (bugLoc == nullptr)
367 {
368 bugLoc = cJSON_CreateObject();
369 }
370 cJSON_AddItemToObject(singleDefect, "Location", bugLoc);
371
372 cJSON *bugFunction = cJSON_CreateString(
373 bugPtr->getFuncName().c_str());
374 cJSON_AddItemToObject(singleDefect, "Function", bugFunction);
375
376 cJSON_AddItemToObject(singleDefect, "Description",
377 bugPtr->getBugDescription());
378
380 cJSON *eventList = cJSON_CreateArray();
381 const GenericBug::EventStack &bugEventStack = bugPtr->getEventStack();
382 if (BufferOverflowBug::classof(bugPtr))
383 {
384 // Add only when bug is context sensitive
385 for (const SVFBugEvent &event : bugEventStack)
386 {
387 if (event.getEventType() == SVFBugEvent::SourceInst)
388 {
389 continue;
390 }
391
392 cJSON *singleEvent = cJSON_CreateObject();
393 // Event type
394 cJSON *eventType = cJSON_CreateString(
395 eventType2Str[event.getEventType()].c_str());
396 cJSON_AddItemToObject(singleEvent, "EventType", eventType);
397 // Function name
398 cJSON *eventFunc = cJSON_CreateString(
399 event.getFuncName().c_str());
400 cJSON_AddItemToObject(singleEvent, "Function", eventFunc);
401 // Event loc
402 cJSON *eventLoc = cJSON_Parse(event.getEventLoc().c_str());
403 if (eventLoc == nullptr)
404 {
405 eventLoc = cJSON_CreateObject();
406 }
407 cJSON_AddItemToObject(singleEvent, "Location", eventLoc);
408 // Event description
409 cJSON *eventDescription = cJSON_CreateString(
410 event.getEventDescription().c_str());
411 cJSON_AddItemToObject(singleEvent, "Description", eventDescription);
412
413 cJSON_AddItemToArray(eventList, singleEvent);
414 }
415 }
416 cJSON_AddItemToObject(singleDefect, "Events", eventList);
417
419 char *singleDefectStr = cJSON_Print(singleDefect);
420 jsonFile << singleDefectStr;
421 if (commaCounter != 0)
422 {
423 jsonFile << ",\n";
424 }
425 commaCounter--;
426
428 cJSON_Delete(singleDefect);
429 }
430 jsonFile << "\n],\n";
431
433 jsonFile << "\"Time\": " << time << ",\n";
434 jsonFile << "\"Memory\": \"" << mem << "\",\n";
435 jsonFile << "\"Coverage\": " << coverage << "\n";
436
437 jsonFile << "}";
438 jsonFile.close();
439}
BRANCHFLAGMASK
#define BRANCHFLAGMASK
Definition SVFBugReport.h:40
cJSON_Delete
cJSON_Delete(null)
SVF::BufferOverflowBug::getBugDescription
cJSON * getBugDescription() const
Definition SVFBugReport.cpp:63
SVF::BufferOverflowBug::classof
static bool classof(const GenericBug *bug)
ClassOf.
Definition SVFBugReport.h:138
SVF::BufferOverflowBug::printBugToTerminal
void printBugToTerminal() const
Definition SVFBugReport.cpp:79
SVF::DoubleFreeBug::getBugDescription
cJSON * getBugDescription() const
Definition SVFBugReport.cpp:166
SVF::DoubleFreeBug::printBugToTerminal
void printBugToTerminal() const
Definition SVFBugReport.cpp:189
SVF::FileNeverCloseBug::getBugDescription
cJSON * getBugDescription() const
Definition SVFBugReport.cpp:203
SVF::FileNeverCloseBug::printBugToTerminal
void printBugToTerminal() const
Definition SVFBugReport.cpp:209
SVF::FilePartialCloseBug::getBugDescription
cJSON * getBugDescription() const
Definition SVFBugReport.cpp:215
SVF::FullBufferOverflowBug::classof
static bool classof(const GenericBug *bug)
ClassOf.
Definition SVFBugReport.h:154
SVF::GenericBug::BugType2Str
static const std::map< GenericBug::BugType, std::string > BugType2Str
Definition SVFBugReport.h:87
SVF::GenericBug::getLoc
const std::string getLoc() const
returns bug location as json format string
Definition SVFBugReport.cpp:51
SVF::GenericBug::bugEventStack
const EventStack bugEventStack
Definition SVFBugReport.h:91
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83
SVF::GenericBug::getFuncName
const std::string getFuncName() const
return bug source function name
Definition SVFBugReport.cpp:57
SVF::ICFGNode::getFun
virtual const SVFFunction * getFun() const
Return the function of this ICFGNode.
Definition ICFGNode.h:76
SVF::NeverFreeBug::getBugDescription
cJSON * getBugDescription() const
Definition SVFBugReport.cpp:116
SVF::NeverFreeBug::printBugToTerminal
void printBugToTerminal() const
Definition SVFBugReport.cpp:122
SVF::PartialLeakBug::printBugToTerminal
void printBugToTerminal() const
Definition SVFBugReport.cpp:152
SVF::PartialLeakBug::getBugDescription
cJSON * getBugDescription() const
Definition SVFBugReport.cpp:128
SVF::SVFBaseNode::getSourceLoc
virtual const std::string getSourceLoc() const
Definition GenericGraph.h:257
SVF::SVFBugEvent::getEventLoc
virtual const std::string getEventLoc() const
Definition SVFBugReport.cpp:282
SVF::SVFBugEvent::getEventDescription
virtual const std::string getEventDescription() const
Definition SVFBugReport.cpp:287
SVF::SVFBugEvent::getEventType
u32_t getEventType() const
Definition SVFBugReport.h:71
SVF::SVFBugEvent::eventInst
const ICFGNode * eventInst
Definition SVFBugReport.h:65
SVF::SVFBugEvent::getFuncName
virtual const std::string getFuncName() const
Definition SVFBugReport.cpp:277
SVF::SVFBugReport::dumpToJsonFile
void dumpToJsonFile(const std::string &filePath) const
Definition SVFBugReport.cpp:339
SVF::SVFValue::getName
const std::string & getName() const
Definition SVFValue.h:243
SVF::SVFUtil::bugMsg1
std::string bugMsg1(const std::string &msg)
Definition SVFUtil.cpp:82
SVF::SVFUtil::errs
std::ostream & errs()
Overwrite llvm::errs()
Definition SVFUtil.h:56
SVF::SVFUtil::bugMsg2
std::string bugMsg2(const std::string &msg)
Definition SVFUtil.cpp:87
SVF
for isBitcode
Definition BasicTypes.h:68
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74
cJSON
Definition cJSON.h:104
Generated by doxygen 1.9.8