SVF-doxygen/html/SrcSnkDDA_8cpp_source.html

//===- SrcSnkDDA.cpp -- Source-sink analyzer --------------------------------//

//

//                     SVF: Static Value-Flow Analysis

//

// Copyright (C) <2013->  <Yulei Sui>

//


// This program is free software: you can redistribute it and/or modify

// it under the terms of the GNU Affero General Public License as published by

// the Free Software Foundation, either version 3 of the License, or

// (at your option) any later version.


// This program is distributed in the hope that it will be useful,

// but WITHOUT ANY WARRANTY; without even the implied warranty of

// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

// GNU Affero General Public License for more details.


// You should have received a copy of the GNU Affero General Public License

// along with this program.  If not, see <http://www.gnu.org/licenses/>.

//

//===----------------------------------------------------------------------===//


/*

 * SrcSnkDDA.cpp

 *

 *  Created on: Apr 1, 2014

 *      Author: Yulei Sui

 */


#include "Util/Options.h"

#include "SABER/SrcSnkDDA.h"

#include "Graphs/SVFGStat.h"

#include "Util/Options.h"

#include "WPA/Andersen.h"


using namespace SVF;

using namespace SVFUtil;


void SrcSnkDDA::initialize(SVFModule* module)

{

    SVFIR* pag = PAG::getPAG();


    AndersenWaveDiff* ander = AndersenWaveDiff::createAndersenWaveDiff(pag);

    memSSA.setSaberCondAllocator(getSaberCondAllocator());

    if(Options::SABERFULLSVFG())

        svfg =  memSSA.buildFullSVFG(ander);

    else

        svfg =  memSSA.buildPTROnlySVFG(ander);

    setGraph(memSSA.getSVFG());

    callgraph = ander->getCallGraph();

    //AndersenWaveDiff::releaseAndersenWaveDiff();

    getSaberCondAllocator()->allocate(getPAG()->getModule());


    initSrcs();

    initSnks();

}


void SrcSnkDDA::analyze(SVFModule* module)

{


    initialize(module);


    ContextCond::setMaxCxtLen(Options::CxtLimit());


    for (SVFGNodeSetIter iter = sourcesBegin(), eiter = sourcesEnd();

            iter != eiter; ++iter)

    {

        setCurSlice(*iter);


        DBOUT(DGENERAL, outs() << "Analysing slice:" << (*iter)->getId() << ")\n");

        ContextCond cxt;

        DPIm item((*iter)->getId(),cxt);

        forwardTraverse(item);


        if (getCurSlice()->isReachGlobal())

        {

            DBOUT(DSaber, outs() << "Forward analysis reaches globals for slice:" << (*iter)->getId() << ")\n");

        }

        else

        {

            DBOUT(DSaber, outs() << "Forward process for slice:" << (*iter)->getId() << " (size = " << getCurSlice()->getForwardSliceSize() << ")\n");


            for (SVFGNodeSetIter sit = getCurSlice()->sinksBegin(), esit =

                        getCurSlice()->sinksEnd(); sit != esit; ++sit)

            {

                ContextCond cxt;

                DPIm item((*sit)->getId(),cxt);

                backwardTraverse(item);

            }


            DBOUT(DSaber, outs() << "Backward process for slice:" << (*iter)->getId() << " (size = " << getCurSlice()->getBackwardSliceSize() << ")\n");


            if(Options::DumpSlice())

                annotateSlice(_curSlice);


            if(_curSlice->AllPathReachableSolve())

                _curSlice->setAllReachable();


            DBOUT(DSaber, outs() << "Guard computation for slice:" << (*iter)->getId() << ")\n");

        }


        reportBug(getCurSlice());

    }

    finalize();


}


bool SrcSnkDDA::isInAWrapper(const SVFGNode* src, CallSiteSet& csIdSet)

{


    bool reachFunExit = false;


    WorkList worklist;

    worklist.push(src);

    SVFGNodeBS visited;

    u32_t step = 0;

    while (!worklist.empty())

    {

        const SVFGNode* node  = worklist.pop();


        if(visited.test(node->getId())==0)

            visited.set(node->getId());

        else

            continue;

        // reaching maximum steps when traversing on SVFG to identify a memory allocation wrapper

        if (step++ > Options::MaxStepInWrapper())

            return false;


        for (SVFGNode::const_iterator it = node->OutEdgeBegin(), eit =

                    node->OutEdgeEnd(); it != eit; ++it)

        {

            const SVFGEdge* edge = (*it);

            //assert(edge->isDirectVFGEdge() && "the edge should always be direct VF");

            // if this is a call edge

            if(edge->isCallDirectVFGEdge())

            {

                return false;

            }

            // if this is a return edge

            else if(edge->isRetDirectVFGEdge())

            {

                reachFunExit = true;

                csIdSet.insert(getSVFG()->getCallSite(SVFUtil::cast<RetDirSVFGEdge>(edge)->getCallSiteId()));

            }

            // (1) an intra direct edge, we will keep tracking

            // (2) an intra indirect edge, we only track if the succ SVFGNode is a load, which means we only track one level store-load pair .

            // (3) do not track for all other interprocedural edges.

            else

            {

                const SVFGNode* succ = edge->getDstNode();

                if(SVFUtil::isa<IntraDirSVFGEdge>(edge))

                {

                    if (SVFUtil::isa<CopySVFGNode, GepSVFGNode, PHISVFGNode,

                            FormalRetSVFGNode, ActualRetSVFGNode,

                            StoreSVFGNode>(succ))

                    {

                        worklist.push(succ);

                    }

                }

                else if(SVFUtil::isa<IntraIndSVFGEdge>(edge))

                {

                    if(SVFUtil::isa<LoadSVFGNode, IntraMSSAPHISVFGNode>(succ))

                    {

                        worklist.push(succ);

                    }

                }

                else

                    return false;

            }

        }

    }

    if(reachFunExit)

        return true;

    else

        return false;

}


void SrcSnkDDA::FWProcessOutgoingEdge(const DPIm& item, SVFGEdge* edge)

{

    DBOUT(DSaber,outs() << "\n##processing source: " << getCurSlice()->getSource()->getId() <<" forward propagate from (" << edge->getSrcID());


    // for indirect SVFGEdge, the propagation should follow the def-use chains

    // points-to on the edge indicate whether the object of source node can be propagated


    const SVFGNode* dstNode = edge->getDstNode();

    DPIm newItem(dstNode->getId(),item.getContexts());


    if(isGlobalSVFGNode(dstNode) || getCurSlice()->isReachGlobal())

    {

        getCurSlice()->setReachGlobal();

        return;

    }


    // push context for calling

    if (edge->isCallVFGEdge())

    {

        CallSiteID csId = 0;

        if(const CallDirSVFGEdge* callEdge = SVFUtil::dyn_cast<CallDirSVFGEdge>(edge))

            csId = callEdge->getCallSiteId();

        else

            csId = SVFUtil::cast<CallIndSVFGEdge>(edge)->getCallSiteId();


        newItem.pushContext(csId);

        DBOUT(DSaber, outs() << " push cxt [" << csId << "] ");

    }

    // match context for return

    else if (edge->isRetVFGEdge())

    {

        CallSiteID csId = 0;

        if(const RetDirSVFGEdge* callEdge = SVFUtil::dyn_cast<RetDirSVFGEdge>(edge))

            csId = callEdge->getCallSiteId();

        else

            csId = SVFUtil::cast<RetIndSVFGEdge>(edge)->getCallSiteId();


        if (newItem.matchContext(csId) == false)

        {

            DBOUT(DSaber, outs() << "-|-\n");

            return;

        }

        DBOUT(DSaber, outs() << " pop cxt [" << csId << "] ");

    }


    if(forwardVisited(dstNode,newItem))

    {

        DBOUT(DSaber,outs() << " node "<< dstNode->getId() <<" has been visited\n");

        return;

    }

    else

        addForwardVisited(dstNode, newItem);


    if(pushIntoWorklist(newItem))

        DBOUT(DSaber,outs() << " --> " << edge->getDstID() << ", cxt size: " << newItem.getContexts().cxtSize() <<")\n");


}


void SrcSnkDDA::BWProcessIncomingEdge(const DPIm&, SVFGEdge* edge)

{

    DBOUT(DSaber,outs() << "backward propagate from (" << edge->getDstID() << " --> " << edge->getSrcID() << ")\n");

    const SVFGNode* srcNode = edge->getSrcNode();

    if(backwardVisited(srcNode))

        return;

    else

        addBackwardVisited(srcNode);


    ContextCond cxt;

    DPIm newItem(srcNode->getId(), cxt);

    pushIntoWorklist(newItem);

}


void SrcSnkDDA::setCurSlice(const SVFGNode* src)

{

    if(_curSlice!=nullptr)

    {

        delete _curSlice;

        _curSlice = nullptr;

        clearVisitedMap();

    }


    _curSlice = new ProgSlice(src,getSaberCondAllocator(), getSVFG());

}


void SrcSnkDDA::annotateSlice(ProgSlice* slice)

{

    getSVFG()->getStat()->addToSources(slice->getSource());

    for(SVFGNodeSetIter it = slice->sinksBegin(), eit = slice->sinksEnd(); it!=eit; ++it )

        getSVFG()->getStat()->addToSinks(*it);

    for(SVFGNodeSetIter it = slice->forwardSliceBegin(), eit = slice->forwardSliceEnd(); it!=eit; ++it )

        getSVFG()->getStat()->addToForwardSlice(*it);

    for(SVFGNodeSetIter it = slice->backwardSliceBegin(), eit = slice->backwardSliceEnd(); it!=eit; ++it )

        getSVFG()->getStat()->addToBackwardSlice(*it);

}


void SrcSnkDDA::dumpSlices()

{


    if(Options::DumpSlice())

        const_cast<SVFG*>(getSVFG())->dump("Slice",true);

}


void SrcSnkDDA::printZ3Stat()

{


    outs() << "Z3 Mem usage: " << getSaberCondAllocator()->getMemUsage() << "\n";

    outs() << "Z3 Number: " << getSaberCondAllocator()->getCondNum() << "\n";

}


Andersen.h

Options.h

SVFGStat.h

DBOUT
#define DBOUT(TYPE, X)
LLVM debug macros, define type of your DBUG model of each pass.
Definition SVFType.h:484

DGENERAL
#define DGENERAL
Definition SVFType.h:490

DSaber
#define DSaber
Definition SVFType.h:504

SrcSnkDDA.h

item
cJSON * item
Definition cJSON.h:222

SVF::ActualRetVFGNode
Definition VFGNode.h:1019

SVF::AndersenWaveDiff
Definition Andersen.h:398

SVF::AndersenWaveDiff::createAndersenWaveDiff
static AndersenWaveDiff * createAndersenWaveDiff(SVFIR *_pag)
Create an singleton instance directly instead of invoking llvm pass manager.
Definition Andersen.h:408

SVF::CallDirSVFGEdge
Definition VFGEdge.h:212

SVF::ContextCond
Definition DPItem.h:207

SVF::ContextCond::setMaxCxtLen
static void setMaxCxtLen(u32_t max)
set max context limit
Definition DPItem.h:265

SVF::CopyVFGNode
Definition VFGNode.h:291

SVF::CxtDPItem
Definition DPItem.h:478

SVF::FormalRetVFGNode
Definition VFGNode.h:1081

SVF::GenericNode::OutEdgeEnd
iterator OutEdgeEnd()
Definition GenericGraph.h:459

SVF::GenericNode::OutEdgeBegin
iterator OutEdgeBegin()
iterators
Definition GenericGraph.h:455

SVF::GepVFGNode
Definition VFGNode.h:624

SVF::GraphReachSolver::setGraph
void setGraph(GraphType g)
Definition GraphReachSolver.h:78

SVF::GraphReachSolver::worklist
WorkList worklist
Worklist for resolution.
Definition GraphReachSolver.h:180

SVF::GraphReachSolver::pushIntoWorklist
bool pushIntoWorklist(DPIm &item)
Definition GraphReachSolver.h:160

SVF::GraphReachSolver::backwardTraverse
virtual void backwardTraverse(DPIm &it)
CFL forward traverse solve.
Definition GraphReachSolver.h:112

SVF::GraphReachSolver::forwardTraverse
virtual void forwardTraverse(DPIm &it)
CFL forward traverse solve.
Definition GraphReachSolver.h:93

SVF::Options::CxtLimit
static const Option< u32_t > CxtLimit
Definition Options.h:173

SVF::Options::SABERFULLSVFG
static const Option< bool > SABERFULLSVFG
Definition Options.h:222

SVF::Options::MaxStepInWrapper
static const Option< u32_t > MaxStepInWrapper
Definition Options.h:86

SVF::Options::DumpSlice
static const Option< bool > DumpSlice
Definition Options.h:172

SVF::PHIVFGNode
Definition VFGNode.h:669

SVF::PointerAnalysis::getCallGraph
PTACallGraph * getCallGraph() const
Return call graph.
Definition PointerAnalysis.h:171

SVF::ProgSlice
Definition ProgSlice.h:50

SVF::ProgSlice::setReachGlobal
bool setReachGlobal()
Definition ProgSlice.h:151

SVF::ProgSlice::AllPathReachableSolve
bool AllPathReachableSolve()
Guarded reachability solve.
Definition ProgSlice.cpp:43

SVF::ProgSlice::setAllReachable
void setAllReachable()
Definition ProgSlice.h:147

SVF::RetDirSVFGEdge
Definition VFGEdge.h:255

SVF::SVFBaseNode::getId
NodeID getId() const
Get ID.
Definition GenericGraph.h:236

SVF::SVFGBuilder::getSVFG
SVFG * getSVFG() const
Get SVFG instance.
Definition SVFGBuilder.h:61

SVF::SVFGBuilder::buildFullSVFG
SVFG * buildFullSVFG(BVDataPTAImpl *pta)
Definition SVFGBuilder.cpp:51

SVF::SVFGBuilder::buildPTROnlySVFG
SVFG * buildPTROnlySVFG(BVDataPTAImpl *pta)
Definition SVFGBuilder.cpp:43

SVF::SVFGStat::addToBackwardSlice
void addToBackwardSlice(const SVFGNode *node)
Definition SVFGStat.h:249

SVF::SVFGStat::addToSources
void addToSources(const SVFGNode *node)
Definition SVFGStat.h:237

SVF::SVFGStat::addToSinks
void addToSinks(const SVFGNode *node)
Definition SVFGStat.h:241

SVF::SVFGStat::addToForwardSlice
void addToForwardSlice(const SVFGNode *node)
Definition SVFGStat.h:245

SVF::SVFG
Definition SVFG.h:66

SVF::SVFG::getStat
SVFGStat * getStat() const
Return statistics.
Definition SVFG.h:126

SVF::SVFIR
Definition SVFIR.h:45

SVF::SVFIR::getPAG
static SVFIR * getPAG(bool buildFromFile=false)
Singleton design here to make sure we only have one instance during any analysis.
Definition SVFIR.h:116

SVF::SVFModule
Definition SVFModule.h:41

SVF::SaberCondAllocator::allocate
void allocate(const SVFModule *module)
Perform path allocation.
Definition SaberCondAllocator.cpp:59

SVF::SaberCondAllocator::getCondNum
u32_t getCondNum()
Definition SaberCondAllocator.h:79

SVF::SaberCondAllocator::getMemUsage
std::string getMemUsage()
Statistics.
Definition SaberCondAllocator.h:71

SVF::SaberSVFGBuilder::setSaberCondAllocator
void setSaberCondAllocator(SaberCondAllocator *allocator)
Definition SaberSVFGBuilder.h:68

SVF::SparseBitVector
Definition SparseBitVector.h:502

SVF::SparseBitVector::test
bool test(unsigned Idx) const
Definition SparseBitVector.h:750

SVF::SparseBitVector::set
void set(unsigned Idx)
Definition SparseBitVector.h:789

SVF::SrcSnkDDA::sourcesBegin
SVFGNodeSetIter sourcesBegin() const
Definition SrcSnkDDA.h:210

SVF::SrcSnkDDA::initSnks
virtual void initSnks()=0

SVF::SrcSnkDDA::initSrcs
virtual void initSrcs()=0

SVF::SrcSnkDDA::backwardVisited
bool backwardVisited(const SVFGNode *node)
Definition SrcSnkDDA.h:291

SVF::SrcSnkDDA::isGlobalSVFGNode
bool isGlobalSVFGNode(const SVFGNode *node) const
Whether this svfg node may access global variable.
Definition SrcSnkDDA.h:138

SVF::SrcSnkDDA::getPAG
SVFIR * getPAG() const
Get SVFIR.
Definition SrcSnkDDA.h:120

SVF::SrcSnkDDA::BWProcessIncomingEdge
void BWProcessIncomingEdge(const DPIm &item, SVFGEdge *edge) override
Propagate information backward without matching context, as forward analysis already did it.
Definition SrcSnkDDA.cpp:257

SVF::SrcSnkDDA::WorkList
ProgSlice::VFWorkList WorkList
Definition SrcSnkDDA.h:66

SVF::SrcSnkDDA::CallSiteSet
Set< const CallICFGNode * > CallSiteSet
Definition SrcSnkDDA.h:64

SVF::SrcSnkDDA::addForwardVisited
void addForwardVisited(const SVFGNode *node, const DPIm &item)
Definition SrcSnkDDA.h:287

SVF::SrcSnkDDA::callgraph
PTACallGraph * callgraph
Definition SrcSnkDDA.h:79

SVF::SrcSnkDDA::_curSlice
ProgSlice * _curSlice
Definition SrcSnkDDA.h:69

SVF::SrcSnkDDA::sinksBegin
SVFGNodeSetIter sinksBegin() const
Definition SrcSnkDDA.h:226

SVF::SrcSnkDDA::getCurSlice
ProgSlice * getCurSlice() const
Definition SrcSnkDDA.h:146

SVF::SrcSnkDDA::annotateSlice
void annotateSlice(ProgSlice *slice)
Definition SrcSnkDDA.cpp:284

SVF::SrcSnkDDA::initialize
virtual void initialize(SVFModule *module)
Initialize analysis.
Definition SrcSnkDDA.cpp:41

SVF::SrcSnkDDA::printZ3Stat
void printZ3Stat()
Definition SrcSnkDDA.cpp:302

SVF::SrcSnkDDA::forwardVisited
bool forwardVisited(const SVFGNode *node, const DPIm &item)
Whether has been visited or not, in order to avoid recursion on SVFG.
Definition SrcSnkDDA.h:279

SVF::SrcSnkDDA::addBackwardVisited
void addBackwardVisited(const SVFGNode *node)
Definition SrcSnkDDA.h:295

SVF::SrcSnkDDA::reportBug
virtual void reportBug(ProgSlice *slice)=0
report bug on the current analyzed slice

SVF::SrcSnkDDA::sinksEnd
SVFGNodeSetIter sinksEnd() const
Definition SrcSnkDDA.h:230

SVF::SrcSnkDDA::setCurSlice
virtual void setCurSlice(const SVFGNode *src)
Slice operations.
Definition SrcSnkDDA.cpp:272

SVF::SrcSnkDDA::memSSA
SaberSVFGBuilder memSSA
Definition SrcSnkDDA.h:77

SVF::SrcSnkDDA::analyze
virtual void analyze(SVFModule *module)
Start analysis here.
Definition SrcSnkDDA.cpp:61

SVF::SrcSnkDDA::dumpSlices
void dumpSlices()
Dump SVFG with annotated slice information.
Definition SrcSnkDDA.cpp:295

SVF::SrcSnkDDA::FWProcessOutgoingEdge
void FWProcessOutgoingEdge(const DPIm &item, SVFGEdge *edge) override
Propagate information forward by matching context.
Definition SrcSnkDDA.cpp:192

SVF::SrcSnkDDA::sourcesEnd
SVFGNodeSetIter sourcesEnd() const
Definition SrcSnkDDA.h:214

SVF::SrcSnkDDA::SVFGNodeSetIter
SVFGNodeSet::const_iterator SVFGNodeSetIter
Definition SrcSnkDDA.h:60

SVF::SrcSnkDDA::getSVFG
const SVFG * getSVFG() const
Get SVFG.
Definition SrcSnkDDA.h:126

SVF::SrcSnkDDA::getSaberCondAllocator
SaberCondAllocator * getSaberCondAllocator() const
Get saber condition allocator.
Definition SrcSnkDDA.h:241

SVF::SrcSnkDDA::svfg
SVFG * svfg
Definition SrcSnkDDA.h:78

SVF::SrcSnkDDA::clearVisitedMap
void clearVisitedMap()
Definition SrcSnkDDA.h:299

SVF::SrcSnkDDA::finalize
virtual void finalize()
Finalize analysis.
Definition SrcSnkDDA.h:114

SVF::SrcSnkDDA::isInAWrapper
bool isInAWrapper(const SVFGNode *src, CallSiteSet &csIdSet)
Identify allocation wrappers.
Definition SrcSnkDDA.cpp:118

SVF::StoreVFGNode
Definition VFGNode.h:246

SVF::VFGEdge
Definition VFGEdge.h:45

SVF::VFGNode
Definition VFGNode.h:47

SVF::VFGNode::const_iterator
VFGEdge::VFGEdgeSetTy::const_iterator const_iterator
Definition VFGNode.h:55

SVF::VFG::getCallSite
const CallICFGNode * getCallSite(CallSiteID id) const
Definition VFG.h:182

SVF::SVFUtil::isa
LLVM_NODISCARD bool isa(const Y &Val)
Definition Casting.h:241

SVF::SVFUtil::outs
std::ostream & outs()
Overwrite llvm::outs()
Definition SVFUtil.h:50

SVF
for isBitcode
Definition BasicTypes.h:68

SVF::CallSiteID
unsigned CallSiteID
Definition GeneralType.h:58

SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74

SVF::dump
void dump(const SparseBitVector< ElementSize > &LHS, std::ostream &out)
Definition SparseBitVector.h:1233

SVF::u32_t
unsigned u32_t
Definition GeneralType.h:46