Static Value-Flow Analysis
Public Member Functions | List of all members
SVF::DoubleFreeChecker Class Reference

#include <DoubleFreeChecker.h>

Inheritance diagram for SVF::DoubleFreeChecker:
SVF::LeakChecker SVF::SrcSnkDDA SVF::GraphReachSolver< GraphType, DPIm >

Public Member Functions

 DoubleFreeChecker ()
 Constructor. More...
 
virtual ~DoubleFreeChecker ()
 Destructor. More...
 
virtual bool runOnModule (SVFIR *pag) override
 We start from here. More...
 
void reportBug (ProgSlice *slice) override
 Report file/close bugs. More...
 
void testsValidation (ProgSlice *slice)
 Validate test cases for regression test purpose. More...
 
void validateSuccessTests (ProgSlice *slice, const SVFFunction *fun)
 
void validateExpectedFailureTests (ProgSlice *slice, const SVFFunction *fun)
 
- Public Member Functions inherited from SVF::LeakChecker
 LeakChecker ()
 Constructor. More...
 
virtual ~LeakChecker ()
 Destructor. More...
 
virtual void initSrcs () override
 Initialize sources and sinks. More...
 
virtual void initSnks () override
 
virtual bool isSourceLikeFun (const SVFFunction *fun) override
 Whether the function is a heap allocator/reallocator (allocate memory) More...
 
virtual bool isSinkLikeFun (const SVFFunction *fun) override
 Whether the function is a heap deallocator (free/release memory) More...
 
- Public Member Functions inherited from SVF::SrcSnkDDA
 SrcSnkDDA ()
 Bug Reporter. More...
 
 ~SrcSnkDDA () override
 Destructor. More...
 
virtual void analyze (SVFModule *module)
 Start analysis here. More...
 
virtual void initialize (SVFModule *module)
 Initialize analysis. More...
 
virtual void finalize ()
 Finalize analysis. More...
 
SVFIRgetPAG () const
 Get SVFIR. More...
 
const SVFGgetSVFG () const
 Get SVFG. More...
 
PTACallGraphgetCallgraph () const
 Get Callgraph. More...
 
bool isGlobalSVFGNode (const SVFGNode *node) const
 Whether this svfg node may access global variable. More...
 
virtual void setCurSlice (const SVFGNode *src)
 Slice operations. More...
 
ProgSlicegetCurSlice () const
 
void addSinkToCurSlice (const SVFGNode *node)
 
bool isInCurForwardSlice (const SVFGNode *node)
 
bool isInCurBackwardSlice (const SVFGNode *node)
 
void addToCurForwardSlice (const SVFGNode *node)
 
void addToCurBackwardSlice (const SVFGNode *node)
 
bool isInAWrapper (const SVFGNode *src, CallSiteSet &csIdSet)
 Identify allocation wrappers. More...
 
const SVFGNodeSetgetSources () const
 Get sources/sinks. More...
 
SVFGNodeSetIter sourcesBegin () const
 
SVFGNodeSetIter sourcesEnd () const
 
void addToSources (const SVFGNode *node)
 
const SVFGNodeSetgetSinks () const
 
SVFGNodeSetIter sinksBegin () const
 
SVFGNodeSetIter sinksEnd () const
 
void addToSinks (const SVFGNode *node)
 
SaberCondAllocatorgetSaberCondAllocator () const
 Get saber condition allocator. More...
 
const SVFBugReportgetBugReport () const
 
bool isSource (const SVFGNode *node) const
 
bool isSink (const SVFGNode *node) const
 

Additional Inherited Members

- Public Types inherited from SVF::LeakChecker
enum  LEAK_TYPE { NEVER_FREE_LEAK , CONTEXT_LEAK , PATH_LEAK , GLOBAL_LEAK }
 
typedef Map< const SVFGNode *, const CallICFGNode * > SVFGNodeToCSIDMap
 
typedef FIFOWorkList< const CallICFGNode * > CSWorkList
 
typedef ProgSlice::VFWorkList WorkList
 
typedef NodeBS SVFGNodeBS
 
- Public Types inherited from SVF::SrcSnkDDA
typedef ProgSlice::SVFGNodeSet SVFGNodeSet
 
typedef Map< const SVFGNode *, ProgSlice * > SVFGNodeToSliceMap
 
typedef SVFGNodeSet::const_iterator SVFGNodeSetIter
 
typedef CxtDPItem DPIm
 
typedef Set< DPImDPImSet
 dpitem set More...
 
typedef Map< const SVFGNode *, DPImSetSVFGNodeToDPItemsMap
 map a SVFGNode to its visited dpitems More...
 
typedef Set< const CallICFGNode * > CallSiteSet
 
typedef NodeBS SVFGNodeBS
 
typedef ProgSlice::VFWorkList WorkList
 
- Public Types inherited from SVF::GraphReachSolver< GraphType, DPIm >
typedef SVF::GenericGraphTraits< GraphType > GTraits
 Define the GTraits and node iterator. More...
 
typedef GTraits::NodeType GNODE
 
typedef GTraits::EdgeType GEDGE
 
typedef GTraits::nodes_iterator node_iterator
 
typedef GTraits::ChildIteratorType child_iterator
 
typedef SVF::GenericGraphTraits< SVF::Inverse< GNODE * > > InvGTraits
 Define inverse GTraits and note iterator. More...
 
typedef InvGTraits::ChildIteratorType inv_child_iterator
 
typedef FIFOWorkList< DPIm > WorkList
 Define worklist. More...
 
- Protected Member Functions inherited from SVF::LeakChecker
void testsValidation (const ProgSlice *slice)
 Validate test cases for regression test purpose. More...
 
void validateSuccessTests (const SVFGNode *source, const SVFFunction *fun)
 
void validateExpectedFailureTests (const SVFGNode *source, const SVFFunction *fun)
 
void addSrcToCSID (const SVFGNode *src, const CallICFGNode *cs)
 Record a source to its callsite. More...
 
const CallICFGNodegetSrcCSID (const SVFGNode *src)
 
- Protected Member Functions inherited from SVF::SrcSnkDDA
void FWProcessCurNode (const DPIm &item) override
 Forward traverse. More...
 
void BWProcessCurNode (const DPIm &item) override
 Backward traverse. More...
 
void FWProcessOutgoingEdge (const DPIm &item, SVFGEdge *edge) override
 Propagate information forward by matching context. More...
 
void BWProcessIncomingEdge (const DPIm &item, SVFGEdge *edge) override
 Propagate information backward without matching context, as forward analysis already did it. More...
 
bool forwardVisited (const SVFGNode *node, const DPIm &item)
 Whether has been visited or not, in order to avoid recursion on SVFG. More...
 
void addForwardVisited (const SVFGNode *node, const DPIm &item)
 
bool backwardVisited (const SVFGNode *node)
 
void addBackwardVisited (const SVFGNode *node)
 
void clearVisitedMap ()
 
virtual bool isAllPathReachable ()
 Whether it is all path reachable from a source. More...
 
virtual bool isSomePathReachable ()
 Whether it is some path reachable from a source. More...
 
void dumpSlices ()
 Dump SVFG with annotated slice information. More...
 
void annotateSlice (ProgSlice *slice)
 
void printZ3Stat ()
 
- Protected Member Functions inherited from SVF::GraphReachSolver< GraphType, DPIm >
 GraphReachSolver ()
 Constructor. More...
 
virtual ~GraphReachSolver ()
 Destructor. More...
 
const GraphType graph () const
 Get/Set graph methods. More...
 
void setGraph (GraphType g)
 
GNODEgetNode (NodeID id) const
 
virtual NodeID getNodeIDFromItem (const DPIm &item) const
 
virtual void forwardTraverse (DPIm &it)
 CFL forward traverse solve. More...
 
virtual void backwardTraverse (DPIm &it)
 CFL forward traverse solve. More...
 
virtual void FWProcessCurNode (const DPIm &)
 Process the DP item. More...
 
virtual void BWProcessCurNode (const DPIm &)
 
virtual void FWProcessOutgoingEdge (const DPIm &item, GEDGE *edge)
 Propagation for the solving, to be implemented in the child class. More...
 
virtual void BWProcessIncomingEdge (const DPIm &item, GEDGE *edge)
 
DPIm popFromWorklist ()
 Worklist operations. More...
 
bool pushIntoWorklist (DPIm &item)
 
bool isWorklistEmpty ()
 
bool isInWorklist (DPIm &item)
 
- Protected Attributes inherited from SVF::SrcSnkDDA
SaberSVFGBuilder memSSA
 
SVFGsvfg
 
PTACallGraphcallgraph
 
SVFBugReport report
 

Detailed Description

Double free checker to check deallocations of memory

Definition at line 42 of file DoubleFreeChecker.h.

Constructor & Destructor Documentation

◆ DoubleFreeChecker()

SVF::DoubleFreeChecker::DoubleFreeChecker ( )
inline

Constructor.

Definition at line 47 of file DoubleFreeChecker.h.

47  : LeakChecker()
48  {
49  }
SVF::LeakChecker::LeakChecker
LeakChecker()
Constructor.
Definition: LeakChecker.h:59

◆ ~DoubleFreeChecker()

virtual SVF::DoubleFreeChecker::~DoubleFreeChecker ( )
inlinevirtual

Destructor.

Definition at line 52 of file DoubleFreeChecker.h.

53  {
54  }

Member Function Documentation

◆ reportBug()

void DoubleFreeChecker::reportBug ( ProgSlice slice)
overridevirtual

Report file/close bugs.

Reimplemented from SVF::LeakChecker.

Definition at line 37 of file DoubleFreeChecker.cpp.

38 {
39 
40  if(slice->isSatisfiableForPairs() == false)
41  {
42  GenericBug::EventStack eventStack;
43  slice->evalFinalCond2Event(eventStack);
44  eventStack.push_back(
45  SVFBugEvent(SVFBugEvent::SourceInst, getSrcCSID(slice->getSource())));
46  report.addSaberBug(GenericBug::DOUBLEFREE, eventStack);
47  }
48  if(Options::ValidateTests())
49  testsValidation(slice);
50 }
SVF::DoubleFreeChecker::testsValidation
void testsValidation(ProgSlice *slice)
Validate test cases for regression test purpose.
Definition: DoubleFreeChecker.cpp:54
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition: SVFBugReport.h:83
SVF::LeakChecker::getSrcCSID
const CallICFGNode * getSrcCSID(const SVFGNode *src)
Definition: LeakChecker.h:109
SVF::Options::ValidateTests
static const Option< bool > ValidateTests
Definition: Options.h:169
SVF::ProgSlice::evalFinalCond2Event
void evalFinalCond2Event(GenericBug::EventStack &eventStack) const
Add final condition to eventStack.
Definition: ProgSlice.cpp:196
SVF::ProgSlice::isSatisfiableForPairs
bool isSatisfiableForPairs()
Definition: ProgSlice.cpp:158
SVF::ProgSlice::getSource
const SVFGNode * getSource() const
root and sink operations
Definition: ProgSlice.h:123
SVF::SVFBugReport::addSaberBug
void addSaberBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack)
Definition: SVFBugReport.h:315
SVF::SrcSnkDDA::report
SVFBugReport report
Definition: SrcSnkDDA.h:80

◆ runOnModule()

virtual bool SVF::DoubleFreeChecker::runOnModule ( SVFIR pag)
inlineoverridevirtual

We start from here.

start analysis

Reimplemented from SVF::LeakChecker.

Definition at line 57 of file DoubleFreeChecker.h.

58  {
60  analyze(pag->getModule());
61  return false;
62  }
SVF::SrcSnkDDA::analyze
virtual void analyze(SVFModule *module)
Start analysis here.
Definition: SrcSnkDDA.cpp:61

◆ testsValidation()

void DoubleFreeChecker::testsValidation ( ProgSlice slice)

Validate test cases for regression test purpose.

Definition at line 54 of file DoubleFreeChecker.cpp.

55 {
56  const SVFGNode* source = slice->getSource();
57  const CallICFGNode* cs = getSrcCSID(source);
58  const SVFFunction* fun = cs->getCalledFunction();
59  if(fun==nullptr)
60  return;
61  validateSuccessTests(slice,fun);
62  validateExpectedFailureTests(slice,fun);
63 }
SVF::CallICFGNode::getCalledFunction
const SVFFunction * getCalledFunction() const
Definition: ICFGNode.h:518
SVF::DoubleFreeChecker::validateSuccessTests
void validateSuccessTests(ProgSlice *slice, const SVFFunction *fun)
Definition: DoubleFreeChecker.cpp:65
SVF::DoubleFreeChecker::validateExpectedFailureTests
void validateExpectedFailureTests(ProgSlice *slice, const SVFFunction *fun)
Definition: DoubleFreeChecker.cpp:111

◆ validateExpectedFailureTests()

void DoubleFreeChecker::validateExpectedFailureTests ( ProgSlice slice,
const SVFFunction fun 
)

output safe but should be double free

output double free but should be safe

Definition at line 111 of file DoubleFreeChecker.cpp.

112 {
113  const SVFGNode* source = slice->getSource();
114  const CallICFGNode* cs = getSrcCSID(source);
115 
116  bool expectedFailure = false;
118  if(fun->getName() == "DOUBLEFREEMALLOCFN")
119  {
120  if(slice->isSatisfiableForPairs() == true)
121  expectedFailure = true;
122  }
123  else if(fun->getName() == "SAFEMALLOCFP")
124  {
125  if(slice->isSatisfiableForPairs() == false)
126  expectedFailure = true;
127  }
128  else if(fun->getName() == "SAFEMALLOC" || fun->getName() == "DOUBLEFREEMALLOC")
129  {
130  return;
131  }
132  else
133  {
134  writeWrnMsg("\t can not validate, check function not found, please put it at the right place!!");
135  return;
136  }
137 
138  std::string funName = source->getFun()->getName();
139 
140  if (expectedFailure)
141  {
142  outs() << sucMsg("\t EXPECTED-FAILURE :") << funName << " check <src id:" << source->getId()
143  << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
144  << cs->getSourceLoc() << ")\n";
145  outs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
146  }
147  else
148  {
149  SVFUtil::errs() << errMsg("\t UNEXPECTED FAILURE :") << funName
150  << " check <src id:" << source->getId()
151  << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
152  << cs->getSourceLoc() << ")\n";
153  SVFUtil::errs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
154  assert(false && "test case failed!");
155  }
156 }
string
const char *const string
Definition: cJSON.h:172
SVF::CallICFGNode::getSourceLoc
const std::string getSourceLoc() const override
Definition: ICFGNode.h:588
SVF::ProgSlice::evalFinalCond
std::string evalFinalCond() const
Evaluate final condition.
Definition: ProgSlice.cpp:220
SVF::SVFBaseNode::getId
NodeID getId() const
Get ID.
Definition: GenericGraph.h:260
SVF::SVFValue::getName
const std::string & getName() const
Definition: SVFValue.h:243
SVF::VFGNode::getFun
virtual const SVFFunction * getFun() const
Get the function of this SVFGNode.
Definition: VFGNode.h:79
SVF::SVFUtil::sucMsg
std::string sucMsg(const std::string &msg)
Returns successful message by converting a string into green string output.
Definition: SVFUtil.cpp:53
SVF::SVFUtil::errMsg
std::string errMsg(const std::string &msg)
Print error message by converting a string into red string output.
Definition: SVFUtil.cpp:76
SVF::SVFUtil::writeWrnMsg
void writeWrnMsg(const std::string &msg)
Writes a message run through wrnMsg.
Definition: SVFUtil.cpp:66
SVF::SVFUtil::errs
std::ostream & errs()
Overwrite llvm::errs()
Definition: SVFUtil.h:56
SVF::SVFUtil::outs
std::ostream & outs()
Overwrite llvm::outs()
Definition: SVFUtil.h:50

◆ validateSuccessTests()

void DoubleFreeChecker::validateSuccessTests ( ProgSlice slice,
const SVFFunction fun 
)

Definition at line 65 of file DoubleFreeChecker.cpp.

66 {
67  const SVFGNode* source = slice->getSource();
68  const CallICFGNode* cs = getSrcCSID(source);
69 
70  bool success = false;
71 
72  if(fun->getName() == "SAFEMALLOC")
73  {
74  if(slice->isSatisfiableForPairs() == true)
75  success = true;
76  }
77  else if(fun->getName() == "DOUBLEFREEMALLOC")
78  {
79  if(slice->isSatisfiableForPairs() == false)
80  success = true;
81  }
82  else if(fun->getName() == "DOUBLEFREEMALLOCFN" || fun->getName() == "SAFEMALLOCFP")
83  {
84  return;
85  }
86  else
87  {
88  writeWrnMsg("\t can not validate, check function not found, please put it at the right place!!");
89  return;
90  }
91 
92  std::string funName = source->getFun()->getName();
93 
94  if (success)
95  {
96  outs() << sucMsg("\t SUCCESS :") << funName << " check <src id:" << source->getId()
97  << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
98  << cs->getSourceLoc() << ")\n";
99  outs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
100  }
101  else
102  {
103  SVFUtil::errs() << errMsg("\t FAILURE :") << funName << " check <src id:" << source->getId()
104  << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
105  << cs->getSourceLoc() << ")\n";
106  SVFUtil::errs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
107  assert(false && "test case failed!");
108  }
109 }
The documentation for this class was generated from the following files:
Generated by doxygen 1.9.1