SVF::DoubleFreeChecker Class Reference

#include <DoubleFreeChecker.h>

Inheritance diagram for SVF::DoubleFreeChecker:

Public Member Functions
	DoubleFreeChecker ()
	Constructor.
virtual	~DoubleFreeChecker ()
	Destructor.
virtual bool	runOnModule (SVFIR *pag) override
	We start from here.
void	reportBug (ProgSlice *slice) override
	Report file/close bugs.
void	testsValidation (ProgSlice *slice)
	Validate test cases for regression test purpose.
void	validateSuccessTests (ProgSlice *slice, const FunObjVar *fun)
void	validateExpectedFailureTests (ProgSlice *slice, const FunObjVar *fun)
Public Member Functions inherited from SVF::LeakChecker
	LeakChecker ()
	Constructor.
virtual	~LeakChecker ()
	Destructor.
virtual void	initSrcs () override
	Initialize sources and sinks.
virtual void	initSnks () override
virtual bool	isSourceLikeFun (const FunObjVar *fun) override
	Whether the function is a heap allocator/reallocator (allocate memory)
virtual bool	isSinkLikeFun (const FunObjVar *fun) override
	Whether the function is a heap deallocator (free/release memory)
Public Member Functions inherited from SVF::SrcSnkDDA
	SrcSnkDDA ()
	Bug Reporter.
	~SrcSnkDDA () override
	Destructor.
virtual void	analyze ()
	Start analysis here.
virtual void	initialize ()
	Initialize analysis.
virtual void	finalize ()
	Finalize analysis.
SVFIR *	getPAG () const
	Get SVFIR.
const SVFG *	getSVFG () const
	Get SVFG.
CallGraph *	getCallgraph () const
	Get Callgraph.
bool	isGlobalSVFGNode (const SVFGNode *node) const
	Whether this svfg node may access global variable.
virtual void	setCurSlice (const SVFGNode *src)
	Slice operations.
ProgSlice *	getCurSlice () const
void	addSinkToCurSlice (const SVFGNode *node)
bool	isInCurForwardSlice (const SVFGNode *node)
bool	isInCurBackwardSlice (const SVFGNode *node)
void	addToCurForwardSlice (const SVFGNode *node)
void	addToCurBackwardSlice (const SVFGNode *node)
bool	isInAWrapper (const SVFGNode *src, CallSiteSet &csIdSet)
	Identify allocation wrappers.
const SVFGNodeSet &	getSources () const
	Get sources/sinks.
SVFGNodeSetIter	sourcesBegin () const
SVFGNodeSetIter	sourcesEnd () const
void	addToSources (const SVFGNode *node)
const SVFGNodeSet &	getSinks () const
SVFGNodeSetIter	sinksBegin () const
SVFGNodeSetIter	sinksEnd () const
void	addToSinks (const SVFGNode *node)
SaberCondAllocator *	getSaberCondAllocator () const
	Get saber condition allocator.
const SVFBugReport &	getBugReport () const
bool	isSource (const SVFGNode *node) const
bool	isSink (const SVFGNode *node) const

Additional Inherited Members
Public Types inherited from SVF::LeakChecker
enum	LEAK_TYPE { NEVER_FREE_LEAK , CONTEXT_LEAK , PATH_LEAK , GLOBAL_LEAK }
typedef Map< const SVFGNode *, const CallICFGNode * >	SVFGNodeToCSIDMap
typedef FIFOWorkList< const CallICFGNode * >	CSWorkList
typedef ProgSlice::VFWorkList	WorkList
typedef NodeBS	SVFGNodeBS
Public Types inherited from SVF::SrcSnkDDA
typedef ProgSlice::SVFGNodeSet	SVFGNodeSet
typedef Map< const SVFGNode *, ProgSlice * >	SVFGNodeToSliceMap
typedef SVFGNodeSet::const_iterator	SVFGNodeSetIter
typedef CxtDPItem	DPIm
typedef Set< DPIm >	DPImSet
	dpitem set
typedef Map< const SVFGNode *, DPImSet >	SVFGNodeToDPItemsMap
	map a SVFGNode to its visited dpitems
typedef Set< const CallICFGNode * >	CallSiteSet
typedef NodeBS	SVFGNodeBS
typedef ProgSlice::VFWorkList	WorkList
Public Types inherited from SVF::GraphReachSolver< GraphType, DPIm >
typedef SVF::GenericGraphTraits< GraphType >	GTraits
	Define the GTraits and node iterator.
typedef GTraits::NodeType	GNODE
typedef GTraits::EdgeType	GEDGE
typedef GTraits::nodes_iterator	node_iterator
typedef GTraits::ChildIteratorType	child_iterator
typedef SVF::GenericGraphTraits< SVF::Inverse< GNODE * > >	InvGTraits
	Define inverse GTraits and note iterator.
typedef InvGTraits::ChildIteratorType	inv_child_iterator
typedef FIFOWorkList< DPIm >	WorkList
	Define worklist.
Protected Member Functions inherited from SVF::LeakChecker
void	testsValidation (const ProgSlice *slice)
	Validate test cases for regression test purpose.
void	validateSuccessTests (const SVFGNode *source, const FunObjVar *fun)
void	validateExpectedFailureTests (const SVFGNode *source, const FunObjVar *fun)
void	addSrcToCSID (const SVFGNode *src, const CallICFGNode *cs)
	Record a source to its callsite.
const CallICFGNode *	getSrcCSID (const SVFGNode *src)
Protected Member Functions inherited from SVF::SrcSnkDDA
void	FWProcessCurNode (const DPIm &item) override
	Forward traverse.
void	BWProcessCurNode (const DPIm &item) override
	Backward traverse.
void	FWProcessOutgoingEdge (const DPIm &item, SVFGEdge *edge) override
	Propagate information forward by matching context.
void	BWProcessIncomingEdge (const DPIm &item, SVFGEdge *edge) override
	Propagate information backward without matching context, as forward analysis already did it.
bool	forwardVisited (const SVFGNode *node, const DPIm &item)
	Whether has been visited or not, in order to avoid recursion on SVFG.
void	addForwardVisited (const SVFGNode *node, const DPIm &item)
bool	backwardVisited (const SVFGNode *node)
void	addBackwardVisited (const SVFGNode *node)
void	clearVisitedMap ()
virtual bool	isAllPathReachable ()
	Whether it is all path reachable from a source.
virtual bool	isSomePathReachable ()
	Whether it is some path reachable from a source.
void	dumpSlices ()
	Dump SVFG with annotated slice information.
void	annotateSlice (ProgSlice *slice)
void	printZ3Stat ()
Protected Member Functions inherited from SVF::GraphReachSolver< GraphType, DPIm >
	GraphReachSolver ()
	Constructor.
virtual	~GraphReachSolver ()
	Destructor.
const GraphType	graph () const
	Get/Set graph methods.
void	setGraph (GraphType g)
GNODE *	getNode (NodeID id) const
virtual NodeID	getNodeIDFromItem (const DPIm &item) const
virtual void	forwardTraverse (DPIm &it)
	CFL forward traverse solve.
virtual void	backwardTraverse (DPIm &it)
	CFL forward traverse solve.
virtual void	FWProcessCurNode (const DPIm &)
	Process the DP item.
virtual void	BWProcessCurNode (const DPIm &)
virtual void	FWProcessOutgoingEdge (const DPIm &item, GEDGE *edge)
	Propagation for the solving, to be implemented in the child class.
virtual void	BWProcessIncomingEdge (const DPIm &item, GEDGE *edge)
DPIm	popFromWorklist ()
	Worklist operations.
bool	pushIntoWorklist (DPIm &item)
bool	isWorklistEmpty ()
bool	isInWorklist (DPIm &item)
Protected Attributes inherited from SVF::SrcSnkDDA
SaberSVFGBuilder	memSSA
SVFG *	svfg
CallGraph *	callgraph
SVFBugReport	report

Detailed Description

Double free checker to check deallocations of memory

Definition at line 42 of file DoubleFreeChecker.h.

Constructor & Destructor Documentation

DoubleFreeChecker()

SVF::DoubleFreeChecker::DoubleFreeChecker ( )

inline

Constructor.

Definition at line 47 of file DoubleFreeChecker.h.

                       : LeakChecker()
    {
    }

~DoubleFreeChecker()

virtual SVF::DoubleFreeChecker::~DoubleFreeChecker ( )

inlinevirtual

Destructor.

Definition at line 52 of file DoubleFreeChecker.h.

    {
    }

Member Function Documentation

reportBug()

void DoubleFreeChecker::reportBug ( ProgSlice *  slice )

overridevirtual

Report file/close bugs.

Reimplemented from SVF::LeakChecker.

Definition at line 37 of file DoubleFreeChecker.cpp.

{
 
    if(slice->isSatisfiableForPairs() == false)
    {
        GenericBug::EventStack eventStack;
        slice->evalFinalCond2Event(eventStack);
        eventStack.push_back(
            SVFBugEvent(SVFBugEvent::SourceInst, getSrcCSID(slice->getSource())));
        report.addSaberBug(GenericBug::DOUBLEFREE, eventStack);
    }
    if(Options::ValidateTests())
        testsValidation(slice);
}

runOnModule()

virtual bool SVF::DoubleFreeChecker::runOnModule ( SVFIR *  pag )

inlineoverridevirtual

We start from here.

start analysis

Reimplemented from SVF::LeakChecker.

Definition at line 57 of file DoubleFreeChecker.h.

    {
        analyze();
        return false;
    }

testsValidation()

void DoubleFreeChecker::testsValidation

(

ProgSlice *

slice

)

Validate test cases for regression test purpose.

Definition at line 54 of file DoubleFreeChecker.cpp.

{
    const SVFGNode* source = slice->getSource();
    const CallICFGNode* cs = getSrcCSID(source);
    const FunObjVar* fun = cs->getCalledFunction();
    if(fun==nullptr)
        return;
    validateSuccessTests(slice,fun);
    validateExpectedFailureTests(slice,fun);
}

validateExpectedFailureTests()

void DoubleFreeChecker::validateExpectedFailureTests	(	ProgSlice *	slice,
		const FunObjVar *	fun
	)

output safe but should be double free

output double free but should be safe

Definition at line 111 of file DoubleFreeChecker.cpp.

{
    const SVFGNode* source = slice->getSource();
    const CallICFGNode* cs = getSrcCSID(source);
 
    bool expectedFailure = false;
    if(fun->getName() == "DOUBLEFREEMALLOCFN")
    {
        if(slice->isSatisfiableForPairs() == true)
            expectedFailure = true;
    } 
    else if(fun->getName() == "SAFEMALLOCFP")
    {
        if(slice->isSatisfiableForPairs() == false)
            expectedFailure = true;
    }
    else if(fun->getName() == "SAFEMALLOC" || fun->getName() == "DOUBLEFREEMALLOC")
    {
        return;
    }
    else
    {
        writeWrnMsg("\t can not validate, check function not found, please put it at the right place!!");
        return;
    }
 
    std::string funName = source->getFun()->getName();
 
    if (expectedFailure)
    {
        outs() << sucMsg("\t EXPECTED-FAILURE :") << funName << " check <src id:" << source->getId()
               << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
               << cs->getSourceLoc() << ")\n";
        outs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
    }
    else
    {
        SVFUtil::errs() << errMsg("\t UNEXPECTED FAILURE :") << funName
                        << " check <src id:" << source->getId()
                        << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
                        << cs->getSourceLoc() << ")\n";
        SVFUtil::errs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
        assert(false && "test case failed!");
    }
}

validateSuccessTests()

void DoubleFreeChecker::validateSuccessTests	(	ProgSlice *	slice,
		const FunObjVar *	fun
	)

Definition at line 65 of file DoubleFreeChecker.cpp.

{
    const SVFGNode* source = slice->getSource();
    const CallICFGNode* cs = getSrcCSID(source);
 
    bool success = false;
 
    if(fun->getName() == "SAFEMALLOC")
    {
        if(slice->isSatisfiableForPairs() == true)
            success = true;
    }
    else if(fun->getName() == "DOUBLEFREEMALLOC")
    {
        if(slice->isSatisfiableForPairs() == false)
            success = true;
    }
    else if(fun->getName() == "DOUBLEFREEMALLOCFN" || fun->getName() == "SAFEMALLOCFP")
    {
        return;
    }
    else
    {
        writeWrnMsg("\t can not validate, check function not found, please put it at the right place!!");
        return;
    }
 
    std::string funName = source->getFun()->getName();
 
    if (success)
    {
        outs() << sucMsg("\t SUCCESS :") << funName << " check <src id:" << source->getId()
               << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
               << cs->getSourceLoc() << ")\n";
        outs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
    }
    else
    {
        SVFUtil::errs() << errMsg("\t FAILURE :") << funName << " check <src id:" << source->getId()
                        << ", cs id:" << (getSrcCSID(source))->valueOnlyToString() << "> at ("
                        << cs->getSourceLoc() << ")\n";
        SVFUtil::errs() << "\t\t double free path: \n" << slice->evalFinalCond() << "\n";
        assert(false && "test case failed!");
    }
}

---

The documentation for this class was generated from the following files:

• /home/runner/work/SVF/SVF/svf/include/SABER/DoubleFreeChecker.h
• /home/runner/work/SVF/SVF/svf/lib/SABER/DoubleFreeChecker.cpp