From ded62ab1974e9fd7d35c65a2f9c94f15a8b86bb2 Mon Sep 17 00:00:00 2001
From: jumormt
Date: Thu, 19 Sep 2024 19:05:24 +1000
Subject: [PATCH 1/2] fix cdg null deref
---
 svf/include/Graphs/CDG.h | 6 +++---
 svf/lib/Graphs/CDG.cpp | 2 +-
 svf/lib/Util/CDGBuilder.cpp | 41 ++++++++++++++++++++++++++++++++-----
 3 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/svf/include/Graphs/CDG.h b/svf/include/Graphs/CDG.h
index 0ebd6f1d7..1ffb4ce3b 100644
--- a/svf/include/Graphs/CDG.h
+++ b/svf/include/Graphs/CDG.h
@@ -42,7 +42,7 @@ typedef GenericEdge GenericCDGEdgeTy;
 class CDGEdge : public GenericCDGEdgeTy
 {
 public:
- typedef std::pair BranchCondition;
+ typedef std::pair BranchCondition;
 /// Constructor
 CDGEdge(CDGNode *s, CDGNode *d)
 : GenericCDGEdgeTy(s, d, 0)
@@ -73,7 +73,7 @@ class CDGEdge : public GenericCDGEdgeTy
 return brConditions;
 }
- void insertBranchCondition(const SVFValue *pNode, s32_t branchID)
+ void insertBranchCondition(const SVFVar *pNode, s32_t branchID)
 {
 brConditions.insert(std::make_pair(pNode, branchID));
 }
@@ -288,7 +288,7 @@ class CDG : public GenericCDGTy
 }
 /// Add CDG edges from nodeid pair
- void addCDGEdgeFromSrcDst(const ICFGNode *src, const ICFGNode *dst, const SVFValue *pNode, s32_t branchID);
+ void addCDGEdgeFromSrcDst(const ICFGNode *src, const ICFGNode *dst, const SVFVar *pNode, s32_t branchID);
 };
 } // end namespace SVF
diff --git a/svf/lib/Graphs/CDG.cpp b/svf/lib/Graphs/CDG.cpp
index 806c2a3ee..2f7d45733 100644
--- a/svf/lib/Graphs/CDG.cpp
+++ b/svf/lib/Graphs/CDG.cpp
@@ -32,7 +32,7 @@ using namespace SVF;
 CDG *CDG::controlDg = nullptr;
-void CDG::addCDGEdgeFromSrcDst(const ICFGNode *src, const ICFGNode *dst, const SVFValue *pNode, s32_t branchID)
+void CDG::addCDGEdgeFromSrcDst(const ICFGNode *src, const ICFGNode *dst, const SVFVar *pNode, s32_t branchID)
 {
 if (!hasCDGNode(src->getId()))
 {
diff --git a/svf/lib/Util/CDGBuilder.cpp b/svf/lib/Util/CDGBuilder.cpp
index 8a6ead347..ce7ee3bef 100644
--- a/svf/lib/Util/CDGBuilder.cpp
+++ b/svf/lib/Util/CDGBuilder.cpp
@@ -88,6 +88,13 @@ s64_t CDGBuilder::getBBSuccessorBranchID(const SVFBasicBlock *BB, const SVFBasic
 ICFG *icfg = PAG::getPAG()->getICFG();
 assert(!BB->getICFGNodeList().empty() && "empty bb?");
 const ICFGNode *pred = BB->back();
+ if (const CallICFGNode* callNode = dyn_cast(pred))
+ {
+ // not a branch statement:
+ // invoke void %3(ptr noundef nonnull align 8 dereferenceable(8) %1, ptr noundef %2)
+ // to label %invoke.cont1 unwind label %lpad
+ pred = callNode->getRetICFGNode();
+ }
 const ICFGEdge *edge = nullptr;
 for (const auto &node: Succ->getICFGNodeList())
 {
@@ -190,9 +197,15 @@ void CDGBuilder::buildICFGNodeControlMap()
 for (const auto &it2: it.second)
 {
 const SVFBasicBlock *controllingBB = it2.first;
- // const ICFGNode *controlNode = _bbToNode[it.first].first;
- // if(!controlNode) continue;
 const ICFGNode *controlNode = it.first->getICFGNodeList().back();
+ if (const CallICFGNode* callNode =
+ SVFUtil::dyn_cast(controlNode))
+ {
+ // not a branch statement:
+ // invoke void %3(ptr noundef nonnull align 8 dereferenceable(8) %1, ptr noundef %2)
+ // to label %invoke.cont1 unwind label %lpad
+ controlNode = callNode->getRetICFGNode();
+ }
 if (!controlNode) continue;
 // controlNode control at pos
 for (const auto &controllee: controllingBB->getICFGNodeList())
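Review bot: `pred = callNode->getRetICFGNode();` feeds `icfg->getICFGEdge(pred, ...)` a few lines further down without a null check, so if getRetICFGNode() can return nullptr for a call node the new code relocates the null dereference rather than removing it; I cannot see that accessor's contract from here, so either assert on the result or guard it before the edge lookup. The same CallICFGNode-to-RetICFGNode remapping, with the identical three-line invoke comment, is written out again in the @@ -190 hunk below and the comment a third time in the @@ -201 hunk, once spelled `dyn_cast(pred)` and once `SVFUtil::dyn_cast(controlNode)`. A small helper such as `static const ICFGNode* branchNodeOf(const ICFGNode* n)` that returns the RetICFGNode for a call node and `n` otherwise would keep the sites in step and give the comment one home. getBBSuccessorBranchID continues outside the hunk.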
@@ -201,9 +214,27 @@ void CDGBuilder::buildICFGNodeControlMap()
 _nodeDependentOnMap[controllee][controlNode].insert(it2.second.begin(), it2.second.end());
 for (s32_t pos: it2.second)
 {
- _controlDG->addCDGEdgeFromSrcDst(controlNode, controllee,
- SVFUtil::dyn_cast(controlNode)->getInst(),
- pos);
+ if (const IntraICFGNode* intraNode =
+ dyn_cast(controlNode))
+ {
+ assert(intraNode->getSVFStmts().size() == 1 &&
+ "not a branch stmt?");
+ const SVFVar* condition =
+ SVFUtil::cast(
+ intraNode->getSVFStmts().front())
+ ->getCondition();
+ _controlDG->addCDGEdgeFromSrcDst(controlNode, controllee,
+ condition,
+ pos);
+ } else {
+ // not a branch statement:
+ // invoke void %3(ptr noundef nonnull align 8 dereferenceable(8) %1, ptr noundef %2)
+ // to label %invoke.cont1 unwind label %lpad
+ _controlDG->addCDGEdgeFromSrcDst(controlNode, controllee,
+ nullptr,
+ pos);
+ }
+
 }
 }
 }
From 658520e2f76ec895e70d7ed97791baa408acf72f Mon Sep 17 00:00:00 2001
From: jumormt
Date: Thu, 19 Sep 2024 22:32:04 +1000
Subject: [PATCH 2/2] fix cdg null deref
---
 svf/lib/Util/CDGBuilder.cpp | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/svf/lib/Util/CDGBuilder.cpp b/svf/lib/Util/CDGBuilder.cpp
index ce7ee3bef..ea5fb18bc 100644
--- a/svf/lib/Util/CDGBuilder.cpp
+++ b/svf/lib/Util/CDGBuilder.cpp
@@ -95,15 +95,7 @@ s64_t CDGBuilder::getBBSuccessorBranchID(const SVFBasicBlock *BB, const SVFBasic
 // to label %invoke.cont1 unwind label %lpad
 pred = callNode->getRetICFGNode();
 }
- const ICFGEdge *edge = nullptr;
- for (const auto &node: Succ->getICFGNodeList())
- {
- if (const ICFGEdge *e = icfg->getICFGEdge(pred, node, ICFGEdge::ICFGEdgeK::IntraCF))
- {
- edge = e;
- break;
- }
- }
+ const ICFGEdge *edge = icfg->getICFGEdge(pred, Succ->front(), ICFGEdge::ICFGEdgeK::IntraCF);
 if (const IntraCFGEdge *intraEdge = SVFUtil::dyn_cast(edge))
 {
 if(intraEdge->getCondition())
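Review bot: The only thing between `intraNode->getSVFStmts().front()` and an empty statement list is `assert(intraNode->getSVFStmts().size() == 1 && ...)`, which compiles away under NDEBUG, so a release build would call front() on an empty container for any IntraICFGNode that carries no statement (undefined behaviour for the standard containers), and the checked cast on the following line (its template argument is not visible in this rendering) is likewise only checked in debug builds. Turning the expectation into control flow keeps release builds on a defined path: `const IntraICFGNode* intraNode = SVFUtil::dyn_cast<IntraICFGNode>(controlNode);` followed by `if (intraNode && intraNode->getSVFStmts().size() == 1)`, with everything else falling into the existing else branch; the assert can stay as documentation of the one-statement expectation. The two dyn_cast spellings in this function (`dyn_cast` here, `SVFUtil::dyn_cast` in the hunk above) would also be worth unifying. buildICFGNodeControlMap continues outside the hunk.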
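Review bot: `Succ->front()` on the added line has no emptiness check, while the same function asserts `!BB->getICFGNodeList().empty()` for BB just above the hunk; a successor block with an empty ICFG node list would now be dereferenced where the removed loop simply found no edge and left `edge` null for the dyn_cast to reject. Mirroring the existing check with `assert(!Succ->getICFGNodeList().empty() && "empty succ bb?");` before the lookup treats the two blocks alike. The rewrite also assumes the IntraCF edge always targets the successor's first node; if ICFG construction guarantees that, a one-line comment saying so would document why the scan over the whole node list could go. getBBSuccessorBranchID continues outside the hunk.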
@@ -230,9 +222,10 @@ void CDGBuilder::buildICFGNodeControlMap()
 // not a branch statement:
 // invoke void %3(ptr noundef nonnull align 8 dereferenceable(8) %1, ptr noundef %2)
 // to label %invoke.cont1 unwind label %lpad
- _controlDG->addCDGEdgeFromSrcDst(controlNode, controllee,
- nullptr,
- pos);
+ SVFIR* pag = PAG::getPAG();
+ _controlDG->addCDGEdgeFromSrcDst(
+ controlNode, controllee,
+ pag->getGNode(pag->getNullPtr()), pos);
 }
 }
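Review bot: `SVFIR* pag = PAG::getPAG();` sits inside the innermost `for (s32_t pos ...)` loop, so the PAG is fetched once per control position; hoisting it to the top of buildICFGNodeControlMap (or at least above the loops) removes the repeated lookup and leaves the else branch with the single addCDGEdgeFromSrcDst call. The change also quietly redefines the "no condition" sentinel: any reader of the stored BranchCondition pairs that tests the SVFVar for nullptr would no longer recognise the non-branch case, because it is now the null-pointer object node. That contract belongs next to `insertBranchCondition` and `addCDGEdgeFromSrcDst` in CDG.h, e.g. `/// pNode is the SVFIR null-pointer node when the controlling node is not a branch (e.g. an invoke)`. The enclosing loops begin outside the hunk.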