Question: the path of SVFG for branches #1306

Closed
ZcoderL opened this issue Dec 29, 2023 · 7 comments

@ZcoderL

ZcoderL commented Dec 29, 2023

When using Saber to test this test code, the expected results were not obtained.
My code:

```c
#include <stdlib.h>
typedef struct Node {
    int data;
    struct Node *next;
} Node;
int main() {
    Node* head1 = (Node*)malloc(sizeof(Node));
    Node* head2 = (Node*)malloc(sizeof(Node));
    int a = 1;
    int b = 1;
    Node *p = head1;    /* line 11 */
    if(a == b){
        p = head2;      /* line 13 */
    }
    free(p);            /* line 15 */
    return 0;
}
```

The correct result should be that both head1 and head2 report PartialLeak.

But the test results show that head1 has no memory leak, while head2 reports PartialLeak.

[image]

I checked the slice diagram and found that the path from the malloc node of head1 to the free node did not pass through the if...then block. May I ask why this is?

@yuleisui
Collaborator

@jumormt could you have a look?

@jumormt
Contributor

jumormt commented Dec 29, 2023

This case is tricky. Different from head2, the conditional free path for head1 should be the if-else branch. It seems that the value-flow guard between p@Line 11 and p@Line 15 should be a != b instead of a true value.

Regarding why head1 does not pass through the if-then block, the points-to set of head1@Line 11 does not pass to p@Line 13 (i.e., no indirect value-flow between p@Line 11 and p@Line 13) because it is a strong update at Line 13. Therefore, Saber removes that redundant indirect value-flow.
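
Added example, not part of the thread and not SVF code: a simplified C++ model of how the guard on the 11->15 value-flow decides what is reported for head1. The single branch condition, the `classify` helper and the "Safe" label are assumptions made for the illustration.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Simplified model, not SVF code. A guard is a predicate over the single
// branch condition c = (a == b) tested at line 12 of the test program.
using Guard = std::function<bool(bool)>;

// Classify one allocation from the guards of its value-flow paths to
// free(p) at line 15: evaluate their disjunction for each outcome of c.
// "Safe" is a label made up for this example.
std::string classify(const std::vector<Guard>& path_guards) {
    int outcomes_freed = 0;
    for (bool c : {false, true}) {
        bool reaches_free = false;
        for (const Guard& g : path_guards) reaches_free = reaches_free || g(c);
        if (reaches_free) ++outcomes_freed;
    }
    if (outcomes_freed == 2) return "Safe";       // freed whatever c is
    if (outcomes_freed == 0) return "NeverFree";  // no path reaches free
    return "PartialLeak";                         // freed for some c only
}

// head1 -> p@11 -> free@15 with the guard `true` described in the thread.
std::string head1_with_true_guard() {
    return classify({Guard([](bool) { return true; })});
}

// Same flow guarded by a != b: the strong update at line 13 overwrites p
// when a == b, so head1 only reaches free on the other branch.
std::string head1_with_branch_guard() {
    return classify({Guard([](bool c) { return !c; })});
}

// head2 -> p@13 -> free@15 exists only inside the if-then block (a == b).
std::string head2_flow() {
    return classify({Guard([](bool c) { return c; })});
}

int main() {
    std::cout << "head1, guard true:   " << head1_with_true_guard() << "\n"
              << "head1, guard a != b: " << head1_with_branch_guard() << "\n"
              << "head2, guard a == b: " << head2_flow() << "\n";
    return 0;
}
```

With the guard `true` the model classifies head1 as freed on every path, which matches the missing report in the question; with `a != b` both allocations come out as PartialLeak.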

@yuleisui
Collaborator

@ZcoderL could you upload the C file and its SVFG? @jumormt the strong update should remove 11->13 but should keep 11->15, and the value-flow guard should have a condition a != b?

@jumormt
Contributor

jumormt commented Dec 30, 2023

Yes, 11->13 is removed due to a strong update. 11->15 is a normal direct def-use and is kept in SVFG. The source code with line numbers:

[image]

And the SVFG (relevant part):

[image]

The entire SVFG:

[image: svfg]

@yuleisui
Collaborator

The value-flow guard for 11-15 is missing? If not missing, there is supposed to be a conditional free?

jumormt added a commit to jumormt/SVF-xiao that referenced this issue Dec 30, 2023
yuleisui pushed a commit that referenced this issue Dec 30, 2023
…#1309)

* fix issue #1306: compute vf guard for strong update in another branch

* update based on code review

* move removed edges to condallocator

* fix header bug

* add CFLSVFGBuilder

* add comments

* fix null dereference
@yuleisui
Collaborator

@ZcoderL could you try the recent merge and see whether it fixes your issue?
#1309

@ZcoderL
Author

ZcoderL commented Jan 2, 2024

Due to the holiday a few days ago, I didn't see your reply, sorry.

Your update fixes my issue, thank you

ZcoderL closed this as completed Jan 2, 2024