Handling inttoptr in SVFIR #1370

Closed
karthikbhata97 opened this issue Feb 12, 2024 · 5 comments

Comments

@karthikbhata97

Hi,
Thanks for building this valuable tool.

I am interested in how a pointer and the value referenced by it flow through a program. So I am using an SVFIR to track Load/Store/Copy of a pointer. Here is the program I am analyzing:

#include <cstdint>

struct Test {
    int a;
    char b;
};

void test(uint64_t ptr) {
    auto t = (Test *)ptr; // 2: integer back to pointer (inttoptr in LLVM IR)
    auto x = t->a;        // load through the recovered pointer
}

int main() {
    auto t = new Test;

    test((uint64_t)t); // 1: pointer passed as an integer (ptrtoint in LLVM IR)

    return 0;
}

I am analyzing the arguments to the test function and trying to log all the load instructions on the pointer passed to test. I am using PAG/SVFIR to walk through the graph. It works well when a pointer is passed.

Here the pointer is passed as an integer with ptrtoint (at 1), which is then cast back with inttoptr (at 2), and PAG has no links between them. (2) is treated as coming from a null.

  • Is there any specific reason to mark the source as null?
  • Also, am I using the right method to track the "pointer flows and dereferences"?

Thanks again for building and maintaining SVF!

@karthikbhata97 karthikbhata97 changed the title Handling int2ptr in SVFIR Handling inttoptr in SVFIR Feb 12, 2024
@yuleisui
Collaborator

This is a very good question. Previously, we treated int2ptr as sourcing from null or blackhole because the pointer analysis does not support analysing values across integers and pointers.

It looks to me that a COPY PAG edge is not a good option for the casting. We may need to define a special edge on PAG to maintain int2ptr if we would like it to be reflected on the graph.
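To make the two modelling choices in this thread concrete, here is an added C++ example (not SVF's own code, and not using SVF's API) that builds a toy PAG for the program in the issue and runs an inclusion-based points-to solve over it. The node ids, edge kinds and propagation rules are this example's own simplified assumptions, named after SVF's vocabulary only for readability. It shows why treating inttoptr as sourcing from BlackHole/null breaks the link between `t` inside `test` and the object allocated by `new Test`, and why a dedicated Int2Ptr edge that propagates like a copy restores it.

```cpp
// Added example (not SVF's own code): a toy PAG/points-to model of the program
// in this issue. Node ids and edge semantics are assumptions of this example.
#include <cstdio>
#include <map>
#include <set>
#include <vector>

// Edge kinds of the toy graph. Names follow SVF's PAG vocabulary, but the
// propagation rules below are this example's own simplification.
enum class EdgeKind { Addr, Copy, Load, Store, Int2Ptr };
struct Edge { EdgeKind kind; int src; int dst; };

// Node ids for the issue's program (assumed numbering, not SVF's NodeIDs).
enum Node : int {
    BlackHole = 0,   // "unknown" object used as the source of int2ptr in the old model
    HeapObj   = 1,   // the object allocated by `new Test` in main
    TMain     = 2,   // `t` in main (pointer)
    IMain     = 3,   // `(uint64_t)t`, result of ptrtoint (1)
    PtrArg    = 4,   // `ptr` parameter of test
    TTest     = 5,   // `t` in test, result of inttoptr (2)
    XTest     = 6    // `x` in test, loaded through t
};

using PtsMap = std::map<int, std::set<int>>;

// Inclusion-based (Andersen-style) solver over the toy edges, iterated to a fixpoint.
static PtsMap solve(const std::vector<Edge>& edges, bool linkInt2Ptr) {
    PtsMap pts;
    bool changed = true;
    while (changed) {
        changed = false;
        auto add = [&](int dst, const std::set<int>& objs) {
            size_t before = pts[dst].size();
            pts[dst].insert(objs.begin(), objs.end());
            if (pts[dst].size() != before) changed = true;
        };
        for (const Edge& e : edges) {
            switch (e.kind) {
            case EdgeKind::Addr:                       // dst = &src
                add(e.dst, {e.src});
                break;
            case EdgeKind::Copy:                       // dst = src
                add(e.dst, std::set<int>(pts[e.src]));
                break;
            case EdgeKind::Load:                       // dst = *src
                for (int o : std::set<int>(pts[e.src])) add(e.dst, std::set<int>(pts[o]));
                break;
            case EdgeKind::Store:                      // *dst = src
                for (int o : std::set<int>(pts[e.dst])) add(o, std::set<int>(pts[e.src]));
                break;
            case EdgeKind::Int2Ptr:                    // dst = (T*)src
                if (linkInt2Ptr) add(e.dst, std::set<int>(pts[e.src])); // propagate like a copy
                else             add(e.dst, {BlackHole});               // old model: unknown source
                break;
            }
        }
    }
    return pts;
}

// The issue's program as toy edges. ptrtoint is kept as a Copy (as the issue
// notes SVF currently does); inttoptr is the edge whose handling is discussed.
static std::vector<Edge> issueProgram() {
    return {
        {EdgeKind::Addr,    HeapObj, TMain},   // auto t = new Test;          (main)
        {EdgeKind::Copy,    TMain,   IMain},   // (uint64_t)t    -> ptrtoint   (1)
        {EdgeKind::Copy,    IMain,   PtrArg},  // test(...)      -> argument passing
        {EdgeKind::Int2Ptr, PtrArg,  TTest},   // (Test *)ptr    -> inttoptr   (2)
        {EdgeKind::Load,    TTest,   XTest},   // auto x = t->a  -> load through t
    };
}

// Points-to set of `t` inside test(), i.e. the base of the load the issue wants to trace.
std::set<int> baseOfLoadInTest(bool linkInt2Ptr) {
    return solve(issueProgram(), linkInt2Ptr)[TTest];
}

int main() {
    bool linked = baseOfLoadInTest(true).count(HeapObj) == 1;
    bool lost   = baseOfLoadInTest(false).count(HeapObj) == 0;
    std::printf("Int2Ptr edge: load base reaches heap object = %d\n", linked);
    std::printf("null/blackhole source: load base reaches heap object = %d\n", !lost);
    return 0;
}
```

With `linkInt2Ptr == false` the only thing `t` in `test` can point to is BlackHole, which is exactly the "coming from a null" picture in the issue's screenshot; with the edge propagating, the load base reaches HeapObj and the Load/Store/Copy walk described in the first post can follow the pointer across the integer round trip. A real implementation would still have to decide what to do with integers that were never produced by ptrtoint (arithmetic on the integer in between, constants, values read from memory), which this toy model does not attempt.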

@karthikbhata97
Author

I see. Do you also recommend to change the edge type for the ptrtoint as well (currently a copy edge)?

Let me know your thoughts on the design/implementation for this change. I can try to take a shot at it.

@yuleisui
Collaborator

The int2ptr has been added to PAG and this is the patch to fix it. @karthikbhata97

@Achillesed

I found that int2ptr reports errors in wpa when using sparse flow-sensitive pointer analysis. Does it need an additional patch to fix it?

Command-line parameters:
wpa -fspta example.ll

Thanks for building and maintaining SVF!

@yuleisui
Collaborator

Yes, please try to submit a patch. I think the reason might be that the instruction was not added to the PAG.
