How to create a CDG with SVF? about svf HOT 25 CLOSED

liushengahn commented on July 23, 2024

How to create a CDG with SVF?

from svf.

Comments (25)

liushengahn commented on July 23, 2024 1

mjs.zip

from svf.

liushengahn commented on July 23, 2024 1

非常感谢你的帮助！素未谋面的BYR，祝你一切顺利！

from svf.

liushengahn commented on July 23, 2024

I want to be able to use it in the runOnModule function of an LLVM PASS.

from svf.

jumormt commented on July 23, 2024

Hello, I want to use SVF to create a Control Dependence Graph (CDG). I noticed there are relevant interfaces in the CDG.h/cpp and CDGBuilder.h/cpp files. Could you please advise me on how to use them? It seems that the constructor of CDGBuilder doesn't take any parameters. How should I proceed with its usage?
CDGBuilder CDGB;
CDGB.build();
I'm not sure if this is the correct way to use it.

That is correct assuming that the svfir and icfg have been built before this. This is because CDGBuilder uses the svfir (a global singleton) as the input (https://github.com/SVF-tools/SVF/blob/master/svf/lib/Util/CDGBuilder.cpp#L80).

from svf.

liushengahn commented on July 23, 2024

I found that after using CDGBuilder to create a CDG, there is no interface provided by CDGBuilder to access the constructed CDG because it is private. For now, I have temporarily modified it to be public.

    SVF::SVFModule* svfModule = SVF::LLVMModuleSet::buildSVFModule(M);
    SVF::SVFIRBuilder builder(svfModule);
    SVF::SVFIR* pag = builder.build();

    SVF::CDGBuilder CDGbuilder;
    CDGbuilder.build();
    SVF::CDG* cdg = CDGbuilder._controlDG;
    cdg->dump("cdg");

from svf.

liushengahn commented on July 23, 2024

Perhaps we can add a public function to access the CDG?

from svf.

jumormt commented on July 23, 2024

You can get CDG through https://github.com/SVF-tools/SVF/blob/master/svf/include/Graphs/CDG.h#L149.

from svf.

liushengahn commented on July 23, 2024

thx, I get it. 👍

from svf.

liushengahn commented on July 23, 2024

I used the SVF in AFLGo. I tried to build CDG in the following way, and it runs fine on my small example, but when I try to run another program, it doesn't work.

  SVF::SVFModule *svfModule = SVF::LLVMModuleSet::buildSVFModule(M);
  SVF::SVFIRBuilder builder(svfModule);
  SVF::PAG *pag = builder.build();
  SVF::ICFG *icfg = SVF::PAG::getPAG()->getICFG();
  SVF::CDGBuilder CDGbuilder;
  CDGbuilder.build();

Stack dump:
0.      Program arguments: /usr/local/bin/clang-11 -cc1 -triple x86_64-unknown-linux-gnu -emit-llvm-bc -flto -flto-unit -disable-free -disable-llvm-verifier -discard-value-names -main-file-name mjs.c -mrelocation-model static -mframe-pointer=all -fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -fno-split-dwarf-inlining -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -resource-dir /usr/local/lib/clang/11.0.0 -D MJS_MAIN -D __AFL_HAVE_MANUAL_CONTROL=1 -D __AFL_COMPILER=1 -D FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -D __AFL_LOOP(_A)=({ static volatile char *_B __attribute__((used));  _B = (char*)"##SIG_AFL_PERSISTENT##"; __attribute__((visibility("default"))) int _L(unsigned int) __asm__("__afl_persistent_loop"); _L(_A); }) -D __AFL_INIT()=do { static volatile char *_A __attribute__((used));  _A = (char*)"##SIG_AFL_DEFER_FORKSRV##"; __attribute__((visibility("default"))) void _I(void) __asm__("__afl_manual_init"); _I(); } while (0) -cxx-isystem /usr/local/include -cxx-isystem /usr/local/include -cxx-isystem . -internal-isystem /usr/local/include -internal-isystem /usr/local/lib/clang/11.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fdebug-compilation-dir /root/aflgo/examples/mjs-issues-78 -ferror-limit 19 -funroll-loops -fgnuc-version=4.2.1 -fcolor-diagnostics -load /root/aflgo//instrument/aflgo-pass.so -mllvm -targets=/root/aflgo/examples/mjs-issues-78/obj-aflgo/temp/BBtargets.txt -mllvm -outdir=/root/aflgo/examples/mjs-issues-78/obj-aflgo/temp -faddrsig -o /tmp/mjs-b27f08.o -x c mjs.c 
1.      <eof> parser at end of file
2.      Per-module optimization passes
3.      Running pass 'Unnamed pass: implement Pass::getPassName()' on module 'mjs.c'.
 #0 0x0000556d93f0f6ae llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/usr/local/bin/clang-11+0x1b976ae)
 #1 0x0000556d93f0d544 llvm::sys::RunSignalHandlers() (/usr/local/bin/clang-11+0x1b95544)
 #2 0x0000556d93f0d688 SignalHandler(int) (/usr/local/bin/clang-11+0x1b95688)
 #3 0x00007f3b68031420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
 #4 0x00007f3b67ace00b raise /build/glibc-wuryBv/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
 #5 0x00007f3b67aad859 abort /build/glibc-wuryBv/glibc-2.31/stdlib/abort.c:81:7
 #6 0x00007f3b67aad729 get_sysdep_segment_value /build/glibc-wuryBv/glibc-2.31/intl/loadmsgcat.c:509:8
 #7 0x00007f3b67aad729 _nl_load_domain /build/glibc-wuryBv/glibc-2.31/intl/loadmsgcat.c:970:34
 #8 0x00007f3b67abefd6 (/lib/x86_64-linux-gnu/libc.so.6+0x33fd6)
 #9 0x00007f3b6793fcef SVF::SVFLoopAndDomInfo::findNearestCommonPDominator(SVF::SVFBasicBlock const*, SVF::SVFBasicBlock const*) const (/root/SVF/Release-build/svf/libSvfCore.so+0x2d8cef)
#10 0x00007f3b6794af9b SVF::CDGBuilder::buildControlDependence(SVF::SVFModule const*) (/root/SVF/Release-build/svf/libSvfCore.so+0x2e3f9b)
#11 0x00007f3b6794b275 SVF::CDGBuilder::build() (/root/SVF/Release-build/svf/libSvfCore.so+0x2e4275)
#12 0x00007f3b67a4b128 (anonymous namespace)::AFLCoverage::runOnModule(llvm::Module&) /root/aflgo/instrument/aflgo-pass.so.cc:319:7
#13 0x0000556d938836d0 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/usr/local/bin/clang-11+0x150b6d0)
#14 0x0000556d941b20ad (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/usr/local/bin/clang-11+0x1e3a0ad)
#15 0x0000556d941b3ace clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/usr/local/bin/clang-11+0x1e3bace)
#16 0x0000556d94e297f1 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (/usr/local/bin/clang-11+0x2ab17f1)
#17 0x0000556d95b19619 clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/bin/clang-11+0x37a1619)
#18 0x0000556d947c3ac9 clang::FrontendAction::Execute() (/usr/local/bin/clang-11+0x244bac9)
#19 0x0000556d9477798b clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/bin/clang-11+0x23ff98b)
#20 0x0000556d94896200 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/usr/local/bin/clang-11+0x251e200)
#21 0x0000556d92e23687 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/local/bin/clang-11+0xaab687)
#22 0x0000556d92e2123b ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) (/usr/local/bin/clang-11+0xaa923b)
#23 0x0000556d92db35fe main (/usr/local/bin/clang-11+0xa3b5fe)
#24 0x00007f3b67aaf083 __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:342:3
#25 0x0000556d92e20dce _start (/usr/local/bin/clang-11+0xaa8dce)
clang-11: error: unable to execute command: Aborted (core dumped)
clang-11: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 11.0.0 (https://gitee.com/lsh-666/aflgo.git b1f8d483c4794bd199a57ec85fd8b3089855c45d)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
clang-11: note: diagnostic msg:

Do you know why? What should I do?
Thank you very much！

from svf.

jumormt commented on July 23, 2024

Can you attach the bitcode or a link to it?

from svf.

liushengahn commented on July 23, 2024

It indicates this error, what does it mean?

clang: /root/SVF/svf/lib/SVFIR/SVFValue.cpp:125: const SVF::SVFBasicBlock* SVF::SVFLoopAndDomInfo::findNearestCommonPDominator(const SVF::SVFBasicBlock*, const SVF::SVFBasicBlock*) const: Assertion `lvA != getBBPDomLevel().end() && lvB != getBBPDomLevel().end()' failed.

from svf.

jumormt commented on July 23, 2024

I mean attaching the bitcode you are analyzing. If it's too big, consider sending me through email or putting it on a link that I can access. Thanks.

from svf.

liushengahn commented on July 23, 2024

I'm using the examples from AFLGo, but none of them can run successfully.

git clone https://github.com/cesanta/mjs.git mjs-issues-57
cd mjs-issues-57; git checkout d6c06a6

git clone https://github.com/libming/libming.git libming-CVE-2018-8807
cd libming-CVE-2018-8807/; git checkout b72cc2f # version 0.4.8

from svf.

liushengahn commented on July 23, 2024

I picked two scripts as follows:

#!/bin/bash

set -euo pipefail

git clone https://github.com/cesanta/mjs.git mjs-issues-57
cd mjs-issues-57; git checkout d6c06a6
mkdir obj-aflgo; mkdir obj-aflgo/temp
export TMP_DIR=$PWD/obj-aflgo/temp
export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++
export LDFLAGS=-lpthread
export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
echo $'mjs.c:13732' > $TMP_DIR/BBtargets.txt
$CC -DMJS_MAIN mjs.c $ADDITIONAL -ldl -g -o mjs-bin
cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt
cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt
$AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR mjs-bin
$CC -DMJS_MAIN mjs.c -distance=$TMP_DIR/distance.cfg.txt -ldl -g -o mjs-bin
cd obj-aflgo; mkdir in; echo "" > in/in
$AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ../mjs-bin -f @@
mkdir out; for i in {1..10}; do timeout -sHUP 180m $AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o "out/out_$i" ../mjs-bin -f @@ > /dev/null 2>&1 & done

second

#!/bin/bash

set -euo pipefail

git clone https://github.com/libming/libming.git libming-CVE-2018-8807
cd libming-CVE-2018-8807/; git checkout b72cc2f # version 0.4.8
mkdir obj-aflgo; mkdir obj-aflgo/temp
export TMP_DIR=$PWD/obj-aflgo/temp
export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++
export LDFLAGS=-lpthread
export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
echo $'decompile.c:349' > $TMP_DIR/BBtargets.txt
./autogen.sh;
cd obj-aflgo; CFLAGS="-fcommon $ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --disable-shared --prefix=`pwd`
make clean; make
cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt
cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt
cd util; $AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR swftophp
cd -; CFLAGS="-fcommon -distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --disable-shared --prefix=`pwd`
make clean; make
mkdir in; wget -P in http://condor.depaul.edu/sjost/hci430/flash-examples/swf/bumble-bee1.swf
$AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ./util/swftophp @@

# For "-fcommon" in CFLAGS please see
#  - https://github.com/libming/libming/issues/55
#  - https://github.com/libming/libming/issues/199
#  - https://github.com/squaresLab/security-repair-benchmarks/issues/19

from svf.

liushengahn commented on July 23, 2024

I don't think they are very large. Thank you very much for your help.

from svf.

jumormt commented on July 23, 2024

Could you compile these programs using LLVM 16 and extract their bitcodes for debugging in SVF? With the current limited information, it's challenging to diagnose the issues.

from svf.

liushengahn commented on July 23, 2024

I'll try to compile it with llvm-16 for you, but for now, I can only use llvm-11 to build my SVF and AFLGO. I'm not sure if this is universal.

from svf.

liushengahn commented on July 23, 2024

The error occurs when building the CDG. There were no errors when using SVF in the AFLGO LLVM Pass without building the CDG.

from svf.

liushengahn commented on July 23, 2024

Could you compile these programs using LLVM 16 and extract their bitcodes for debugging in SVF? With the current limited information, it's challenging to diagnose the issues.

I compiled the test case using clang-16, the bc file, how should I send it to you? I used the svf based on llvm-16 build, it still fails, but the error seems to be different.

from svf.

jumormt commented on July 23, 2024

mjs.zip

This case works fine on my side. Can you try the latest SVF to see whether it fails?

from svf.

liushengahn commented on July 23, 2024

How did you create the CDG? Could you share a code snippet?
I also would like to use the latest version of SVF, but AFLGO only supports llvm-11.

mjs.zip

This case works fine on my side. Can you try the latest SVF to see whether it fails?

from svf.

jumormt commented on July 23, 2024

How did you create the CDG? Could you share a code snippet? I also would like to use the latest version of SVF, but AFLGO only supports llvm-11.

mjs.zip

This case works fine on my side. Can you try the latest SVF to see whether it fails?

SVF::SVFModule *svfModule = SVF::LLVMModuleSet::buildSVFModule(M);
SVF::SVFIRBuilder builder(svfModule);
SVF::PAG *pag = builder.build();
SVF::ICFG *icfg = SVF::PAG::getPAG()->getICFG();
SVF::CDGBuilder CDGbuilder;
CDGbuilder.build();

from svf.

jumormt commented on July 23, 2024

You can try SVF-2.9 which still uses non-opaque pointer. But I am not sure whether it can be built with LLVM version 11.

from svf.

liushengahn commented on July 23, 2024

By comparing the differences with the latest version of the code, I found that there was one update in the findNearestCommonPDominator function. I applied this patch, and now it works. Thank you so much for your help. Really appreciate it.
https://github.com/SVF-tools/SVF/commit/4ea1ba318a24401a935652f0e461dd3ffa3b08dd

SVF/svf/lib/SVFIR/SVFValue.cpp

Line 132 in cc81fe9

if(A == NULL) return NULL;

from svf.

jumormt commented on July 23, 2024

No worries. Glad to hear!

from svf.

How to create a CDG with SVF? about svf HOT 25 CLOSED

Comments (25)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent