SVF CPP API - SVF-tools/Software-Security-Analysis GitHub Wiki

SVFUtil

Members Meanings
SVF::SVFUtil::outs output stream similar to std::outs
SVF::SVFUtil::isa instance of a class
SVF::SVFUtil::cast casting from a parent class to a child class
SVF::SVFUtil::dyn_cast dynamic casting from a parent class to a child class, return null if not successful
SVF::SVFUtil::getSourceLoc give an LLVM value and return the source code line number & file name of a C/CPP file
SVF::SVFUtil::isCallSite return true if an LLVM instruction is a call instruction
SVF::SVFUtil::isIRFile return true if the file is a LLVM IR file

ICFGNode

Members Meanings
ICFGNode::toString return the content of this ICFGNode in the form of a string consisting of the nodeID, llvm instructions ...
SVF::ICFGNode::getSVFStmts return a list of program statements residing in this ICFGNode
SVF::CallICFGNode::getCallSite return the LLVM callsite
SVF::RetICFGNode::getCallSite return the LLVM callsite
SVF::CallICFGNode::getRetICFGNode Given a CallICFGNode, return its corresponding RetICFGNode
SVF::RetICFGNode::getActualRet Get the return variable (SVFVar) of this RetICFGNode
SVF::CallICFGNode::getActualParms Get all the actual parameters of this CallICFGNode

ICFGEdge

Members Meanings
SVF::ICFGEdge::isIntraCFGEdge return true if it is an intra-procedural edge
SVF::ICFGEdge::isCallCFGEdge return true if it is a call edge
SVF::ICFGEdge::isRetCFGEdge return true if it is a return edge
SVF::CallCFGEdge::getCallSite return its corresponding llvm call instruction
SVF::RetCFGEdge::getCallSite return its corresponding llvm call instruction

Worklist operations

Members Meanings
SVF::AndersenBase::isWorklistEmpty() return true if the worklist is empty
SVF::AndersenBase::popFromWorklist() return a node identifier from the worklist and remove it from the worklist
SVF::AndersenBase::pushIntoWorklist(NodeID id) push/add a node into worklist

Points-to set operations

The following operations can be used for every pointer analysis implementation (e.g., AndersenPTA)

A points-to set, denoted as pts(ptr), in SVF is a mapping from pointer ptr to a set containing objects that ptr points to. Note that both the ptr and the objects are referred to as identifiers (NodeID type)

Members Meanings
SVF::BVDataPTAImpl::addPts(NodeID ptr, NodeID obj) add obj into the points-to set of ptr; return true if the points-to set of ptr is changed
SVF::BVDataPTAImpl::unionPts(NodeID ptr1, NodeID ptr2) union the points-to set of ptr2 into that of ptr1; return true if the points-to set of ptr1 is changed after the union
SVF::BVDataPTAImpl::getPts(NodeID ptr) return the points-to set of ptr
SVF::PointerAnalysis::dumpPts(NodeID ptr, PointsTo pts) print out the points-to set of ptr

Alias Relations

Two pointers (SVFVars) are aliases if their points-to sets share common object(s) determined by points-to analysis (e.g., AndersenPTA)

Members Meanings
SVF::BVDataPTAImpl::alias(NodeID ptr1, NodeID ptr2) Return true if the two pointers ptr1 and ptr2 are aliases

ConstraintGraph, ConstraintNode and ConstraintEdge

Members Meanings
SVF::ConstraintGraph::getConstraintNode(Node Id) return the ConstraintNode* based on its identifier
SVF::ConstraintGraph::hasEdge(ConstraintNode* src, ConstraintNode* dst, ConstraintEdge::ConstraintEdgeK kind) return true if the edge exists on the constraint graph, e.g., hasEdge(src,dst,ConstraintEdge::Copy)
SVF::ConstraintNode::getAddrInEdges() return all the incoming address constraint edges (AddrCGEdge) of this node
SVF::ConstraintNode::getAddrOutEdges() return all the outgoing address constraint edges (AddrCGEdge) of this node
SVF::ConstraintNode::getStoreInEdges() return all the incoming store constraint edges (StoreCGEdge) of this node
SVF::ConstraintNode::getStoreOutEdges() return all the outgoing store constraint edges (StoreCGEdge) of this node
SVF::ConstraintNode::getLoadInEdges() return all the incoming load constraint edges (LoadCGEdge) of this node
SVF::ConstraintNode::getLoadOutEdges() return all the outgoing load constraint edges (LoadCGEdge) of this node
SVF::ConstraintNode::getCopyInEdges() return all the incoming copy constraint edges of this node
SVF::ConstraintNode::getCopyOutEdges() return all the outgoing copy constraint edges of this node
SVF::ConstraintNode::getGepInEdges() return all the incoming gep (field access) constraint edges of this node
SVF::ConstraintNode::getGepOutEdges() return all the outgoing gep (field access) constraint edges of this node
SVF::ConstraintEdge::getSrcID() return the source node id of this edge
SVF::ConstraintEdge::getDstID() return the target node id of this edge
SVF::ConstraintEdge::getSrcNode() return the source node of this edge
SVF::ConstraintEdge::getDstNode() return the target node of this edge
SVF::AndersenPTA::addCopyEdge(NodeID src, NodeID dst) add a copy constraint edge (CopyCGEdge) from a source to a target node; return true if added successfully
SVF::ConstraintGraph::addCopyCGEdge(NodeID src, NodeID dst) add a copy constraint edge (CopyCGEdge) from a source to a target node; return true if added successfully
SVF::NormalGepCGEdge a subclass of ConstraintEdge which represents the field access of a struct object (Note that SVF::VariantGEPEdge as a subclass of GepCGEdge is used to model pointer arithmetic for field access in C. You don't need to handle VariantGEP in this assignment/course.)
SVF::NormalGepCGEdge::getConstantFieldIdx() return the field idx when accessing a struct field
SVF::ConstraintGraph::getGepObjVar(fieldIdx) return the field object given a field index

SVF::ConstraintGraph

  • Iterate every constraint node on the graph

    For example,

     for (ConstraintGraph::const_iterator nodeIt = consCG->begin(), nodeEit = consCG->end();
      nodeIt != nodeEit; nodeIt++) {
     ConstraintNode *cgNode = nodeIt->second;
 }

SVF::ConstraintGraph::getGepObjVar

  • Given an object o and a NormalGepCGEdge gepEdge, we could get the field object fldObj via the following code sample.

    NodeID fldObj = consCG->getGepObjVar(o, gepEdge->getConstantFieldIdx());

SVF::SVFUtil::outs()

  • Output the content of a node on ICFG

    For example,

     ICFGNode *inode = ...;  // subclass object CallICFGNode : %call = call i32 (...) @source(),
 SVFUtil::outs() << *inode << "\n"
 SVFUtil::outs() << inode->toString() << "\n"

    The output is IntraICFGNode 21 : %call = call i32 (...) @source() using one of the following two:

SVF::SVFUtil::isa<>()

  • The isa<> operator works similar to Java's “instanceof” operator. It returns true or false depending on whether a reference or pointer points to an instance of the specified class.

    For example,

    ICFGNode* inode subclass object is CallICFGNode so that we can use the following to check whether inode is of typeCallICFGNode:

    if (SVFUtil::isa<CallICFGNode>(inode)) { ... }

SVFUtil::cast<>()

  • Casting a pointer or reference to an instance of a specified class. This casting fails and abort the program if the object or reference is not the specified class at runtime.

    For example,

    SVFUtil::cast<CallICFGNode>(inode)->getCallSite()

SVFUtil::dyn_cast<>()

  • The dyn_cast<> operator is a "checking cast" operation. It checks to see if the operand is of the specified type, and if so, returns a pointer to it (this operator does not work with references). If the operand is not of the correct type, a null pointer is returned. Thus, this works very much like the dynamic_cast<> operator in C++, and should be used in the same circumstances.

    For example,

    if (CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(inode)) {
// ...
}

    This form of dyn_cast<> is an effective combination of isa<> and cast<> as below:

    if (SVFUtil::isa<CallICFGNode>(inode)) { 
     CallICFGNode* callNode =  SVFUtil::cast<CallICFGNode>(inode);
}

std::string SVFUtil::getSourceLoc(const Value* val)

  • return line number & file name of the original C/CPP source code

    For example,

    Assuming an Instruction val is %call = call i32 (...) @sink() in line 6, and you can use SVFUtil::getSourceLoc(val) to navigate the instruction v's location in the source code. SVFVars may have a value (check with SVFVar::hasValue() and retrieve with SVFVar::getValue()).

bool SVF::SVFUtil::isIRFile(const std::string &filename)

  • return true if a file is a LLVM IR file

inline const SVFStmtList& getSVFStmts() const

  • return the corresponding SVFStmtList of this ICFGNode,

    typedef std::list<const SVFStmt*> SVFStmtList;

    For example,

    Assuming that an ICFGNode* v (%0 = load i32, i32* %a, align 4), to collect all its SVFStmts, SVFStmtList stmts = v->getSVFStmts()

ICFGNode::toString()

  • return the content of this ICFGNode in the form of a string consisting of the nodeID, llvm instructions and its containing function

    Output Sample: NodeID: 15\nIntraICFGNode ID: 15 store i32 1, i32* %a, align 4 \{fun: main\}}

inline const Instruction* CallICFGNode::getCallSite() const

  • return the LLVM call instruction

    For example,

    Assuming that CallICFGNode* v is %call = call i32 (...) @sink(), you can use v->getCallSite() to fetch its LLVM call instruction.

inline const Instruction* RetICFGNode::getCallSite() const

  • return the LLVM call instruction, similar as that of CallICFGNode.

inline const Instruction* RetCFGEdge::getCallSite

  • return its corresponding llvm call instruction
⚠️ **GitHub.com Fallback** ⚠️