Add one more test for Assign-3 and add handleMemcpy in Python

update ass3

Author: yuleisui

Assignment-3/Python/Assignment_3_Helper.py

@@ -261,107 +261,36 @@ def updateGepObjOffsetFromBase(self, abstractState: pysvf.AbstractState, gepAddr
                         raise AssertionError("gepRhsObjVar has no gepObjOffsetFromBase")
 
 
-    def getStrlen(self, abstractState, strValue):
+    def handleMemcpy(self, abstractState: pysvf.AbstractState, dst: pysvf.SVFVar, src: pysvf.SVFVar, len: pysvf.IntervalValue, start_idx: int):
         """
-        Calculate the length of a string in the abstract state.
-
-        :param abstractState: The abstract state containing variable information.
-        :param strValue: The SVF variable representing the string.
-        :return: An IntervalValue representing the string length.
+        Handle a memcpy operation in the abstract state.
         """
-        value_id = strValue.getId()
-        dst_size = 0
-        max_limit = 10000  # Prevent infinite or corrupted symbolic memory
-
-        # Determine the size of the destination object
-        for addr in abstractState[value_id].getAddrs():
-            obj_id = abstractState.getIDFromAddr(addr)
-
-            try:
-                base_object = self.svfir.getBaseObject(obj_id)
-            except Exception as e:
-                print(f"[warn] failed to get base object for obj_id {obj_id}: {e}")
-                continue
-
-            if not base_object:
-                continue
-
-            if base_object.isConstantByteSize():
-                dst_size = base_object.getByteSizeOfObj()
-            else:
-                icfg_node = base_object.getICFGNode()
-                for stmt in icfg_node.getSVFStmts():
-                    if isinstance(stmt, pysvf.AddrStmt):
-                        try:
-                            dst_size = abstractState.getAllocaInstByteSize(stmt)
-                            break
-                        except Exception as e:
-                            print(f"[warn] failed to get alloca size: {e}")
-                            continue
-
-            # If we've determined a reasonable size, stop
-            if dst_size > 0:
-                break
-
-        # Safety cap
-        if dst_size == 0 or dst_size > max_limit:
-            dst_size = max_limit
-
-        length = 0
-        elem_size = 1
-
-        # Calculate string length
-        if abstractState.isAddr(value_id):
-            for index in range(dst_size):
-                try:
-                    expr0 = abstractState.getGepObjAddrs(value_id, pysvf.IntervalValue(index))
-                except Exception as e:
-                    print(f"[warn] getGepObjAddrs failed at index {index}: {e}")
-                    break
-
-                val = pysvf.AbstractValue()
-
-                for addr in expr0:
-                    try:
-                        val.join_with(abstractState.load(addr))
-                    except Exception as e:
-                        print(f"[warn] load from addr {addr} failed: {e}")
-                        continue
-
-                iv = val.getInterval()
-                if iv.isInterval():
-                    try:
-                        if chr(iv.getIntNumeral()) == '\0':
-                            break
-                    except:
-                        break
-                length += 1
-
-            # Determine element size
-            try:
-                ty = strValue.getType()
-                if ty.isArrayTy():
-                    elem_size = ty.getTypeOfElement().getByteSize()
-                elif ty.isPointerTy():
-                    elem_type = abstractState.getPointeeElement(value_id)
-                    if elem_type:
-                        if elem_type.isArrayTy():
-                            elem_size = elem_type.getTypeOfElement().getByteSize()
-                        else:
-                            elem_size = elem_type.getByteSize()
-                    else:
-                        elem_size = 1
+        dstId = dst.getId()
+        srcId = src.getId()
+        elemSize = 1
+        if isinstance(dst, pysvf.ValVar):
+            if dst.getType().isArrayTy():
+                elemSize = dst.getType().getTypeOfElement().getByteSize()
+            elif dst.getType().isPointerTy():
+                elemType = abstractState.getPointeeElement(dstId)
+                if elemType.isArrayTy():
+                    elemSize = elemType.getTypeOfElement().getByteSize()
                 else:
-                    raise AssertionError("Unsupported type")
-            except Exception as e:
-                print(f"[warn] failed to get element size: {e}")
-                elem_size = 1
-
-        # Return as IntervalValue
-        if length == 0:
-            return pysvf.IntervalValue(0, pysvf.Options.max_field_limit())
-        else:
-            return pysvf.IntervalValue(length * elem_size)
+                    elemSize = elemType.getByteSize()
+            else:
+                raise AssertionError("Unsupported type")
+        size = len.lb().getNumeral()
+        range_val = size/elemSize
+        if abstractState.inVarToAddrsTable(dstId) and abstractState.inVarToAddrsTable(srcId):
+            for index in range(0, int(range_val)):
+                expr_src = abstractState.getGepObjAddrs(srcId, pysvf.IntervalValue(index))
+                expr_dst = abstractState.getGepObjAddrs(dstId, pysvf.IntervalValue(index + start_idx))
+                for addr_src in expr_src:
+                    for addr_dst in expr_dst:
+                        objId = abstractState.getIDFromAddr(addr_src)
+                        if objId in abstractState.getLocToVal():
+                            lhs = abstractState.load(addr_src)
+                            abstractState.store(addr_dst, lhs)
 
 
     def getStrlen(self, abstractState, strValue):
@@ -1151,4 +1080,3 @@ def getAccessOffset(self, objId: int, gep: pysvf.GepStmt) -> pysvf.IntervalValue
         else:
             assert isinstance(obj, pysvf.DummyObjVar), "What other types of object?"
             return pysvf.IntervalValue.top()
-        

Assignment-3/Tests/buf/test6.c

@@ -0,0 +1,15 @@
+#include <stdbool.h>
+void mem_insert(void *buffer, const void *data, int data_size, int position);
+extern void OVERFLOW(void* data, int size);
+extern void svf_assert(bool condition);
+int main() {
+	char buffer[10] = {0};
+	mem_insert(buffer, "abcdef", 3, 5);
+    svf_assert(buffer[3] == 'a');
+    svf_assert(buffer[4] == 'b');
+    svf_assert(buffer[5] == 'c');
+    svf_assert(buffer[6] == 'd');
+    svf_assert(buffer[7] == 'e');
+    svf_assert(buffer[8] != 'f');
+    return 0;
+}

Assignment-3/Tests/buf/test6.ll

@@ -0,0 +1,114 @@
+; ModuleID = './test14.ll'
+source_filename = "test14.c"
+target datalayout = "e-m:o-i64:64-i128:128-n32:64-S128"
+target triple = "arm64-apple-macosx14.0.0"
+
+@.str = private unnamed_addr constant [7 x i8] c"abcdef\00", align 1, !dbg !0
+
+; Function Attrs: noinline nounwind ssp uwtable(sync)
+define i32 @main() #0 !dbg !16 {
+entry:
+  %buffer = alloca [10 x i8], align 1
+  call void @llvm.dbg.declare(metadata ptr %buffer, metadata !21, metadata !DIExpression()), !dbg !25
+  call void @llvm.memset.p0.i64(ptr align 1 %buffer, i8 0, i64 10, i1 false), !dbg !25
+  %arraydecay = getelementptr inbounds [10 x i8], ptr %buffer, i64 0, i64 0, !dbg !26
+  call void @mem_insert(ptr noundef %arraydecay, ptr noundef @.str, i32 noundef 3, i32 noundef 5), !dbg !27
+  %arrayidx = getelementptr inbounds [10 x i8], ptr %buffer, i64 0, i64 3, !dbg !28
+  %0 = load i8, ptr %arrayidx, align 1, !dbg !28
+  %conv = sext i8 %0 to i32, !dbg !28
+  %cmp = icmp eq i32 %conv, 97, !dbg !29
+  call void @svf_assert(i1 noundef zeroext %cmp), !dbg !30
+  %arrayidx2 = getelementptr inbounds [10 x i8], ptr %buffer, i64 0, i64 4, !dbg !31
+  %1 = load i8, ptr %arrayidx2, align 1, !dbg !31
+  %conv3 = sext i8 %1 to i32, !dbg !31
+  %cmp4 = icmp eq i32 %conv3, 98, !dbg !32
+  call void @svf_assert(i1 noundef zeroext %cmp4), !dbg !33
+  %arrayidx6 = getelementptr inbounds [10 x i8], ptr %buffer, i64 0, i64 5, !dbg !34
+  %2 = load i8, ptr %arrayidx6, align 1, !dbg !34
+  %conv7 = sext i8 %2 to i32, !dbg !34
+  %cmp8 = icmp eq i32 %conv7, 99, !dbg !35
+  call void @svf_assert(i1 noundef zeroext %cmp8), !dbg !36
+  %arrayidx10 = getelementptr inbounds [10 x i8], ptr %buffer, i64 0, i64 6, !dbg !37
+  %3 = load i8, ptr %arrayidx10, align 1, !dbg !37
+  %conv11 = sext i8 %3 to i32, !dbg !37
+  %cmp12 = icmp eq i32 %conv11, 100, !dbg !38
+  call void @svf_assert(i1 noundef zeroext %cmp12), !dbg !39
+  %arrayidx14 = getelementptr inbounds [10 x i8], ptr %buffer, i64 0, i64 7, !dbg !40
+  %4 = load i8, ptr %arrayidx14, align 1, !dbg !40
+  %conv15 = sext i8 %4 to i32, !dbg !40
+  %cmp16 = icmp eq i32 %conv15, 101, !dbg !41
+  call void @svf_assert(i1 noundef zeroext %cmp16), !dbg !42
+  %arrayidx18 = getelementptr inbounds [10 x i8], ptr %buffer, i64 0, i64 8, !dbg !43
+  %5 = load i8, ptr %arrayidx18, align 1, !dbg !43
+  %conv19 = sext i8 %5 to i32, !dbg !43
+  %cmp20 = icmp ne i32 %conv19, 102, !dbg !44
+  call void @svf_assert(i1 noundef zeroext %cmp20), !dbg !45
+  ret i32 0, !dbg !46
+}
+
+; Function Attrs: nocallback nofree nosync nounwind speculatable willreturn memory(none)
+declare void @llvm.dbg.declare(metadata, metadata, metadata) #1
+
+; Function Attrs: nocallback nofree nounwind willreturn memory(argmem: write)
+declare void @llvm.memset.p0.i64(ptr nocapture writeonly, i8, i64, i1 immarg) #2
+
+declare void @mem_insert(ptr noundef, ptr noundef, i32 noundef, i32 noundef) #3
+
+declare void @svf_assert(i1 noundef zeroext) #3
+
+attributes #0 = { noinline nounwind ssp uwtable(sync) "frame-pointer"="non-leaf" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="apple-m1" "target-features"="+aes,+crc,+crypto,+dotprod,+fp-armv8,+fp16fml,+fullfp16,+lse,+neon,+ras,+rcpc,+rdm,+sha2,+sha3,+sm4,+v8.1a,+v8.2a,+v8.3a,+v8.4a,+v8.5a,+v8a,+zcm,+zcz" }
+attributes #1 = { nocallback nofree nosync nounwind speculatable willreturn memory(none) }
+attributes #2 = { nocallback nofree nounwind willreturn memory(argmem: write) }
+attributes #3 = { "frame-pointer"="non-leaf" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="apple-m1" "target-features"="+aes,+crc,+crypto,+dotprod,+fp-armv8,+fp16fml,+fullfp16,+lse,+neon,+ras,+rcpc,+rdm,+sha2,+sha3,+sm4,+v8.1a,+v8.2a,+v8.3a,+v8.4a,+v8.5a,+v8a,+zcm,+zcz" }
+
+!llvm.dbg.cu = !{!7}
+!llvm.module.flags = !{!9, !10, !11, !12, !13, !14}
+!llvm.ident = !{!15}
+
+!0 = !DIGlobalVariableExpression(var: !1, expr: !DIExpression())
+!1 = distinct !DIGlobalVariable(scope: null, file: !2, line: 7, type: !3, isLocal: true, isDefinition: true)
+!2 = !DIFile(filename: "test14.c", directory: "/Users/z5489735/2023/0718/Software-Security-Analysis/Assignment-3/Tests/buf")
+!3 = !DICompositeType(tag: DW_TAG_array_type, baseType: !4, size: 56, elements: !5)
+!4 = !DIBasicType(name: "char", size: 8, encoding: DW_ATE_signed_char)
+!5 = !{!6}
+!6 = !DISubrange(count: 7)
+!7 = distinct !DICompileUnit(language: DW_LANG_C11, file: !2, producer: "Homebrew clang version 16.0.6", isOptimized: false, runtimeVersion: 0, emissionKind: FullDebug, globals: !8, splitDebugInlining: false, nameTableKind: None, sysroot: "/Library/Developer/CommandLineTools/SDKs/MacOSX14.sdk", sdk: "MacOSX14.sdk")
+!8 = !{!0}
+!9 = !{i32 7, !"Dwarf Version", i32 4}
+!10 = !{i32 2, !"Debug Info Version", i32 3}
+!11 = !{i32 1, !"wchar_size", i32 4}
+!12 = !{i32 8, !"PIC Level", i32 2}
+!13 = !{i32 7, !"uwtable", i32 1}
+!14 = !{i32 7, !"frame-pointer", i32 1}
+!15 = !{!"Homebrew clang version 16.0.6"}
+!16 = distinct !DISubprogram(name: "main", scope: !2, file: !2, line: 5, type: !17, scopeLine: 5, spFlags: DISPFlagDefinition, unit: !7, retainedNodes: !20)
+!17 = !DISubroutineType(types: !18)
+!18 = !{!19}
+!19 = !DIBasicType(name: "int", size: 32, encoding: DW_ATE_signed)
+!20 = !{}
+!21 = !DILocalVariable(name: "buffer", scope: !16, file: !2, line: 6, type: !22)
+!22 = !DICompositeType(tag: DW_TAG_array_type, baseType: !4, size: 80, elements: !23)
+!23 = !{!24}
+!24 = !DISubrange(count: 10)
+!25 = !DILocation(line: 6, column: 7, scope: !16)
+!26 = !DILocation(line: 7, column: 13, scope: !16)
+!27 = !DILocation(line: 7, column: 2, scope: !16)
+!28 = !DILocation(line: 8, column: 16, scope: !16)
+!29 = !DILocation(line: 8, column: 26, scope: !16)
+!30 = !DILocation(line: 8, column: 5, scope: !16)
+!31 = !DILocation(line: 9, column: 16, scope: !16)
+!32 = !DILocation(line: 9, column: 26, scope: !16)
+!33 = !DILocation(line: 9, column: 5, scope: !16)
+!34 = !DILocation(line: 10, column: 16, scope: !16)
+!35 = !DILocation(line: 10, column: 26, scope: !16)
+!36 = !DILocation(line: 10, column: 5, scope: !16)
+!37 = !DILocation(line: 11, column: 16, scope: !16)
+!38 = !DILocation(line: 11, column: 26, scope: !16)
+!39 = !DILocation(line: 11, column: 5, scope: !16)
+!40 = !DILocation(line: 12, column: 16, scope: !16)
+!41 = !DILocation(line: 12, column: 26, scope: !16)
+!42 = !DILocation(line: 12, column: 5, scope: !16)
+!43 = !DILocation(line: 13, column: 16, scope: !16)
+!44 = !DILocation(line: 13, column: 26, scope: !16)
+!45 = !DILocation(line: 13, column: 5, scope: !16)
+!46 = !DILocation(line: 14, column: 5, scope: !16)