
Getting StmtVFGNode from FormalParmVFGNode nodes for value flow in function arguments

Open Qcloud1223 opened this issue 2 years ago • 3 comments

Hi, I've had some hands-on experience with SVF and really appreciate your great work. Like many others who use SVF, I want to track the value flow of certain variables, or perform taint analysis.

Things went well for global variables; I can finish it via the following steps (please kindly correct me if something is wrong):

  1. Get PAGNode for this variable
  2. Get its VFGNode via getDefSVFGNode
  3. Starting from this VFGNode, perform a VFG walkthrough
  4. Mark any attempts that touch getRevPts of this PAGNode

However, such a method does not apply to function arguments:

  • getRevPts of PAGNode of type SVFArg is empty
  • getDefSVFGNode returns a FormalParmVFGNode, which does not correspond to any statement node.

My question is, is there any way to find the StmtVFGNode corresponding to a FormalParmVFGNode, such that I can again perform a VFG walkthrough, and find the actual "object" this node is pointing to?

Thank you very much!

Qcloud1223, Nov 22 '23 15:11

Why not traverse forward or back from the FormalParmVFGNode?

yuleisui, Nov 22 '23 21:11

Thanks for your reply!

I thought of that, and by inspecting the VFG I found FormalParmVFGNode always has one inbound edge from ActualParmVFGNode. I did not do this because I did not know if this holds all the time.

Is it correct to assume that FormalParmVFGNode has only one inbound node and that node has type ActualParmVFGNode?

Qcloud1223, Nov 23 '23 02:11

It may have multiple incoming nodes which are ActualParmNode and also no incoming nodes if the callee function is not being called.

yuleisui, Nov 23 '23 04:11
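The backward traversal suggested in the replies, as an added example that is not part of the thread and does not use SVF's API: a worklist walk from a formal-parameter node over a simplified stand-in graph, covering both cases from the last reply (several incoming actual-parameter nodes, and none when the callee is never called). `Kind`, `Node`, `Graph`, `Origins`, `traceBack` and the sample graph are hypothetical names constructed for illustration.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Simplified stand-in for a value-flow graph; hypothetical types, NOT SVF's API.
enum class Kind { Addr, Copy, ActualParm, FormalParm };
struct Node {
    Kind kind;
    std::string label;    // statement text, parameter name, or object name
    std::vector<int> in;  // ids of predecessor nodes (incoming value-flow edges)
};
using Graph = std::map<int, Node>;

struct Origins {
    std::set<std::string> objects;  // labels of address-taken nodes reached
    bool uncalled = false;          // a formal parameter had no incoming edge
};

// Backward worklist from `start`. Every incoming edge is followed, so a formal
// parameter fed by several call sites yields the union of their origins.
Origins traceBack(const Graph& g, int start) {
    Origins out;
    std::set<int> seen{start};      // guards against cycles in the graph
    std::vector<int> work{start};
    while (!work.empty()) {
        int id = work.back();
        work.pop_back();
        const Node& n = g.at(id);
        if (n.kind == Kind::Addr) { out.objects.insert(n.label); continue; }
        if (n.kind == Kind::FormalParm && n.in.empty()) out.uncalled = true;
        for (int p : n.in)
            if (seen.insert(p).second) work.push_back(p);
    }
    return out;
}

// Constructed sample: f(p) is called as f(t) with t = &a, and as f(&b); g(q) is never called.
Graph sampleGraph() {
    return {
        {0, {Kind::Addr, "a", {}}},
        {1, {Kind::Addr, "b", {}}},
        {2, {Kind::Copy, "t = &a", {0}}},
        {3, {Kind::ActualParm, "f(t)", {2}}},
        {4, {Kind::ActualParm, "f(&b)", {1}}},
        {5, {Kind::FormalParm, "f::p", {3, 4}}},
        {6, {Kind::FormalParm, "g::q", {}}},
    };
}
```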