Load to Source GEP offset using SVF
Hi, I'll preface this question with an apology for any silly questions - I'm not a compiler guy and my knowledge in this area is limited, so thank you for the patience and help.
I was wondering if you had any pointers on how we could use SVF to get the malloc call source for a load instruction and subsequently get the net offset that load instruction is loading from relative to the source allocation, because there could be multiple casts and GEP instructions in between the call and the load.
Intuitively this seemed simple enough at first - just traverse the LLVM Value defs from the target load inst and check if each instruction isa Cast or GEP and add the offsets if it is GEP, but we were wondering if there are other gotchas or issues not addressable with this naive method which SVF would help solve.
Something similar to simplifying the entire chain to a single GEP offset from that load to the malloc call instruction.
Can you provide a case for your purpose?
From my understanding, you can use points-to results of a pointer at a load instruction, then you can obtain the offset of each ObjectPN in that points-to set.
Thanks for the quick reply! I'm not sure if this is a good example, but off the top of my head, a very simple case:
#include <stdlib.h>

struct Two {
    void *target;
};

struct One {
    int a;
    int b;
    struct Two inside;
};

int main(void) {
    struct One *strptr = (struct One *)malloc(sizeof(struct One));
    /* We want to find the offset of target relative to the original malloc call */
    strptr->inside.target = (void *)0xdeadbeef;
    return 0;
}
The end goal of this is we wish to get any load instruction matching a certain criteria and tag the malloc call + offset which it's loading from to perform some instrumentation on the malloc call.
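As an added illustration (not code from the thread or from SVF), here is the naive def-chain walk from the first post modelled on a tiny hypothetical IR: the walk folds casts and constant GEPs into one net byte offset back to the allocation, and gives up on the cases where this method cannot decide (a variable-index GEP, or a phi/select merging several pointers). The offsets are taken from the struct layout in the example above; the node types are invented for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an LLVM def chain: every node records the
 * pointer value it was derived from. Not SVF or LLVM API. */
enum Kind { ALLOC, CAST, GEP_CONST, GEP_VAR, PHI, LOAD };
struct Node {
    enum Kind kind;
    const struct Node *src;   /* pointer operand, NULL for ALLOC */
    long off;                 /* byte offset, used only by GEP_CONST */
};

/* Walk pointer operands backwards from a load, summing constant GEP offsets.
 * Returns the allocation node and writes the net offset, or returns NULL when
 * the chain hits something the naive walk cannot fold (variable index, phi). */
const struct Node *resolve_source(const struct Node *n, long *net_off) {
    long off = 0;
    while (n && n->kind != ALLOC) {
        switch (n->kind) {
        case CAST: case LOAD: break;      /* casts and the load add no offset */
        case GEP_CONST: off += n->off; break;
        default: return NULL;             /* GEP_VAR, PHI: not resolvable here */
        }
        n = n->src;
    }
    if (n) *net_off = off;
    return n;
}

struct Two { void *target; };
struct One { int a; int b; struct Two inside; };

/* Constructed chain for strptr->inside.target: malloc -> cast -> GEP -> GEP -> load */
static const struct Node m  = { ALLOC, NULL, 0 };
static const struct Node c  = { CAST, &m, 0 };
static const struct Node g1 = { GEP_CONST, &c, offsetof(struct One, inside) };
static const struct Node g2 = { GEP_CONST, &g1, offsetof(struct Two, target) };
static const struct Node ld = { LOAD, &g2, 0 };

/* Constructed gotcha: the same base reached through a variable-index GEP */
static const struct Node gv  = { GEP_VAR, &c, 0 };
static const struct Node ldv = { LOAD, &gv, 0 };

long example_offset(void) {
    long off = -1;
    return resolve_source(&ld, &off) == &m ? off : -1;   /* 8 */
}
int example_unresolved(void) { long off; return resolve_source(&ldv, &off) == NULL; }

int main(void) { printf("net offset from malloc: %ld\n", example_offset()); return 0; }
```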