GaloisInc/cclyzerpp

bug: Callgraph changed in test program

langston-barrett opened this issue · 5 comments

Recent changes introduced a bug. In particular, the callgraph for this program is different between the initial commit (e224763) and a later one (d96ff8d) even though no functional changes have been introduced during this time.

C program
/*
MIT License

Copyright (c) 2019 yuawn

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Put stdout, stdin and stderr into the same buffering mode.
 *
 * Each setvbuf() call passes a null buffer, mode 2 and size 0. On glibc the
 * value 2 is _IONBF (unbuffered); NOTE(review): the named constant would be
 * the portable spelling. The return values are ignored.
 */
void init() {
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
}

/*
 * Read a decimal integer from file descriptor 0.
 *
 * Up to 0xf bytes are read into a 0x10-byte stack buffer through
 * __read_chk(), whose last argument is the size of the destination, and the
 * buffer is then converted with atoi().
 *
 * Returns whatever atoi() produces for the buffer contents.
 *
 * NOTE(review): the byte count returned by __read_chk() is discarded and no
 * terminator is written, so atoi() can run into indeterminate stack bytes
 * after the input. atoi() reports no errors and accepts a leading minus
 * sign, so callers can receive zero or a negative value.
 */
int read_int() {
  char buf[0x10];
  /* NOTE(review): no declaration of __read_chk() is visible among the
     includes shown. */
  __read_chk(0, buf, 0xf, 0x10);
  return atoi(buf);
}

/* Print the greeting line; main() stores this function in MessageBox.welcome. */
void welcome_func() { puts("Hello ~~~"); }

/* Print the farewell line; main() stores this function in MessageBox.bye. */
void bye_func() { puts("Bye ~~~"); }

/*
 * Print the three-line menu prompt.
 *
 * Nothing in this listing calls menu().
 */
void menu() {
  puts("1. add a box");
  puts("2. exit");
  puts(">");
}

/*
 * Pair of callbacks invoked through a heap object in main().
 *
 * Both members are function pointers declared without a parameter list, so
 * the compiler does not check arguments at the call sites.
 */
struct MessageBox {
  void (*welcome)(); /* called once, right after the object is set up */
  void (*bye)();     /* called once, at the end of main() */
};

/*
 * Run "sh" through system().
 *
 * Nothing in this listing calls this function or stores its address.
 * NOTE(review): a shell-spawning routine left in the binary raises the impact
 * of any memory-safety defect elsewhere in the program; presumably part of
 * the deliberate test scenario.
 */
void backdoor() { system("sh"); }

/*
 * Test driver: greet through a heap-allocated MessageBox, echo three
 * user-supplied messages, then say goodbye through the same MessageBox.
 *
 * Returns 0.
 *
 * NOTE(review): msgbox is freed right after the greeting and is dereferenced
 * again for the final bye() call, so that call goes through a dangling
 * pointer (use-after-free). Presumably deliberate in this test input; in
 * production code the free() belongs after the last use and the pointer
 * should be cleared.
 */
int main() {

  init();

  /* NOTE(review): the malloc() result is not checked before the stores below. */
  struct MessageBox *msgbox =
      (struct MessageBox *)malloc(sizeof(struct MessageBox));

  msgbox->welcome = welcome_func;
  msgbox->bye = bye_func;

  msgbox->welcome();
  /* The object is released here; the pointer is neither cleared nor
     reassigned anywhere below. */
  free(msgbox);

  int n = 3, size;
  char *msg;

  /* Runs three times: n is tested as 3, 2, 1 before the test sees 0. */
  while (n--) {
    printf("Size of your message: ");
    /* The size comes straight from input with no range check, so zero or a
       negative value reaches malloc() and read(). */
    size = read_int();

    /* NOTE(review): the result is not checked for NULL. */
    msg = (char *)malloc(size);

    printf("Message: ");
    /* read() stores raw bytes without a terminator and its return value is
       ignored. NOTE(review): no declaration of read() is visible among the
       includes shown (normally <unistd.h>). */
    read(0, msg, size);

    /* NOTE(review): %s needs a NUL-terminated string, which the read() above
       does not guarantee. */
    printf("Saved message: %s\n", msg);

    free(msg);
  }

  /* Indirect call through the pointer that was freed before the loop. */
  msgbox->bye();

  return 0;
}

The issue is present in 63793e6; it is not yet present in 6a18607.

It is not yet present in 8da3c20 nor 60d2059, so it must have been introduced in 63793e6.

Full diff
[WARN] No relation at 60d2059/_landingpad_instruction_filter_clause.csv.gz
63793e6/indirect_call_or_invoke_instruction.csv differs from 60d2059/indirect_call_or_invoke_instruction.csv
--- 63793e6/indirect_call_or_invoke_instruction.csv	2022-10-12 20:56:56.826387002 +0000
+++ 60d2059/indirect_call_or_invoke_instruction.csv	2022-10-12 20:48:22.411161272 +0000
@@ -1,3 +1 @@
-<ntu-uaf.c>:main:17
 <ntu-uaf.c>:main:23
-<ntu-uaf.c>:read_int:3
63793e6/alloc_context.csv differs from 60d2059/alloc_context.csv
--- 63793e6/alloc_context.csv	2022-10-12 20:56:56.808387006 +0000
+++ 60d2059/alloc_context.csv	2022-10-12 20:48:22.396161252 +0000
@@ -9,12 +9,10 @@
 [<ntu-uaf.c>:main:12, nil]
 [<ntu-uaf.c>:main:15, nil]
 [<ntu-uaf.c>:main:16, nil]
-[<ntu-uaf.c>:main:17, nil]
 [<ntu-uaf.c>:main:18, nil]
 [<ntu-uaf.c>:main:19, nil]
 [<ntu-uaf.c>:main:8, nil]
 [<ntu-uaf.c>:read_int:2, nil]
-[<ntu-uaf.c>:read_int:3, nil]
 [<ntu-uaf.c>:read_int:5, nil]
 [<ntu-uaf.c>:welcome_func:0, nil]
 nil
63793e6/subset.callgraph.callgraph_edge.csv differs from 60d2059/subset.callgraph.callgraph_edge.csv
--- 63793e6/subset.callgraph.callgraph_edge.csv	2022-10-12 20:56:56.835387000 +0000
+++ 60d2059/subset.callgraph.callgraph_edge.csv	2022-10-12 20:48:22.420161285 +0000
@@ -1,3 +1,4 @@
+[<<main-context>>, nil]	<ntu-uaf.c>:read	[<<main-context>>, nil]	<ntu-uaf.c>:main:17
 [<ntu-uaf.c>:bye_func:0, nil]	<ntu-uaf.c>:puts	nil	<ntu-uaf.c>:bye_func:0
 [<ntu-uaf.c>:init:1, nil]	<ntu-uaf.c>:setvbuf	nil	<ntu-uaf.c>:init:1
 [<ntu-uaf.c>:init:3, nil]	<ntu-uaf.c>:setvbuf	nil	<ntu-uaf.c>:init:3
@@ -6,14 +7,13 @@
 [<ntu-uaf.c>:main:12, nil]	<ntu-uaf.c>:printf	[<<main-context>>, nil]	<ntu-uaf.c>:main:12
 [<ntu-uaf.c>:main:15, nil]	<ntu-uaf.c>:malloc	[<<main-context>>, nil]	<ntu-uaf.c>:main:15
 [<ntu-uaf.c>:main:16, nil]	<ntu-uaf.c>:printf	[<<main-context>>, nil]	<ntu-uaf.c>:main:16
-[<ntu-uaf.c>:main:17, nil]	<ntu-uaf.c>:read	[<<main-context>>, nil]	<ntu-uaf.c>:main:17
 [<ntu-uaf.c>:main:18, nil]	<ntu-uaf.c>:printf	[<<main-context>>, nil]	<ntu-uaf.c>:main:18
 [<ntu-uaf.c>:main:19, nil]	<ntu-uaf.c>:free	[<<main-context>>, nil]	<ntu-uaf.c>:main:19
 [<ntu-uaf.c>:main:8, nil]	<ntu-uaf.c>:free	[<<main-context>>, nil]	<ntu-uaf.c>:main:8
 [<ntu-uaf.c>:read_int:2, nil]	<ntu-uaf.c>:llvm.lifetime.start.p0i8	nil	<ntu-uaf.c>:read_int:2
-[<ntu-uaf.c>:read_int:3, nil]	<ntu-uaf.c>:__read_chk	nil	<ntu-uaf.c>:read_int:3
 [<ntu-uaf.c>:read_int:5, nil]	<ntu-uaf.c>:llvm.lifetime.end.p0i8	nil	<ntu-uaf.c>:read_int:5
 [<ntu-uaf.c>:welcome_func:0, nil]	<ntu-uaf.c>:puts	nil	<ntu-uaf.c>:welcome_func:0
+nil	<ntu-uaf.c>:__read_chk	nil	<ntu-uaf.c>:read_int:3
 nil	<ntu-uaf.c>:atoi	nil	<ntu-uaf.c>:read_int:4
 nil	<ntu-uaf.c>:bye_func	[<<main-context>>, nil]	<ntu-uaf.c>:main:23
 nil	<ntu-uaf.c>:init	[<<main-context>>, nil]	<ntu-uaf.c>:main:0
63793e6/drop_last.csv differs from 60d2059/drop_last.csv
--- 63793e6/drop_last.csv	2022-10-12 20:56:56.767387016 +0000
+++ 60d2059/drop_last.csv	2022-10-12 20:48:22.351161189 +0000
@@ -9,11 +9,9 @@
 nil	[<ntu-uaf.c>:main:12, nil]
 nil	[<ntu-uaf.c>:main:15, nil]
 nil	[<ntu-uaf.c>:main:16, nil]
-nil	[<ntu-uaf.c>:main:17, nil]
 nil	[<ntu-uaf.c>:main:18, nil]
 nil	[<ntu-uaf.c>:main:19, nil]
 nil	[<ntu-uaf.c>:main:8, nil]
 nil	[<ntu-uaf.c>:read_int:2, nil]
-nil	[<ntu-uaf.c>:read_int:3, nil]
 nil	[<ntu-uaf.c>:read_int:5, nil]
 nil	[<ntu-uaf.c>:welcome_func:0, nil]
[WARN] No relation at 60d2059/_landingpad_instruction_filter_clause.csv
63793e6/max_num_callsites.csv differs from 60d2059/max_num_callsites.csv
--- 63793e6/max_num_callsites.csv	2022-10-12 20:56:56.747387021 +0000
+++ 60d2059/max_num_callsites.csv	2022-10-12 20:48:22.332161163 +0000
@@ -1,4 +1,4 @@
-<ntu-uaf.c>:__read_chk	3
+<ntu-uaf.c>:__read_chk	1
 <ntu-uaf.c>:atoi	1
 <ntu-uaf.c>:backdoor	1
 <ntu-uaf.c>:bye_func	1
@@ -11,7 +11,7 @@
 <ntu-uaf.c>:menu	1
 <ntu-uaf.c>:printf	3
 <ntu-uaf.c>:puts	5
-<ntu-uaf.c>:read	3
+<ntu-uaf.c>:read	1
 <ntu-uaf.c>:read_int	1
 <ntu-uaf.c>:setvbuf	3
 <ntu-uaf.c>:strtol	1
[WARN] No relation at 60d2059/_phi_instruction_pair_label.csv.gz
[WARN] No relation at 60d2059/_switch_instruction_case_label.csv
63793e6/subset._merge.merge.csv differs from 60d2059/subset._merge.merge.csv
--- 63793e6/subset._merge.merge.csv	2022-10-12 20:56:56.835387000 +0000
+++ 60d2059/subset._merge.merge.csv	2022-10-12 20:48:22.421161286 +0000
@@ -1,3 +1,4 @@
+[<<main-context>>, nil]	<ntu-uaf.c>:main:17	[<<main-context>>, nil]
 [<ntu-uaf.c>:bye_func:0, nil]	<ntu-uaf.c>:bye_func:0	nil
 [<ntu-uaf.c>:init:1, nil]	<ntu-uaf.c>:init:1	nil
 [<ntu-uaf.c>:init:3, nil]	<ntu-uaf.c>:init:3	nil
@@ -6,12 +7,10 @@
 [<ntu-uaf.c>:main:12, nil]	<ntu-uaf.c>:main:12	[<<main-context>>, nil]
 [<ntu-uaf.c>:main:15, nil]	<ntu-uaf.c>:main:15	[<<main-context>>, nil]
 [<ntu-uaf.c>:main:16, nil]	<ntu-uaf.c>:main:16	[<<main-context>>, nil]
-[<ntu-uaf.c>:main:17, nil]	<ntu-uaf.c>:main:17	[<<main-context>>, nil]
 [<ntu-uaf.c>:main:18, nil]	<ntu-uaf.c>:main:18	[<<main-context>>, nil]
 [<ntu-uaf.c>:main:19, nil]	<ntu-uaf.c>:main:19	[<<main-context>>, nil]
 [<ntu-uaf.c>:main:8, nil]	<ntu-uaf.c>:main:8	[<<main-context>>, nil]
 [<ntu-uaf.c>:read_int:2, nil]	<ntu-uaf.c>:read_int:2	nil
-[<ntu-uaf.c>:read_int:3, nil]	<ntu-uaf.c>:read_int:3	nil
 [<ntu-uaf.c>:read_int:5, nil]	<ntu-uaf.c>:read_int:5	nil
 [<ntu-uaf.c>:welcome_func:0, nil]	<ntu-uaf.c>:welcome_func:0	nil
 nil	<ntu-uaf.c>:atoi:0	nil
@@ -19,4 +18,5 @@
 nil	<ntu-uaf.c>:main:13	[<<main-context>>, nil]
 nil	<ntu-uaf.c>:main:23	[<<main-context>>, nil]
 nil	<ntu-uaf.c>:main:7	[<<main-context>>, nil]
+nil	<ntu-uaf.c>:read_int:3	nil
 nil	<ntu-uaf.c>:read_int:4	nil
[WARN] No relation at 60d2059/_variable_in_function.csv
[WARN] No relation at 60d2059/_basicblock_preds.csv
63793e6/context_depth.csv differs from 60d2059/context_depth.csv
--- 63793e6/context_depth.csv	2022-10-12 20:56:56.764387017 +0000
+++ 60d2059/context_depth.csv	2022-10-12 20:48:22.349161186 +0000
@@ -10,11 +10,9 @@
 1	[<ntu-uaf.c>:main:12, nil]
 1	[<ntu-uaf.c>:main:15, nil]
 1	[<ntu-uaf.c>:main:16, nil]
-1	[<ntu-uaf.c>:main:17, nil]
 1	[<ntu-uaf.c>:main:18, nil]
 1	[<ntu-uaf.c>:main:19, nil]
 1	[<ntu-uaf.c>:main:8, nil]
 1	[<ntu-uaf.c>:read_int:2, nil]
-1	[<ntu-uaf.c>:read_int:3, nil]
 1	[<ntu-uaf.c>:read_int:5, nil]
 1	[<ntu-uaf.c>:welcome_func:0, nil]
[WARN] No relation at 60d2059/_basicblock_preds.csv.gz
[WARN] No relation at 60d2059/_variable_in_function.csv.gz
[WARN] No relation at 60d2059/_phi_instruction_pair_value.csv
63793e6/context_to_string.csv differs from 60d2059/context_to_string.csv
--- 63793e6/context_to_string.csv	2022-10-12 20:56:56.804387007 +0000
+++ 60d2059/context_to_string.csv	2022-10-12 20:48:22.391161245 +0000
@@ -9,12 +9,10 @@
 [<ntu-uaf.c>:main:12, nil]	<ntu-uaf.c>:main:12#nil
 [<ntu-uaf.c>:main:15, nil]	<ntu-uaf.c>:main:15#nil
 [<ntu-uaf.c>:main:16, nil]	<ntu-uaf.c>:main:16#nil
-[<ntu-uaf.c>:main:17, nil]	<ntu-uaf.c>:main:17#nil
 [<ntu-uaf.c>:main:18, nil]	<ntu-uaf.c>:main:18#nil
 [<ntu-uaf.c>:main:19, nil]	<ntu-uaf.c>:main:19#nil
 [<ntu-uaf.c>:main:8, nil]	<ntu-uaf.c>:main:8#nil
 [<ntu-uaf.c>:read_int:2, nil]	<ntu-uaf.c>:read_int:2#nil
-[<ntu-uaf.c>:read_int:3, nil]	<ntu-uaf.c>:read_int:3#nil
 [<ntu-uaf.c>:read_int:5, nil]	<ntu-uaf.c>:read_int:5#nil
 [<ntu-uaf.c>:welcome_func:0, nil]	<ntu-uaf.c>:welcome_func:0#nil
 nil	nil
[WARN] No relation at 60d2059/_switch_instruction_case_label.csv.gz
[WARN] No relation at 60d2059/_landingpad_instruction_catch_clause.csv.gz
63793e6/subset._merge.count_context_items.csv differs from 60d2059/subset._merge.count_context_items.csv
--- 63793e6/subset._merge.count_context_items.csv	2022-10-12 20:56:56.815387004 +0000
+++ 60d2059/subset._merge.count_context_items.csv	2022-10-12 20:48:22.402161260 +0000
@@ -6,7 +6,6 @@
 <ntu-uaf.c>:main:12	1
 <ntu-uaf.c>:main:15	1
 <ntu-uaf.c>:main:16	1
-<ntu-uaf.c>:main:17	1
 <ntu-uaf.c>:main:18	1
 <ntu-uaf.c>:main:19	1
 <ntu-uaf.c>:main:8	1
@@ -14,6 +13,5 @@
 <ntu-uaf.c>:menu:1	1
 <ntu-uaf.c>:menu:2	1
 <ntu-uaf.c>:read_int:2	1
-<ntu-uaf.c>:read_int:3	1
 <ntu-uaf.c>:read_int:5	1
 <ntu-uaf.c>:welcome_func:0	1
63793e6/context.csv differs from 60d2059/context.csv
--- 63793e6/context.csv	2022-10-12 20:56:56.786387011 +0000
+++ 60d2059/context.csv	2022-10-12 20:48:22.372161218 +0000
@@ -9,12 +9,10 @@
 [<ntu-uaf.c>:main:12, nil]
 [<ntu-uaf.c>:main:15, nil]
 [<ntu-uaf.c>:main:16, nil]
-[<ntu-uaf.c>:main:17, nil]
 [<ntu-uaf.c>:main:18, nil]
 [<ntu-uaf.c>:main:19, nil]
 [<ntu-uaf.c>:main:8, nil]
 [<ntu-uaf.c>:read_int:2, nil]
-[<ntu-uaf.c>:read_int:3, nil]
 [<ntu-uaf.c>:read_int:5, nil]
 [<ntu-uaf.c>:welcome_func:0, nil]
 nil
[WARN] No relation at 60d2059/_constant_in_function.csv.gz
[WARN] No relation at 60d2059/_switch_instruction_case_value.csv
63793e6/subset._merge.count_contexts.csv differs from 60d2059/subset._merge.count_contexts.csv
--- 63793e6/subset._merge.count_contexts.csv	2022-10-12 20:56:56.781387013 +0000
+++ 60d2059/subset._merge.count_contexts.csv	2022-10-12 20:48:22.366161210 +0000
@@ -6,7 +6,6 @@
 <ntu-uaf.c>:main:12	1
 <ntu-uaf.c>:main:15	1
 <ntu-uaf.c>:main:16	1
-<ntu-uaf.c>:main:17	1
 <ntu-uaf.c>:main:18	1
 <ntu-uaf.c>:main:19	1
 <ntu-uaf.c>:main:8	1
@@ -14,6 +13,5 @@
 <ntu-uaf.c>:menu:1	0
 <ntu-uaf.c>:menu:2	0
 <ntu-uaf.c>:read_int:2	1
-<ntu-uaf.c>:read_int:3	1
 <ntu-uaf.c>:read_int:5	1
 <ntu-uaf.c>:welcome_func:0	1
[WARN] No relation at 60d2059/_switch_instruction_case_value.csv.gz
[WARN] No relation at 60d2059/_instruction_bb_entry.csv
63793e6/context_item_by_invoc.csv differs from 60d2059/context_item_by_invoc.csv
--- 63793e6/context_item_by_invoc.csv	2022-10-12 20:56:56.821387003 +0000
+++ 60d2059/context_item_by_invoc.csv	2022-10-12 20:48:22.407161267 +0000
@@ -6,7 +6,6 @@
 <ntu-uaf.c>:main:12	<ntu-uaf.c>:main:12
 <ntu-uaf.c>:main:15	<ntu-uaf.c>:main:15
 <ntu-uaf.c>:main:16	<ntu-uaf.c>:main:16
-<ntu-uaf.c>:main:17	<ntu-uaf.c>:main:17
 <ntu-uaf.c>:main:18	<ntu-uaf.c>:main:18
 <ntu-uaf.c>:main:19	<ntu-uaf.c>:main:19
 <ntu-uaf.c>:main:8	<ntu-uaf.c>:main:8
@@ -14,6 +13,5 @@
 <ntu-uaf.c>:menu:1	<ntu-uaf.c>:menu:1
 <ntu-uaf.c>:menu:2	<ntu-uaf.c>:menu:2
 <ntu-uaf.c>:read_int:2	<ntu-uaf.c>:read_int:2
-<ntu-uaf.c>:read_int:3	<ntu-uaf.c>:read_int:3
 <ntu-uaf.c>:read_int:5	<ntu-uaf.c>:read_int:5
 <ntu-uaf.c>:welcome_func:0	<ntu-uaf.c>:welcome_func:0
[WARN] No relation at 60d2059/_phi_instruction_pair_value.csv.gz
63793e6/drop_context_item_by_invoc.csv differs from 60d2059/drop_context_item_by_invoc.csv
--- 63793e6/drop_context_item_by_invoc.csv	2022-10-12 20:56:56.790387011 +0000
+++ 60d2059/drop_context_item_by_invoc.csv	2022-10-12 20:48:22.376161224 +0000
@@ -1,4 +1,6 @@
 <ntu-uaf.c>:atoi:0
 <ntu-uaf.c>:backdoor:0
 <ntu-uaf.c>:main:13
+<ntu-uaf.c>:main:17
+<ntu-uaf.c>:read_int:3
 <ntu-uaf.c>:read_int:4
[WARN] No relation at 60d2059/_constant_in_function.csv
[WARN] No relation at 60d2059/_landingpad_instruction_catch_clause.csv
[WARN] No relation at 60d2059/_phi_instruction_pair_label.csv
63793e6/indirect_call_instruction.csv differs from 60d2059/indirect_call_instruction.csv
--- 63793e6/indirect_call_instruction.csv	2022-10-12 20:56:56.793387010 +0000
+++ 60d2059/indirect_call_instruction.csv	2022-10-12 20:48:22.380161229 +0000
@@ -1,3 +1 @@
-<ntu-uaf.c>:main:17
 <ntu-uaf.c>:main:23
-<ntu-uaf.c>:read_int:3
63793e6/num_indirect_calls_to_compatible_func.csv differs from 60d2059/num_indirect_calls_to_compatible_func.csv
--- 63793e6/num_indirect_calls_to_compatible_func.csv	2022-10-12 20:56:56.822387003 +0000
+++ 60d2059/num_indirect_calls_to_compatible_func.csv	2022-10-12 20:48:22.408161268 +0000
@@ -1,8 +1,10 @@
+0	<ntu-uaf.c>:__read_chk
 0	<ntu-uaf.c>:atoi
 0	<ntu-uaf.c>:main
 0	<ntu-uaf.c>:malloc
 0	<ntu-uaf.c>:printf
 0	<ntu-uaf.c>:puts
+0	<ntu-uaf.c>:read
 0	<ntu-uaf.c>:read_int
 0	<ntu-uaf.c>:setvbuf
 0	<ntu-uaf.c>:strtol
@@ -15,5 +17,3 @@
 1	<ntu-uaf.c>:llvm.lifetime.start.p0i8
 1	<ntu-uaf.c>:menu
 1	<ntu-uaf.c>:welcome_func
-2	<ntu-uaf.c>:__read_chk
-2	<ntu-uaf.c>:read
[WARN] No relation at 60d2059/_instruction_bb_entry.csv.gz
[WARN] No relation at 63793e6/switch_instruction_case_value.csv
[WARN] No relation at 63793e6/landingpad_instruction_catch_clause.csv.gz
[WARN] No relation at 63793e6/phi_instruction_pair_label.csv.gz
60d2059/indirect_call_or_invoke_instruction.csv differs from 63793e6/indirect_call_or_invoke_instruction.csv
--- 60d2059/indirect_call_or_invoke_instruction.csv	2022-10-12 20:48:22.411161272 +0000
+++ 63793e6/indirect_call_or_invoke_instruction.csv	2022-10-12 20:56:56.826387002 +0000
@@ -1 +1,3 @@
+<ntu-uaf.c>:main:17
 <ntu-uaf.c>:main:23
+<ntu-uaf.c>:read_int:3
60d2059/alloc_context.csv differs from 63793e6/alloc_context.csv
--- 60d2059/alloc_context.csv	2022-10-12 20:48:22.396161252 +0000
+++ 63793e6/alloc_context.csv	2022-10-12 20:56:56.808387006 +0000
@@ -9,10 +9,12 @@
 [<ntu-uaf.c>:main:12, nil]
 [<ntu-uaf.c>:main:15, nil]
 [<ntu-uaf.c>:main:16, nil]
+[<ntu-uaf.c>:main:17, nil]
 [<ntu-uaf.c>:main:18, nil]
 [<ntu-uaf.c>:main:19, nil]
 [<ntu-uaf.c>:main:8, nil]
 [<ntu-uaf.c>:read_int:2, nil]
+[<ntu-uaf.c>:read_int:3, nil]
 [<ntu-uaf.c>:read_int:5, nil]
 [<ntu-uaf.c>:welcome_func:0, nil]
 nil
60d2059/subset.callgraph.callgraph_edge.csv differs from 63793e6/subset.callgraph.callgraph_edge.csv
--- 60d2059/subset.callgraph.callgraph_edge.csv	2022-10-12 20:48:22.420161285 +0000
+++ 63793e6/subset.callgraph.callgraph_edge.csv	2022-10-12 20:56:56.835387000 +0000
@@ -1,4 +1,3 @@
-[<<main-context>>, nil]	<ntu-uaf.c>:read	[<<main-context>>, nil]	<ntu-uaf.c>:main:17
 [<ntu-uaf.c>:bye_func:0, nil]	<ntu-uaf.c>:puts	nil	<ntu-uaf.c>:bye_func:0
 [<ntu-uaf.c>:init:1, nil]	<ntu-uaf.c>:setvbuf	nil	<ntu-uaf.c>:init:1
 [<ntu-uaf.c>:init:3, nil]	<ntu-uaf.c>:setvbuf	nil	<ntu-uaf.c>:init:3
@@ -7,13 +6,14 @@
 [<ntu-uaf.c>:main:12, nil]	<ntu-uaf.c>:printf	[<<main-context>>, nil]	<ntu-uaf.c>:main:12
 [<ntu-uaf.c>:main:15, nil]	<ntu-uaf.c>:malloc	[<<main-context>>, nil]	<ntu-uaf.c>:main:15
 [<ntu-uaf.c>:main:16, nil]	<ntu-uaf.c>:printf	[<<main-context>>, nil]	<ntu-uaf.c>:main:16
+[<ntu-uaf.c>:main:17, nil]	<ntu-uaf.c>:read	[<<main-context>>, nil]	<ntu-uaf.c>:main:17
 [<ntu-uaf.c>:main:18, nil]	<ntu-uaf.c>:printf	[<<main-context>>, nil]	<ntu-uaf.c>:main:18
 [<ntu-uaf.c>:main:19, nil]	<ntu-uaf.c>:free	[<<main-context>>, nil]	<ntu-uaf.c>:main:19
 [<ntu-uaf.c>:main:8, nil]	<ntu-uaf.c>:free	[<<main-context>>, nil]	<ntu-uaf.c>:main:8
 [<ntu-uaf.c>:read_int:2, nil]	<ntu-uaf.c>:llvm.lifetime.start.p0i8	nil	<ntu-uaf.c>:read_int:2
+[<ntu-uaf.c>:read_int:3, nil]	<ntu-uaf.c>:__read_chk	nil	<ntu-uaf.c>:read_int:3
 [<ntu-uaf.c>:read_int:5, nil]	<ntu-uaf.c>:llvm.lifetime.end.p0i8	nil	<ntu-uaf.c>:read_int:5
 [<ntu-uaf.c>:welcome_func:0, nil]	<ntu-uaf.c>:puts	nil	<ntu-uaf.c>:welcome_func:0
-nil	<ntu-uaf.c>:__read_chk	nil	<ntu-uaf.c>:read_int:3
 nil	<ntu-uaf.c>:atoi	nil	<ntu-uaf.c>:read_int:4
 nil	<ntu-uaf.c>:bye_func	[<<main-context>>, nil]	<ntu-uaf.c>:main:23
 nil	<ntu-uaf.c>:init	[<<main-context>>, nil]	<ntu-uaf.c>:main:0
60d2059/drop_last.csv differs from 63793e6/drop_last.csv
--- 60d2059/drop_last.csv	2022-10-12 20:48:22.351161189 +0000
+++ 63793e6/drop_last.csv	2022-10-12 20:56:56.767387016 +0000
@@ -9,9 +9,11 @@
 nil	[<ntu-uaf.c>:main:12, nil]
 nil	[<ntu-uaf.c>:main:15, nil]
 nil	[<ntu-uaf.c>:main:16, nil]
+nil	[<ntu-uaf.c>:main:17, nil]
 nil	[<ntu-uaf.c>:main:18, nil]
 nil	[<ntu-uaf.c>:main:19, nil]
 nil	[<ntu-uaf.c>:main:8, nil]
 nil	[<ntu-uaf.c>:read_int:2, nil]
+nil	[<ntu-uaf.c>:read_int:3, nil]
 nil	[<ntu-uaf.c>:read_int:5, nil]
 nil	[<ntu-uaf.c>:welcome_func:0, nil]
[WARN] No relation at 63793e6/constant_in_fn.csv.gz
60d2059/max_num_callsites.csv differs from 63793e6/max_num_callsites.csv
--- 60d2059/max_num_callsites.csv	2022-10-12 20:48:22.332161163 +0000
+++ 63793e6/max_num_callsites.csv	2022-10-12 20:56:56.747387021 +0000
@@ -1,4 +1,4 @@
-<ntu-uaf.c>:__read_chk	1
+<ntu-uaf.c>:__read_chk	3
 <ntu-uaf.c>:atoi	1
 <ntu-uaf.c>:backdoor	1
 <ntu-uaf.c>:bye_func	1
@@ -11,7 +11,7 @@
 <ntu-uaf.c>:menu	1
 <ntu-uaf.c>:printf	3
 <ntu-uaf.c>:puts	5
-<ntu-uaf.c>:read	1
+<ntu-uaf.c>:read	3
 <ntu-uaf.c>:read_int	1
 <ntu-uaf.c>:setvbuf	3
 <ntu-uaf.c>:strtol	1
[WARN] No relation at 63793e6/landingpad_instruction_catch_clause.csv
[WARN] No relation at 63793e6/basicblock_preds.csv
60d2059/subset._merge.merge.csv differs from 63793e6/subset._merge.merge.csv
--- 60d2059/subset._merge.merge.csv	2022-10-12 20:48:22.421161286 +0000
+++ 63793e6/subset._merge.merge.csv	2022-10-12 20:56:56.835387000 +0000
@@ -1,4 +1,3 @@
-[<<main-context>>, nil]	<ntu-uaf.c>:main:17	[<<main-context>>, nil]
 [<ntu-uaf.c>:bye_func:0, nil]	<ntu-uaf.c>:bye_func:0	nil
 [<ntu-uaf.c>:init:1, nil]	<ntu-uaf.c>:init:1	nil
 [<ntu-uaf.c>:init:3, nil]	<ntu-uaf.c>:init:3	nil
@@ -7,10 +6,12 @@
 [<ntu-uaf.c>:main:12, nil]	<ntu-uaf.c>:main:12	[<<main-context>>, nil]
 [<ntu-uaf.c>:main:15, nil]	<ntu-uaf.c>:main:15	[<<main-context>>, nil]
 [<ntu-uaf.c>:main:16, nil]	<ntu-uaf.c>:main:16	[<<main-context>>, nil]
+[<ntu-uaf.c>:main:17, nil]	<ntu-uaf.c>:main:17	[<<main-context>>, nil]
 [<ntu-uaf.c>:main:18, nil]	<ntu-uaf.c>:main:18	[<<main-context>>, nil]
 [<ntu-uaf.c>:main:19, nil]	<ntu-uaf.c>:main:19	[<<main-context>>, nil]
 [<ntu-uaf.c>:main:8, nil]	<ntu-uaf.c>:main:8	[<<main-context>>, nil]
 [<ntu-uaf.c>:read_int:2, nil]	<ntu-uaf.c>:read_int:2	nil
+[<ntu-uaf.c>:read_int:3, nil]	<ntu-uaf.c>:read_int:3	nil
 [<ntu-uaf.c>:read_int:5, nil]	<ntu-uaf.c>:read_int:5	nil
 [<ntu-uaf.c>:welcome_func:0, nil]	<ntu-uaf.c>:welcome_func:0	nil
 nil	<ntu-uaf.c>:atoi:0	nil
@@ -18,5 +19,4 @@
 nil	<ntu-uaf.c>:main:13	[<<main-context>>, nil]
 nil	<ntu-uaf.c>:main:23	[<<main-context>>, nil]
 nil	<ntu-uaf.c>:main:7	[<<main-context>>, nil]
-nil	<ntu-uaf.c>:read_int:3	nil
 nil	<ntu-uaf.c>:read_int:4	nil
60d2059/context_depth.csv differs from 63793e6/context_depth.csv
--- 60d2059/context_depth.csv	2022-10-12 20:48:22.349161186 +0000
+++ 63793e6/context_depth.csv	2022-10-12 20:56:56.764387017 +0000
@@ -10,9 +10,11 @@
 1	[<ntu-uaf.c>:main:12, nil]
 1	[<ntu-uaf.c>:main:15, nil]
 1	[<ntu-uaf.c>:main:16, nil]
+1	[<ntu-uaf.c>:main:17, nil]
 1	[<ntu-uaf.c>:main:18, nil]
 1	[<ntu-uaf.c>:main:19, nil]
 1	[<ntu-uaf.c>:main:8, nil]
 1	[<ntu-uaf.c>:read_int:2, nil]
+1	[<ntu-uaf.c>:read_int:3, nil]
 1	[<ntu-uaf.c>:read_int:5, nil]
 1	[<ntu-uaf.c>:welcome_func:0, nil]
[WARN] No relation at 63793e6/landingpad_instruction_filter_clause.csv.gz
[WARN] No relation at 63793e6/landingpad_instruction_filter_clause.csv
[WARN] No relation at 63793e6/switch_instruction_case_label.csv
[WARN] No relation at 63793e6/switch_instruction_case_value.csv.gz
60d2059/context_to_string.csv differs from 63793e6/context_to_string.csv
--- 60d2059/context_to_string.csv	2022-10-12 20:48:22.391161245 +0000
+++ 63793e6/context_to_string.csv	2022-10-12 20:56:56.804387007 +0000
@@ -9,10 +9,12 @@
 [<ntu-uaf.c>:main:12, nil]	<ntu-uaf.c>:main:12#nil
 [<ntu-uaf.c>:main:15, nil]	<ntu-uaf.c>:main:15#nil
 [<ntu-uaf.c>:main:16, nil]	<ntu-uaf.c>:main:16#nil
+[<ntu-uaf.c>:main:17, nil]	<ntu-uaf.c>:main:17#nil
 [<ntu-uaf.c>:main:18, nil]	<ntu-uaf.c>:main:18#nil
 [<ntu-uaf.c>:main:19, nil]	<ntu-uaf.c>:main:19#nil
 [<ntu-uaf.c>:main:8, nil]	<ntu-uaf.c>:main:8#nil
 [<ntu-uaf.c>:read_int:2, nil]	<ntu-uaf.c>:read_int:2#nil
+[<ntu-uaf.c>:read_int:3, nil]	<ntu-uaf.c>:read_int:3#nil
 [<ntu-uaf.c>:read_int:5, nil]	<ntu-uaf.c>:read_int:5#nil
 [<ntu-uaf.c>:welcome_func:0, nil]	<ntu-uaf.c>:welcome_func:0#nil
 nil	nil
[WARN] No relation at 63793e6/phi_instruction_pair_value.csv.gz
[WARN] No relation at 63793e6/instruction_bb_entry.csv.gz
60d2059/subset._merge.count_context_items.csv differs from 63793e6/subset._merge.count_context_items.csv
--- 60d2059/subset._merge.count_context_items.csv	2022-10-12 20:48:22.402161260 +0000
+++ 63793e6/subset._merge.count_context_items.csv	2022-10-12 20:56:56.815387004 +0000
@@ -6,6 +6,7 @@
 <ntu-uaf.c>:main:12	1
 <ntu-uaf.c>:main:15	1
 <ntu-uaf.c>:main:16	1
+<ntu-uaf.c>:main:17	1
 <ntu-uaf.c>:main:18	1
 <ntu-uaf.c>:main:19	1
 <ntu-uaf.c>:main:8	1
@@ -13,5 +14,6 @@
 <ntu-uaf.c>:menu:1	1
 <ntu-uaf.c>:menu:2	1
 <ntu-uaf.c>:read_int:2	1
+<ntu-uaf.c>:read_int:3	1
 <ntu-uaf.c>:read_int:5	1
 <ntu-uaf.c>:welcome_func:0	1
[WARN] No relation at 63793e6/phi_instruction_pair_label.csv
60d2059/context.csv differs from 63793e6/context.csv
--- 60d2059/context.csv	2022-10-12 20:48:22.372161218 +0000
+++ 63793e6/context.csv	2022-10-12 20:56:56.786387011 +0000
@@ -9,10 +9,12 @@
 [<ntu-uaf.c>:main:12, nil]
 [<ntu-uaf.c>:main:15, nil]
 [<ntu-uaf.c>:main:16, nil]
+[<ntu-uaf.c>:main:17, nil]
 [<ntu-uaf.c>:main:18, nil]
 [<ntu-uaf.c>:main:19, nil]
 [<ntu-uaf.c>:main:8, nil]
 [<ntu-uaf.c>:read_int:2, nil]
+[<ntu-uaf.c>:read_int:3, nil]
 [<ntu-uaf.c>:read_int:5, nil]
 [<ntu-uaf.c>:welcome_func:0, nil]
 nil
[WARN] No relation at 63793e6/switch_instruction_case_label.csv.gz
[WARN] No relation at 63793e6/variable_in_fn.csv.gz
60d2059/subset._merge.count_contexts.csv differs from 63793e6/subset._merge.count_contexts.csv
--- 60d2059/subset._merge.count_contexts.csv	2022-10-12 20:48:22.366161210 +0000
+++ 63793e6/subset._merge.count_contexts.csv	2022-10-12 20:56:56.781387013 +0000
@@ -6,6 +6,7 @@
 <ntu-uaf.c>:main:12	1
 <ntu-uaf.c>:main:15	1
 <ntu-uaf.c>:main:16	1
+<ntu-uaf.c>:main:17	1
 <ntu-uaf.c>:main:18	1
 <ntu-uaf.c>:main:19	1
 <ntu-uaf.c>:main:8	1
@@ -13,5 +14,6 @@
 <ntu-uaf.c>:menu:1	0
 <ntu-uaf.c>:menu:2	0
 <ntu-uaf.c>:read_int:2	1
+<ntu-uaf.c>:read_int:3	1
 <ntu-uaf.c>:read_int:5	1
 <ntu-uaf.c>:welcome_func:0	1
60d2059/context_item_by_invoc.csv differs from 63793e6/context_item_by_invoc.csv
--- 60d2059/context_item_by_invoc.csv	2022-10-12 20:48:22.407161267 +0000
+++ 63793e6/context_item_by_invoc.csv	2022-10-12 20:56:56.821387003 +0000
@@ -6,6 +6,7 @@
 <ntu-uaf.c>:main:12	<ntu-uaf.c>:main:12
 <ntu-uaf.c>:main:15	<ntu-uaf.c>:main:15
 <ntu-uaf.c>:main:16	<ntu-uaf.c>:main:16
+<ntu-uaf.c>:main:17	<ntu-uaf.c>:main:17
 <ntu-uaf.c>:main:18	<ntu-uaf.c>:main:18
 <ntu-uaf.c>:main:19	<ntu-uaf.c>:main:19
 <ntu-uaf.c>:main:8	<ntu-uaf.c>:main:8
@@ -13,5 +14,6 @@
 <ntu-uaf.c>:menu:1	<ntu-uaf.c>:menu:1
 <ntu-uaf.c>:menu:2	<ntu-uaf.c>:menu:2
 <ntu-uaf.c>:read_int:2	<ntu-uaf.c>:read_int:2
+<ntu-uaf.c>:read_int:3	<ntu-uaf.c>:read_int:3
 <ntu-uaf.c>:read_int:5	<ntu-uaf.c>:read_int:5
 <ntu-uaf.c>:welcome_func:0	<ntu-uaf.c>:welcome_func:0
60d2059/drop_context_item_by_invoc.csv differs from 63793e6/drop_context_item_by_invoc.csv
--- 60d2059/drop_context_item_by_invoc.csv	2022-10-12 20:48:22.376161224 +0000
+++ 63793e6/drop_context_item_by_invoc.csv	2022-10-12 20:56:56.790387011 +0000
@@ -1,6 +1,4 @@
 <ntu-uaf.c>:atoi:0
 <ntu-uaf.c>:backdoor:0
 <ntu-uaf.c>:main:13
-<ntu-uaf.c>:main:17
-<ntu-uaf.c>:read_int:3
 <ntu-uaf.c>:read_int:4
[WARN] No relation at 63793e6/instruction_bb_entry.csv
[WARN] No relation at 63793e6/phi_instruction_pair_value.csv
[WARN] No relation at 63793e6/variable_in_fn.csv
60d2059/indirect_call_instruction.csv differs from 63793e6/indirect_call_instruction.csv
--- 60d2059/indirect_call_instruction.csv	2022-10-12 20:48:22.380161229 +0000
+++ 63793e6/indirect_call_instruction.csv	2022-10-12 20:56:56.793387010 +0000
@@ -1 +1,3 @@
+<ntu-uaf.c>:main:17
 <ntu-uaf.c>:main:23
+<ntu-uaf.c>:read_int:3
60d2059/num_indirect_calls_to_compatible_func.csv differs from 63793e6/num_indirect_calls_to_compatible_func.csv
--- 60d2059/num_indirect_calls_to_compatible_func.csv	2022-10-12 20:48:22.408161268 +0000
+++ 63793e6/num_indirect_calls_to_compatible_func.csv	2022-10-12 20:56:56.822387003 +0000
@@ -1,10 +1,8 @@
-0	<ntu-uaf.c>:__read_chk
 0	<ntu-uaf.c>:atoi
 0	<ntu-uaf.c>:main
 0	<ntu-uaf.c>:malloc
 0	<ntu-uaf.c>:printf
 0	<ntu-uaf.c>:puts
-0	<ntu-uaf.c>:read
 0	<ntu-uaf.c>:read_int
 0	<ntu-uaf.c>:setvbuf
 0	<ntu-uaf.c>:strtol
@@ -17,3 +15,5 @@
 1	<ntu-uaf.c>:llvm.lifetime.start.p0i8
 1	<ntu-uaf.c>:menu
 1	<ntu-uaf.c>:welcome_func
+2	<ntu-uaf.c>:__read_chk
+2	<ntu-uaf.c>:read
[WARN] No relation at 63793e6/constant_in_fn.csv
[WARN] No relation at 63793e6/basicblock_preds.csv.gz

Hypothesis: The problem stems from indirect_call_instruction:

63793e6/indirect_call_instruction.csv differs from 60d2059/indirect_call_instruction.csv
--- 63793e6/indirect_call_instruction.csv	2022-10-12 20:56:56.793387010 +0000
+++ 60d2059/indirect_call_instruction.csv	2022-10-12 20:48:22.380161229 +0000
@@ -1,3 +1 @@
-<ntu-uaf.c>:main:17
 <ntu-uaf.c>:main:23
-<ntu-uaf.c>:read_int:3

This relation has one rule:

// An instruction is an indirect call when the function operand recorded for
// it in call_instruction_fn_operand is also a member of the variable relation.
indirect_call_instruction(Instr) :-
   call_instruction_fn_operand(Instr, Variable),
   variable(Variable).

However,

diff -u 63793e6/call_instruction_fn_operand.csv 60d2059/call_instruction_fn_operand.csv
diff -u 63793e6/variable.csv 60d2059/variable.csv

show no differences.

Looks like the new version added several .input pragmas that weren't there before:

# Check out the commit in which the difference first appears.
git checkout 63793e6
# Preprocess import.dl with mcpp, using "." as the include path, and save the
# expanded result as new.dl.
mcpp -e utf8 -W0 -I "." datalog/import/import.dl > new.dl
# Concatenate the import-* files into old.dl for comparison.
cat datalog/import/import-* > old.dl

(remove rules, comments, newlines, filenames, etc. from old.dl and new.dl; sort both)

diff -u old.dl new.dl           

--- old.dl	2022-10-12 17:12:29.985174659 -0400
+++ new.dl	2022-10-12 17:12:29.374161860 -0400
@@ -62,13 +62,16 @@
 .input cmpxchg_instruction_is_volatile
 .input cmpxchg_instruction_new_value
 .input cmpxchg_instruction_ordering
+.input cmpxchg_instruction_type
 .input constant
 .input constant_array
 .input constant_array_has_size
 .input constant_array_index
 .input constant_expression
+.input constant_expression
 .input constant_has_type
 .input constant_has_value
+.input constant_hashes_to
 .input constant_struct
 .input constant_struct_has_size
 .input constant_struct_index
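Review bot: Only four of the added `.input` lines are accounted for by the explanation that follows (the direct/indirect call and invoke relations); this hunk also adds `.input cmpxchg_instruction_type` and `.input constant_hashes_to`, and `.input constant_expression` now appears twice. It would be worth confirming that the analysis defines no rules under those two relation names, since the same name clash would otherwise change their content as well, and that the repeated `.input constant_expression` is intended. A comment next to the generated declarations such as `// relations listed here are read from fact files; do not define rules with the same name` would record the constraint.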
@@ -76,6 +79,8 @@
 .input constant_vector
 .input constant_vector_has_size
 .input constant_vector_index
+.input direct_call_instruction
+.input direct_invoke_instruction
 .input extractelement_instruction
 .input extractelement_instruction_base
 .input extractelement_instruction_index
@@ -168,6 +173,8 @@
 .input icmp_instruction_condition
 .input icmp_instruction_first_operand
 .input icmp_instruction_second_operand
+.input indirect_call_instruction
+.input indirect_invoke_instruction
 .input indirectbr_instruction
 .input indirectbr_instruction_address
 .input indirectbr_instruction_label

Current conclusions: when a relation is marked as .input, Soufflé will not attempt to apply any rules provided for it. The fact generator had been emitting facts for indirect_invoke_instr & co., while the analysis defined a different, non-input relation with the same name and computed it from rules. Hence, once import-*.dl was generated from predicates.inc, these relations were imported from the fact files rather than computed by the rules, and so had different content.

This is a great example of the confusion that can arise when there are multiple sources of truth as to which relations are input relations...

This is all supported by the fact that the following diff (when applied to 63793e6) seems to fix the problem.

diff --git a/FactGenerator/include/predicates.inc b/FactGenerator/include/predicates.inc
index 610e326..51d55ff 100644
--- a/FactGenerator/include/predicates.inc
+++ b/FactGenerator/include/predicates.inc
@@ -218,8 +218,6 @@ GROUP_END(resume)
 
 GROUP_BEGIN(invoke)
 PREDICATE(invoke, instr, invoke_instruction)
-PREDICATE(invoke, instr_direct, direct_invoke_instruction)
-PREDICATE(invoke, instr_indirect, indirect_invoke_instruction)
 PREDICATE(invoke, function, invoke_instruction_fn_operand)
 PREDICATE(invoke, arg, invoke_instruction_arg)
 PREDICATE(invoke, calling_conv, invoke_instruction_with_calling_convention)
@@ -440,8 +438,6 @@ GROUP_END(va_arg)
 
 GROUP_BEGIN(call)
 PREDICATE(call, instr, call_instruction)
-PREDICATE(call, instr_direct, direct_call_instruction)
-PREDICATE(call, instr_indirect, indirect_call_instruction)
 PREDICATE(call, function, call_instruction_fn_operand)
 PREDICATE(call, arg, call_instruction_arg)
 PREDICATE(call, calling_conv, call_instruction_with_calling_convention)
diff --git a/FactGenerator/src/InstructionVisitor.cpp b/FactGenerator/src/InstructionVisitor.cpp
index 7133c3e..83e6a4b 100644
--- a/FactGenerator/src/InstructionVisitor.cpp
+++ b/FactGenerator/src/InstructionVisitor.cpp
@@ -276,11 +276,6 @@ void InstructionVisitor::visitIndirectBrInst(const llvm::IndirectBrInst &IBR) {
 void InstructionVisitor::visitInvokeInst(const llvm::InvokeInst &II) {
   refmode_t iref = recordInstruction(pred::invoke::instr, II);
 
-  gen.writeFact(
-      II.getCalledFunction() ? pred::invoke::instr_direct
-                             : pred::invoke::instr_indirect,
-      iref);
-
 #if LLVM_VERSION_MAJOR > 12
   const llvm::Value *invokeOp = II.getCalledOperand();
 #else
@@ -544,17 +539,6 @@ void InstructionVisitor::visitCallInst(const llvm::CallInst &CI) {
   // instructions due to the constraint that all direct calls must
   // be able to determine the function to be called.
 
-  if (!CI.isInlineAsm()) {
-    // Record if instruction is direct or indirect. This is
-    // probably redundant since it is inferred by the logic
-    // itself, according to the kind of the function operand.
-
-    gen.writeFact(
-        CI.getCalledFunction() ? pred::call::instr_direct
-                               : pred::call::instr_indirect,
-        iref);
-  }
-
 #if LLVM_VERSION_MAJOR > 12
   const llvm::Value *callOp = CI.getCalledOperand();
 #else