# PySVF tutorial: SVFG (Static Value-Flow Graph)

### Introduction
This tutorial demonstrates how to use PySVF to generate SVFG (Static Value-Flow Graph) from a given source code. The SVFG is a graph representation of the program, where nodes represent program statements and edges represent the data and control dependencies between the statements. The SVFG is a powerful representation that can be used for various program analysis tasks, such as program slicing, program comprehension, and vulnerability detection.

### Prerequisites

Before running this tutorial, make sure you have studied [SVFIR](svfir.ipynb) tutorial and [ICFG](icfg.ipynb) tutorial. Make sure you have installed PySVF and its dependencies. 



In [1]:
# Install the pysvf library
# You might need to run this command in your terminal or use a Jupyter magic command
# !pip install pysvf

# Import necessary libraries
import pysvf

# Load the LLVM bitcode file
bitcode_file = "demo.ll"

# Get the pag(SVFIR) from the bitcode file, specifying that we want to build the SVFG
svfir = pysvf.getPAG(bitcode_file, build_svfg=True)

# Get the static value-flow graph (SVFG) from the pag
svfg = pysvf.getSVFG()

# Dump the SVFG to a file, the output file will be named "demo.svfg.dot"
svfg.dump("demo.svfg")


*********General Stats***************
################ (program : demo.ll)###############
AddrsNum            21
BBWith2Succ         1
BBWith3Succ         0
CallsNum            3
ConstArrayObj       0
ConstStructObj      0
ConstantObj         14
CopysNum            2
FIObjNum            13
FSObjNum            9
FunctionObjs        5
GepsNum             10
GlobalObjs          1
HeapObjs            1
IndCallSites        0
LoadsNum            3
MaxStructSize       0
NonPtrObj           22
ReturnsNum          1
StackObjs           2
StoresNum           7
TotalCallSite       4
TotalFieldObjects   2
TotalObjects        25
TotalPTASVFStmts    22
TotalPointers       70
TotalSVFStmts       56
VarArrayObj         1
VarStructObj        0
----------------Time and memory stats--------------------
LLVMIRTime          0.006
SVFIRTime           0.001
SymbolTableTime     0.001
#######################################################

*********PTACallGraph Stats (Andersen analysis)***************
######


### Traversing the SVFG

The SVFG (Sparse Value-Flow Graph) allows for the analysis of value flow between functions and supports various analyses on the program's structure.

### Basic Operations on SVFG

#### SVFG Class
- **APIs**
  ```python
  def getDefSVFGNode(self, val: SVFVar) -> List[VFGNode]: ...
  # Retrieve the definition SVFG node for a given SVF variable

  def getActualOUTSVFGNodes(self, cs: CallICFGNode) -> List[ActualOUTSVFGNode]: ...
  # Retrieve the actual out SVFG nodes for a call site

  def getActualINSVFGNodes(self, cs: CallICFGNode) -> List[ActualINSVFGNode]: ...
  # Retrieve the actual in SVFG nodes for a call site

  def getFormalOUTSVFGNodes(self, fun: FunObjVar) -> List[FormalOUTSVFGNode]: ...
  # Retrieve the formal out SVFG nodes for a function

  def getFormalINSVFGNodes(self, fun: FunObjVar) -> List[FormalINSVFGNode]: ...
  # Retrieve the formal in SVFG nodes for a function

  def dump(self) -> None: ...
  # Output the SVFG

  def view(self) -> None: ...
  # Visualize the SVFG

  def hasActualOUTSVFGNodes(self, cs: CallICFGNode) -> bool: ...
  # Check for actual out SVFG nodes at a call site

  def hasActualINSVFGNodes(self, cs: CallICFGNode) -> bool: ...
  # Check for actual in SVFG nodes at a call site

  def hasFormalOUTSVFGNodes(self, fun: FunObjVar) -> bool: ...
  # Check for formal out SVFG nodes for a function

  def hasFormalINSVFGNodes(self, fun: FunObjVar) -> bool: ...
  # Check for formal in SVFG nodes for a function
  ```

#### SVFGNode Class
- **APIs**
  ```python
  def toString(self) -> str: ...
  # Get the string representation of the SVFG node

  def __str__(self) -> str: ...
  # Get the string representation of the SVFG node

  def getId(self) -> int: ...
  # Retrieve the ID of the SVFG node

  def getICFGNode(self) -> ICFGNode: ...
  # Retrieve the ICFG node associated with the SVFG node

  def getDefSVFVars(self) -> List[SVFVar]: ...
  # Retrieve the defined SVF variables

  def getOutEdges(self) -> List[VFGEdge]: ...
  # Retrieve the outgoing edges

  def getInEdges(self) -> List[VFGEdge]: ...
  # Retrieve the incoming edges

  def isStmtVFGNode(self) -> bool: ...
  # Check if the node is a statement VFG node

  def isPhiVFGNode(self) -> bool: ...
  # Check if the node is a PHI VFG node

  def isArgumentVFGNode(self) -> bool: ...
  # Check if the node is an argument VFG node

  def isCmpVFGNode(self) -> bool: ...
  # Check if the node is a compare VFG node

  def isBinaryOpVFGNode(self) -> bool: ...
  # Check if the node is a binary operation VFG node

  def isUnaryOpVFGNode(self) -> bool: ...
  # Check if the node is a unary operation VFG node

  def isBranchVFGNode(self) -> bool: ...
  # Check if the node is a branch VFG node

  def asStmtVFGNode(self) -> StmtVFGNode: ...
  # Downcast to StmtVFGNode

  def asPhiVFGNode(self) -> PHIVFGNode: ...
  # Downcast to PHIVFGNode

  def asArgumentVFGNode(self) -> ArgumentVFGNode: ...
  # Downcast to ArgumentVFGNode

  def asCmpVFGNode(self) -> CmpVFGNode: ...
  # Downcast to CmpVFGNode

  def asBinaryOpVFGNode(self) -> BinaryOPVFGNode: ...
  # Downcast to BinaryOPVFGNode

  def asUnaryOpVFGNode(self) -> UnaryOPVFGNode: ...
  # Downcast to UnaryOPVFGNode

  def asBranchVFGNode(self) -> BranchVFGNode: ...
  # Downcast to BranchVFGNode

  def getValue(self) -> SVFVar: ...
  # Retrieve the value of the SVFG node
  ```

#### SVFGEdge Class
- **APIs**
  ```python
  def toString(self) -> str: ...
  # Get the string representation of the SVFG edge

  def __str__(self) -> str: ...
  # Get the string representation of the SVFG edge

  def isDirectVFGEdge(self) -> bool: ...
  # Check if the edge is a direct VFG edge

  def isIndirectVFGEdge(self) -> bool: ...
  # Check if the edge is an indirect VFG edge

  def isCallVFGEdge(self) -> bool: ...
  # Check if the edge is a call VFG edge

  def isRetVFGEdge(self) -> bool: ...
  # Check if the edge is a return VFG edge

  def isCallDirectVFGEdge(self) -> bool: ...
  # Check if the edge is a call direct VFG edge

  def isRetDirectVFGEdge(self) -> bool: ...
  # Check if the edge is a return direct VFG edge

  def isCallIndirectVFGEdge(self) -> bool: ...
  # Check if the edge is a call indirect VFG edge

  def isRetIndirectVFGEdge(self) -> bool: ...
  # Check if the edge is a return indirect VFG edge

  def isIntraVFGEdge(self) -> bool: ...
  # Check if the edge is an intra VFG edge

  def isThreadMHPIndirectVFGEdge(self) -> bool: ...
  # Check if the edge is a thread MHP indirect VFG edge

  def getSrc(self) -> VFGNode: ...
  # Retrieve the source node

  def getDst(self) -> VFGNode: ...
  # Retrieve the destination node

  def asDirectSVFGEdge(self) -> DirectSVFGEdge: ...
  # Downcast to DirectSVFGEdge

  def asIndirectSVFGEdge(self) -> IndirectSVFGEdge: ...
  # Downcast to IndirectSVFGEdge
  ```

When printing all nodes in the SVFG, be aware that the output may be extensive for large programs.


In [2]:
for node in svfg.getNodes():
    print(node)

NullPtrVFGNode ID: 0 PAGNode ID: 0

AddrVFGNode ID: 1 AddrStmt: [Var5 <-- Var6]	
ConstIntValVar ID: 5
 i8 37 { constant data }
AddrVFGNode ID: 2 AddrStmt: [Var7 <-- Var8]	
ConstIntValVar ID: 7
 i8 100 { constant data }
AddrVFGNode ID: 3 AddrStmt: [Var9 <-- Var10]	
ConstIntValVar ID: 9
 i8 10 { constant data }
AddrVFGNode ID: 4 AddrStmt: [Var11 <-- Var12]	
ConstIntValVar ID: 11
 i8 0 { constant data }
AddrVFGNode ID: 5 AddrStmt: [Var4 <-- Var13]	
GlobalValVar ID: 4
 @.str = private unnamed_addr constant [4 x i8] c"%d\0A\00", align 1 { Glob  }
AddrVFGNode ID: 6 AddrStmt: [Var14 <-- Var15]	
FunValVar ID: 14
add_or_sub
AddrVFGNode ID: 7 AddrStmt: [Var21 <-- Var22]	
ConstIntValVar ID: 21
 i32 0 { constant data }
AddrVFGNode ID: 8 AddrStmt: [Var31 <-- Var32]	
FunValVar ID: 31
main
AddrVFGNode ID: 9 AddrStmt: [Var34 <-- Var35]	
ValVar ID: 34
   %0 = alloca i8, i64 8, align 8 
AddrVFGNode ID: 10 AddrStmt: [Var36 <-- Var37]	
ConstIntValVar ID: 36
 i64 8 { constant data }
AddrVFGNode ID: 11 Addr

From the output above, we can see the list of SVFG nodes in the program, each representing a program statement. We can also traverse the edges in the SVFG to analyze the data and control dependencies between the statements.

#### Visualizing the SVFG

To visualize the SVFG, we can use the `graphviz` library to generate a graphical representation of the control flow between functions. The `dump` function of the SVFG class generates a DOT file that can be rendered using Graphviz.

![Alt text](svfgdot.png)

### Exploring the SVFG

We can explore the SVFG to analyze the data and control dependencies between the statements in the program. We can use the APIs provided by the SVFG class to get the definition SVFG node for a given SVF variable, get the actual out SVFG nodes for a call site, get the formal out SVFG nodes for a function, and so on.

#### SVFGNode

We can use the APIs provided by the SVFGNode class to get the ID of the SVFG node, get the ICFG node associated with the SVFG node, get the defined SVF variables, get the outgoing edges, get the incoming edges, and so on.

```
classDiagram
    VFGNode <|-- StmtVFGNode
    VFGNode <|-- PHIVFGNode
    VFGNode <|-- ArgumentVFGNode
    VFGNode <|-- CmpVFGNode
    VFGNode <|-- BinaryOPVFGNode
    VFGNode <|-- UnaryOPVFGNode
    VFGNode <|-- BranchVFGNode
    VFGNode <|-- MRSVFGNode
    VFGNode <|-- DummyVersionPropSVFGNode

    StmtVFGNode <|-- LoadVFGNode
    StmtVFGNode <|-- StoreVFGNode
    StmtVFGNode <|-- CopyVFGNode
    StmtVFGNode <|-- GepVFGNode
    StmtVFGNode <|-- AddrVFGNode

    PHIVFGNode <|-- IntraPHIVFGNode
    PHIVFGNode <|-- InterPHIVFGNode

    ArgumentVFGNode <|-- ActualParmVFGNode
    ArgumentVFGNode <|-- FormalParmVFGNode
    ArgumentVFGNode <|-- ActualRetVFGNode
    ArgumentVFGNode <|-- FormalRetVFGNode

    MRSVFGNode <|-- FormalINSVFGNode
    MRSVFGNode <|-- FormalOUTSVFGNode
    MRSVFGNode <|-- ActualINSVFGNode
    MRSVFGNode <|-- ActualOUTSVFGNode
    MRSVFGNode <|-- MSSAPHISVFGNode

    MSSAPHISVFGNode <|-- IntraMSSAPHISVFGNode
    MSSAPHISVFGNode <|-- InterMSSAPHISVFGNode
```
#### SVFGEdge
```
classDiagram
    VFGEdge <|-- DirectSVFGEdge
    VFGEdge <|-- IndirectSVFGEdge

    DirectSVFGEdge <|-- IntraDirSVFGEdge
    DirectSVFGEdge <|-- CallDirSVFGEdge
    DirectSVFGEdge <|-- RetDirSVFGEdge

    IndirectSVFGEdge <|-- IntraIndSVFGEdge
    IndirectSVFGEdge <|-- CallIndSVFGEdge
    IndirectSVFGEdge <|-- RetIndSVFGEdge
    IndirectSVFGEdge <|-- ThreadMHPIndSVFGEdge
```



In [6]:
for node in svfg.getNodes():
    if isinstance(node, pysvf.StmtVFGNode):
        stmt_vfg_node = node.asStmtVFGNode()
        print("ID: {}, SVFGNode: {}, ICFGNode: {}, SVFVar: {}".format(node.getId(), node, node.getId(), stmt_vfg_node.getValue()))
    # for other types of nodes, you can use the corresponding class name

ID: 1, SVFGNode: AddrVFGNode ID: 1 AddrStmt: [Var5 <-- Var6]	
ConstIntValVar ID: 5
 i8 37 { constant data }, ICFGNode: GlobalICFGNode0
CopyStmt: [Var1 <-- Var0]	
ConstNullPtrValVar ID: 0
 ptr null { constant data }
AddrStmt: [Var11 <-- Var12]	
ConstIntValVar ID: 11
 i8 0 { constant data }
AddrStmt: [Var7 <-- Var8]	
ConstIntValVar ID: 7
 i8 100 { constant data }
AddrStmt: [Var55 <-- Var56]	
ConstIntValVar ID: 55
 i32 1 { constant data }
AddrStmt: [Var39 <-- Var40]	
ConstIntValVar ID: 39
 i64 0 { constant data }
AddrStmt: [Var36 <-- Var37]	
ConstIntValVar ID: 36
 i64 8 { constant data }
AddrStmt: [Var60 <-- Var61]	
ConstIntValVar ID: 60
 i1 false { constant data }
AddrStmt: [Var21 <-- Var22]	
ConstIntValVar ID: 21
 i32 0 { constant data }
AddrStmt: [Var9 <-- Var10]	
ConstIntValVar ID: 9
 i8 10 { constant data }
AddrStmt: [Var42 <-- Var43]	
ConstIntValVar ID: 42
 i32 5 { constant data }
AddrStmt: [Var45 <-- Var46]	
ConstIntValVar ID: 45
 i64 1 { constant data }
AddrStmt: [Var48 <-- Var49]

### Connect with SVFVar and ICFGNode

The SVFG nodes are connected with SVFVar and ICFGNode. We can use the APIs provided by the SVFGNode class to get the SVFVar and ICFGNode associated with the SVFG node.

For example, we can see ID: 66 as follows.

```
IntraPHIVFGNode ID: 66 PAGNode: [29 = PHI(27, 24, )]	    %result.0 = phi i32 [ %add, %if.then ], [ %sub, %if.else ] 
```

We know it is a PHI node, and the corresponding PAGNode is `PHI(27, 24, )`, and the ICFGNode should have a PHI SVFStmt.

In [5]:
node = svfg.getGNode(66)
if isinstance(node, pysvf.PHIVFGNode):
    phi_svfg_node = node.asPhiVFGNode()
    svf_var = phi_svfg_node.getValue()
    icfg_node = phi_svfg_node.getICFGNode()
    print("SVFGNode: {}, corresponding ICFGNode: {}, corresponding SVFVar: {}".format(node, icfg_node, svf_var))


SVFGNode: IntraPHIVFGNode ID: 66 PAGNode: [29 = PHI(27, 24, )]	    %result.0 = phi i32 [ %add, %if.then ], [ %sub, %if.else ] , corresponding ICFGNode: IntraICFGNode11 {fun: add_or_sub}
PhiStmt: [Var29 <-- ([Var24, ICFGNode9],[Var27, ICFGNode10],)]	
ValVar ID: 29
   %result.0 = phi i32 [ %add, %if.then ], [ %sub, %if.else ] 
, corresponding SVFVar: ValVar ID: 29
   %result.0 = phi i32 [ %add, %if.then ], [ %sub, %if.else ] 


From the output above, we can see the SVFG node with ID 66 is a PHI node, and the corresponding PAGNode is `ValVar ID: 29
   %result.0 = phi i32 [ %add, %if.then ], [ %sub, %if.else ]`. The ICFGNode associated with the SVFG node is `IntraICFGNode11 {fun: add_or_sub}
PhiStmt: [Var29 <-- ([Var24, ICFGNode9],[Var27, ICFGNode10],)]	
ValVar ID: 29
   %result.0 = phi i32 [ %add, %if.then ], [ %sub, %if.else ] `. Although they are different types of nodes and ids, they are connected through these apis.
   
### Summary
This tutorial demonstrates how to use PySVF to generate SVFG from a given source code. We can use the SVFG to analyze the data and control dependencies between the statements in the program, especially for its connections to SVFVar and ICFGNode. The SVFG is a powerful representation that can be used for various program analysis tasks, such as program slicing, program comprehension, and vulnerability detection.