svf-tools 1.0.1083 → 1.0.1084

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.1083",
+  "version": "1.0.1084",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/AE/Core/AbstractState.h

@@ -61,8 +61,9 @@ class AbstractState
     friend class RelationSolver;
 public:
     typedef Map<u32_t, AbstractValue> VarToAbsValMap;
-
     typedef VarToAbsValMap AddrToAbsValMap;
+    Set<NodeID> _freedAddrs;
+
 
 public:
     /// default constructor
@@ -73,7 +74,7 @@ public:
     AbstractState(VarToAbsValMap&_varToValMap, AddrToAbsValMap&_locToValMap) : _varToAbsVal(_varToValMap), _addrToAbsVal(_locToValMap) {}
 
     /// copy constructor
-    AbstractState(const AbstractState&rhs) : _varToAbsVal(rhs.getVarToVal()), _addrToAbsVal(rhs.getLocToVal())
+    AbstractState(const AbstractState&rhs) : _freedAddrs(rhs._freedAddrs), _varToAbsVal(rhs.getVarToVal()), _addrToAbsVal(rhs.getLocToVal())
     {
 
     }
@@ -110,15 +111,10 @@ public:
         return AddressValue::isVirtualMemAddress(val);
     }
 
-    /// Return the internal index if idx is an address otherwise return the value of idx
-    static inline u32_t getInternalID(u32_t idx)
-    {
-        return AddressValue::getInternalID(idx);
-    }
-
-    static inline bool isNullPtr(u32_t addr)
+    /// Return the internal index if addr is an address otherwise return the value of idx
+    inline u32_t getIDFromAddr(u32_t addr)
     {
-        return getInternalID(addr) == 0;
+        return _freedAddrs.count(addr) ?  AddressValue::getInternalID(InvalidMemAddr) : AddressValue::getInternalID(addr);
     }
 
     AbstractState&operator=(const AbstractState&rhs)
@@ -127,6 +123,7 @@ public:
         {
             _varToAbsVal = rhs._varToAbsVal;
             _addrToAbsVal = rhs._addrToAbsVal;
+            _freedAddrs = rhs._freedAddrs;
         }
         return *this;
     }
@@ -145,6 +142,7 @@ public:
         {
             _varToAbsVal = std::move(rhs._varToAbsVal);
             _addrToAbsVal = std::move(rhs._addrToAbsVal);
+            _freedAddrs = std::move(rhs._freedAddrs);
         }
         return *this;
     }
@@ -184,6 +182,17 @@ public:
         return inv;
     }
 
+    static inline bool isNullMem(u32_t addr)
+    {
+        return AddressValue::getInternalID(addr) == NullMemAddr;
+    }
+
+    static inline bool isInvalidMem(u32_t addr)
+    {
+        return AddressValue::getInternalID(addr) == InvalidMemAddr;
+    }
+
+
 protected:
     VarToAbsValMap _varToAbsVal; ///< Map a variable (symbol) to its abstract value
     AddrToAbsValMap
@@ -279,10 +288,19 @@ public:
     /// domain join with other, important! other widen this.
     void joinWith(const AbstractState&other);
 
-
     /// domain meet with other, important! other widen this.
     void meetWith(const AbstractState&other);
 
+    void addToFreedAddrs(NodeID addr) {
+        _freedAddrs.insert(addr);
+    }
+
+    bool isFreedMem(u32_t addr) const
+    {
+        return _freedAddrs.find(addr) != _freedAddrs.end();
+    }
+
+
     /**
     * if this NodeID in SVFIR is a pointer, get the pointee type
     * e.g  arr = (int*) malloc(10*sizeof(int))
@@ -299,20 +317,19 @@ public:
     inline void store(u32_t addr, const AbstractValue &val)
     {
         assert(isVirtualMemAddress(addr) && "not virtual address?");
-        if (isNullPtr(addr)) return;
-        u32_t objId = getInternalID(addr);
+        u32_t objId = getIDFromAddr(addr);
+        if (isNullMem(addr)) return;
         _addrToAbsVal[objId] = val;
     }
 
     inline virtual AbstractValue &load(u32_t addr)
     {
         assert(isVirtualMemAddress(addr) && "not virtual address?");
-        u32_t objId = getInternalID(addr);
+        u32_t objId = getIDFromAddr(addr);
         return _addrToAbsVal[objId];
 
     }
 
-
     void printAbstractState() const;
 
     std::string toString() const
@@ -396,6 +413,7 @@ public:
     {
         _addrToAbsVal.clear();
         _varToAbsVal.clear();
+        _freedAddrs.clear();
     }
 
 };

package/svf/include/AE/Core/AddressValue.h

@@ -32,8 +32,12 @@
 
 #define AddressMask 0x7f000000
 #define FlippedAddressMask (AddressMask^0xffffffff)
-// the address of the black hole, getVirtualMemAddress(2);
-#define BlackHoleAddr 0x7f000000 + 2
+// the address of InvalidMem(the black hole), getVirtualMemAddress(2);
+#define InvalidMemAddr 0x7f000000 + 2
+// the address of NullMem, getVirtualMemAddress(0);
+#define NullMemAddr 0x7f000000
+
+
 
 #include "Util/GeneralType.h"
 #include <sstream>
@@ -42,10 +46,19 @@ namespace SVF
 {
 class AddressValue
 {
+    friend class AbstractState;
+    friend class RelExeState;
 public:
     typedef Set<u32_t> AddrSet;
 private:
     AddrSet _addrs;
+
+    /// Return the internal index if idx is an address otherwise return the value of idx
+    static inline u32_t getInternalID(u32_t idx)
+    {
+        return (idx & FlippedAddressMask);
+    }
+
 public:
     /// Default constructor
     AddressValue() {}
@@ -168,26 +181,11 @@ public:
         return !v.empty();
     }
 
-    inline bool isTop() const
-    {
-        return *this->begin() == BlackHoleAddr;
-    }
-
     inline bool isBottom() const
     {
         return empty();
     }
 
-    inline void setTop()
-    {
-        *this = AddressValue(BlackHoleAddr);
-    }
-
-    inline void setBottom()
-    {
-        _addrs.clear();
-    }
-
     const std::string toString() const
     {
         std::string str;
@@ -222,11 +220,6 @@ public:
         return (val & 0xff000000) == AddressMask && val != AddressMask + 0;
     }
 
-    /// Return the internal index if idx is an address otherwise return the value of idx
-    static inline u32_t getInternalID(u32_t idx)
-    {
-        return (idx & FlippedAddressMask);
-    }
 };
 } // end namespace SVF
 #endif //Z3_EXAMPLE_ADDRESSVALUE_H

package/svf/include/AE/Svfexe/AEDetector.h

@@ -45,6 +45,7 @@ public:
     enum DetectorKind
     {
         BUF_OVERFLOW,   ///< Detector for buffer overflow issues.
+        NULL_DEREF,  ///< Detector for nullptr dereference issues.
         UNKNOWN,    ///< Default type if the kind is not specified.
     };
 
@@ -164,7 +165,8 @@ public:
      * @param objAddrs Address value for the object.
      * @param offset The interval value of the offset.
      */
-    void updateGepObjOffsetFromBase(AddressValue gepAddrs,
+    void updateGepObjOffsetFromBase(AbstractState& as,
+                                    AddressValue gepAddrs,
                                     AddressValue objAddrs,
                                     IntervalValue offset);
 
@@ -320,4 +322,115 @@ private:
     SVFBugReport recoder; ///< Recorder for abstract execution bugs.
     Map<const ICFGNode*, std::string> nodeToBugInfo; ///< Maps ICFG nodes to bug information.
 };
+class NullptrDerefDetector : public AEDetector{
+    friend class AbstractInterpretation;
+public:
+    NullptrDerefDetector()
+    {
+        kind = NULL_DEREF;
+    }
+
+    ~NullptrDerefDetector() = default;
+
+    static bool classof(const AEDetector* detector)
+    {
+        return detector->getKind() == AEDetector::NULL_DEREF;
+    }
+
+    /**
+     * @brief Detects nullptr dereferences issues within a node.
+     * @param as Reference to the abstract state.
+     * @param node Pointer to the ICFG node.
+     */
+    void detect(AbstractState& as, const ICFGNode* node);
+
+    /**
+     * @brief Handles external API calls related to nullptr dereferences.
+     * @param call Pointer to the call ICFG node.
+     */
+    void handleStubFunctions(const CallICFGNode* call);
+
+    /**
+     * @brief Checks if an Abstract Value is uninitialized.
+     * @param v The Abstract Value to check.
+     * @return True if the value is uninitialized, false otherwise.
+     */
+    bool isUninit(AbstractValue v) 
+    {
+        bool is = v.getAddrs().isBottom() && v.getInterval().isBottom();
+        return is;
+    }
+
+     /**
+     * @brief Adds a bug to the reporter based on an exception.
+     * @param e The exception that was thrown.
+     * @param node Pointer to the ICFG node where the bug was detected.
+     */
+    void addBugToReporter(const AEException& e, const ICFGNode* node)
+    {
+        GenericBug::EventStack eventStack;
+        SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
+        eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
+
+        if (eventStack.empty())
+        {
+            return; // If the event stack is empty, return early
+        }
+        std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
+
+        // Check if the bug at this location has already been reported
+        if (bugLoc.find(loc) != bugLoc.end())
+        {
+            return; // If the bug location is already reported, return early
+        }
+        else
+        {
+            bugLoc.insert(loc); // Otherwise, mark this location as reported
+        }
+        recoder.addAbsExecBug(GenericBug::FULLNULLPTRDEREFERENCE, eventStack, 0, 0, 0, 0);
+        nodeToBugInfo[node] = e.what(); // Record the exception information for the node
+    }
+    
+    /**
+     * @brief Reports all detected nullptr dereference bugs.
+     */
+    void reportBug()
+    {
+        if (!nodeToBugInfo.empty())
+        {
+            std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())
+                      + " found)######################\n";
+            std::cerr << "---------------------------------------------\n";
+            for (const auto& it : nodeToBugInfo)
+            {
+                std::cerr << it.second << "\n---------------------------------------------\n";
+            }
+        }
+    }
+
+    /**
+     * @brief Handle external API calls related to nullptr dereferences.
+     * @param as Reference to the abstract state.
+     * @param call Pointer to the call ICFG node.
+     */
+    void detectExtAPI(AbstractState& as, const CallICFGNode* call);
+
+ 
+    /**
+     * @brief Check if an Abstract Value is NULL (or uninitialized).
+     *
+     * @param v An Abstract Value of loaded from an address in an Abstract State.
+     */
+    bool isNull(AbstractValue v)
+    {
+        return !v.isAddr() && !v.isInterval();
+    }
+
+    bool canSafelyDerefPtr(AbstractState& as, const SVFVar* ptr);
+ 
+private:
+    Set<std::string> bugLoc; ///< Set of locations where bugs have been reported.
+    SVFBugReport recoder; ///< Recorder for abstract execution bugs.
+    Map<const ICFGNode*, std::string> nodeToBugInfo; ///< Maps ICFG nodes to bug information.
+};
 }

package/svf/include/AE/Svfexe/AbstractInterpretation.h

@@ -105,6 +105,7 @@ class AbstractInterpretation
     friend class AEStat;
     friend class AEAPI;
     friend class BufOverflowDetector;
+    friend class NullptrDerefDetector;
 
 public:
     typedef SCCDetection<CallGraph*> CallGraphSCC;
@@ -155,6 +156,25 @@ public:
 
     Set<const CallICFGNode*> checkpoints; // for CI check
 
+    /**
+     * @brief Retrieves the abstract state from the trace for a given ICFG node.
+     * @param node Pointer to the ICFG node.
+     * @return Reference to the abstract state.
+     * @throws Assertion if no trace exists for the node.
+     */
+    AbstractState& getAbsStateFromTrace(const ICFGNode* node)
+    {
+        const ICFGNode* repNode = icfg->getRepNode(node);
+        if (abstractTrace.count(repNode) == 0)
+        {
+            assert(false && "No preAbsTrace for this node");
+        }
+        else
+        {
+            return abstractTrace[repNode];
+        }
+    }
+
 private:
     /// Global ICFGNode is handled at the entry of the program,
     virtual void handleGlobalNode();
@@ -280,19 +300,6 @@ private:
     Set<const FunObjVar*> recursiveFuns;
 
 
-    AbstractState& getAbsStateFromTrace(const ICFGNode* node)
-    {
-        const ICFGNode* repNode = icfg->getRepNode(node);
-        if (abstractTrace.count(repNode) == 0)
-        {
-            assert(0 && "No preAbsTrace for this node");
-        }
-        else
-        {
-            return abstractTrace[repNode];
-        }
-    }
-
     bool hasAbsStateFromTrace(const ICFGNode* node)
     {
         const ICFGNode* repNode = icfg->getRepNode(node);

package/svf/include/Util/Options.h

@@ -253,6 +253,8 @@ public:
     static const Option<std::string> OutputName;
     /// buffer overflow checker, Default: false
     static const Option<bool> BufferOverflowCheck;
+    /// nullptr dereference checker, Default: false
+    static const Option<bool> NullDerefCheck;
     /// memory leak check, Default: false
     static const Option<bool> MemoryLeakCheck;
     /// file open close checker, Default: false

package/svf/lib/AE/Core/AbstractState.cpp

@@ -127,6 +127,7 @@ void AbstractState::joinWith(const AbstractState& other)
             _addrToAbsVal.emplace(key, it->second);
         }
     }
+    _freedAddrs.insert(other._freedAddrs.begin(), other._freedAddrs.end());
 }
 
 /// domain meet with other, important! other widen this.
@@ -150,6 +151,11 @@ void AbstractState::meetWith(const AbstractState& other)
             oit->second.meet_with(it->second);
         }
     }
+    Set<NodeID> intersection;
+    std::set_intersection(_freedAddrs.begin(), _freedAddrs.end(),
+                          other._freedAddrs.begin(), other._freedAddrs.end(),
+                          std::inserter(intersection, intersection.begin()));
+    _freedAddrs = std::move(intersection);
 }
 
 // getGepObjAddrs
@@ -165,7 +171,7 @@ AddressValue AbstractState::getGepObjAddrs(u32_t pointer, IntervalValue offset)
         AbstractValue addrs = (*this)[pointer];
         for (const auto& addr : addrs.getAddrs())
         {
-            s64_t baseObj = AbstractState::getInternalID(addr);
+            s64_t baseObj = getIDFromAddr(addr);
             assert(SVFUtil::isa<ObjVar>(PAG::getPAG()->getGNode(baseObj)) && "Fail to get the base object address!");
             NodeID gepObj = PAG::getPAG()->getGepObjVar(baseObj, i);
             (*this)[gepObj] = AddressValue(AbstractState::getVirtualMemAddress(gepObj));
@@ -470,7 +476,7 @@ const SVFType* AbstractState::getPointeeElement(NodeID id)
         const AbstractValue& addrs = (*this)[id];
         for (auto addr: addrs.getAddrs())
         {
-            NodeID addr_id = AbstractState::getInternalID(addr);
+            NodeID addr_id = getIDFromAddr(addr);
             if (addr_id == 0) // nullptr skip
                 continue;
             return svfir->getBaseObject(addr_id)->getType();