svf-tools 1.0.1083 → 1.0.1085

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.1083",
+  "version": "1.0.1085",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/AE/Core/AbstractState.h

@@ -61,8 +61,9 @@ class AbstractState
     friend class RelationSolver;
 public:
     typedef Map<u32_t, AbstractValue> VarToAbsValMap;
-
     typedef VarToAbsValMap AddrToAbsValMap;
+    Set<NodeID> _freedAddrs;
+
 
 public:
     /// default constructor
@@ -73,7 +74,7 @@ public:
     AbstractState(VarToAbsValMap&_varToValMap, AddrToAbsValMap&_locToValMap) : _varToAbsVal(_varToValMap), _addrToAbsVal(_locToValMap) {}
 
     /// copy constructor
-    AbstractState(const AbstractState&rhs) : _varToAbsVal(rhs.getVarToVal()), _addrToAbsVal(rhs.getLocToVal())
+    AbstractState(const AbstractState&rhs) : _freedAddrs(rhs._freedAddrs), _varToAbsVal(rhs.getVarToVal()), _addrToAbsVal(rhs.getLocToVal())
     {
 
     }
@@ -110,15 +111,10 @@ public:
         return AddressValue::isVirtualMemAddress(val);
     }
 
-    /// Return the internal index if idx is an address otherwise return the value of idx
-    static inline u32_t getInternalID(u32_t idx)
-    {
-        return AddressValue::getInternalID(idx);
-    }
-
-    static inline bool isNullPtr(u32_t addr)
+    /// Return the internal index if addr is an address otherwise return the value of idx
+    inline u32_t getIDFromAddr(u32_t addr)
     {
-        return getInternalID(addr) == 0;
+        return _freedAddrs.count(addr) ?  AddressValue::getInternalID(InvalidMemAddr) : AddressValue::getInternalID(addr);
     }
 
     AbstractState&operator=(const AbstractState&rhs)
@@ -127,6 +123,7 @@ public:
         {
             _varToAbsVal = rhs._varToAbsVal;
             _addrToAbsVal = rhs._addrToAbsVal;
+            _freedAddrs = rhs._freedAddrs;
         }
         return *this;
     }
@@ -145,6 +142,7 @@ public:
         {
             _varToAbsVal = std::move(rhs._varToAbsVal);
             _addrToAbsVal = std::move(rhs._addrToAbsVal);
+            _freedAddrs = std::move(rhs._freedAddrs);
         }
         return *this;
     }
@@ -184,6 +182,17 @@ public:
         return inv;
     }
 
+    static inline bool isNullMem(u32_t addr)
+    {
+        return AddressValue::getInternalID(addr) == NullMemAddr;
+    }
+
+    static inline bool isInvalidMem(u32_t addr)
+    {
+        return AddressValue::getInternalID(addr) == InvalidMemAddr;
+    }
+
+
 protected:
     VarToAbsValMap _varToAbsVal; ///< Map a variable (symbol) to its abstract value
     AddrToAbsValMap
@@ -279,10 +288,20 @@ public:
     /// domain join with other, important! other widen this.
     void joinWith(const AbstractState&other);
 
-
     /// domain meet with other, important! other widen this.
     void meetWith(const AbstractState&other);
 
+    void addToFreedAddrs(NodeID addr)
+    {
+        _freedAddrs.insert(addr);
+    }
+
+    bool isFreedMem(u32_t addr) const
+    {
+        return _freedAddrs.find(addr) != _freedAddrs.end();
+    }
+
+
     /**
     * if this NodeID in SVFIR is a pointer, get the pointee type
     * e.g  arr = (int*) malloc(10*sizeof(int))
@@ -299,20 +318,19 @@ public:
     inline void store(u32_t addr, const AbstractValue &val)
     {
         assert(isVirtualMemAddress(addr) && "not virtual address?");
-        if (isNullPtr(addr)) return;
-        u32_t objId = getInternalID(addr);
+        u32_t objId = getIDFromAddr(addr);
+        if (isNullMem(addr)) return;
         _addrToAbsVal[objId] = val;
     }
 
     inline virtual AbstractValue &load(u32_t addr)
     {
         assert(isVirtualMemAddress(addr) && "not virtual address?");
-        u32_t objId = getInternalID(addr);
+        u32_t objId = getIDFromAddr(addr);
         return _addrToAbsVal[objId];
 
     }
 
-
     void printAbstractState() const;
 
     std::string toString() const
@@ -396,6 +414,7 @@ public:
     {
         _addrToAbsVal.clear();
         _varToAbsVal.clear();
+        _freedAddrs.clear();
     }
 
 };

package/svf/include/AE/Core/AddressValue.h

@@ -32,8 +32,12 @@
 
 #define AddressMask 0x7f000000
 #define FlippedAddressMask (AddressMask^0xffffffff)
-// the address of the black hole, getVirtualMemAddress(2);
-#define BlackHoleAddr 0x7f000000 + 2
+// the address of InvalidMem(the black hole), getVirtualMemAddress(2);
+#define InvalidMemAddr 0x7f000000 + 2
+// the address of NullMem, getVirtualMemAddress(0);
+#define NullMemAddr 0x7f000000
+
+
 
 #include "Util/GeneralType.h"
 #include <sstream>
@@ -42,10 +46,19 @@ namespace SVF
 {
 class AddressValue
 {
+    friend class AbstractState;
+    friend class RelExeState;
 public:
     typedef Set<u32_t> AddrSet;
 private:
     AddrSet _addrs;
+
+    /// Return the internal index if idx is an address otherwise return the value of idx
+    static inline u32_t getInternalID(u32_t idx)
+    {
+        return (idx & FlippedAddressMask);
+    }
+
 public:
     /// Default constructor
     AddressValue() {}
@@ -168,26 +181,11 @@ public:
         return !v.empty();
     }
 
-    inline bool isTop() const
-    {
-        return *this->begin() == BlackHoleAddr;
-    }
-
     inline bool isBottom() const
     {
         return empty();
     }
 
-    inline void setTop()
-    {
-        *this = AddressValue(BlackHoleAddr);
-    }
-
-    inline void setBottom()
-    {
-        _addrs.clear();
-    }
-
     const std::string toString() const
     {
         std::string str;
@@ -222,11 +220,6 @@ public:
         return (val & 0xff000000) == AddressMask && val != AddressMask + 0;
     }
 
-    /// Return the internal index if idx is an address otherwise return the value of idx
-    static inline u32_t getInternalID(u32_t idx)
-    {
-        return (idx & FlippedAddressMask);
-    }
 };
 } // end namespace SVF
 #endif //Z3_EXAMPLE_ADDRESSVALUE_H

package/svf/include/AE/Svfexe/AEDetector.h

@@ -45,6 +45,7 @@ public:
     enum DetectorKind
     {
         BUF_OVERFLOW,   ///< Detector for buffer overflow issues.
+        NULL_DEREF,  ///< Detector for nullptr dereference issues.
         UNKNOWN,    ///< Default type if the kind is not specified.
     };
 
@@ -164,7 +165,8 @@ public:
      * @param objAddrs Address value for the object.
      * @param offset The interval value of the offset.
      */
-    void updateGepObjOffsetFromBase(AddressValue gepAddrs,
+    void updateGepObjOffsetFromBase(AbstractState& as,
+                                    AddressValue gepAddrs,
                                     AddressValue objAddrs,
                                     IntervalValue offset);
 
@@ -320,4 +322,116 @@ private:
     SVFBugReport recoder; ///< Recorder for abstract execution bugs.
     Map<const ICFGNode*, std::string> nodeToBugInfo; ///< Maps ICFG nodes to bug information.
 };
+class NullptrDerefDetector : public AEDetector
+{
+    friend class AbstractInterpretation;
+public:
+    NullptrDerefDetector()
+    {
+        kind = NULL_DEREF;
+    }
+
+    ~NullptrDerefDetector() = default;
+
+    static bool classof(const AEDetector* detector)
+    {
+        return detector->getKind() == AEDetector::NULL_DEREF;
+    }
+
+    /**
+     * @brief Detects nullptr dereferences issues within a node.
+     * @param as Reference to the abstract state.
+     * @param node Pointer to the ICFG node.
+     */
+    void detect(AbstractState& as, const ICFGNode* node);
+
+    /**
+     * @brief Handles external API calls related to nullptr dereferences.
+     * @param call Pointer to the call ICFG node.
+     */
+    void handleStubFunctions(const CallICFGNode* call);
+
+    /**
+     * @brief Checks if an Abstract Value is uninitialized.
+     * @param v The Abstract Value to check.
+     * @return True if the value is uninitialized, false otherwise.
+     */
+    bool isUninit(AbstractValue v)
+    {
+        bool is = v.getAddrs().isBottom() && v.getInterval().isBottom();
+        return is;
+    }
+
+    /**
+    * @brief Adds a bug to the reporter based on an exception.
+    * @param e The exception that was thrown.
+    * @param node Pointer to the ICFG node where the bug was detected.
+    */
+    void addBugToReporter(const AEException& e, const ICFGNode* node)
+    {
+        GenericBug::EventStack eventStack;
+        SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
+        eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
+
+        if (eventStack.empty())
+        {
+            return; // If the event stack is empty, return early
+        }
+        std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
+
+        // Check if the bug at this location has already been reported
+        if (bugLoc.find(loc) != bugLoc.end())
+        {
+            return; // If the bug location is already reported, return early
+        }
+        else
+        {
+            bugLoc.insert(loc); // Otherwise, mark this location as reported
+        }
+        recoder.addAbsExecBug(GenericBug::FULLNULLPTRDEREFERENCE, eventStack, 0, 0, 0, 0);
+        nodeToBugInfo[node] = e.what(); // Record the exception information for the node
+    }
+
+    /**
+     * @brief Reports all detected nullptr dereference bugs.
+     */
+    void reportBug()
+    {
+        if (!nodeToBugInfo.empty())
+        {
+            std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())
+                      + " found)######################\n";
+            std::cerr << "---------------------------------------------\n";
+            for (const auto& it : nodeToBugInfo)
+            {
+                std::cerr << it.second << "\n---------------------------------------------\n";
+            }
+        }
+    }
+
+    /**
+     * @brief Handle external API calls related to nullptr dereferences.
+     * @param as Reference to the abstract state.
+     * @param call Pointer to the call ICFG node.
+     */
+    void detectExtAPI(AbstractState& as, const CallICFGNode* call);
+
+
+    /**
+     * @brief Check if an Abstract Value is NULL (or uninitialized).
+     *
+     * @param v An Abstract Value of loaded from an address in an Abstract State.
+     */
+    bool isNull(AbstractValue v)
+    {
+        return !v.isAddr() && !v.isInterval();
+    }
+
+    bool canSafelyDerefPtr(AbstractState& as, const SVFVar* ptr);
+
+private:
+    Set<std::string> bugLoc; ///< Set of locations where bugs have been reported.
+    SVFBugReport recoder; ///< Recorder for abstract execution bugs.
+    Map<const ICFGNode*, std::string> nodeToBugInfo; ///< Maps ICFG nodes to bug information.
+};
 }

package/svf/include/AE/Svfexe/AbstractInterpretation.h

@@ -105,6 +105,7 @@ class AbstractInterpretation
     friend class AEStat;
     friend class AEAPI;
     friend class BufOverflowDetector;
+    friend class NullptrDerefDetector;
 
 public:
     typedef SCCDetection<CallGraph*> CallGraphSCC;
@@ -155,6 +156,25 @@ public:
 
     Set<const CallICFGNode*> checkpoints; // for CI check
 
+    /**
+     * @brief Retrieves the abstract state from the trace for a given ICFG node.
+     * @param node Pointer to the ICFG node.
+     * @return Reference to the abstract state.
+     * @throws Assertion if no trace exists for the node.
+     */
+    AbstractState& getAbsStateFromTrace(const ICFGNode* node)
+    {
+        const ICFGNode* repNode = icfg->getRepNode(node);
+        if (abstractTrace.count(repNode) == 0)
+        {
+            assert(false && "No preAbsTrace for this node");
+        }
+        else
+        {
+            return abstractTrace[repNode];
+        }
+    }
+
 private:
     /// Global ICFGNode is handled at the entry of the program,
     virtual void handleGlobalNode();
@@ -280,19 +300,6 @@ private:
     Set<const FunObjVar*> recursiveFuns;
 
 
-    AbstractState& getAbsStateFromTrace(const ICFGNode* node)
-    {
-        const ICFGNode* repNode = icfg->getRepNode(node);
-        if (abstractTrace.count(repNode) == 0)
-        {
-            assert(0 && "No preAbsTrace for this node");
-        }
-        else
-        {
-            return abstractTrace[repNode];
-        }
-    }
-
     bool hasAbsStateFromTrace(const ICFGNode* node)
     {
         const ICFGNode* repNode = icfg->getRepNode(node);

package/svf/include/Util/Options.h

@@ -253,6 +253,8 @@ public:
     static const Option<std::string> OutputName;
     /// buffer overflow checker, Default: false
     static const Option<bool> BufferOverflowCheck;
+    /// nullptr dereference checker, Default: false
+    static const Option<bool> NullDerefCheck;
     /// memory leak check, Default: false
     static const Option<bool> MemoryLeakCheck;
     /// file open close checker, Default: false

package/svf/lib/AE/Core/AbstractState.cpp

@@ -127,6 +127,7 @@ void AbstractState::joinWith(const AbstractState& other)
             _addrToAbsVal.emplace(key, it->second);
         }
     }
+    _freedAddrs.insert(other._freedAddrs.begin(), other._freedAddrs.end());
 }
 
 /// domain meet with other, important! other widen this.
@@ -150,6 +151,11 @@ void AbstractState::meetWith(const AbstractState& other)
             oit->second.meet_with(it->second);
         }
     }
+    Set<NodeID> intersection;
+    std::set_intersection(_freedAddrs.begin(), _freedAddrs.end(),
+                          other._freedAddrs.begin(), other._freedAddrs.end(),
+                          std::inserter(intersection, intersection.begin()));
+    _freedAddrs = std::move(intersection);
 }
 
 // getGepObjAddrs
@@ -165,7 +171,7 @@ AddressValue AbstractState::getGepObjAddrs(u32_t pointer, IntervalValue offset)
         AbstractValue addrs = (*this)[pointer];
         for (const auto& addr : addrs.getAddrs())
         {
-            s64_t baseObj = AbstractState::getInternalID(addr);
+            s64_t baseObj = getIDFromAddr(addr);
             assert(SVFUtil::isa<ObjVar>(PAG::getPAG()->getGNode(baseObj)) && "Fail to get the base object address!");
             NodeID gepObj = PAG::getPAG()->getGepObjVar(baseObj, i);
             (*this)[gepObj] = AddressValue(AbstractState::getVirtualMemAddress(gepObj));
@@ -470,7 +476,7 @@ const SVFType* AbstractState::getPointeeElement(NodeID id)
         const AbstractValue& addrs = (*this)[id];
         for (auto addr: addrs.getAddrs())
         {
-            NodeID addr_id = AbstractState::getInternalID(addr);
+            NodeID addr_id = getIDFromAddr(addr);
             if (addr_id == 0) // nullptr skip
                 continue;
             return svfir->getBaseObject(addr_id)->getType();

package/svf/lib/AE/Svfexe/AEDetector.cpp

@@ -28,9 +28,9 @@
 #include <AE/Svfexe/AEDetector.h>
 #include <AE/Svfexe/AbsExtAPI.h>
 #include <AE/Svfexe/AbstractInterpretation.h>
+#include "AE/Core/AddressValue.h"
 
 using namespace SVF;
-
 /**
  * @brief Detects buffer overflow issues within a given ICFG node.
  *
@@ -55,15 +55,14 @@ void BufOverflowDetector::detect(AbstractState& as, const ICFGNode* node)
                 NodeID rhs = gep->getRHSVarID();
 
                 // Update the GEP object offset from its base
-                updateGepObjOffsetFromBase(as[lhs].getAddrs(), as[rhs].getAddrs(), as.getByteOffset(gep));
+                updateGepObjOffsetFromBase(as, as[lhs].getAddrs(), as[rhs].getAddrs(), as.getByteOffset(gep));
 
                 IntervalValue baseObjSize = IntervalValue::bottom();
                 AddressValue objAddrs = as[gep->getRHSVarID()].getAddrs();
                 for (const auto& addr : objAddrs)
                 {
-                    NodeID objId = AbstractState::getInternalID(addr);
+                    NodeID objId = as.getIDFromAddr(addr);
                     u32_t size = 0;
-
                     if (svfir->getBaseObject(objId)->isConstantByteSize())
                     {
                         size = svfir->getBaseObject(objId)->getByteSizeOfObj();
@@ -342,22 +341,28 @@ IntervalValue BufOverflowDetector::getAccessOffset(SVF::AbstractState& as, SVF::
  * @param objAddrs The addresses of the base objects.
  * @param offset The interval value of the offset.
  */
-void BufOverflowDetector::updateGepObjOffsetFromBase(SVF::AddressValue gepAddrs, SVF::AddressValue objAddrs, SVF::IntervalValue offset)
+void BufOverflowDetector::updateGepObjOffsetFromBase(AbstractState& as, SVF::AddressValue gepAddrs, SVF::AddressValue objAddrs, SVF::IntervalValue offset)
 {
     SVFIR* svfir = PAG::getPAG();
 
     for (const auto& objAddr : objAddrs)
     {
-        NodeID objId = AbstractState::getInternalID(objAddr);
+        NodeID objId = as.getIDFromAddr(objAddr);
         auto obj = svfir->getGNode(objId);
         // if the object is a BaseObjVar, add the offset directly
         if (SVFUtil::isa<BaseObjVar>(obj))
         {
             for (const auto& gepAddr : gepAddrs)
             {
-                NodeID gepObj = AbstractState::getInternalID(gepAddr);
-                const GepObjVar* gepObjVar = SVFUtil::cast<GepObjVar>(svfir->getGNode(gepObj));
-                addToGepObjOffsetFromBase(gepObjVar, offset);
+                NodeID gepObj = as.getIDFromAddr(gepAddr);
+                if (const GepObjVar* gepObjVar = SVFUtil::dyn_cast<GepObjVar>(svfir->getGNode(gepObj)))
+                {
+                    addToGepObjOffsetFromBase(gepObjVar, offset);
+                }
+                else
+                {
+                    assert(AbstractState::isInvalidMem(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
+                }
             }
         }
         else if (SVFUtil::isa<GepObjVar>(obj))
@@ -366,17 +371,26 @@ void BufOverflowDetector::updateGepObjOffsetFromBase(SVF::AddressValue gepAddrs,
             const GepObjVar* objVar = SVFUtil::cast<GepObjVar>(obj);
             for (const auto& gepAddr : gepAddrs)
             {
-                NodeID gepObj = AbstractState::getInternalID(gepAddr);
-                const GepObjVar* gepObjVar = SVFUtil::cast<GepObjVar>(svfir->getGNode(gepObj));
-                if (hasGepObjOffsetFromBase(objVar))
+                NodeID gepObj = as.getIDFromAddr(gepAddr);
+                if (const GepObjVar* gepObjVar = SVFUtil::dyn_cast<GepObjVar>(svfir->getGNode(gepObj)))
                 {
-                    IntervalValue objOffsetFromBase = getGepObjOffsetFromBase(objVar);
-                    if (!hasGepObjOffsetFromBase(gepObjVar))
-                        addToGepObjOffsetFromBase(gepObjVar, objOffsetFromBase + offset);
+                    if (hasGepObjOffsetFromBase(objVar))
+                    {
+                        IntervalValue objOffsetFromBase =
+                            getGepObjOffsetFromBase(objVar);
+                        if (!hasGepObjOffsetFromBase(gepObjVar))
+                            addToGepObjOffsetFromBase(
+                                gepObjVar, objOffsetFromBase + offset);
+                    }
+                    else
+                    {
+                        assert(false &&
+                               "GEP RHS object has no offset from base");
+                    }
                 }
                 else
                 {
-                    assert(false && "GEP RHS object has no offset from base");
+                    assert(AbstractState::isInvalidMem(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
                 }
             }
         }
@@ -460,9 +474,8 @@ bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SV
     assert(as[value_id].isAddr());
     for (const auto& addr : as[value_id].getAddrs())
     {
-        NodeID objId = AbstractState::getInternalID(addr);
+        NodeID objId = as.getIDFromAddr(addr);
         u32_t size = 0;
-
         // if the object is a constant size object, get the size directly
         if (svfir->getBaseObject(objId)->isConstantByteSize())
         {
@@ -487,11 +500,12 @@ bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SV
         {
             offset = getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(svfir->getGNode(objId))) + len;
         }
-        else
+        else if (SVFUtil::isa<BaseObjVar>(svfir->getGNode(objId)))
         {
             // if the object is a BaseObjVar, get the offset directly
             offset = len;
         }
+
         // if the offset is greater than the size, return false
         if (offset.ub().getIntNumeral() >= size)
         {
@@ -500,3 +514,172 @@ bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SV
     }
     return true;
 }
+
+void NullptrDerefDetector::detect(AbstractState& as, const ICFGNode* node)
+{
+    if (SVFUtil::isa<CallICFGNode>(node))
+    {
+        const CallICFGNode* callNode = SVFUtil::cast<CallICFGNode>(node);
+        if (SVFUtil::isExtCall(callNode->getCalledFunction()))
+        {
+            detectExtAPI(as, callNode);
+        }
+    }
+    else
+    {
+        for (const auto& stmt: node->getSVFStmts())
+        {
+            if (const GepStmt* gep = SVFUtil::dyn_cast<GepStmt>(stmt))
+            {
+                SVFVar* rhs = gep->getRHSVar();
+                if (!canSafelyDerefPtr(as, rhs))
+                {
+                    AEException bug(stmt->toString());
+                    addBugToReporter(bug, stmt->getICFGNode());
+                }
+            }
+            else if (const LoadStmt* load = SVFUtil::dyn_cast<LoadStmt>(stmt))
+            {
+                SVFVar* lhs = load->getLHSVar();
+                if ( !canSafelyDerefPtr(as, lhs))
+                {
+                    AEException bug(stmt->toString());
+                    addBugToReporter(bug, stmt->getICFGNode());
+                }
+            }
+        }
+    }
+}
+
+
+void NullptrDerefDetector::handleStubFunctions(const CallICFGNode* callNode)
+{
+    std::string funcName = callNode->getCalledFunction()->getName();
+    if (funcName == "UNSAFE_LOAD")
+    {
+        // void UNSAFE_LOAD(void* ptr);
+        AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
+        if (callNode->arg_size() < 1)
+            return;
+        AbstractState& as = AbstractInterpretation::getAEInstance().getAbsStateFromTrace(callNode);
+
+        const SVFVar* arg0Val = callNode->getArgument(0);
+        // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)
+        bool isSafe = canSafelyDerefPtr(as, arg0Val) && arg0Val->getId() != 0;
+        if (!isSafe)
+        {
+            std::cout << "detect null pointer deference success: " << callNode->toString() << std::endl;
+            return;
+        }
+        else
+        {
+            std::string err_msg = "this UNSAFE_LOAD should be a null pointer dereference but not detected. Pos: ";
+            err_msg += callNode->getSourceLoc();
+            std::cerr << err_msg << std::endl;
+            assert(false);
+        }
+    }
+    else if (funcName == "SAFE_LOAD")
+    {
+        // void SAFE_LOAD(void* ptr);
+        AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
+        if (callNode->arg_size() < 1) return;
+        AbstractState&as = AbstractInterpretation::getAEInstance().getAbsStateFromTrace(callNode);
+        const SVFVar* arg0Val = callNode->getArgument(0);
+        // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)ols
+        bool isSafe = canSafelyDerefPtr(as, arg0Val) && arg0Val->getId() != 0;
+        if (isSafe)
+        {
+            std::cout << "safe load pointer success: " << callNode->toString() << std::endl;
+            return;
+        }
+        else
+        {
+            std::string err_msg = "this SAFE_LOAD should be a safe but a null pointer dereference detected. Pos: ";
+            err_msg += callNode->getSourceLoc();
+            std::cerr << err_msg << std::endl;
+            assert(false);
+        }
+    }
+}
+
+void NullptrDerefDetector::detectExtAPI(AbstractState& as, const CallICFGNode* call)
+{
+    assert(call->getCalledFunction() && "FunObjVar* is nullptr");
+    // get ext type
+    // get argument index which are nullptr deref checkpoints for extapi
+    std::vector<u32_t> tmp_args;
+    for (const std::string &annotation: ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
+    {
+        if (annotation.find("MEMCPY") != std::string::npos)
+        {
+            if (call->arg_size() < 4)
+            {
+                // for memcpy(void* dest, const void* src, size_t n)
+                tmp_args.push_back(0);
+                tmp_args.push_back(1);
+            }
+            else
+            {
+                // for unsigned long iconv(void* cd, char **restrict inbuf, unsigned long *restrict inbytesleft, char **restrict outbuf, unsigned long *restrict outbytesleft)
+                tmp_args.push_back(1);
+                tmp_args.push_back(2);
+                tmp_args.push_back(3);
+                tmp_args.push_back(4);
+            }
+        }
+        else if (annotation.find("MEMSET") != std::string::npos)
+        {
+            // for memset(void* dest, elem, sz)
+            tmp_args.push_back(0);
+        }
+        else if (annotation.find("STRCPY") != std::string::npos)
+        {
+            // for strcpy(void* dest, void* src)
+            tmp_args.push_back(0);
+            tmp_args.push_back(1);
+        }
+        else if (annotation.find("STRCAT") != std::string::npos)
+        {
+            // for strcat(void* dest, const void* src)
+            // for strncat(void* dest, const void* src, size_t n)
+            tmp_args.push_back(0);
+            tmp_args.push_back(1);
+        }
+    }
+
+    for (const auto &arg: tmp_args)
+    {
+        if (call->arg_size() <= arg)
+            continue;
+        const SVFVar* argVal = call->getArgument(arg);
+        if (argVal && !canSafelyDerefPtr(as, argVal))
+        {
+            AEException bug(call->toString());
+            addBugToReporter(bug, call);
+        }
+    }
+}
+
+
+bool NullptrDerefDetector::canSafelyDerefPtr(AbstractState& as, const SVFVar* value)
+{
+    NodeID value_id = value->getId();
+    AbstractValue AbsVal = as[value_id];
+    if (isUninit(AbsVal)) return false;
+    if (!AbsVal.isAddr()) return true;
+    for (const auto &addr: AbsVal.getAddrs())
+    {
+        if (AbstractState::isInvalidMem(addr))
+        {
+            return false;
+        }
+        else if (AbstractState::isNullMem(addr))
+            return false;
+        else if (as.isFreedMem(addr))
+            return false;
+    }
+
+
+    return true;
+}

package/svf/lib/AE/Svfexe/AbsExtAPI.cpp

@@ -162,7 +162,7 @@ void AbsExtAPI::initExtFunMap()
             AbstractValue Addrs = as[dst_id];
             for (auto vaddr: Addrs.getAddrs())
             {
-                u32_t objId = AbstractState::getInternalID(vaddr);
+                u32_t objId = as.getIDFromAddr(vaddr);
                 AbstractValue range = getRangeLimitFromType(svfir->getGNode(objId)->getType());
                 as.store(vaddr, range);
             }
@@ -182,7 +182,7 @@ void AbsExtAPI::initExtFunMap()
             AbstractValue Addrs = as[dst_id];
             for (auto vaddr: Addrs.getAddrs())
             {
-                u32_t objId = AbstractState::getInternalID(vaddr);
+                u32_t objId = as.getIDFromAddr(vaddr);
                 AbstractValue range = getRangeLimitFromType(svfir->getGNode(objId)->getType());
                 as.store(vaddr, range);
             }
@@ -279,7 +279,7 @@ void AbsExtAPI::initExtFunMap()
         u32_t dst_size = 0;
         for (const auto& addr : as[value_id].getAddrs())
         {
-            NodeID objId = AbstractState::getInternalID(addr);
+            NodeID objId = as.getIDFromAddr(addr);
             if (svfir->getBaseObject(objId)->isConstantByteSize())
             {
                 dst_size = svfir->getBaseObject(objId)->getByteSizeOfObj();
@@ -340,6 +340,37 @@ void AbsExtAPI::initExtFunMap()
     };
     func_map["recv"] = sse_recv;
     func_map["__recv"] = sse_recv;
+
+    auto sse_free = [&](const CallICFGNode *callNode)
+    {
+        if (callNode->arg_size() < 1) return;
+        AbstractState& as = getAbsStateFromTrace(callNode);
+        const u32_t freePtr = callNode->getArgument(0)->getId();
+        for (auto addr: as[freePtr].getAddrs())
+        {
+            if (AbstractState::isInvalidMem(addr))
+            {
+                // double free here.
+            }
+            else
+            {
+                as.addToFreedAddrs(addr);
+            }
+        }
+    };
+    // Add all free-related functions to func_map
+    std::vector<std::string> freeFunctions =
+    {
+        "VOS_MemFree", "cfree", "free", "free_all_mem", "freeaddrinfo",
+        "gcry_mpi_release", "gcry_sexp_release", "globfree", "nhfree",
+        "obstack_free", "safe_cfree", "safe_free", "safefree", "safexfree",
+        "sm_free", "vim_free", "xfree", "SSL_CTX_free", "SSL_free", "XFree"
+    };
+
+    for (const auto& name : freeFunctions)
+    {
+        func_map[name] = sse_free;
+    }
 };
 
 AbstractState& AbsExtAPI::getAbsStateFromTrace(const SVF::ICFGNode* node)
@@ -473,7 +504,7 @@ IntervalValue AbsExtAPI::getStrlen(AbstractState& as, const SVF::SVFVar *strValu
     u32_t dst_size = 0;
     for (const auto& addr : as[value_id].getAddrs())
     {
-        NodeID objId = AbstractState::getInternalID(addr);
+        NodeID objId = as.getIDFromAddr(addr);
         if (svfir->getBaseObject(objId)->isConstantByteSize())
         {
             dst_size = svfir->getBaseObject(objId)->getByteSizeOfObj();
@@ -621,7 +652,7 @@ void AbsExtAPI::handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SV
             {
                 for (const auto &src: expr_src.getAddrs())
                 {
-                    u32_t objId = AbstractState::getInternalID(src);
+                    u32_t objId = as.getIDFromAddr(src);
                     if (as.inAddrToValTable(objId))
                     {
                         as.store(dst, as.load(src));
@@ -670,7 +701,7 @@ void AbsExtAPI::handleMemset(AbstractState& as, const SVF::SVFVar *dst, Interval
             AbstractValue lhs_gep = as.getGepObjAddrs(dstId, IntervalValue(index));
             for (const auto &addr: lhs_gep.getAddrs())
             {
-                u32_t objId = AbstractState::getInternalID(addr);
+                u32_t objId = as.getIDFromAddr(addr);
                 if (as.inAddrToValTable(objId))
                 {
                     AbstractValue tmp = as.load(addr);

package/svf/lib/AE/Svfexe/AbstractInterpretation.cpp

@@ -274,7 +274,12 @@ bool AbstractInterpretation::isCmpBranchFeasible(const CmpStmt* cmpStmt, s64_t s
     NodeID op1 = cmpStmt->getOpVarID(1);
     NodeID res_id = cmpStmt->getResID();
     s32_t predicate = cmpStmt->getPredicate();
-
+    // if op0 or op1 is nullptr, no need to change value, just copy the state
+    if (op0 == IRGraph::NullPtr || op1 == IRGraph::NullPtr)
+    {
+        as = new_es;
+        return true;
+    }
     // if op0 or op1 is undefined, return;
     // skip address compare
     if (new_es.inVarToAddrsTable(op0) || new_es.inVarToAddrsTable(op1))
@@ -387,7 +392,7 @@ bool AbstractInterpretation::isCmpBranchFeasible(const CmpStmt* cmpStmt, s64_t s
         // if lhs is register value, we should also change its mem obj
         for (const auto &addr: addrs)
         {
-            NodeID objId = new_es.getInternalID(addr);
+            NodeID objId = new_es.getIDFromAddr(addr);
             if (new_es.inAddrToValTable(objId))
             {
                 new_es.load(addr).meet_with(rhs);
@@ -409,7 +414,7 @@ bool AbstractInterpretation::isCmpBranchFeasible(const CmpStmt* cmpStmt, s64_t s
         // if lhs is register value, we should also change its mem obj
         for (const auto &addr: addrs)
         {
-            NodeID objId = new_es.getInternalID(addr);
+            NodeID objId = new_es.getIDFromAddr(addr);
             if (new_es.inAddrToValTable(objId))
             {
                 new_es.load(addr).meet_with(
@@ -427,7 +432,7 @@ bool AbstractInterpretation::isCmpBranchFeasible(const CmpStmt* cmpStmt, s64_t s
         // if lhs is register value, we should also change its mem obj
         for (const auto &addr: addrs)
         {
-            NodeID objId = new_es.getInternalID(addr);
+            NodeID objId = new_es.getIDFromAddr(addr);
             if (new_es.inAddrToValTable(objId))
             {
                 new_es.load(addr).meet_with(
@@ -446,7 +451,7 @@ bool AbstractInterpretation::isCmpBranchFeasible(const CmpStmt* cmpStmt, s64_t s
         // if lhs is register value, we should also change its mem obj
         for (const auto &addr: addrs)
         {
-            NodeID objId = new_es.getInternalID(addr);
+            NodeID objId = new_es.getIDFromAddr(addr);
             if (new_es.inAddrToValTable(objId))
             {
                 new_es.load(addr).meet_with(
@@ -465,7 +470,7 @@ bool AbstractInterpretation::isCmpBranchFeasible(const CmpStmt* cmpStmt, s64_t s
         // if lhs is register value, we should also change its mem obj
         for (const auto &addr: addrs)
         {
-            NodeID objId = new_es.getInternalID(addr);
+            NodeID objId = new_es.getIDFromAddr(addr);
             if (new_es.inAddrToValTable(objId))
             {
                 new_es.load(addr).meet_with(
@@ -517,7 +522,7 @@ bool AbstractInterpretation::isSwitchBranchFeasible(const SVFVar* var, s64_t suc
                 AddressValue &addrs = new_es[load->getRHSVarID()].getAddrs();
                 for (const auto &addr: addrs)
                 {
-                    NodeID objId = new_es.getInternalID(addr);
+                    NodeID objId = new_es.getIDFromAddr(addr);
                     if (new_es.inAddrToValTable(objId))
                     {
                         new_es.load(addr).meet_with(switch_cond);
@@ -748,7 +753,7 @@ void AbstractInterpretation::indirectCallFunPass(const CallICFGNode *callNode)
     }
     AbstractValue Addrs = as[call_id];
     NodeID addr = *Addrs.getAddrs().begin();
-    SVFVar *func_var = svfir->getGNode(AbstractState::getInternalID(addr));
+    SVFVar *func_var = svfir->getGNode(as.getIDFromAddr(addr));
 
     if(const FunObjVar* funObjVar = SVFUtil::dyn_cast<FunObjVar>(func_var))
     {
@@ -928,6 +933,9 @@ void AbstractInterpretation::handleSVFStatement(const SVFStmt *stmt)
     }
     else
         assert(false && "implement this part");
+    // NullPtr is index 0, it should not be changed
+    assert(!getAbsStateFromTrace(stmt->getICFGNode())[IRGraph::NullPtr].isInterval() &&
+           !getAbsStateFromTrace(stmt->getICFGNode())[IRGraph::NullPtr].isAddr());
 }
 
 void AbstractInterpretation::SkipRecursiveCall(const CallICFGNode *callNode)
@@ -1078,6 +1086,7 @@ void AbstractInterpretation::collectCheckPoint()
     // traverse every ICFGNode
     Set<std::string> ae_checkpoint_names = {"svf_assert"};
     Set<std::string> buf_checkpoint_names = {"UNSAFE_BUFACCESS", "SAFE_BUFACCESS"};
+    Set<std::string> nullptr_checkpoint_names = {"UNSAFE_LOAD", "SAFE_LOAD"};
 
     for (auto it = svfir->getICFG()->begin(); it != svfir->getICFG()->end(); ++it)
     {
@@ -1099,6 +1108,14 @@ void AbstractInterpretation::collectCheckPoint()
                         checkpoints.insert(call);
                     }
                 }
+                if (Options::NullDerefCheck())
+                {
+                    if (nullptr_checkpoint_names.find(fun->getName()) !=
+                            nullptr_checkpoint_names.end())
+                    {
+                        checkpoints.insert(call);
+                    }
+                }
             }
         }
     }
@@ -1308,6 +1325,13 @@ void AbstractInterpretation::updateStateOnCmp(const CmpStmt *cmp)
         }
         as[res] = resVal;
     }
+    // if op0 or op1 is nullptr, compare abstractValue instead of touching addr or interval
+    else if (op0 == IRGraph::NullPtr || op1 == IRGraph::NullPtr)
+    {
+        u32_t res = cmp->getResID();
+        IntervalValue resVal = (as[op0].equals(as[op1])) ? IntervalValue(1, 1) : IntervalValue(0, 0);
+        as[res] = resVal;
+    }
     else
     {
         if (!as.inVarToValTable(op0))

package/svf/lib/Util/Options.cpp

@@ -804,6 +804,8 @@ const Option<std::string> Options::OutputName(
     "output","output db file","output.db");
 const Option<bool> Options::BufferOverflowCheck(
     "overflow","Buffer Overflow Detection",false);
+const Option<bool> Options::NullDerefCheck(
+    "null-deref","Null Pointer Dereference Detection",false);
 const Option<bool> Options::MemoryLeakCheck(
     "leak", "Memory Leak Detection",false);
 const Option<bool> Options::FileCheck(

package/svf-llvm/tools/AE/ae.cpp

@@ -885,6 +885,8 @@ int main(int argc, char** argv)
     AbstractInterpretation& ae = AbstractInterpretation::getAEInstance();
     if (Options::BufferOverflowCheck())
         ae.addDetector(std::make_unique<BufOverflowDetector>());
+    if (Options::NullDerefCheck())
+        ae.addDetector(std::make_unique<NullptrDerefDetector>());
     ae.runOnModule(pag->getICFG());
 
     AndersenWaveDiff::releaseAndersenWaveDiff();