#include <AEDetector.h>
Inheritance diagram for SVF::NullptrDerefDetector:
Public Member Functions | |
| NullptrDerefDetector () | |
| ~NullptrDerefDetector ()=default | |
| void | detect (AbstractState &as, const ICFGNode *node) |
| Detects nullptr dereferences issues within a node. | |
| void | handleStubFunctions (const CallICFGNode *call) |
| Handles external API calls related to nullptr dereferences. | |
| bool | isUninit (AbstractValue v) |
| Checks if an Abstract Value is uninitialized. | |
| void | addBugToReporter (const AEException &e, const ICFGNode *node) |
| Adds a bug to the reporter based on an exception. | |
| void | reportBug () |
| Reports all detected nullptr dereference bugs. | |
| void | detectExtAPI (AbstractState &as, const CallICFGNode *call) |
| Handle external API calls related to nullptr dereferences. | |
| bool | isNull (AbstractValue v) |
| Check if an Abstract Value is NULL (or uninitialized). | |
| bool | canSafelyDerefPtr (AbstractState &as, const SVFVar *ptr) |
 Public Member Functions inherited from SVF::AEDetector | |
| AEDetector () | |
| Constructor initializes the detector kind to UNKNOWN. | |
| virtual | ~AEDetector ()=default |
| Virtual destructor for safe polymorphic use. | |
| DetectorKind | getKind () const |
| Get the kind of the detector. | |
Static Public Member Functions | |
| static bool | classof (const AEDetector *detector) |
| Static Public Member Functions inherited from SVF::AEDetector | |
| static bool | classof (const AEDetector *detector) |
| Check if the detector is of the UNKNOWN kind. | |
Private Attributes | |
| Set< std::string > | bugLoc |
| Set of locations where bugs have been reported. | |
| SVFBugReport | recoder |
| Recorder for abstract execution bugs. | |
| Map< const ICFGNode *, std::string > | nodeToBugInfo |
| Maps ICFG nodes to bug information. | |
Friends | |
| class | AbstractInterpretation |
Additional Inherited Members | |
| Public Types inherited from SVF::AEDetector | |
| enum | DetectorKind { BUF_OVERFLOW , NULL_DEREF , UNKNOWN } |
| Enumerates the types of detectors available. More... | |
| Protected Attributes inherited from SVF::AEDetector | |
| DetectorKind | kind |
| The kind of the detector. | |
Detailed Description
Definition at line 330 of file AEDetector.h.
Constructor & Destructor Documentation
◆ NullptrDerefDetector()
|
inline |
Definition at line 334 of file AEDetector.h.
◆ ~NullptrDerefDetector()
|
default |
Member Function Documentation
◆ addBugToReporter()
|
inline |
Adds a bug to the reporter based on an exception.
- Parameters
-
e The exception that was thrown. node Pointer to the ICFG node where the bug was detected.
Definition at line 376 of file AEDetector.h.
377 {
381
383 {
384 return; // If the event stack is empty, return early
385 }
386 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
387
388 // Check if the bug at this location has already been reported
390 {
391 return; // If the bug location is already reported, return early
392 }
393 else
394 {
396 }
399 }
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:441
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367
◆ canSafelyDerefPtr()
| bool NullptrDerefDetector::canSafelyDerefPtr | ( | AbstractState & | as, |
| const SVFVar * | ptr | ||
| ) |
Definition at line 679 of file AEDetector.cpp.
680{
683 // uninit value cannot be dereferenced, return unsafe
685 // Interval Value (non-addr) is not the checkpoint of nullptr dereference, return safe
688 {
689 // if the addr itself is invalid mem, report unsafe
691 return false;
692 // if nullptr is detected, return unsafe
694 return false;
695 // if addr is labeled freed mem, report unsafe
697 return false;
698 }
699
700
701 return true;
702}
Definition AbstractValue.h:35
bool isUninit(AbstractValue v)
Checks if an Abstract Value is uninitialized.
Definition AEDetector.h:364
◆ classof()
|
inlinestatic |
Definition at line 341 of file AEDetector.h.
◆ detect()
|
virtual |
Detects nullptr dereferences issues within a node.
- Parameters
-
as Reference to the abstract state. node Pointer to the ICFG node.
Implements SVF::AEDetector.
Definition at line 526 of file AEDetector.cpp.
527{
528 if (SVFUtil::isa<CallICFGNode>(node))
529 {
530 // external API like memset(*dst, elem, sz)
531 // we check if it's external api and check the corrisponding index
534 {
536 }
537 }
538 else
539 {
541 {
543 {
544 // like llvm bitcode `p = gep p, idx`
545 // we check rhs p's all address are valid mem
548 {
551 }
552 }
554 {
555 // like llvm bitcode `p = load q`
556 // we check lhs p's all address are valid mem
559 {
562 }
563 }
564 }
565 }
566}
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:109
Definition ICFGNode.h:417
Definition SVFStatements.h:524
Definition SVFStatements.h:487
bool canSafelyDerefPtr(AbstractState &as, const SVFVar *ptr)
Definition AEDetector.cpp:679
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:376
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handle external API calls related to nullptr dereferences.
Definition AEDetector.cpp:620
Definition SVFVariables.h:49
◆ detectExtAPI()
| void NullptrDerefDetector::detectExtAPI | ( | AbstractState & | as, |
| const CallICFGNode * | call | ||
| ) |
Handle external API calls related to nullptr dereferences.
- Parameters
-
as Reference to the abstract state. call Pointer to the call ICFG node.
Definition at line 620 of file AEDetector.cpp.
621{
623 // get ext type
624 // get argument index which are nullptr deref checkpoints for extapi
625 std::vector<u32_t> tmp_args;
626 for (const std::string &annotation: ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
627 {
629 {
631 {
632 // for memcpy(void* dest, const void* src, size_t n)
633 tmp_args.push_back(0);
634 tmp_args.push_back(1);
635 }
636 else
637 {
638 // for unsigned long iconv(void* cd, char **restrict inbuf, unsigned long *restrict inbytesleft, char **restrict outbuf, unsigned long *restrict outbytesleft)
639 tmp_args.push_back(1);
640 tmp_args.push_back(2);
641 tmp_args.push_back(3);
642 tmp_args.push_back(4);
643 }
644 }
646 {
647 // for memset(void* dest, elem, sz)
648 tmp_args.push_back(0);
649 }
651 {
652 // for strcpy(void* dest, void* src)
653 tmp_args.push_back(0);
654 tmp_args.push_back(1);
655 }
657 {
658 // for strcat(void* dest, const void* src)
659 // for strncat(void* dest, const void* src, size_t n)
660 tmp_args.push_back(0);
661 tmp_args.push_back(1);
662 }
663 }
664
666 {
668 continue;
671 {
674 }
675 }
676}
const FunObjVar * getCalledFunction() const
Definition ICFGNode.h:512
Definition ExtAPI.h:47
◆ handleStubFunctions()
|
virtual |
Handles external API calls related to nullptr dereferences.
- Parameters
-
call Pointer to the call ICFG node.
Implements SVF::AEDetector.
Definition at line 569 of file AEDetector.cpp.
570{
571 std::string funcName = callNode->getCalledFunction()->getName();
572 if (funcName == "UNSAFE_LOAD")
573 {
574 // void UNSAFE_LOAD(void* ptr);
577 return;
579
581 // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)
584 {
587 return;
588 }
589 else
590 {
591 SVFUtil::outs() << SVFUtil::errMsg("failure: null dereference expected at UNSAFE_LOAD, but none detected")
594 }
595 }
596 else if (funcName == "SAFE_LOAD")
597 {
598 // void SAFE_LOAD(void* ptr);
603 // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)ols
606 {
609 return;
610 }
611 else
612 {
616 }
617 }
618}
static AbstractInterpretation & getAEInstance()
Definition AbstractInterpretation.h:147
AbstractState & getAbsStateFromTrace(const ICFGNode *node)
Retrieves the abstract state from the trace for a given ICFG node.
Definition AbstractInterpretation.h:166
Set< const CallICFGNode * > checkpoints
Definition AbstractInterpretation.h:158
Definition AbstractState.h:59
std::string sucMsg(const std::string &msg)
Returns successful message by converting a string into green string output.
Definition SVFUtil.cpp:55
std::string errMsg(const std::string &msg)
Print error message by converting a string into red string output.
Definition SVFUtil.cpp:78
◆ isNull()
|
inline |
Check if an Abstract Value is NULL (or uninitialized).
- Parameters
-
v An Abstract Value of loaded from an address in an Abstract State.
Definition at line 431 of file AEDetector.h.
◆ isUninit()
|
inline |
Checks if an Abstract Value is uninitialized.
- Parameters
-
v The Abstract Value to check.
- Returns
- True if the value is uninitialized, false otherwise.
Definition at line 364 of file AEDetector.h.
◆ reportBug()
|
inlinevirtual |
Reports all detected nullptr dereference bugs.
Implements SVF::AEDetector.
Definition at line 404 of file AEDetector.h.
405 {
407 {
408 std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())
409 + " found)######################\n";
410 std::cerr << "---------------------------------------------\n";
412 {
414 }
415 }
416 }
Friends And Related Symbol Documentation
◆ AbstractInterpretation
|
friend |
Definition at line 332 of file AEDetector.h.
Member Data Documentation
◆ bugLoc
|
private |
Set of locations where bugs have been reported.
Definition at line 439 of file AEDetector.h.
◆ nodeToBugInfo
Maps ICFG nodes to bug information.
Definition at line 441 of file AEDetector.h.
◆ recoder
|
private |
Recorder for abstract execution bugs.
Definition at line 440 of file AEDetector.h.
The documentation for this class was generated from the following files:
- /home/runner/work/SVF/SVF/svf/include/AE/Svfexe/AEDetector.h
- /home/runner/work/SVF/SVF/svf/lib/AE/Svfexe/AEDetector.cpp
