#include <AEDetector.h>
Inheritance diagram for SVF::NullptrDerefDetector:
Public Member Functions | |
| NullptrDerefDetector () | |
| ~NullptrDerefDetector ()=default | |
| void | detect (AbstractState &as, const ICFGNode *node) |
| Detects nullptr dereferences issues within a node. | |
| void | handleStubFunctions (const CallICFGNode *call) |
| Handles external API calls related to nullptr dereferences. | |
| bool | isUninit (AbstractValue v) |
| Checks if an Abstract Value is uninitialized. | |
| void | addBugToReporter (const AEException &e, const ICFGNode *node) |
| Adds a bug to the reporter based on an exception. | |
| void | reportBug () |
| Reports all detected nullptr dereference bugs. | |
| void | detectExtAPI (AbstractState &as, const CallICFGNode *call) |
| Handle external API calls related to nullptr dereferences. | |
| bool | isNull (AbstractValue v) |
| Check if an Abstract Value is NULL (or uninitialized). | |
| bool | canSafelyDerefPtr (AbstractState &as, const SVFVar *ptr) |
 Public Member Functions inherited from SVF::AEDetector | |
| AEDetector () | |
| Constructor initializes the detector kind to UNKNOWN. | |
| virtual | ~AEDetector ()=default |
| Virtual destructor for safe polymorphic use. | |
| DetectorKind | getKind () const |
| Get the kind of the detector. | |
Static Public Member Functions | |
| static bool | classof (const AEDetector *detector) |
| Static Public Member Functions inherited from SVF::AEDetector | |
| static bool | classof (const AEDetector *detector) |
| Check if the detector is of the UNKNOWN kind. | |
Private Attributes | |
| Set< std::string > | bugLoc |
| Set of locations where bugs have been reported. | |
| SVFBugReport | recoder |
| Recorder for abstract execution bugs. | |
| Map< const ICFGNode *, std::string > | nodeToBugInfo |
| Maps ICFG nodes to bug information. | |
Friends | |
| class | AbstractInterpretation |
Additional Inherited Members | |
| Public Types inherited from SVF::AEDetector | |
| enum | DetectorKind { BUF_OVERFLOW , NULL_DEREF , UNKNOWN } |
| Enumerates the types of detectors available. More... | |
| Protected Attributes inherited from SVF::AEDetector | |
| DetectorKind | kind |
| The kind of the detector. | |
Detailed Description
Definition at line 330 of file AEDetector.h.
Constructor & Destructor Documentation
◆ NullptrDerefDetector()
|
inline |
Definition at line 334 of file AEDetector.h.
◆ ~NullptrDerefDetector()
|
default |
Member Function Documentation
◆ addBugToReporter()
|
inline |
Adds a bug to the reporter based on an exception.
- Parameters
-
e The exception that was thrown. node Pointer to the ICFG node where the bug was detected.
Definition at line 376 of file AEDetector.h.
377 {
381
383 {
384 return; // If the event stack is empty, return early
385 }
386 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
387
388 // Check if the bug at this location has already been reported
390 {
391 return; // If the bug location is already reported, return early
392 }
393 else
394 {
396 }
399 }
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:441
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367
◆ canSafelyDerefPtr()
| bool NullptrDerefDetector::canSafelyDerefPtr | ( | AbstractState & | as, |
| const SVFVar * | ptr | ||
| ) |
Definition at line 695 of file AEDetector.cpp.
696{
699 // uninit value cannot be dereferenced, return unsafe
701 // Interval Value (non-addr) is not the checkpoint of nullptr dereference, return safe
704 {
705 // if the addr itself is invalid mem, report unsafe
707 return false;
708 // if nullptr is detected, return unsafe
710 return false;
711 // if addr is labeled freed mem, report unsafe
713 return false;
714 }
715
716
717 return true;
718}
static bool isBlackHoleObjAddr(u32_t addr)
Definition AbstractState.h:190
Definition AbstractValue.h:35
bool isUninit(AbstractValue v)
Checks if an Abstract Value is uninitialized.
Definition AEDetector.h:364
◆ classof()
|
inlinestatic |
Definition at line 341 of file AEDetector.h.
◆ detect()
|
virtual |
Detects nullptr dereferences issues within a node.
- Parameters
-
as Reference to the abstract state. node Pointer to the ICFG node.
Implements SVF::AEDetector.
Definition at line 542 of file AEDetector.cpp.
543{
544 if (SVFUtil::isa<CallICFGNode>(node))
545 {
546 // external API like memset(*dst, elem, sz)
547 // we check if it's external api and check the corrisponding index
550 {
552 }
553 }
554 else
555 {
557 {
559 {
560 // like llvm bitcode `p = gep p, idx`
561 // we check rhs p's all address are valid mem
564 {
567 }
568 }
570 {
571 // like llvm bitcode `p = load q`
572 // we check lhs p's all address are valid mem
575 {
578 }
579 }
580 }
581 }
582}
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:109
Definition ICFGNode.h:407
Definition SVFStatements.h:589
Definition SVFStatements.h:555
bool canSafelyDerefPtr(AbstractState &as, const SVFVar *ptr)
Definition AEDetector.cpp:695
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:376
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handle external API calls related to nullptr dereferences.
Definition AEDetector.cpp:636
Definition SVFVariables.h:49
◆ detectExtAPI()
| void NullptrDerefDetector::detectExtAPI | ( | AbstractState & | as, |
| const CallICFGNode * | call | ||
| ) |
Handle external API calls related to nullptr dereferences.
- Parameters
-
as Reference to the abstract state. call Pointer to the call ICFG node.
Definition at line 636 of file AEDetector.cpp.
637{
639 // get ext type
640 // get argument index which are nullptr deref checkpoints for extapi
641 std::vector<u32_t> tmp_args;
642 for (const std::string &annotation: ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
643 {
645 {
647 {
648 // for memcpy(void* dest, const void* src, size_t n)
649 tmp_args.push_back(0);
650 tmp_args.push_back(1);
651 }
652 else
653 {
654 // for unsigned long iconv(void* cd, char **restrict inbuf, unsigned long *restrict inbytesleft, char **restrict outbuf, unsigned long *restrict outbytesleft)
655 tmp_args.push_back(1);
656 tmp_args.push_back(2);
657 tmp_args.push_back(3);
658 tmp_args.push_back(4);
659 }
660 }
662 {
663 // for memset(void* dest, elem, sz)
664 tmp_args.push_back(0);
665 }
667 {
668 // for strcpy(void* dest, void* src)
669 tmp_args.push_back(0);
670 tmp_args.push_back(1);
671 }
673 {
674 // for strcat(void* dest, const void* src)
675 // for strncat(void* dest, const void* src, size_t n)
676 tmp_args.push_back(0);
677 tmp_args.push_back(1);
678 }
679 }
680
682 {
684 continue;
687 {
690 }
691 }
692}
const FunObjVar * getCalledFunction() const
Definition ICFGNode.h:500
Definition ExtAPI.h:47
◆ handleStubFunctions()
|
virtual |
Handles external API calls related to nullptr dereferences.
- Parameters
-
call Pointer to the call ICFG node.
Implements SVF::AEDetector.
Definition at line 585 of file AEDetector.cpp.
586{
587 std::string funcName = callNode->getCalledFunction()->getName();
588 if (funcName == "UNSAFE_LOAD")
589 {
590 // void UNSAFE_LOAD(void* ptr);
593 return;
595
597 // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)
600 {
603 return;
604 }
605 else
606 {
607 SVFUtil::outs() << SVFUtil::errMsg("failure: null dereference expected at UNSAFE_LOAD, but none detected")
610 }
611 }
612 else if (funcName == "SAFE_LOAD")
613 {
614 // void SAFE_LOAD(void* ptr);
619 // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)ols
622 {
625 return;
626 }
627 else
628 {
632 }
633 }
634}
static AbstractInterpretation & getAEInstance()
Definition AbstractInterpretation.h:155
AbstractState & getAbsStateFromTrace(const ICFGNode *node)
Retrieves the abstract state from the trace for a given ICFG node.
Definition AbstractInterpretation.h:174
Set< const CallICFGNode * > checkpoints
Definition AbstractInterpretation.h:166
Definition AbstractState.h:59
std::string sucMsg(const std::string &msg)
Returns successful message by converting a string into green string output.
Definition SVFUtil.cpp:55
std::string errMsg(const std::string &msg)
Print error message by converting a string into red string output.
Definition SVFUtil.cpp:78
◆ isNull()
|
inline |
Check if an Abstract Value is NULL (or uninitialized).
- Parameters
-
v An Abstract Value of loaded from an address in an Abstract State.
Definition at line 431 of file AEDetector.h.
◆ isUninit()
|
inline |
Checks if an Abstract Value is uninitialized.
- Parameters
-
v The Abstract Value to check.
- Returns
- True if the value is uninitialized, false otherwise.
Definition at line 364 of file AEDetector.h.
◆ reportBug()
|
inlinevirtual |
Reports all detected nullptr dereference bugs.
Implements SVF::AEDetector.
Definition at line 404 of file AEDetector.h.
405 {
407 {
408 std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())
409 + " found)######################\n";
410 std::cerr << "---------------------------------------------\n";
412 {
414 }
415 }
416 }
Friends And Related Symbol Documentation
◆ AbstractInterpretation
|
friend |
Definition at line 332 of file AEDetector.h.
Member Data Documentation
◆ bugLoc
|
private |
Set of locations where bugs have been reported.
Definition at line 439 of file AEDetector.h.
◆ nodeToBugInfo
Maps ICFG nodes to bug information.
Definition at line 441 of file AEDetector.h.
◆ recoder
|
private |
Recorder for abstract execution bugs.
Definition at line 440 of file AEDetector.h.
The documentation for this class was generated from the following files:
- /home/runner/work/SVF/SVF/svf/include/AE/Svfexe/AEDetector.h
- /home/runner/work/SVF/SVF/svf/lib/AE/Svfexe/AEDetector.cpp
