SVF::NullptrDerefDetector Class Reference

#include <AEDetector.h>

Inheritance diagram for SVF::NullptrDerefDetector:

Public Member Functions
	NullptrDerefDetector ()
	~NullptrDerefDetector ()=default
void	detect (const ICFGNode *node) override
	Detects nullptr dereferences issues within a node.
void	handleStubFunctions (const CallICFGNode *call) override
	Handles external API calls related to nullptr dereferences.
bool	isUninit (AbstractValue v)
	Checks if an Abstract Value is uninitialized.
void	addBugToReporter (const AEException &e, const ICFGNode *node)
	Adds a bug to the reporter based on an exception.
void	reportBug () override
	Reports all detected nullptr dereference bugs.
void	detectExtAPI (const CallICFGNode *call)
	Handle external API calls related to nullptr dereferences.
bool	isNull (AbstractValue v)
	Check if an Abstract Value is NULL (or uninitialized).
bool	canSafelyDerefPtr (const ValVar *ptr, const ICFGNode *node)
Public Member Functions inherited from SVF::AEDetector
	AEDetector ()
	Constructor initializes the detector kind to UNKNOWN.
virtual	~AEDetector ()=default
	Virtual destructor for safe polymorphic use.
DetectorKind	getKind () const
	Get the kind of the detector.

Static Public Member Functions
static bool	classof (const AEDetector *detector)
Static Public Member Functions inherited from SVF::AEDetector
static bool	classof (const AEDetector *detector)
	Check if the detector is of the UNKNOWN kind.

Private Attributes
Set< std::string >	bugLoc
	Set of locations where bugs have been reported.
SVFBugReport	recoder
	Recorder for abstract execution bugs.
Map< const ICFGNode *, std::string >	nodeToBugInfo
	Maps ICFG nodes to bug information.

Friends
class	AbstractInterpretation

Additional Inherited Members
Public Types inherited from SVF::AEDetector
enum	DetectorKind { BUF_OVERFLOW , NULL_DEREF , UNKNOWN }
	Enumerates the types of detectors available. More...
Protected Attributes inherited from SVF::AEDetector
DetectorKind	kind
	The kind of the detector.

Detailed Description

Definition at line 331 of file AEDetector.h.

Constructor & Destructor Documentation

NullptrDerefDetector()

SVF::NullptrDerefDetector::NullptrDerefDetector ( )

inline

Definition at line 335 of file AEDetector.h.

    {
        kind = NULL_DEREF;
    }

~NullptrDerefDetector()

SVF::NullptrDerefDetector::~NullptrDerefDetector ( )

default

Member Function Documentation

addBugToReporter()

void SVF::NullptrDerefDetector::addBugToReporter ( const AEException &  e, const ICFGNode *  node  )

inline

Adds a bug to the reporter based on an exception.

Parameters

e	The exception that was thrown.
node	Pointer to the ICFG node where the bug was detected.

Definition at line 377 of file AEDetector.h.

    {
        GenericBug::EventStack eventStack;
        SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
        eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
 
        if (eventStack.empty())
        {
            return; // If the event stack is empty, return early
        }
        std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
 
        // Check if the bug at this location has already been reported
        if (bugLoc.find(loc) != bugLoc.end())
        {
            return; // If the bug location is already reported, return early
        }
        else
        {
            bugLoc.insert(loc); // Otherwise, mark this location as reported
        }
        recoder.addAbsExecBug(GenericBug::FULLNULLPTRDEREFERENCE, eventStack, 0, 0, 0, 0);
        nodeToBugInfo[node] = e.what(); // Record the exception information for the node
    }

canSafelyDerefPtr()

bool NullptrDerefDetector::canSafelyDerefPtr	(	const ValVar *	ptr,
		const ICFGNode *	node
	)

Definition at line 669 of file AEDetector.cpp.

{
    auto& ae = AbstractInterpretation::getAEInstance();
    const AbstractValue& AbsVal = ae.getAbsValue(value, node);
    if (isUninit(AbsVal)) return false;
    if (!AbsVal.isAddr()) return true;
    for (const auto &addr: AbsVal.getAddrs())
    {
        // if the addr itself is invalid mem, report unsafe
        if (AbstractState::isBlackHoleObjAddr(addr))
            return false;
        // if nullptr is detected, return unsafe
        else if (AbstractState::isNullMem(addr))
            return false;
        // if addr is labeled freed mem, report unsafe
        else if (ae.getAbsState(node).isFreedMem(addr))
            return false;
    }
    return true;
}

classof()

static bool SVF::NullptrDerefDetector::classof ( const AEDetector *  detector )

inlinestatic

Definition at line 342 of file AEDetector.h.

    {
        return detector->getKind() == AEDetector::NULL_DEREF;
    }

detect()

void NullptrDerefDetector::detect ( const ICFGNode *  node )

overridevirtual

Detects nullptr dereferences issues within a node.

Parameters

as	Reference to the abstract state.
node	Pointer to the ICFG node.

Implements SVF::AEDetector.

Definition at line 514 of file AEDetector.cpp.

{
    if (SVFUtil::isa<CallICFGNode>(node))
    {
        // external API like memset(*dst, elem, sz)
        // we check if it's external api and check the corrisponding index
        const CallICFGNode* callNode = SVFUtil::cast<CallICFGNode>(node);
        if (SVFUtil::isExtCall(callNode->getCalledFunction()))
        {
            detectExtAPI(callNode);
        }
    }
    else
    {
        for (const auto& stmt: node->getSVFStmts())
        {
            if (const GepStmt* gep = SVFUtil::dyn_cast<GepStmt>(stmt))
            {
                // like llvm bitcode `p = gep p, idx`
                // we check rhs p's all address are valid mem
                const ValVar* rhs = gep->getRHSVar();
                if (!canSafelyDerefPtr(rhs, node))
                {
                    AEException bug(stmt->toString());
                    addBugToReporter(bug, stmt->getICFGNode());
                }
            }
            else if (const LoadStmt* load = SVFUtil::dyn_cast<LoadStmt>(stmt))
            {
                // like llvm bitcode `p = load q`
                // we check lhs p's all address are valid mem
                const ValVar* lhs = load->getLHSVar();
                if (!canSafelyDerefPtr(lhs, node))
                {
                    AEException bug(stmt->toString());
                    addBugToReporter(bug, stmt->getICFGNode());
                }
            }
        }
    }
}

detectExtAPI()

void NullptrDerefDetector::detectExtAPI

(

const CallICFGNode *

call

)

Handle external API calls related to nullptr dereferences.

Parameters

as	Reference to the abstract state.
call	Pointer to the call ICFG node.

Definition at line 610 of file AEDetector.cpp.

{
    assert(call->getCalledFunction() && "FunObjVar* is nullptr");
    // get ext type
    // get argument index which are nullptr deref checkpoints for extapi
    std::vector<u32_t> tmp_args;
    for (const std::string &annotation: ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
    {
        if (annotation.find("MEMCPY") != std::string::npos)
        {
            if (call->arg_size() < 4)
            {
                // for memcpy(void* dest, const void* src, size_t n)
                tmp_args.push_back(0);
                tmp_args.push_back(1);
            }
            else
            {
                // for unsigned long iconv(void* cd, char **restrict inbuf, unsigned long *restrict inbytesleft, char **restrict outbuf, unsigned long *restrict outbytesleft)
                tmp_args.push_back(1);
                tmp_args.push_back(2);
                tmp_args.push_back(3);
                tmp_args.push_back(4);
            }
        }
        else if (annotation.find("MEMSET") != std::string::npos)
        {
            // for memset(void* dest, elem, sz)
            tmp_args.push_back(0);
        }
        else if (annotation.find("STRCPY") != std::string::npos)
        {
            // for strcpy(void* dest, void* src)
            tmp_args.push_back(0);
            tmp_args.push_back(1);
        }
        else if (annotation.find("STRCAT") != std::string::npos)
        {
            // for strcat(void* dest, const void* src)
            // for strncat(void* dest, const void* src, size_t n)
            tmp_args.push_back(0);
            tmp_args.push_back(1);
        }
    }
 
    for (const auto &arg: tmp_args)
    {
        if (call->arg_size() <= arg)
            continue;
        const ValVar* argVal = call->getArgument(arg);
        if (argVal && !canSafelyDerefPtr(argVal, call))
        {
            AEException bug(call->toString());
            addBugToReporter(bug, call);
        }
    }
}

handleStubFunctions()

void NullptrDerefDetector::handleStubFunctions ( const CallICFGNode *  call )

overridevirtual

Handles external API calls related to nullptr dereferences.

Parameters

call	Pointer to the call ICFG node.

Implements SVF::AEDetector.

Definition at line 557 of file AEDetector.cpp.

{
    std::string funcName = callNode->getCalledFunction()->getName();
    auto& ae = AbstractInterpretation::getAEInstance();
    if (funcName == "UNSAFE_LOAD")
    {
        // void UNSAFE_LOAD(void* ptr);
        ae.getUtils()->checkpoints.erase(callNode);
        if (callNode->arg_size() < 1)
            return;
 
        const ValVar* arg0Val = callNode->getArgument(0);
        // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)
        bool isSafe = canSafelyDerefPtr(arg0Val, callNode) && arg0Val->getId() != 0;
        SVFUtil::outs() << "[UNSAFE_LOAD] node=" << callNode->getId()
                        << " arg0=" << arg0Val->getId() << " isSafe=" << isSafe
                        << "\n";
        if (!isSafe)
        {
            SVFUtil::outs() << SVFUtil::sucMsg("success: expected null dereference at UNSAFE_LOAD")
                            << " — " << callNode->toString() << "\n";
            return;
        }
        else
        {
            SVFUtil::outs() << SVFUtil::errMsg("failure: null dereference expected at UNSAFE_LOAD, but none detected")
                            << " — Position: " << callNode->getSourceLoc() << "\n";
            assert(false);
        }
    }
    else if (funcName == "SAFE_LOAD")
    {
        // void SAFE_LOAD(void* ptr);
        ae.getUtils()->checkpoints.erase(callNode);
        if (callNode->arg_size() < 1) return;
        const ValVar* arg0Val = callNode->getArgument(0);
        // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)ols
        bool isSafe = canSafelyDerefPtr(arg0Val, callNode) && arg0Val->getId() != 0;
        if (isSafe)
        {
            SVFUtil::outs() << SVFUtil::sucMsg("success: expected safe dereference at SAFE_LOAD")
                            << " — " << callNode->toString() << "\n";
            return;
        }
        else
        {
            SVFUtil::outs() << SVFUtil::errMsg("failure: unexpected null dereference at SAFE_LOAD")
                            << " — Position: " << callNode->getSourceLoc() << "\n";
            assert(false);
        }
    }
}

isNull()

bool SVF::NullptrDerefDetector::isNull ( AbstractValue  v )

inline

Check if an Abstract Value is NULL (or uninitialized).

Parameters

v	An Abstract Value of loaded from an address in an Abstract State.

Definition at line 432 of file AEDetector.h.

    {
        return !v.isAddr() && !v.isInterval();
    }

isUninit()

bool SVF::NullptrDerefDetector::isUninit ( AbstractValue  v )

inline

Checks if an Abstract Value is uninitialized.

Parameters

v	The Abstract Value to check.

Returns

True if the value is uninitialized, false otherwise.

Definition at line 365 of file AEDetector.h.

    {
        // uninitialized value has neither interval value nor address value
        bool is = v.getAddrs().isBottom() && v.getInterval().isBottom();
        return is;
    }

reportBug()

void SVF::NullptrDerefDetector::reportBug ( )

inlineoverridevirtual

Reports all detected nullptr dereference bugs.

Implements SVF::AEDetector.

Definition at line 405 of file AEDetector.h.

    {
        if (!nodeToBugInfo.empty())
        {
            std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())
                      + " found)######################\n";
            std::cerr << "---------------------------------------------\n";
            for (const auto& it : nodeToBugInfo)
            {
                std::cerr << it.second << "\n---------------------------------------------\n";
            }
        }
    }

Friends And Related Symbol Documentation

AbstractInterpretation

friend class AbstractInterpretation

friend

Definition at line 333 of file AEDetector.h.

Member Data Documentation

bugLoc

Set<std::string> SVF::NullptrDerefDetector::bugLoc

private

Set of locations where bugs have been reported.

Definition at line 440 of file AEDetector.h.

nodeToBugInfo

Map<const ICFGNode*, std::string> SVF::NullptrDerefDetector::nodeToBugInfo

private

Maps ICFG nodes to bug information.

Definition at line 442 of file AEDetector.h.

recoder

SVFBugReport SVF::NullptrDerefDetector::recoder

private

Recorder for abstract execution bugs.

Definition at line 441 of file AEDetector.h.

---

The documentation for this class was generated from the following files:

• /home/runner/work/SVF/SVF/svf/include/AE/Svfexe/AEDetector.h
• /home/runner/work/SVF/SVF/svf/lib/AE/Svfexe/AEDetector.cpp