#include <AEDetector.h>
Inheritance diagram for SVF::NullptrDerefDetector:
Public Member Functions | |
| NullptrDerefDetector () | |
| ~NullptrDerefDetector ()=default | |
| void | detect (AbstractState &as, const ICFGNode *node) |
| Detects nullptr dereferences issues within a node. | |
| void | handleStubFunctions (const CallICFGNode *call) |
| Handles external API calls related to nullptr dereferences. | |
| bool | isUninit (AbstractValue v) |
| Checks if an Abstract Value is uninitialized. | |
| void | addBugToReporter (const AEException &e, const ICFGNode *node) |
| Adds a bug to the reporter based on an exception. | |
| void | reportBug () |
| Reports all detected nullptr dereference bugs. | |
| void | detectExtAPI (AbstractState &as, const CallICFGNode *call) |
| Handle external API calls related to nullptr dereferences. | |
| bool | isNull (AbstractValue v) |
| Check if an Abstract Value is NULL (or uninitialized). | |
| bool | canSafelyDerefPtr (AbstractState &as, const SVFVar *ptr) |
 Public Member Functions inherited from SVF::AEDetector | |
| AEDetector () | |
| Constructor initializes the detector kind to UNKNOWN. | |
| virtual | ~AEDetector ()=default |
| Virtual destructor for safe polymorphic use. | |
| DetectorKind | getKind () const |
| Get the kind of the detector. | |
Static Public Member Functions | |
| static bool | classof (const AEDetector *detector) |
| Static Public Member Functions inherited from SVF::AEDetector | |
| static bool | classof (const AEDetector *detector) |
| Check if the detector is of the UNKNOWN kind. | |
Private Attributes | |
| Set< std::string > | bugLoc |
| Set of locations where bugs have been reported. | |
| SVFBugReport | recoder |
| Recorder for abstract execution bugs. | |
| Map< const ICFGNode *, std::string > | nodeToBugInfo |
| Maps ICFG nodes to bug information. | |
Friends | |
| class | AbstractInterpretation |
Additional Inherited Members | |
| Public Types inherited from SVF::AEDetector | |
| enum | DetectorKind { BUF_OVERFLOW , NULL_DEREF , UNKNOWN } |
| Enumerates the types of detectors available. More... | |
| Protected Attributes inherited from SVF::AEDetector | |
| DetectorKind | kind |
| The kind of the detector. | |
Detailed Description
Definition at line 326 of file AEDetector.h.
Constructor & Destructor Documentation
◆ NullptrDerefDetector()
|
inline |
Definition at line 330 of file AEDetector.h.
◆ ~NullptrDerefDetector()
|
default |
Member Function Documentation
◆ addBugToReporter()
|
inline |
Adds a bug to the reporter based on an exception.
- Parameters
-
e The exception that was thrown. node Pointer to the ICFG node where the bug was detected.
Definition at line 372 of file AEDetector.h.
373 {
377
379 {
380 return; // If the event stack is empty, return early
381 }
382 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
383
384 // Check if the bug at this location has already been reported
386 {
387 return; // If the bug location is already reported, return early
388 }
389 else
390 {
392 }
395 }
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:437
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367
◆ canSafelyDerefPtr()
| bool NullptrDerefDetector::canSafelyDerefPtr | ( | AbstractState & | as, |
| const SVFVar * | ptr | ||
| ) |
Definition at line 678 of file AEDetector.cpp.
679{
682 // uninit value cannot be dereferenced, return unsafe
684 // Interval Value (non-addr) is not the checkpoint of nullptr dereference, return safe
687 {
688 // if the addr itself is invalid mem, report unsafe
690 return false;
691 // if nullptr is detected, return unsafe
693 return false;
694 // if addr is labeled freed mem, report unsafe
696 return false;
697 }
698
699
700 return true;
701}
Definition AbstractValue.h:35
bool isUninit(AbstractValue v)
Checks if an Abstract Value is uninitialized.
Definition AEDetector.h:360
◆ classof()
|
inlinestatic |
Definition at line 337 of file AEDetector.h.
◆ detect()
|
virtual |
Detects nullptr dereferences issues within a node.
- Parameters
-
as Reference to the abstract state. node Pointer to the ICFG node.
Implements SVF::AEDetector.
Definition at line 525 of file AEDetector.cpp.
526{
527 if (SVFUtil::isa<CallICFGNode>(node))
528 {
529 // external API like memset(*dst, elem, sz)
530 // we check if it's external api and check the corrisponding index
533 {
535 }
536 }
537 else
538 {
540 {
542 {
543 // like llvm bitcode `p = gep p, idx`
544 // we check rhs p's all address are valid mem
547 {
550 }
551 }
553 {
554 // like llvm bitcode `p = load q`
555 // we check lhs p's all address are valid mem
558 {
561 }
562 }
563 }
564 }
565}
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:108
Definition ICFGNode.h:417
Definition SVFStatements.h:524
Definition SVFStatements.h:487
bool canSafelyDerefPtr(AbstractState &as, const SVFVar *ptr)
Definition AEDetector.cpp:678
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:372
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handle external API calls related to nullptr dereferences.
Definition AEDetector.cpp:619
Definition SVFVariables.h:47
◆ detectExtAPI()
| void NullptrDerefDetector::detectExtAPI | ( | AbstractState & | as, |
| const CallICFGNode * | call | ||
| ) |
Handle external API calls related to nullptr dereferences.
- Parameters
-
as Reference to the abstract state. call Pointer to the call ICFG node.
Definition at line 619 of file AEDetector.cpp.
620{
622 // get ext type
623 // get argument index which are nullptr deref checkpoints for extapi
624 std::vector<u32_t> tmp_args;
625 for (const std::string &annotation: ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
626 {
628 {
630 {
631 // for memcpy(void* dest, const void* src, size_t n)
632 tmp_args.push_back(0);
633 tmp_args.push_back(1);
634 }
635 else
636 {
637 // for unsigned long iconv(void* cd, char **restrict inbuf, unsigned long *restrict inbytesleft, char **restrict outbuf, unsigned long *restrict outbytesleft)
638 tmp_args.push_back(1);
639 tmp_args.push_back(2);
640 tmp_args.push_back(3);
641 tmp_args.push_back(4);
642 }
643 }
645 {
646 // for memset(void* dest, elem, sz)
647 tmp_args.push_back(0);
648 }
650 {
651 // for strcpy(void* dest, void* src)
652 tmp_args.push_back(0);
653 tmp_args.push_back(1);
654 }
656 {
657 // for strcat(void* dest, const void* src)
658 // for strncat(void* dest, const void* src, size_t n)
659 tmp_args.push_back(0);
660 tmp_args.push_back(1);
661 }
662 }
663
665 {
667 continue;
670 {
673 }
674 }
675}
const FunObjVar * getCalledFunction() const
Definition ICFGNode.h:512
Definition ExtAPI.h:47
◆ handleStubFunctions()
|
virtual |
Handles external API calls related to nullptr dereferences.
- Parameters
-
call Pointer to the call ICFG node.
Implements SVF::AEDetector.
Definition at line 568 of file AEDetector.cpp.
569{
570 std::string funcName = callNode->getCalledFunction()->getName();
571 if (funcName == "UNSAFE_LOAD")
572 {
573 // void UNSAFE_LOAD(void* ptr);
576 return;
578
580 // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)
583 {
586 return;
587 }
588 else
589 {
590 SVFUtil::outs() << SVFUtil::errMsg("failure: null dereference expected at UNSAFE_LOAD, but none detected")
593 }
594 }
595 else if (funcName == "SAFE_LOAD")
596 {
597 // void SAFE_LOAD(void* ptr);
602 // opt may directly dereference a null pointer and call UNSAFE_LOAD(null)ols
605 {
608 return;
609 }
610 else
611 {
615 }
616 }
617}
static AbstractInterpretation & getAEInstance()
Definition AbstractInterpretation.h:146
AbstractState & getAbsStateFromTrace(const ICFGNode *node)
Retrieves the abstract state from the trace for a given ICFG node.
Definition AbstractInterpretation.h:165
Set< const CallICFGNode * > checkpoints
Definition AbstractInterpretation.h:157
Definition AbstractState.h:59
std::string sucMsg(const std::string &msg)
Returns successful message by converting a string into green string output.
Definition SVFUtil.cpp:55
std::string errMsg(const std::string &msg)
Print error message by converting a string into red string output.
Definition SVFUtil.cpp:78
◆ isNull()
|
inline |
Check if an Abstract Value is NULL (or uninitialized).
- Parameters
-
v An Abstract Value of loaded from an address in an Abstract State.
Definition at line 427 of file AEDetector.h.
◆ isUninit()
|
inline |
Checks if an Abstract Value is uninitialized.
- Parameters
-
v The Abstract Value to check.
- Returns
- True if the value is uninitialized, false otherwise.
Definition at line 360 of file AEDetector.h.
◆ reportBug()
|
inlinevirtual |
Reports all detected nullptr dereference bugs.
Implements SVF::AEDetector.
Definition at line 400 of file AEDetector.h.
401 {
403 {
404 std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())
405 + " found)######################\n";
406 std::cerr << "---------------------------------------------\n";
408 {
410 }
411 }
412 }
Friends And Related Symbol Documentation
◆ AbstractInterpretation
|
friend |
Definition at line 328 of file AEDetector.h.
Member Data Documentation
◆ bugLoc
|
private |
Set of locations where bugs have been reported.
Definition at line 435 of file AEDetector.h.
◆ nodeToBugInfo
Maps ICFG nodes to bug information.
Definition at line 437 of file AEDetector.h.
◆ recoder
|
private |
Recorder for abstract execution bugs.
Definition at line 436 of file AEDetector.h.
The documentation for this class was generated from the following files:
- /home/runner/work/SVF/SVF/svf/include/AE/Svfexe/AEDetector.h
- /home/runner/work/SVF/SVF/svf/lib/AE/Svfexe/AEDetector.cpp
