Nullptr dereference tests

CMakeLists.txt

@@ -328,6 +328,16 @@ foreach(filename ${ae_overflow_files})
   )
 endforeach()
 
+# loops over ae_nullptr_files and run "ae $bc_file"
+file(GLOB ae_nullptr_files RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "${CMAKE_CURRENT_SOURCE_DIR}/test_cases_bc/ae_nullptr_deref_tests/*.bc")
+
+foreach(filename ${ae_nullptr_files})
+  add_test(
+          NAME ae_nullptr/${filename}
+          COMMAND ae -nullptr ${CMAKE_CURRENT_SOURCE_DIR}/${filename}
+          WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/bin
+  )
+endforeach()
 
 ## symbolic abstraction tests  (ctest -R symabs -VV)
 set(cmd "ae  -symabs")

generate_bc.sh

@@ -18,6 +18,7 @@ test_dirs="
   objtype_tests
   ae_overflow_tests
   ae_assert_tests
+  ae_nullptr_deref_tests
 "
 
 

src/ae_assert_tests/LOOP_while01-1.c

@@ -0,0 +1,12 @@
+#include "stdbool.h"
+extern void svf_assert(bool);
+
+int main(){
+    int x;
+    x=10;
+    while(x>0) {
+        x--;
+    }
+    svf_assert(x == 0);
+    return 0;
+}

src/ae_assert_tests/LOOP_while02-0.c

@@ -0,0 +1,12 @@
+#include "stdbool.h"
+extern void svf_assert(bool);
+
+int main(){
+    int x;
+    x=1;
+    while(x<128) {
+        x*=2;
+    }
+    svf_assert(x == 128);
+    return 0;
+}

src/ae_assert_tests/LOOP_while02-1.c

@@ -0,0 +1,12 @@
+#include "stdbool.h"
+extern void svf_assert(bool);
+
+int main(){
+    int x;
+    x=128;
+    while(x>4) {
+        x/=2;
+    }
+    svf_assert(x == 4);
+    return 0;
+}

src/ae_nullptr_deref_tests/array_2d_big.c

@@ -0,0 +1,23 @@
+#include <stdio.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+#define SIZE 100
+
+int main() {
+    int *arr[SIZE][SIZE];
+
+    for (int i = 0; i < SIZE; i++) {
+        for (int j = 0; j < SIZE; j++) {
+            arr[i][j] = NULL;
+        }
+    }
+
+    for (int m = 0; m < SIZE; m++) {
+        for (int n = 0; n < SIZE; n++) {
+            UNSAFE_LOAD(arr[m][n]);
+        }
+    }
+
+    return 0;
+}

src/ae_nullptr_deref_tests/array_2d_small.c

@@ -0,0 +1,16 @@
+#include <stdio.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+int main() {
+    int *arr[2][2];
+    arr[0][0] = NULL;
+    arr[0][1] = NULL;
+    arr[1][0] = NULL;
+    arr[1][1] = NULL;
+
+    UNSAFE_LOAD(arr[0][0]);
+    UNSAFE_LOAD(arr[0][1]);
+    UNSAFE_LOAD(arr[1][0]);
+    UNSAFE_LOAD(arr[1][1]);
+}

src/ae_nullptr_deref_tests/array_2d_small_partial_null.c

@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *ptr);
+extern void UNSAFE_LOAD(void *ptr);
+
+int main() {
+    int *arr[2][2];
+    arr[0][0] = NULL;
+    arr[0][1] = NULL;
+    arr[1][0] = malloc(sizeof(int));
+    arr[1][1] = malloc(sizeof(int));
+
+    *arr[1][0] = 123;
+    *arr[1][1] = 456;
+
+    UNSAFE_LOAD(arr[0][0]);
+    UNSAFE_LOAD(arr[0][1]);
+    SAFE_LOAD(arr[1][0]);
+    SAFE_LOAD(arr[1][1]);
+}

src/ae_nullptr_deref_tests/array_all_nullptr.c

@@ -0,0 +1,13 @@
+#include <stdio.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+int main() {    
+    int *n = NULL;
+    int *ptrs[5] = {n, n, n, n, n};
+    for (int i = 0; i < 5; i++) {
+        UNSAFE_LOAD(ptrs[i]);
+    }
+
+    return 0;
+}

src/ae_nullptr_deref_tests/array_of_struct.c

@@ -0,0 +1,23 @@
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *ptr);
+extern void UNSAFE_LOAD(void *ptr);
+
+struct S {
+    int *intPtr;
+};
+
+int main() {    
+    struct S arrStruct[3];
+
+    arrStruct[0].intPtr = malloc(sizeof(int));
+    *arrStruct[0].intPtr = 1024;
+
+    arrStruct[1].intPtr = NULL;
+
+    SAFE_LOAD(arrStruct[0].intPtr);     // malloc
+    UNSAFE_LOAD(arrStruct[1].intPtr);   // NULL
+    UNSAFE_LOAD(arrStruct[2].intPtr);   // uninitialized
+
+    return 0;
+}

src/ae_nullptr_deref_tests/char_ptr_arg.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+void foo(char *ptr) {
+    UNSAFE_LOAD(ptr);  // Dereferencing the NULL pointer
+}
+
+int main() {
+    char *ptr = NULL;
+
+    foo(ptr);  // Passing a NULL pointer to the function
+
+    return 0;
+}

src/ae_nullptr_deref_tests/char_ptr_arithmetic.c

@@ -0,0 +1,13 @@
+#include <stdio.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+int main() {
+    char *ptr = NULL;
+
+    char *newPtr = ptr + 5;  // Perform pointer arithmetic on NULL pointer
+
+    UNSAFE_LOAD(newPtr);  // Dereference the result
+
+    return 0;
+}

src/ae_nullptr_deref_tests/char_ptr_branch.c

@@ -0,0 +1,18 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+int main() {
+    char *ptr = (char *)malloc(sizeof(char));  // Allocate memory
+
+    int a = 0;
+
+    if (a >= 0) {
+        ptr = NULL;
+    }
+
+    UNSAFE_LOAD(ptr);
+
+    return 0;
+}

src/ae_nullptr_deref_tests/char_ptr_doubleptr.c

@@ -0,0 +1,11 @@
+#include <stdio.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+int main() {    
+
+    char **double_ptr = NULL;
+    UNSAFE_LOAD(double_ptr);  // This will trigger a null pointer dereference
+
+    return 0;
+}

src/ae_nullptr_deref_tests/char_ptr_func_return_val.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+char *getNullPointer() {
+    return NULL;  // Function returns a NULL pointer
+}
+
+int main() {
+    char *ptr = getNullPointer();
+
+    UNSAFE_LOAD(ptr);
+
+    return 0;
+}

src/ae_nullptr_deref_tests/char_ptr_in_struct_null.c

@@ -0,0 +1,20 @@
+//
+// Created by Ethan Lin on 30/9/2024.
+//
+
+#include <stdio.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+struct S {
+    char *ptr;
+};
+
+int main() {
+    struct S myStruct;
+    myStruct.ptr = NULL;
+
+    UNSAFE_LOAD(myStruct.ptr);
+
+    return 0;
+}

src/ae_nullptr_deref_tests/char_ptr_in_struct_uninitialized.c

@@ -0,0 +1,19 @@
+//
+// Created by Ethan Lin on 30/9/2024.
+//
+
+#include <stdio.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+struct S {
+    char *ptr;
+};
+
+int main() {
+    struct S myStruct;
+
+    UNSAFE_LOAD(myStruct.ptr);
+
+    return 0;
+}

src/ae_nullptr_deref_tests/char_ptr_indirect_func_return_val.c

@@ -0,0 +1,20 @@
+#include <stdio.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+char *getNullPointer() {
+    return NULL;  // Function returns a NULL pointer
+}
+
+char *foo() {
+    char *p = getNullPointer();
+    return p;
+}
+
+int main() {
+    char *ptr = foo();
+
+    UNSAFE_LOAD(ptr);  // Dereferencing the NULL pointer
+
+    return 0;
+}

src/ae_nullptr_deref_tests/char_ptr_partial_nullptr.c

@@ -0,0 +1,11 @@
+#include <stdlib.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+int main() {
+    char *p = malloc(sizeof(char) * 100);
+    *p = 'This string can be stored.';
+    free(p);
+    p = NULL;
+    UNSAFE_LOAD(p);
+}

src/ae_nullptr_deref_tests/char_ptr_simple.c

@@ -0,0 +1,8 @@
+#include <stdlib.h>
+
+extern void UNSAFE_LOAD(void *ptr);
+
+int main() {
+  char *p = NULL;
+  UNSAFE_LOAD(p);
+}

src/ae_nullptr_deref_tests/char_ptr_uninit_ptr.c

@@ -0,0 +1,7 @@
+
+extern void UNSAFE_LOAD(void *ptr);
+
+int main() {
+    char *p;
+    UNSAFE_LOAD(p);
+}

src/ae_nullptr_deref_tests/dangleptr_safe_branch.c

@@ -0,0 +1,28 @@
+//
+// Created by Ethan Lin on 11/11/2024.
+//
+
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *p);
+extern void UNSAFE_LOAD(void *p);
+
+int main() {
+    int a = 5;
+
+    int *myPtr;
+
+    myPtr = (int*)malloc(sizeof(int));
+    free(myPtr);
+    UNSAFE_LOAD(myPtr);
+    if (a > 0)
+    {
+        myPtr = &a;
+    } else
+    {
+        /* Do nothing */
+    }
+
+    SAFE_LOAD(myPtr);
+    return 0;
+}

src/ae_nullptr_deref_tests/dangleptr_safe_free_and_reassign.c

@@ -0,0 +1,21 @@
+//
+// Created by Ethan Lin on 11/11/2024.
+//
+
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *p);
+extern void UNSAFE_LOAD(void *p);
+
+int main() {
+    int a = 5;
+
+    int *myPtr;
+
+    myPtr = (int*)malloc(sizeof(int));
+    free(myPtr);
+    // UNSAFE_LOAD(myPtr);
+    myPtr = &a;
+    SAFE_LOAD(myPtr);
+    return 0;
+}