Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance detection of buffer overflows by introducing variable for length of array/blob #1330

Draft
wants to merge 133 commits into
base: master
Choose a base branch
from
Draft

Enhance detection of buffer overflows by introducing variable for length of array/blob #1330

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
133 commits
Select commit Hold shift + click to select a range
61f9b47
Fix Todos
FungOliver Oct 20, 2023
0a12f47
add simple test case
FungOliver Nov 6, 2023
d4fbdbd
enable ana.int.interval when ana.arrayoob is enabled
FungOliver Dec 17, 2023
3660b10
add new Query MayBeOutOfBounds
FungOliver Dec 20, 2023
137c00a
add new examples for relational oob VLA check
FungOliver Dec 20, 2023
bbcad29
update method signature to include index expression for VLA and depth…
FungOliver Dec 20, 2023
045ee7f
update richvarinfo to allow global Varinfos and different types
FungOliver Dec 20, 2023
650055f
implement relational VLA OOB check
FungOliver Dec 20, 2023
ceb804b
fix error in array_oob_check
FungOliver Dec 22, 2023
ca227ab
fix flag in wrapperFunctionAnalysis
FungOliver Jan 15, 2024
0c7aef3
add new Queries MayOverflow and AllocMayBeOutOfBounds
FungOliver Jan 15, 2024
3ce652c
add overflow flag to intdomain
FungOliver Jan 15, 2024
bca3b1d
fix relationAnalysis Overflow analysis
FungOliver Jan 16, 2024
352aa16
fix overflow analysis
FungOliver Jan 16, 2024
4e34984
add memOutOfBoundsCheck
FungOliver Jan 16, 2024
0995bd3
add test for previous unsound cases
FungOliver Jan 16, 2024
e93a54e
add test cases
FungOliver Jan 16, 2024
1e0ac40
fix pointerLength not being available after return
FungOliver Jan 16, 2024
dbae0fc
simplify memOutOfBounds logic
FungOliver Jan 17, 2024
dcf5285
add pointer Tracking option
FungOliver Jan 17, 2024
e8de1c9
fix minor issues with top in Intdomain
FungOliver Jan 17, 2024
ae68820
activate ana.int.interval default for memOutOfBounds
FungOliver Jan 17, 2024
83bad7f
add helper functions back to memOutOfBounds.ml
FungOliver Jan 19, 2024
5e65842
move query to memOutOfBounds
FungOliver Jan 19, 2024
0f28db7
update query MayBeOutOfBounds
FungOliver Jan 19, 2024
5b83fd7
remove binop in VDQ
FungOliver Jan 19, 2024
848c496
remove duplicate code in relationaAnalysis and fix structOffset not u…
FungOliver Jan 21, 2024
65fc909
rename depth to Dimension
FungOliver Jan 21, 2024
8428c56
derive functions in VarinfoMappings and refactor to conform code style
FungOliver Jan 21, 2024
bb5c986
rename sizePointer and add comment
FungOliver Jan 21, 2024
2d22ecf
rename c parameter
FungOliver Jan 21, 2024
450775b
rename sizePointer in relationalAnalysis
FungOliver Jan 21, 2024
4837a39
fix bug Z.Overflow
FungOliver Jan 22, 2024
c6b56a7
renaming argPointerMapping
FungOliver Jan 22, 2024
0444184
extract common code
FungOliver Jan 22, 2024
3ed62c0
fix offset not being calculated correctly
FungOliver Jan 22, 2024
629d6d6
fix arithmetic on bot exception
FungOliver Jan 22, 2024
bd02229
don't remove allocSize vars if they are assigned to a global pointer …
FungOliver Jan 22, 2024
cafe85e
deduplicate computation of size in bytes
FungOliver Jan 22, 2024
4f74bad
rename depth to dimension
FungOliver Jan 22, 2024
c244068
make isGlobal a named parameter
FungOliver Jan 22, 2024
726a267
convert tabs to spaces
FungOliver Jan 22, 2024
8eff976
rename c to arrExpDim
FungOliver Jan 22, 2024
6ba8b6e
Rebase master onto relationalArray
FungOliver Jan 24, 2024
ed2930f
clean up trace statement
FungOliver Jan 24, 2024
8a8db42
clean up even more trace statements
FungOliver Jan 24, 2024
2a1efdb
revert space in base.ml
FungOliver Jan 24, 2024
46e12d8
clean up more code
FungOliver Jan 24, 2024
f80ad68
Revert changes signs.ml
FungOliver Jan 24, 2024
ec6068f
clean up arrayDomain.ml
FungOliver Jan 24, 2024
d4d16e2
fix Semgrep Finding: semgrep.list-map-flatten
FungOliver Jan 24, 2024
699d5be
fix bug lval not being correctly evaluated
FungOliver Jan 24, 2024
dc47fc3
fix sizeOf expression not recognized in apron
FungOliver Jan 25, 2024
13b046b
shorten variable names in memOutOfBounds
FungOliver Jan 25, 2024
2924cc3
remove activation of ana.int.interval for memOutOfBounds.ml
FungOliver Jan 25, 2024
b6807ce
adding more test cases and reformat
FungOliver Jan 25, 2024
248b4e7
update comment in get_size_of_ptr_target
FungOliver Jan 25, 2024
2c84ef0
simplify query logic
FungOliver Jan 26, 2024
2849a68
remove german comment
FungOliver Jan 26, 2024
fcdf932
rebase Fix `NullPtr` assignment crash in relation analysis
FungOliver Jan 26, 2024
ea9d00b
adapt test cases to prevent them from failing
FungOliver Jan 26, 2024
4d38398
trying out exp does not contain top
FungOliver Jan 28, 2024
33c5fb5
disable cachedqueries to fix no_overflow computation
FungOliver Jan 28, 2024
e367de8
rename duplicate test file
FungOliver Jan 29, 2024
1954ba3
Update src/analyses/apron/relationAnalysis.apron.ml
FungOliver Jan 30, 2024
054259c
update no_overflow computation
FungOliver Jan 30, 2024
a252d24
add new analysis allocVarEscaped
FungOliver Jan 30, 2024
415f71b
update name of MayOverflow query
FungOliver Jan 30, 2024
d8d77e2
add new query allocvarescaped
FungOliver Jan 30, 2024
63c5921
rename test case with number 100
FungOliver Jan 30, 2024
d9ae187
rename folder numbers from 99 98 to 86 85
FungOliver Jan 30, 2024
0a2beca
update test cases
FungOliver Jan 31, 2024
eb132e1
fix Nooverflow computation recursive calls
FungOliver Jan 31, 2024
19f9ba3
remove test case 86 04
FungOliver Jan 31, 2024
b5a259a
clean up code in memOutOfBounds
FungOliver Jan 31, 2024
c8a94a0
clean up code
FungOliver Jan 31, 2024
269e6db
rename test cases after rebase
FungOliver Jan 31, 2024
6763785
fix ikind mismatch and make consistent use of ptrdiff type
FungOliver Jan 31, 2024
e9562b6
revert CastE in replaceSizeOf
FungOliver Jan 31, 2024
26c03ac
change query result from ID.t to FlatBool.t
FungOliver Feb 1, 2024
54715f6
fix ikind mismatch due to replaceSizeOf
FungOliver Feb 1, 2024
ac11834
add new test case 85 14
FungOliver Feb 1, 2024
0514219
format test case 85 14
FungOliver Feb 1, 2024
38f17e5
use ProdFlatBool instead of ProdID and also check min/max in relation…
FungOliver Feb 1, 2024
624bdcc
disable Hashtbl. update during NoOverflow query
FungOliver Feb 1, 2024
88816f7
add comments and clean up code
FungOliver Feb 1, 2024
86e4fe5
add json confs
FungOliver Feb 1, 2024
56ef428
add source to test case
FungOliver Feb 1, 2024
6627ed5
add new comments
FungOliver Feb 2, 2024
139690a
include ctx in allocVarEscaped
FungOliver Feb 2, 2024
3e67b1d
rename assignVariable to assignLval
FungOliver Feb 2, 2024
2ba6127
add multithreading support
FungOliver Feb 2, 2024
6ae0cef
replace sizeOf in texpr
FungOliver Feb 2, 2024
b74ab71
add attribute to ghost variables
FungOliver Feb 2, 2024
e655c6b
fix memOutOfBounds not supporting expression other than lval and binop
FungOliver Feb 3, 2024
24c7e6a
update richvarinfo to lazy load the type and add isGlobal parameter t…
FungOliver Feb 9, 2024
623c408
add new Query AddressOfPointerTaken and fix type of allocAssignedToGl…
FungOliver Feb 9, 2024
b17c675
fix unsoundness in pointer_tracking when addressOf a pointer is taken
FungOliver Feb 9, 2024
43e71e2
fix indentation and tests
FungOliver Feb 9, 2024
b30eef1
fix query not having a top return
FungOliver Feb 9, 2024
b3e7c46
clean up code
FungOliver Feb 9, 2024
2738e1b
move json conf to new folder
FungOliver Feb 9, 2024
132d5d4
fix test case 85 09
FungOliver Feb 9, 2024
c13382d
update test case
FungOliver Feb 9, 2024
5d9d20d
add test case 86 04 again
FungOliver Feb 9, 2024
3e9bb74
fix bug
FungOliver Feb 9, 2024
361f5bc
rever removal of TODO
FungOliver Feb 9, 2024
5183c50
fix missing/duplicate case in queries
FungOliver Feb 10, 2024
9f13e4a
add new test and clean up previous tests
FungOliver Feb 10, 2024
d29014e
undo comments in test
FungOliver Feb 10, 2024
d3d56d1
add new test case
FungOliver Feb 10, 2024
5fe82ce
skip test case due to timeout
FungOliver Feb 10, 2024
27a61fc
format test case 86 06
FungOliver Feb 10, 2024
6aa4e15
fix bug in pointer not correctly invalidated
FungOliver Feb 10, 2024
eea98e3
fix bug in addressOfPointer
FungOliver Feb 10, 2024
4166740
expand test case 85 18 85 01
FungOliver Feb 10, 2024
705ade6
remove polyhedar domain
FungOliver Feb 10, 2024
942b311
add a new test case and fix existing ones
FungOliver Feb 10, 2024
0b100bb
add new test case 85 19
FungOliver Feb 10, 2024
c1ee198
clean up code
FungOliver Feb 11, 2024
333e7cb
clean up code
FungOliver Feb 12, 2024
a02e7f6
update json conf files
FungOliver Feb 12, 2024
bca0f0f
fix conf
FungOliver Feb 12, 2024
49fbccd
add useAfterFree analysis to conf files
FungOliver Feb 12, 2024
00642c5
fix conf files
FungOliver Feb 12, 2024
07e51af
fix exception in sizeOfTyp
FungOliver Feb 13, 2024
87d0568
fix mistake in conf file
FungOliver Feb 13, 2024
b919e9c
fix TypeOfError in AllocMayBeOutOfBounds
FungOliver Feb 13, 2024
9657391
update conf files and fix mistake with addressOfPointer
FungOliver Feb 20, 2024
ba89107
catch a few exceptions in relationalAnalaysis
FungOliver Feb 21, 2024
e0f4607
fix Fixpoint not reached exception in Pointer Tracking
FungOliver Feb 26, 2024
bb9e223
call assignLval instead of assign
FungOliver Feb 26, 2024
1e59d65
fix fixpoint errors in conf files
FungOliver Feb 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
157 changes: 157 additions & 0 deletions conf/PR-relational-array/malloc-new-analysis+pointer_tracking.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,157 @@
{
"ana": {
"sv-comp": {
"enabled": true,
"functions": true
},
"int": {
"def_exc": true,
"enums": false,
"interval": true
},
"float": {
"interval": true
},
"apron": {
"domain": "octagon",
"pointer_tracking" : true
},
"activated": [
"base",
"threadid",
"threadflag",
"threadreturn",
"mallocWrapper",
"mutexEvents",
"mutex",
"access",
"race",
"escape",
"expRelation",
"mhp",
"assert",
"var_eq",
"symb_locks",
"region",
"thread",
"threadJoins",
"apron",
"memOutOfBounds",
"taintPartialContexts",
"memLeak",
"apron",
"allocVarEscaped",
"addressOfPointer",
"useAfterFree"
],
"path_sens": [
"mutex",
"malloc_null",
"uninit",
"expsplit",
"activeSetjmp",
"memLeak",
"threadflag"
],
"context": {
"widen": false
},
"malloc": {
"wrappers": [
"kmalloc",
"__kmalloc",
"usb_alloc_urb",
"__builtin_alloca",
"kzalloc",
"ldv_malloc",
"kzalloc_node",
"ldv_zalloc",
"kmalloc_array",
"kcalloc",
"ldv_xmalloc",
"ldv_xzalloc",
"ldv_calloc",
"ldv_kzalloc"
]
},
"base": {
"arrays": {
"domain": "partitioned"
},
"invariant":{
"unassume": "fixpoint"
}
},
"race": {
"free": false,
"call": false
},
"autotune": {
"enabled": true,
"activated": [
"singleThreaded",
"mallocWrappers",
"noRecursiveIntervals",
"enums",
"congruence",
"wideningThresholds",
"loopUnrollHeuristic",
"termination",
"tmpSpecialAnalysis"
]
}
},
"exp": {
"region-offsets": true
},
"solver": "td3",
"sem": {
"unknown_function": {
"spawn": false
},
"int": {
"signed_overflow": "assume_none"
},
"null-pointer": {
"dereference": "assume_none"
}
},
"witness": {
"graphml": {
"enabled": true,
"id": "enumerate",
"unknown": false
},
"yaml": {
"enabled": true,
"format-version": "2.0",
"entry-types": [
"invariant_set"
],
"invariant-types": [
"loop_invariant"
]
},
"invariant": {
"loop-head": true,
"after-lock": false,
"other": false,
"accessed": false,
"exact": true,
"exclude-vars": [
"tmp\\(___[0-9]+\\)?",
"cond",
"RETURN",
"__\\(cil_\\)?tmp_?[0-9]*\\(_[0-9]+\\)?",
".*____CPAchecker_TMP_[0-9]+",
"__VERIFIER_assert__cond",
"__ksymtab_.*",
"\\(ldv_state_variable\\|ldv_timer_state\\|ldv_timer_list\\|ldv_irq_\\(line_\\|data_\\)?[0-9]+\\|ldv_retval\\)_[0-9]+",
".*\\$len.$"
]
}
},
"pre": {
"enabled": false
}
}
154 changes: 154 additions & 0 deletions conf/PR-relational-array/malloc-new-analysis.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,154 @@
{
"ana": {
"sv-comp": {
"enabled": true,
"functions": true
},
"int": {
"def_exc": true,
"enums": false,
"interval": true
},
"float": {
"interval": true
},
"apron": {
"domain": "octagon"
},
"activated": [
"base",
"threadid",
"threadflag",
"threadreturn",
"mallocWrapper",
"mutexEvents",
"mutex",
"access",
"race",
"escape",
"expRelation",
"mhp",
"assert",
"var_eq",
"symb_locks",
"region",
"thread",
"threadJoins",
"apron",
"memOutOfBounds",
"taintPartialContexts",
"memLeak",
"apron",
"useAfterFree"
],
"path_sens": [
"mutex",
"malloc_null",
"uninit",
"expsplit",
"activeSetjmp",
"memLeak",
"threadflag"
],
"context": {
"widen": false
},
"malloc": {
"wrappers": [
"kmalloc",
"__kmalloc",
"usb_alloc_urb",
"__builtin_alloca",
"kzalloc",
"ldv_malloc",
"kzalloc_node",
"ldv_zalloc",
"kmalloc_array",
"kcalloc",
"ldv_xmalloc",
"ldv_xzalloc",
"ldv_calloc",
"ldv_kzalloc"
]
},
"base": {
"arrays": {
"domain": "partitioned"
},
"invariant":{
"unassume": "fixpoint"
}
},
"race": {
"free": false,
"call": false
},
"autotune": {
"enabled": true,
"activated": [
"singleThreaded",
"mallocWrappers",
"noRecursiveIntervals",
"enums",
"congruence",
"wideningThresholds",
"loopUnrollHeuristic",
"termination",
"tmpSpecialAnalysis"
]
}
},
"exp": {
"region-offsets": true
},
"solver": "td3",
"sem": {
"unknown_function": {
"spawn": false
},
"int": {
"signed_overflow": "assume_none"
},
"null-pointer": {
"dereference": "assume_none"
}
},
"witness": {
"graphml": {
"enabled": true,
"id": "enumerate",
"unknown": false
},
"yaml": {
"enabled": true,
"format-version": "2.0",
"entry-types": [
"invariant_set"
],
"invariant-types": [
"loop_invariant"
]
},
"invariant": {
"loop-head": true,
"after-lock": false,
"other": false,
"accessed": false,
"exact": true,
"exclude-vars": [
"tmp\\(___[0-9]+\\)?",
"cond",
"RETURN",
"__\\(cil_\\)?tmp_?[0-9]*\\(_[0-9]+\\)?",
".*____CPAchecker_TMP_[0-9]+",
"__VERIFIER_assert__cond",
"__ksymtab_.*",
"\\(ldv_state_variable\\|ldv_timer_state\\|ldv_timer_list\\|ldv_irq_\\(line_\\|data_\\)?[0-9]+\\|ldv_retval\\)_[0-9]+",
".*\\$len.$"
]
}
},
"pre": {
"enabled": false
}
}
Loading