Import null pointer information from PDG into static analysis #1086
Commits on Jun 15, 2024
-
Handle nested fields and other projections
Record field and index projections for pointers by recording a Project event with a base and target pointer pair.
-
Build PDG exclusively on provenance
The event source- and assignment-based PDG construction steps were giving incorrect results for indirect accesses, so remove them completely.
-
Pointer provenance improvements
Track the provenance of pointers with finer granularity by storing the size of every allocation, local, and constant inside the corresponding events. With this information, we can keep track of the boundaries of every object and track whether a projected pointer falls inside the original allocation.
-
Add size of locals to AddrOfLocal events
Keep track of the size of every local for the new provenance algorithm.
-
Add constant size information to events
Add a new AddrOfConst event and use it to keep track of the sizes of all global constants for the new provenance algorithm.
-
Add corner case for Offset(0, _, _) nodes
Handle Offset nodes with a base pointer of 0 where the offset is non-zero, potentially resulting in a brand new pointer. One such case occurs in mod_cgi from lighttpd: const uintptr_t baseptr = (uintptr_t)env->b->ptr; for (i = 0; i < env->oused; ++i) envp[i] += baseptr; -
Add is_null flag to PDG graphs
Mark each PDG graph with a boolean flag that represents whether that graph corresponds to the null pointer or not. The PDG construction algorithm seems to build one unique graph for all null pointers in the entire program.
-
Add an extra null pointer test to analysis example
Add one test where a function argument can be either null or non-null in the recur() function of the analysis/tests/misc example code.
-
Use PDG to remove NON_NULL from pointers in static analysis
Remove the NON_NULL permission from all nodes in the null graph from the PDG.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.