SVF-tools
diff --git a/‎src/ae_nullptr_deref_tests/EexAPI_strcat.c‎
Lines changed: 44 additions & 0 deletions b/‎src/ae_nullptr_deref_tests/EexAPI_strcat.c‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy.c‎
Lines changed: 45 additions & 0 deletions b/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy.c‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy_char_ptr.c‎
Lines changed: 25 additions & 0 deletions b/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy_char_ptr.c‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy_int_ptr.c‎
Lines changed: 27 additions & 0 deletions b/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy_int_ptr.c‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy_null_ptr.c‎
Lines changed: 20 additions & 0 deletions b/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy_null_ptr.c‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy_stack_ptr.c‎
Lines changed: 21 additions & 0 deletions b/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy_stack_ptr.c‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy_void_ptr.c‎
Lines changed: 24 additions & 0 deletions b/‎src/ae_nullptr_deref_tests/ExtAPI_memcpy_void_ptr.c‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎src/ae_nullptr_deref_tests/ExtAPI_memset.c‎
Lines changed: 29 additions & 0 deletions b/‎src/ae_nullptr_deref_tests/ExtAPI_memset.c‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎src/ae_nullptr_deref_tests/ExtAPI_memset_char_ptr.c‎
Lines changed: 18 additions & 0 deletions b/‎src/ae_nullptr_deref_tests/ExtAPI_memset_char_ptr.c‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎src/ae_nullptr_deref_tests/ExtAPI_memset_int_ptr.c‎
Lines changed: 18 additions & 0 deletions b/‎src/ae_nullptr_deref_tests/ExtAPI_memset_int_ptr.c‎
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *ptr);
+extern void UNSAFE_LOAD(void *ptr);
+
+void test_safe_strcat() {
+    char *a = (char *)malloc(20);
+    char *b = (char *)malloc(20);
+    if (a && b) {
+        strcpy(a, "Hello");
+        strcpy(b, " World");
+
+        // Safe usage
+        SAFE_LOAD(a);  // Access before strcat
+        SAFE_LOAD(b);
+
+        strcat(a, b);  // Concatenate strings
+    }
+    free(a);
+    free(b);
+}
+
+void test_unsafe_strcat() {
+    char *a = NULL;
+    char *b = (char *)malloc(20);
+    if (b) {
+        strcpy(b, " World");
+
+        // Unsafe usage
+        UNSAFE_LOAD(a);  // a is NULL — this is unsafe
+        SAFE_LOAD(b);  // b is valid
+
+        strcat(a, b);  // Undefined behavior (null dereference)
+    }
+    free(b);
+}
+
+int main() {
+    test_safe_strcat();
+    test_unsafe_strcat();  // This will likely crash — intended for static analysis tools like SVF
+    return 0;
+}
@@ -0,0 +1,45 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *ptr);
+extern void UNSAFE_LOAD(void *ptr);
+
+void test_safe_memcpy() {
+    int *a = (int *)malloc(5 * sizeof(int));
+    int *b = (int *)malloc(5 * sizeof(int));
+    if (a && b) {
+        for (int i = 0; i < 5; ++i) {
+            b[i] = i;
+        }
+
+        SAFE_LOAD(a);
+        SAFE_LOAD(b);
+
+        memcpy(a, b, 5 * sizeof(int));  // Safe copy of 5 integers
+    }
+    free(a);
+    free(b);
+}
+
+void test_unsafe_memcpy() {
+    int *a = NULL;
+    int *b = (int *)malloc(5 * sizeof(int));
+    if (b) {
+        for (int i = 0; i < 5; ++i) {
+            b[i] = i;
+        }
+
+        UNSAFE_LOAD(a);  // a is NULL — unsafe
+        SAFE_LOAD(b);  // b is valid
+
+        memcpy(a, b, 5 * sizeof(int));  // Undefined behavior
+    }
+    free(b);
+}
+
+int main() {
+    test_safe_memcpy();
+    test_unsafe_memcpy();  // Likely crash
+    return 0;
+}
@@ -0,0 +1,25 @@
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+extern void SAFE_LOAD(void *ptr);  // This pointer is guaranteed safe
+extern void UNSAFE_LOAD(void *ptr);  // This pointer is guaranteed unsafe
+
+int main() {
+    char* buf = (char*)malloc(10 * sizeof(char));  // Dynamically allocate memory
+    char* buf_copy = (char*)malloc(10 * sizeof(char));  // Dynamically allocate memory for copy
+
+    memcpy(buf, "Hello", 5);  // Copy "Hello" into buf (valid pointer)
+    memcpy(buf_copy, buf, 5);  // Copy the content of buf into buf_copy
+
+    SAFE_LOAD(buf);  // Safe load: buf is valid
+    SAFE_LOAD(buf_copy);  // Safe load: buf_copy is valid
+
+    free(buf);  // Free allocated memory for buf
+    UNSAFE_LOAD(buf);  // Unsafe load: buf is now invalid
+
+    free(buf_copy);  // Free allocated memory for buf_copy
+    UNSAFE_LOAD(buf_copy);  // Unsafe load: buf_copy is now invalid
+
+    return 0;
+}
@@ -0,0 +1,27 @@
+#include <string.h>
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *ptr);  // This pointer is guaranteed safe
+extern void UNSAFE_LOAD(void *ptr);  // This pointer is guaranteed unsafe
+
+int main() {
+    int* arr = (int*)malloc(5 * sizeof(int));  // Dynamically allocate memory for 5 integers
+    int* arr_copy = (int*)malloc(5 * sizeof(int));  // Dynamically allocate memory for the copy
+
+    for (int i = 0; i < 5; i++) {
+        arr[i] = i;  // Initialize the array
+    }
+
+    memcpy(arr_copy, arr, 5 * sizeof(int));  // Copy the content of arr to arr_copy
+
+    SAFE_LOAD(arr);  // Safe load: arr is valid
+    SAFE_LOAD(arr_copy);  // Safe load: arr_copy is valid
+
+    free(arr);  // Free allocated memory for arr
+    UNSAFE_LOAD(arr);  // Unsafe load: arr is now invalid
+
+    free(arr_copy);  // Free allocated memory for arr_copy
+    UNSAFE_LOAD(arr_copy);  // Unsafe load: arr_copy is now invalid
+
+    return 0;
+}
@@ -0,0 +1,20 @@
+#include <string.h>
+#include <stdlib.h>
+
+extern void UNSAFE_LOAD(void *ptr);  // This pointer is guaranteed unsafe
+
+int main() {
+    char* p = NULL;  // NULL pointer
+    char* p_copy = malloc(10 * sizeof(char));  // Dynamically allocate memory for copy
+
+    memcpy(p_copy, "Hello", 5);  // Copy "Hello" into p_copy (valid pointer)
+    memcpy(p, p_copy, 5);  // Unsafe operation: p is NULL, this is invalid
+
+    free(p_copy);  // Free allocated memory for p_copy
+    UNSAFE_LOAD(p_copy);  // Unsafe load: p_copy is now invalid
+
+    free(p);  // Freeing a NULL pointer is safe, but p is still unsafe
+    UNSAFE_LOAD(p);  // Unsafe load: p is still NULL after free
+
+    return 0;
+}
@@ -0,0 +1,21 @@
+#include <string.h>
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *ptr);  // This pointer is guaranteed safe
+extern void UNSAFE_LOAD(void *ptr);  // This pointer is guaranteed unsafe
+
+int main() {
+    char c;
+    char* p = &c;  // Pointer to local variable
+    char* p_copy = (char*)malloc(sizeof(char));  // Dynamically allocate memory for copy
+
+    memcpy(p_copy, "A", 1);  // Copy 'A' into p_copy (valid pointer)
+
+    SAFE_LOAD(p);  // Safe load: p points to a valid local variable
+    SAFE_LOAD(p_copy);  // Safe load: p_copy is valid
+
+    free(p_copy);  // Free allocated memory for p_copy
+    UNSAFE_LOAD(p_copy);  // Unsafe load: p_copy is now invalid
+
+    return 0;
+}
@@ -0,0 +1,24 @@
+#include <string.h>
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *ptr);  // This pointer is guaranteed safe
+extern void UNSAFE_LOAD(void *ptr);  // This pointer is guaranteed unsafe
+
+int main() {
+    void* p = malloc(20);  // Dynamically allocate 20 bytes of memory
+    void* p_copy = malloc(20);  // Dynamically allocate memory for copy
+
+    memcpy(p, "Hello", 5);  // Copy "Hello" into p
+    memcpy(p_copy, p, 5);   // Copy the content of p into p_copy
+
+    SAFE_LOAD(p);  // Safe load: p is valid
+    SAFE_LOAD(p_copy);  // Safe load: p_copy is valid
+
+    free(p);  // Free allocated memory for p
+    UNSAFE_LOAD(p);  // Unsafe load: p is now invalid
+
+    free(p_copy);  // Free allocated memory for p_copy
+    UNSAFE_LOAD(p_copy);  // Unsafe load: p_copy is now invalid
+
+    return 0;
+}
@@ -0,0 +1,29 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *ptr);
+extern void UNSAFE_LOAD(void *ptr);
+
+void test_safe_memset() {
+    int *a = (int *)malloc(5 * sizeof(int));
+    if (a) {
+        SAFE_LOAD(a);
+        memset(a, 0, 5 * sizeof(int));  // Safe memset of 5 integers
+    }
+    free(a);
+}
+
+void test_unsafe_memset() {
+    int *a = NULL;
+
+    UNSAFE_LOAD(a);  // a is NULL — unsafe
+
+    memset(a, 0, 5 * sizeof(int));  // Undefined behavior
+}
+
+int main() {
+    test_safe_memset();
+    test_unsafe_memset();  // Likely crash
+    return 0;
+}
@@ -0,0 +1,18 @@
+#include <string.h>
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *ptr);  // This pointer is guaranteed safe
+extern void UNSAFE_LOAD(void *ptr);  // This pointer is guaranteed unsafe
+
+int main() {
+    char* buf = (char*)malloc(10 * sizeof(char));  // Dynamically allocate memory
+    memset(buf, 0, 10);  // Set all 10 bytes to 0 (valid pointer)
+
+    SAFE_LOAD(buf);  // Safe load: buf is guaranteed to be valid
+
+    free(buf);  // Free allocated memory
+
+    UNSAFE_LOAD(buf);  // Unsafe load: buf is now invalid, as it points to freed memory
+
+    return 0;
+}
@@ -0,0 +1,18 @@
+#include <string.h>
+#include <stdlib.h>
+
+extern void SAFE_LOAD(void *ptr);  // This pointer is guaranteed safe
+extern void UNSAFE_LOAD(void *ptr);  // This pointer is guaranteed unsafe
+
+int main() {
+    int* arr = (int*)malloc(5 * sizeof(int));  // Dynamically allocate memory for 5 integers
+    memset(arr, 0, 5 * sizeof(int));  // Set all 5 integers to 0 (valid pointer)
+
+    SAFE_LOAD(arr);  // Safe load: arr is guaranteed to be valid
+
+    free(arr);  // Free allocated memory
+
+    UNSAFE_LOAD(arr);  // Unsafe load: arr is now invalid, as it points to freed memory
+
+    return 0;
+}