Description
Hi there,
Context: I am trying to use JBMC to verify the presence of vulnerabilities in source code of test cases of the Juliet 1.3 testsuite. I started with CWE113 and could run JBMC on a test case but realized JBMC was not dealing with the URL encoding bytcode as I was expecting.
Test case: here is a simplified example to test.
package jbmc_issues.urlencoder;
import java.net.URLEncoder;
public class EncodeTest
{
public static void main(String[] args) throws Throwable
{
String data = "Hello world";
String d = URLEncoder.encode(data, "UTF-8");
if(d!=null && !d.isEmpty()) {
// d = d.replace("\r", " ");
assert(!d.contains("\r"));
}
}
}
Run command for jbmc : $JBMC_PATH/jbmc jbmc_issues/urlencoder/EncodeTest --max-nondet-string-length 10 --unwind 50 --classpath $JBMC_PATH../../../jbmc/lib/java-models-library/target/core-models.jar:. --main-class EncodeTest --trace
Expected behavior: verification succeeds, no counter-example
Observerd behavior: the verification of the assert fails, the trace seems to indicate that the encode function can throw a NPE but I am not sure I understand the trace properly and if my understanding is correct, why an NPE could be thrown.
Additional comment: if you uncomment the line d = d.replace("\r", " ");, the verification succeeds.
Thanks for your help on this!