[feat] Distinct kinds of NPE.

Author: S1eGa

lib/Core/ExecutionState.cpp

@@ -163,7 +163,9 @@ ExecutionState::~ExecutionState() {
 ExecutionState::ExecutionState(const ExecutionState &state)
     : initPC(state.initPC), pc(state.pc), prevPC(state.prevPC),
       stack(state.stack), stackBalance(state.stackBalance),
-      incomingBBIndex(state.incomingBBIndex), depth(state.depth),
+      incomingBBIndex(state.incomingBBIndex),
+      lastBrConfidently(state.lastBrConfidently),
+      outOfMemoryMarkers(state.outOfMemoryMarkers), depth(state.depth),
       level(state.level), addressSpace(state.addressSpace),
       constraints(state.constraints), eventsRecorder(state.eventsRecorder),
       targetForest(state.targetForest), pathOS(state.pathOS),

lib/Core/ExecutionState.h

@@ -320,6 +320,9 @@ class ExecutionState {
   /// @brief: TODO:
   bool lastBrConfidently = true;
 
+  /// @brief: TODO:
+  ImmutableList<ref<Expr>> outOfMemoryMarkers;
+
   /// @brief Exploration depth, i.e., number of times KLEE branched for this
   /// state
   std::uint32_t depth = 0;

lib/Core/Executor.cpp

@@ -62,6 +62,7 @@
 #include "klee/Solver/Common.h"
 #include "klee/Solver/Solver.h"
 #include "klee/Solver/SolverCmdLine.h"
+#include "klee/Solver/SolverUtil.h"
 #include "klee/Statistics/TimerStatIncrementer.h"
 #include "klee/Support/Casting.h"
 #include "klee/Support/ErrorHandling.h"
@@ -5424,6 +5425,7 @@ void Executor::executeAlloc(ExecutionState &state, ref<Expr> size, bool isLocal,
             makeMockValue(state, "symCheckOutOfMemory", Expr::Bool);
         address = SelectExpr::create(symCheckOutOfMemoryExpr,
                                      Expr::createPointer(0), address);
+        state.outOfMemoryMarkers.push_back(symCheckOutOfMemoryExpr);
       }
 
       // state.addPointerResolution(address, mo);
@@ -6317,12 +6319,91 @@ void Executor::executeMemoryOperation(
   StatePair branches =
       forkInternal(estate, Expr::createIsZero(base), BranchType::MemOp);
   ExecutionState *bound = branches.first;
+
   if (bound) {
-    auto error = isReadFromSymbolicArray(uniqueBase)
-                     ? ReachWithError::MayBeNullPointerException
-                     : ReachWithError::MustBeNullPointerException;
-    terminateStateOnTargetError(*bound, error);
+    // If there are no markers on `malloc` returning nullptr,
+    // then `confidence` depends on presence of `unbound` state.
+    if (!bound->outOfMemoryMarkers.empty()) {
+      // bound constraints already contain `Expr::createIsZero()`
+      std::vector<const Array *> markersArrays;
+      markersArrays.reserve(bound->outOfMemoryMarkers.size());
+      findSymbolicObjects(bound->outOfMemoryMarkers.begin(),
+                          bound->outOfMemoryMarkers.end(), markersArrays);
+
+      // Do some iterations (2-3) to figure out if error is confident.
+      ref<Expr> allExcludedVectorsOfMarkers = Expr::createTrue();
+
+      bool convinced = false;
+      for (int tpCheckIteration = 0; tpCheckIteration < 2; ++tpCheckIteration) {
+        ref<SolverResponse> isConfidentResponse;
+        if (!solver->getResponse(bound->constraints.cs(),
+                                 allExcludedVectorsOfMarkers,
+                                 isConfidentResponse, bound->queryMetaData)) {
+          terminateStateOnSolverError(*bound, "Query timeout");
+        }
+
+        if (isa<ValidResponse>(isConfidentResponse)) {
+          reportStateOnTargetError(*bound,
+                                   ReachWithError::MustBeNullPointerException);
+
+          terminateStateOnProgramError(
+              *bound,
+              new ErrorEvent(locationOf(*bound), StateTerminationType::Ptr,
+                             "memory error: null pointer exception"),
+              StateTerminationConfidenceCategory::CONFIDENT);
+          convinced = true;
+          break;
+        }
+
+        // Receive current values of markers
+        std::vector<SparseStorage<unsigned char>> boundSetSolution;
+        isConfidentResponse->tryGetInitialValuesFor(markersArrays,
+                                                    boundSetSolution);
+        Assignment nonConfidentResponseAssignment(markersArrays,
+                                                  boundSetSolution);
+
+        // Exclude this combinations of markers
+
+        ref<Expr> conjExcludedVectorOfMarkers = Expr::createTrue();
+        for (ref<Expr> marker : bound->outOfMemoryMarkers) {
+          conjExcludedVectorOfMarkers = AndExpr::create(
+              conjExcludedVectorOfMarkers,
+              EqExpr::create(marker,
+                             nonConfidentResponseAssignment.evaluate(marker)));
+        }
+
+        allExcludedVectorsOfMarkers =
+            OrExpr::create(allExcludedVectorsOfMarkers,
+                           NotExpr::create(conjExcludedVectorOfMarkers));
+      }
+
+      if (!convinced) {
+        reportStateOnTargetError(*bound,
+                                 ReachWithError::MayBeNullPointerException);
+
+        terminateStateOnProgramError(
+            *bound,
+            new ErrorEvent(locationOf(*bound), StateTerminationType::Ptr,
+                           "memory error: null pointer exception"),
+            StateTerminationConfidenceCategory::PROBABLY);
+      }
+
+    } else {
+      auto error = branches.second != nullptr
+                       ? ReachWithError::MayBeNullPointerException
+                       : ReachWithError::MustBeNullPointerException;
+      reportStateOnTargetError(*bound, error);
+
+      terminateStateOnProgramError(
+          *bound,
+          new ErrorEvent(locationOf(*bound), StateTerminationType::Ptr,
+                         "memory error: null pointer exception"),
+          branches.second != nullptr
+              ? StateTerminationConfidenceCategory::PROBABLY
+              : StateTerminationConfidenceCategory::CONFIDENT);
+    }
   }
+
   if (!branches.second)
     return;
   ExecutionState *state = branches.second;
@@ -6916,7 +6997,8 @@ void Executor::executeMakeSymbolic(ExecutionState &state,
                (!AllowSeedTruncation && obj->numBytes > mo->size))) {
             std::stringstream msg;
             msg << "replace size mismatch: " << mo->name << "[" << mo->size
-                << "]" << " vs " << obj->name << "[" << obj->numBytes << "]"
+                << "]"
+                << " vs " << obj->name << "[" << obj->numBytes << "]"
                 << " in test\n";
 
             terminateStateOnUserError(state, msg.str());
@@ -7360,7 +7442,8 @@ void Executor::logState(const ExecutionState &state, int id,
     *f << "Address memory object: " << object.first->address << "\n";
     *f << "Memory object size: " << object.first->size << "\n";
   }
-  *f << state.symbolics.size() << " symbolics total. " << "Symbolics:\n";
+  *f << state.symbolics.size() << " symbolics total. "
+     << "Symbolics:\n";
   size_t sc = 0;
   for (const auto &symbolic : state.symbolics) {
     *f << "Symbolic number " << sc++ << "\n";

lib/Expr/ExprUtil.cpp

@@ -8,6 +8,7 @@
 //===----------------------------------------------------------------------===//
 
 #include "klee/Expr/ExprUtil.h"
+#include "klee/ADT/ImmutableList.h"
 #include "klee/Expr/Expr.h"
 #include "klee/Expr/ExprHashMap.h"
 #include "klee/Expr/ExprVisitor.h"
@@ -176,6 +177,9 @@ template void klee::findSymbolicObjects<B>(B, B, std::vector<const Array *> &);
 typedef ExprHashSet::iterator C;
 template void klee::findSymbolicObjects<C>(C, C, std::vector<const Array *> &);
 
+typedef ImmutableList<ref<Expr>>::iterator D;
+template void klee::findSymbolicObjects<D>(D, D, std::vector<const Array *> &);
+
 typedef std::vector<ref<Expr>>::iterator A;
 template void klee::findObjects<A>(A, A, std::vector<const Array *> &);