hello, I found several bugs of null pointer dereference in the source code of csmith, would you help me check if these bugs are true?
btw, the way these bugs happen is very similar, so it doesn't seem to take much time. thank you very much for your patience and effort.
there are several potential bugs of NULL Pointer Dereference :
==============================================================================
step 1 :
In file csmith/src/StatementExpr.cpp , function StatementExpr::get_dereferenced_ptrs line 133:
Select the true branch at this point (this->get_invoke()==null is true)
step 2 :
In file csmith/src/StatementExpr.cpp , function StatementExpr::get_dereferenced_ptrs line 133:
null assigned to func_call reaches here
step 3 :
In file csmith/src/StatementExpr.cpp , function StatementExpr::get_dereferenced_ptrs line 134:
(func_call->param_value) is passed as the this pointer to function size
==============================================================================
step 1 :
In file csmith/src/Function.cpp , function get_fact_mgr_for_func line 115:
Return null to caller
step 2 :
In file csmith/src/Function.cpp , function get_fact_mgr line 124:
Return the return value of function get_fact_mgr_for_func to caller
step 3 :
In file csmith/src/StatementContinue.cpp , function StatementContinue::make_random line 62 :
Function get_fact_mgr executes and stores the return value to fm (fm can be null)
step 4 :
In file csmith/src/StatementContinue.cpp , function StatementContinue::make_random line 80 :
fm is passed as the this pointer to function create_cfg_edge (fm can be null)
==============================================================================
step 1:
In file csmith/src/Function.cpp , function get_fact_mgr_for_func line 115:
Return null to caller
step 2 :
In file csmith/src/Statement.cpp , function Statement::shortcut_analysis line 587 :
Function get_fact_mgr_for_func executes and stores the return value to fm (fm can be null)
step 3 :
In file csmith/src/Statement.cpp , function Statement::shortcut_analysis line 591 :
(fm->map_facts_in) is passed as the this pointer to function operator[]
==============================================================================
step 1 :
In file csmith/src/Block.cpp , function Block::get_last_stm line 327 :
Select the false branch at this point (istms->size() is false)
step 2 :
In file csmith/src/Block.cpp , function Block::get_last_stm line 333 :
Return null to caller
step 3 :
In file csmith/src/Block.cpp , function Block::must_return line 362 :
Function get_last_stm executes and returns
step 4 :
In file csmith/src/Block.cpp , function Block::must_return line 362 :
Call a virtual function on this->get_last_stm()
==============================================================================
step 1 :
In file csmith/src/Function.cpp , function get_fact_mgr_for_func line 115:
Return null to caller
step 2 :
In file csmith/src/Function.cpp , function get_fact_mgr line 124:
Return the return value of function get_fact_mgr_for_func to caller
step 3 :
In file csmith/src/Block.cpp , function Block::set_accumulated_effect line 641 :
Function get_fact_mgr executes and stores the return value to fm (fm can be null)
step 4 :
In file csmith/src/Block.cpp , function Block::set_accumulated_effect line 644 :
(fm->map_stm_effect) is passed as the this pointer to function operator[]
==============================================================================
step 1 :
In file csmith/src/Block.cpp , function Block::get_last_stm line 327 :
Select the false branch at this point (istms->size() is false)
step 2 :
In file csmith/src/Block.cpp , function Block::get_last_stm line 333 :
Return null to caller
step 3 :
In file csmith/src/Block.cpp , function Block::must_jump line 384 :
Function get_last_stm executes and returns
step 4 :
In file csmith/src/Block.cpp , function Block::must_jump line 384 :
Call a virtual function on this->get_last_stm()
==============================================================================
step 1 :
In file csmith/src/Function.cpp , function get_fact_mgr_for_func line 115:
Return null to caller
step 2 :
In file csmith/src/Function.cpp , function get_fact_mgr line 124:
Return the return value of function get_fact_mgr_for_func to caller
step 3 :
In file csmith/src/Statement.cpp , function Statement::stm_visit_facts line 653 :
Function get_fact_mgr executes and stores the return value to fm (fm can be null)
step 4 :
In file csmith/src/Statement.cpp , function Statement::stm_visit_facts line 662 :
Dereference fm, which can be null
==============================================================================
step 1 :
In file csmith/src/Function.cpp , function get_fact_mgr_for_func line 115 :
Return null to caller
step 2 :
In file csmith/src/Function.cpp , function get_fact_mgr line 124:
Return the return value of function get_fact_mgr_for_func to caller
step 3 :
In file csmith/src/StatementContinue.cpp , function StatementContinue::visit_facts line 146 :
Function get_fact_mgr executes and stores the return value to fm (fm can be null)
step 4 :
In file csmith/src/StatementContinue.cpp , function StatementContinue::visit_facts line 147 :
(fm->map_facts_out_final) is passed as the this pointer to function operator[]
==============================================================================
step 1 :
In file csmith/src/Block.cpp , function Block::get_last_stm line 327 :
Select the false branch at this point (istms->size() is false)
step 2 :
In file csmith/src/Block.cpp , function Block::get_last_stm line 333 :
Return null to caller
step 3 :
In file csmith/src/Block.cpp , function Block::must_break_or_return line 393 :
Function get_last_stm executes and returns
step 4 :
In file csmith/src/Block.cpp , function Block::must_break_or_return line 393 :
Call a virtual function on this->get_last_stm()
==============================================================================
step 1 :
In file csmith/src/Function.cpp , function get_fact_mgr_for_func line 115:
Return null to caller
step 2 :
In file csmith/src/Function.cpp , function get_fact_mgr line 124:
Return the return value of function get_fact_mgr_for_func to caller
step 3 :
In file csmith/src/Statement.cpp , function Statement::set_accumulated_effect_after_block line 555 :
Function get_fact_mgr executes and stores the return value to fm (fm can be null)
step 4 :
In file csmith/src/Statement.cpp , function Statement::set_accumulated_effect_after_block line 556 :
(fm->map_stm_effect) is passed as the this pointer to function operator[]
==============================================================================
step 1 :
In file csmith/src/Block.cpp , function Block::get_last_stm line 327 :
Select the false branch at this point (istms->size() is false)
step 2 :
In file csmith/src/Block.cpp , function Block::get_last_stm line 333 :
Return null to caller
step 3 :
In file csmith/src/Block.cpp , function Block::from_tail_to_head line 416 :
Function get_last_stm executes and stores the return value to s (s can be null)
step 4 :
In file csmith/src/Block.cpp , function Block::from_tail_to_head line 418 :
Call a virtual function on s
==============================================================================
step 1 :
In file csmith/src/FunctionInvocation.cpp , function FunctionInvocation::get_qualifiers line 492 :
Select the true branch at this point (this==null is true)
step 2 :
In file csmith/src/FunctionInvocation.cpp , function FunctionInvocation::get_qualifiers line 492 :
null assigned to func_call reaches here
step 3 :
In file csmith/src/FunctionInvocation.cpp , function FunctionInvocation::get_qualifiers line 493 :
Dereference func_call, which can be null
==============================================================================
step 1 :
In file csmith/src/Function.cpp , function get_fact_mgr_for_func line 115:
Return null to caller
step 2 :
In file csmith/src/Block.cpp , function Block::contains_back_edge line 553 :
Function get_fact_mgr_for_func executes and stores the return value to fm (fm can be null)
step 3 :
In file csmith/src/Block.cpp , function Block::contains_back_edge line 555 :
(fm->cfg_edges) is passed as the this pointer to function size
==============================================================================
step 1 :
In file csmith/src/Function.cpp , function get_fact_mgr_for_func line 115:
Return null to caller
step 2 :
In file csmith/src/Function.cpp , function get_fact_mgr line 124:
Return the return value of function get_fact_mgr_for_func to caller
step 3 :
In file csmith/src/StatementExpr.cpp , function StatementExpr::visit_facts line 120 :
Function get_fact_mgr executes and stores the return value to fm (fm can be null)
step 4 :
In file csmith/src/StatementExpr.cpp , function StatementExpr::visit_facts line 121 :
(fm->map_facts_out_final) is passed as the this pointer to function operator[]
==============================================================================
step 1 :
In file csmith/src/CGContext.cpp , function CGContext::get_current_block line 575 :
Return null to caller
step 2:
In file csmith/src/StatementContinue.cpp , function StatementContinue::make_random line 66 :
Function get_current_block executes and stores the return value to b (b can be null)
step 3:
In file csmith/src/StatementContinue.cpp , function StatementContinue::make_random line 67 :
b is passed as the this pointer to function get_last_stm (b can be null)
==============================================================================
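To make the shape of these traces concrete, here is an added illustration (not csmith's code; the names Statement, Block, get_last_stm and must_return only mirror the report, and every body is assumed): a getter that returns null on an empty block, the unchecked virtual call the traces describe, and a checked variant beside it.

```cpp
#include <vector>

// Minimal model of the reported pattern; these are assumed stand-ins, not
// csmith's own classes.
struct Statement {
    virtual ~Statement() = default;
    virtual bool must_return() const = 0;
};

struct ReturnStmt : Statement {
    bool must_return() const override { return true; }
};

struct ExprStmt : Statement {
    bool must_return() const override { return false; }
};

struct Block {
    std::vector<const Statement*> stms;

    // "Return null to caller": an empty block has no last statement.
    const Statement* get_last_stm() const {
        if (stms.empty()) return nullptr;
        return stms.back();
    }

    // Unchecked caller, as in the trace: a virtual call through a null
    // pointer is undefined behaviour (in practice a crash) on an empty block.
    bool must_return_unchecked() const {
        return get_last_stm()->must_return();
    }

    // Hardened caller: an empty block cannot end in a return.
    bool must_return_checked() const {
        const Statement* s = get_last_stm();
        return s != nullptr && s->must_return();
    }
};

// Exercise both callers on constructed blocks; the unchecked version is only
// ever called where get_last_stm() is known to be non-null.
bool empty_block_is_handled() {
    Block b;  // no statements: get_last_stm() == nullptr
    return b.get_last_stm() == nullptr && !b.must_return_checked();
}

bool return_block_agrees() {
    static ReturnStmt r;
    Block b;
    b.stms.push_back(&r);
    return b.must_return_checked() && b.must_return_unchecked();
}
```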