├── src ├── targets │ └── __init__.py ├── tests │ ├── __init__.py │ ├── commit_v8.txt │ └── commit_id.txt ├── backends │ └── __init__.py ├── llm_keys_example.yaml ├── kparser │ └── kparser.py └── kernel_commands.py ├── assets └── icon.png ├── checker_database ├── Taint │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── uninit │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── Iterator │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── MIGChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CloneChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ErrnoChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── GTestChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── MoveChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── VforkChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── double-free │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── CStringChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CastSizeChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ChrootChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── DebugCheckers │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── DivZeroChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── ErrnoModeling │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── MallocChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── NSErrorChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── PaddingChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── SmartPtrChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── StreamChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── StringChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── UnixAPIChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── VLASizeChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ValistChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ArrayBoundChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── CXXDeleteChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CastValueChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CheckObjCDealloc │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CheckPlacementNew │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── ContainerModeling │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ConversionChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── DeadStoresChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── IteratorModeling │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── MacOSXAPIChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ObjCAtSyncChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── PointerSubChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── SmartPtrModeling │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── StdVariantChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── TraversalChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── AnalysisOrderChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── AnalyzerStatsChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ArrayBoundCheckerV2 │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── BitwiseShiftChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CStringSyntaxChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CastToStructChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CheckSizeofPointer │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CheckerDocumentation │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── DereferenceChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── DirectIvarAssignment │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── DynamicTypeChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ErrnoTesterChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── FixedAddressChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── FuchsiaHandleChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── GenericTaintChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── IdenticalExprChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── InnerPointerChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── IteratorRangeChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── LocalizationChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── MallocSizeofChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── MmapWriteExecChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── NonNullParamChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── NullabilityChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── OSObjectCStyleCast │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ObjCPropertyChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ObjCSelfInitChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── PointerArithChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── PthreadLockChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ReturnUndefChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ReturnValueChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── STLAlgorithmModeling │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── SimpleStreamChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── TaintTesterChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ ├── plan.md │ └── checker.cpp ├── TrustNonnullChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── UndefBranchChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── UndefResultChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── VirtualCallChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── null-ptr-derefence │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── BoolAssignmentChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── BuiltinFunctionChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CallAndMessageChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── DebugContainerModeling │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── DebugIteratorModeling │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── DynamicTypePropagation │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ExprInspectionChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── GCDAntipatternChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── LLVMConventionsChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ObjCContainersChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ObjCUnusedIVarsChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── PointerSortingChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── StackAddrEscapeChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── UnreachableCodeChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── BasicObjCFoundationChecks │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CXXSelfAssignmentChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CheckSecuritySyntaxOnly │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── EnumCastOutOfRangeChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── IvarInvalidationChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── MacOSKeychainAPIChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── MismatchedIteratorChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── NSAutoreleasePoolChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── NoReturnFunctionChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ObjCContainersASTChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ObjCSuperDeallocChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── PointerIterationChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ReturnPointerRangeChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── TestAfterDivZeroChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── CheckObjCInstMethSignature │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── InvalidatedIteratorChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ObjCAutoreleaseWriteChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── ObjCMissingSuperCallChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── StdLibraryFunctionsChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── TrustReturnsNonnullChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ ├── plan.md │ └── checker.cpp ├── UndefinedAssignmentChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── BlockInCriticalSectionChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── MallocOverflowSecurityChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── NonnullGlobalConstantsChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── NumberObjectConversionChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── RunLoopAutoreleaseLeakChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── UndefCapturedBlockVarChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ └── pattern.md ├── UndefinedArraySubscriptChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md └── UndefinedNewArraySizeChecker │ ├── plan_embedding.pt │ ├── pattern_embedding.pt │ ├── pattern.md │ └── plan.md ├── commits ├── commits-debug.txt └── commits-sampled.txt ├── config-example.yaml ├── requirements.txt ├── .gitmodules ├── prompt_template ├── examples │ ├── null-ptr-derefence │ │ ├── pattern.md │ │ └── plan.md │ ├── double-free │ │ ├── pattern.md │ │ └── plan.md │ └── uninit │ │ ├── pattern.md │ │ └── plan.md ├── patch2pattern.md ├── patch2pattern-general.md ├── plan2checker-no-utility.md ├── plan2checker.md ├── patch2checker.md ├── knowledge │ └── template.md └── repair_FP.md ├── .gitignore ├── .pre-commit-config.yaml ├── .dockerignore ├── COMMON-ISSUES.md ├── docker-compose.yml └── scripts ├── count_errors.py ├── count_tokens.py └── README.md /src/targets/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /src/tests/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /src/tests/commit_v8.txt: -------------------------------------------------------------------------------- 1 | 5666bca708c0a2f888b78e34281b00ed20356cb2 -------------------------------------------------------------------------------- /src/tests/commit_id.txt: -------------------------------------------------------------------------------- 1 | 3948abaa4e2be938ccdfc289385a27342fb13d43 2 | -------------------------------------------------------------------------------- /src/backends/__init__.py: -------------------------------------------------------------------------------- 1 | # from backends.factory import BackendFactory 2 | -------------------------------------------------------------------------------- /assets/icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/assets/icon.png -------------------------------------------------------------------------------- /checker_database/Taint/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/Taint/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/uninit/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/uninit/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/Iterator/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/Iterator/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/MIGChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MIGChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/Taint/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/Taint/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/uninit/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/uninit/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CloneChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CloneChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ErrnoChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ErrnoChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/GTestChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/GTestChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/Iterator/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/Iterator/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/MoveChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MoveChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/VforkChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/VforkChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/double-free/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/double-free/plan_embedding.pt -------------------------------------------------------------------------------- /commits/commits-debug.txt: -------------------------------------------------------------------------------- 1 | 1f886a7bfb3faf4c1021e73f045538008ce7634e,Null-Pointer-Dereference 2 | ad297cd2db8953e2202970e9504cab247b6c7cb4,UAF 3 | -------------------------------------------------------------------------------- /checker_database/CStringChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CStringChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CastSizeChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CastSizeChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ChrootChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ChrootChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CloneChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CloneChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DebugCheckers/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DebugCheckers/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/DivZeroChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DivZeroChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ErrnoChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ErrnoChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ErrnoModeling/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ErrnoModeling/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/GTestChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/GTestChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/MIGChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MIGChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/MallocChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MallocChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/MoveChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MoveChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/NSErrorChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NSErrorChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/PaddingChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PaddingChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/SmartPtrChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/SmartPtrChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/StreamChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/StreamChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/StringChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/StringChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/UnixAPIChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UnixAPIChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/VLASizeChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/VLASizeChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ValistChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ValistChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/VforkChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/VforkChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/double-free/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/double-free/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ArrayBoundChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ArrayBoundChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CStringChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CStringChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CXXDeleteChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CXXDeleteChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CastValueChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CastValueChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckObjCDealloc/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckObjCDealloc/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckPlacementNew/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckPlacementNew/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ChrootChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ChrootChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ContainerModeling/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ContainerModeling/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ConversionChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ConversionChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/DeadStoresChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DeadStoresChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/DebugCheckers/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DebugCheckers/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DivZeroChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DivZeroChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ErrnoModeling/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ErrnoModeling/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/IteratorModeling/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/IteratorModeling/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/MacOSXAPIChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MacOSXAPIChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/MallocChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MallocChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/NSErrorChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NSErrorChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCAtSyncChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCAtSyncChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/PaddingChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PaddingChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/PointerSubChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PointerSubChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/SmartPtrModeling/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/SmartPtrModeling/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/StdVariantChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/StdVariantChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/StreamChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/StreamChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/StringChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/StringChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/TraversalChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/TraversalChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/UnixAPIChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UnixAPIChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/VLASizeChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/VLASizeChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ValistChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ValistChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/AnalysisOrderChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/AnalysisOrderChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/AnalyzerStatsChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/AnalyzerStatsChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ArrayBoundChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ArrayBoundChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ArrayBoundCheckerV2/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ArrayBoundCheckerV2/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/BitwiseShiftChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/BitwiseShiftChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CStringSyntaxChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CStringSyntaxChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CXXDeleteChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CXXDeleteChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CastSizeChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CastSizeChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CastToStructChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CastToStructChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CastValueChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CastValueChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckObjCDealloc/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckObjCDealloc/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckPlacementNew/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckPlacementNew/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckSizeofPointer/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckSizeofPointer/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckerDocumentation/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckerDocumentation/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ContainerModeling/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ContainerModeling/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ConversionChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ConversionChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DeadStoresChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DeadStoresChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DereferenceChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DereferenceChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/DirectIvarAssignment/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DirectIvarAssignment/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/DynamicTypeChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DynamicTypeChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ErrnoTesterChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ErrnoTesterChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/FixedAddressChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/FixedAddressChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/FuchsiaHandleChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/FuchsiaHandleChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/GenericTaintChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/GenericTaintChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/IdenticalExprChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/IdenticalExprChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/InnerPointerChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/InnerPointerChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/IteratorModeling/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/IteratorModeling/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/IteratorRangeChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/IteratorRangeChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/LocalizationChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/LocalizationChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/MacOSXAPIChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MacOSXAPIChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/MallocSizeofChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MallocSizeofChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/MmapWriteExecChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MmapWriteExecChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/NonNullParamChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NonNullParamChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/NullabilityChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NullabilityChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/OSObjectCStyleCast/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/OSObjectCStyleCast/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCAtSyncChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCAtSyncChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCPropertyChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCPropertyChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCSelfInitChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCSelfInitChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/PointerArithChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PointerArithChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/PointerSubChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PointerSubChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/PthreadLockChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PthreadLockChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ReturnUndefChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ReturnUndefChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ReturnValueChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ReturnValueChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/STLAlgorithmModeling/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/STLAlgorithmModeling/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/SimpleStreamChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/SimpleStreamChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/SmartPtrChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/SmartPtrChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/SmartPtrModeling/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/SmartPtrModeling/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/StdVariantChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/StdVariantChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/TaintTesterChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/TaintTesterChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/TraversalChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/TraversalChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/TrustNonnullChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/TrustNonnullChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefBranchChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefBranchChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefResultChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefResultChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/VirtualCallChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/VirtualCallChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/null-ptr-derefence/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/null-ptr-derefence/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ArrayBoundCheckerV2/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ArrayBoundCheckerV2/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/BitwiseShiftChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/BitwiseShiftChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/BoolAssignmentChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/BoolAssignmentChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/BuiltinFunctionChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/BuiltinFunctionChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CallAndMessageChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CallAndMessageChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CastToStructChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CastToStructChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckSizeofPointer/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckSizeofPointer/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DebugContainerModeling/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DebugContainerModeling/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/DebugIteratorModeling/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DebugIteratorModeling/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/DereferenceChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DereferenceChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DynamicTypeChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DynamicTypeChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DynamicTypePropagation/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DynamicTypePropagation/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ErrnoTesterChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ErrnoTesterChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ExprInspectionChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ExprInspectionChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/FixedAddressChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/FixedAddressChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/GCDAntipatternChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/GCDAntipatternChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/GenericTaintChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/GenericTaintChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/InnerPointerChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/InnerPointerChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/LLVMConventionsChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/LLVMConventionsChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/LocalizationChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/LocalizationChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/MallocSizeofChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MallocSizeofChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/NonNullParamChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NonNullParamChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/NullabilityChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NullabilityChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/OSObjectCStyleCast/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/OSObjectCStyleCast/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCContainersChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCContainersChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCPropertyChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCPropertyChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCSelfInitChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCSelfInitChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCUnusedIVarsChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCUnusedIVarsChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/PointerArithChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PointerArithChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/PointerSortingChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PointerSortingChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/PthreadLockChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PthreadLockChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ReturnUndefChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ReturnUndefChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ReturnValueChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ReturnValueChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/SimpleStreamChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/SimpleStreamChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/StackAddrEscapeChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/StackAddrEscapeChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/TaintTesterChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/TaintTesterChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/TrustNonnullChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/TrustNonnullChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefBranchChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefBranchChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefResultChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefResultChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/UnreachableCodeChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UnreachableCodeChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/VirtualCallChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/VirtualCallChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/null-ptr-derefence/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/null-ptr-derefence/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/AnalysisOrderChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/AnalysisOrderChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/AnalyzerStatsChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/AnalyzerStatsChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/BasicObjCFoundationChecks/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/BasicObjCFoundationChecks/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/BoolAssignmentChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/BoolAssignmentChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/BuiltinFunctionChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/BuiltinFunctionChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CStringSyntaxChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CStringSyntaxChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CXXSelfAssignmentChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CXXSelfAssignmentChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CallAndMessageChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CallAndMessageChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckSecuritySyntaxOnly/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckSecuritySyntaxOnly/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckerDocumentation/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckerDocumentation/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DebugContainerModeling/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DebugContainerModeling/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DebugIteratorModeling/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DebugIteratorModeling/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DirectIvarAssignment/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DirectIvarAssignment/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/DynamicTypePropagation/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/DynamicTypePropagation/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/EnumCastOutOfRangeChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/EnumCastOutOfRangeChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ExprInspectionChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ExprInspectionChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/FuchsiaHandleChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/FuchsiaHandleChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/GCDAntipatternChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/GCDAntipatternChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/IdenticalExprChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/IdenticalExprChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/IteratorRangeChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/IteratorRangeChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/IvarInvalidationChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/IvarInvalidationChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/LLVMConventionsChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/LLVMConventionsChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/MacOSKeychainAPIChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MacOSKeychainAPIChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/MismatchedIteratorChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MismatchedIteratorChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/MmapWriteExecChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MmapWriteExecChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/NSAutoreleasePoolChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NSAutoreleasePoolChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/NoReturnFunctionChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NoReturnFunctionChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCContainersASTChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCContainersASTChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCContainersChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCContainersChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCSuperDeallocChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCSuperDeallocChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCUnusedIVarsChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCUnusedIVarsChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/PointerIterationChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PointerIterationChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/PointerSortingChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PointerSortingChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ReturnPointerRangeChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ReturnPointerRangeChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/STLAlgorithmModeling/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/STLAlgorithmModeling/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/StackAddrEscapeChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/StackAddrEscapeChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/TestAfterDivZeroChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/TestAfterDivZeroChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/UnreachableCodeChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UnreachableCodeChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CXXSelfAssignmentChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CXXSelfAssignmentChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckObjCInstMethSignature/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckObjCInstMethSignature/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckSecuritySyntaxOnly/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckSecuritySyntaxOnly/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/InvalidatedIteratorChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/InvalidatedIteratorChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/IvarInvalidationChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/IvarInvalidationChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/MacOSKeychainAPIChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MacOSKeychainAPIChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/NSAutoreleasePoolChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NSAutoreleasePoolChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/NoReturnFunctionChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NoReturnFunctionChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCAutoreleaseWriteChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCAutoreleaseWriteChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCContainersASTChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCContainersASTChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCMissingSuperCallChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCMissingSuperCallChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCSuperDeallocChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCSuperDeallocChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/PointerIterationChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/PointerIterationChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/StdLibraryFunctionsChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/StdLibraryFunctionsChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/TestAfterDivZeroChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/TestAfterDivZeroChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/TrustReturnsNonnullChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/TrustReturnsNonnullChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefinedAssignmentChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefinedAssignmentChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/BasicObjCFoundationChecks/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/BasicObjCFoundationChecks/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/BlockInCriticalSectionChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/BlockInCriticalSectionChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/CheckObjCInstMethSignature/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/CheckObjCInstMethSignature/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/EnumCastOutOfRangeChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/EnumCastOutOfRangeChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/InvalidatedIteratorChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/InvalidatedIteratorChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/MallocOverflowSecurityChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MallocOverflowSecurityChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/MismatchedIteratorChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MismatchedIteratorChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/NonnullGlobalConstantsChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NonnullGlobalConstantsChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/NumberObjectConversionChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NumberObjectConversionChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCAutoreleaseWriteChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCAutoreleaseWriteChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ObjCMissingSuperCallChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ObjCMissingSuperCallChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/ReturnPointerRangeChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/ReturnPointerRangeChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/RunLoopAutoreleaseLeakChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/RunLoopAutoreleaseLeakChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/StdLibraryFunctionsChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/StdLibraryFunctionsChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/TrustReturnsNonnullChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/TrustReturnsNonnullChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefCapturedBlockVarChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefCapturedBlockVarChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefinedArraySubscriptChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefinedArraySubscriptChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefinedAssignmentChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefinedAssignmentChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefinedNewArraySizeChecker/plan_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefinedNewArraySizeChecker/plan_embedding.pt -------------------------------------------------------------------------------- /checker_database/BlockInCriticalSectionChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/BlockInCriticalSectionChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/MallocOverflowSecurityChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/MallocOverflowSecurityChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/NonnullGlobalConstantsChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NonnullGlobalConstantsChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/NumberObjectConversionChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/NumberObjectConversionChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/RunLoopAutoreleaseLeakChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/RunLoopAutoreleaseLeakChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefCapturedBlockVarChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefCapturedBlockVarChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefinedNewArraySizeChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefinedNewArraySizeChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /checker_database/UndefinedArraySubscriptChecker/pattern_embedding.pt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ise-uiuc/KNighter/HEAD/checker_database/UndefinedArraySubscriptChecker/pattern_embedding.pt -------------------------------------------------------------------------------- /config-example.yaml: -------------------------------------------------------------------------------- 1 | result_dir: "/absolute-patch/results/debug" 2 | LLVM_dir: "/absolute-patch/llvm" 3 | checker_nums: 10 4 | linux_dir: "/absolute-patch/linux" 5 | key_file: "llm_keys.yaml" 6 | model: "o3-mini" 7 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | openai==1.56.1 2 | loguru 3 | tiktoken 4 | GitPython 5 | tree-sitter==0.21.3 6 | rich 7 | html2text 8 | fire 9 | pre-commit 10 | torch 11 | azure-ai-inference 12 | google-genai 13 | bs4 14 | psutil 15 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "tree-sitter-cpp"] 2 | path = src/kparser/tree-sitter-cpp 3 | url = https://github.com/tree-sitter/tree-sitter-cpp.git 4 | [submodule "src/kparser/tree-sitter-cpp"] 5 | path = src/kparser/tree-sitter-cpp 6 | url = https://github.com/tree-sitter/tree-sitter-cpp.git 7 | -------------------------------------------------------------------------------- /checker_database/EnumCastOutOfRangeChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Casting an integer to an enumeration type where the integer value does not match any of the enumeration’s defined constant values. This results in producing an out-of-range (or undefined) enum value, which may lead to undefined behavior. -------------------------------------------------------------------------------- /checker_database/VLASizeChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Declaring a variable-length array (VLA) with an invalid size expression – that is, when the size is derived from a value that is undefined, zero, negative, overflowing, or tainted – which can lead to an invalid memory extent and potential runtime errors. -------------------------------------------------------------------------------- /checker_database/SmartPtrChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Dereferencing a C++ smart pointer without first verifying that it is not null. In this case, the checker detects calls (using operator* or operator->) on a smart pointer whose underlying pointer is null, which can lead to a null pointer dereference and undefined behavior. -------------------------------------------------------------------------------- /checker_database/ReturnUndefChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Returning a value that has not been defined—i.e., an uninitialized or "garbage" value—or returning a null reference from a function. This pattern occurs when a function produces a return value whose state is undefined, leading the caller to operate on potentially invalid data. -------------------------------------------------------------------------------- /checker_database/TaintTesterChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Using data that is marked as tainted without proper sanitization. In this pattern, expressions (or values) that satisfy a taint condition are used unchecked, which may allow unsafe or untrusted data to propagate through the program and trigger security issues. 5 | ``` -------------------------------------------------------------------------------- /checker_database/UndefinedAssignmentChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Assigning an undefined (uninitialized) value to a program variable or memory location. This pattern occurs when a computed or assigned value has not been properly initialized before use, which can lead to the propagation of garbage data and subsequent erroneous behavior. -------------------------------------------------------------------------------- /checker_database/DirectIvarAssignment/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Direct assignment to an instance variable (ivar) that backs an Objective-C property instead of using the property's setter. This pattern bypasses any custom logic, memory management, or side effects implemented in the setter method, potentially leading to unexpected behavior or bugs. -------------------------------------------------------------------------------- /checker_database/DivZeroChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Performing a division or remainder operation where the denominator is a symbolic value that may be zero (or potentially tainted), without first ensuring it is nonzero. This pattern involves using an unchecked value as the divisor, which can lead to undefined behavior due to a division-by-zero error. -------------------------------------------------------------------------------- /checker_database/UndefResultChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Binary operations that yield undefined results because one or both operands are uninitialized or contain garbage values. This pattern occurs when a binary operator is applied to operands that haven't been properly initialized, leading to an undefined result, potentially exacerbated by miscomputed array indices. -------------------------------------------------------------------------------- /checker_database/UndefBranchChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker detects cases where a branch condition is computed from an uninitialized (undefined) value. In essence, it flags patterns where control-flow decisions (e.g., in if/while statements) depend on an expression that has not been properly initialized, leading to unpredictable or garbage behavior. 5 | ``` -------------------------------------------------------------------------------- /checker_database/ObjCMissingSuperCallChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | A subclass overrides a method that is required to invoke the superclass’s implementation, but it fails to do so. In other words, the checker flags methods where the expected super call (e.g., [super methodName]) is missing, which can lead to improper initialization or cleanup as defined by the superclass’s contract. -------------------------------------------------------------------------------- /checker_database/FixedAddressChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern is the assignment of a fixed, hard-coded (non-zero constant) address to a pointer. This pattern is characterized by directly assigning a constant pointer value—which is not zero—to a pointer variable, leading to portability issues because the fixed address may not be valid in different environments or platforms. -------------------------------------------------------------------------------- /src/llm_keys_example.yaml: -------------------------------------------------------------------------------- 1 | # Simple LLM configuration 2 | 3 | # API Keys 4 | openai_key: "sk-..." 5 | claude_key: "sk-ant-..." 6 | google_key: "AIza..." 7 | deepseek_key: "sk-..." 8 | 9 | # For local models (optional) 10 | # In config, use "local:model_name" format to use local models 11 | # Like "local:openai/gpt-oss-120b" 12 | base_url: "http://localhost:8000/v1" 13 | api_key: "dummy" 14 | -------------------------------------------------------------------------------- /checker_database/DeadStoresChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Storing a value into a local variable (or performing an assignment) whose result is never subsequently read. This pattern occurs when an assignment, initialization, or nested assignment computes a value that is not used in any later computation or observable behavior, making the store effectively “dead” and possibly indicating a logic error. -------------------------------------------------------------------------------- /checker_database/StdVariantChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Incorrectly retrieving a value from a std::variant using std::get with a type or index that does not match the variant’s active held type. This pattern occurs when the program assumes the variant holds one type (or is in one state) but in reality it holds another, leading to type mismatches that trigger runtime errors or unexpected behavior. -------------------------------------------------------------------------------- /checker_database/ObjCSuperDeallocChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Using an object after it has been deallocated. In this pattern, a message (or any memory access) is applied to an object that has already been deallocated—typically by calling [super dealloc]. This leads to a situation where methods or instance variable accesses occur on an object that no longer exists, causing undefined behavior or crashes. -------------------------------------------------------------------------------- /checker_database/CheckObjCInstMethSignature/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Overriding an Objective-C instance method in a subclass with a return type that is not compatible with the return type declared in the superclass (or interface). This mismatch in method signatures—specifically in the return types—can lead to undefined behavior for clients expecting a consistent type across the inheritance chain. 5 | ``` -------------------------------------------------------------------------------- /checker_database/TrustReturnsNonnullChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Trusting a function’s non-null guarantee solely based on its "returns_nonnull" attribute, without performing any explicit runtime check. In this pattern, pointers returned from functions annotated with "returns_nonnull" are automatically assumed to be non-null, which can mask issues if the function mistakenly returns a null pointer. 5 | ``` -------------------------------------------------------------------------------- /checker_database/UnreachableCodeChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker identifies code segments that are never executed by detecting CFG blocks that have no corresponding execution paths (i.e. no ExplodedGraph nodes reached them). This indicates unreachable or dead code, usually caused by flawed control flow logic where conditions or branching structure inadvertently exclude some code paths. 5 | ``` -------------------------------------------------------------------------------- /checker_database/ObjCAutoreleaseWriteChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Writing to an autoreleasing out parameter (e.g. an NSError** marked with __autoreleasing) from within a block or an inner autorelease pool. This pattern occurs when the parameter is modified (e.g. via dereference assignment) in a context where an autorelease pool may prematurely drain and free the object, leading to crashes on subsequent dereferences. -------------------------------------------------------------------------------- /checker_database/null-ptr-derefence/pattern.md: -------------------------------------------------------------------------------- 1 | ### Bug Pattern 2 | 3 | The bug pattern is that the function `devm_kasprintf()` can return NULL if it fails to allocate memory. When the return value is not checked and is subsequently dereferenced, it can lead to a NULL pointer dereference. This pattern can cause the program to crash if it tries to use the pointer returned by `devm_kasprintf()` without ensuring it is non-NULL. 4 | -------------------------------------------------------------------------------- /checker_database/CastToStructChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Casting a pointer to a structure type when the original pointer does not refer to a structure, or converting between structure pointers where the target structure is wider than the original. This pattern leads to potential memory access errors or data corruption because fields may be accessed beyond the actual storage layout of the original data. 5 | ``` -------------------------------------------------------------------------------- /checker_database/CastSizeChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Casting a pointer to a memory region whose actual allocated size isn’t a multiple of the destination type’s size. This mismatch indicates that the allocated memory may not correctly accommodate an array of the destination type, potentially leading to misaligned accesses, buffer overruns, or unintended behavior—especially when handling structures with flexible array members. -------------------------------------------------------------------------------- /checker_database/OSObjectCStyleCast/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Using a C-style cast on an OSObject-derived instance instead of using safer, explicit casting mechanisms (e.g., OSRequiredCast or OSDynamicCast). This pattern occurs when an OSObject (or any object derived from OSMetaClassBase/OSObject) is cast using an implicit C-style cast, bypassing proper type checking, which may lead to type confusion and potential security issues. -------------------------------------------------------------------------------- /prompt_template/examples/null-ptr-derefence/pattern.md: -------------------------------------------------------------------------------- 1 | ### Bug Pattern 2 | 3 | The bug pattern is that the function `devm_kasprintf()` can return NULL if it fails to allocate memory. When the return value is not checked and is subsequently dereferenced, it can lead to a NULL pointer dereference. This pattern can cause the program to crash if it tries to use the pointer returned by `devm_kasprintf()` without ensuring it is non-NULL. 4 | -------------------------------------------------------------------------------- /checker_database/BoolAssignmentChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Assigning a value to a Boolean variable that isn’t ensured to be strictly a 0 or a 1. In this pattern, a non-Boolean expression may yield values outside the expected Boolean range, leading to unintended conversion behavior. This issue is particularly problematic when the value is tainted, as it may not have been properly normalized to Boolean semantics before assignment. -------------------------------------------------------------------------------- /checker_database/PointerSortingChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Using standard sorting algorithms (e.g. std::sort, std::stable_sort, etc.) on containers holding pointer-like elements can lead to non-deterministic orderings. This is because the sort is based on the memory addresses of the pointers rather than on the values they point to, which may vary between runs, resulting in inconsistent or unpredictable ordering. 5 | ``` -------------------------------------------------------------------------------- /checker_database/UndefinedArraySubscriptChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Using an undefined value as the array subscript. In this bug pattern, the index in an array access expression is not properly defined (i.e., it is undefined), which can lead to unpredictable behavior. The checker warns when such an undefined index is used (except in special cases like defaulted constructors where the compiler generates anonymous array variables). -------------------------------------------------------------------------------- /checker_database/PointerSubChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Subtracting two pointers that refer to different underlying memory regions (i.e., not from the same memory chunk) can lead to undefined behavior or incorrect results. This bug pattern arises when pointer arithmetic is performed on pointers derived from distinct allocations or non-overlapping memory buffers, a situation that should be detected and warned against. 5 | ``` -------------------------------------------------------------------------------- /checker_database/StringChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Passing a null pointer as the first argument to the std::basic_string constructor that expects a non-null C-string, which will later be dereferenced. This pattern occurs when code invokes the string constructor overload that takes (const char*, Allocator) without first ensuring that the const char* argument is non-null, leading to a potential null pointer dereference. 5 | ``` -------------------------------------------------------------------------------- /checker_database/ArrayBoundChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker detects situations where an array element is accessed using an index that goes beyond the dynamically determined size of the array. In other words, if a computed index of an element (extracted as part of an ElementRegion) is found to be outside the range defined by the dynamic extent of the array, it is flagged as an out-of-bound access (i.e., a potential buffer overflow). -------------------------------------------------------------------------------- /checker_database/MacOSXAPIChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Using a transient, non-static memory region (such as a local, stack, block, or instance variable) as the predicate for a one-time initialization function (e.g., dispatch_once or dispatch_once_f). This pattern is problematic because the predicate is expected to have a static storage duration; using temporary memory can lead to unsafe behavior if that memory is not reliably persistent. -------------------------------------------------------------------------------- /checker_database/MallocOverflowSecurityChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The pattern occurs when a malloc size argument is computed using an arithmetic expression—typically multiplying an untrusted or unchecked value by a constant—without properly guarding against integer overflow. When the multiplication overflows, the actual allocation size becomes much smaller than intended, which can lead to buffer overflows and potential security exploits. -------------------------------------------------------------------------------- /checker_database/UndefinedNewArraySizeChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | This checker identifies cases where the size argument in a new[] expression is undefined. In other words, it looks for scenarios where an uninitialized or indeterminate value is used to specify how many elements to allocate in an array. This can lead to memory allocation errors and unpredictable behavior, since the array size is not determined by a valid, well-defined value. -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore Mac system files 2 | .DS_Store 3 | 4 | # Ignore result 5 | result/ 6 | 7 | # Ignore __pycache__ 8 | __pycache__/ 9 | 10 | # Ignore test 11 | test/ 12 | 13 | # Skip config files 14 | # config.json 15 | 16 | # Ignore temp data 17 | tmp/ 18 | 19 | # Ignore key files 20 | llm_keys.yaml 21 | 22 | # Ignore result dir 23 | result* 24 | 25 | */logs/ 26 | 27 | llvm-* 28 | *.zip 29 | 30 | */tmp 31 | -------------------------------------------------------------------------------- /checker_database/ChrootChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | A process changes its root directory with chroot() without immediately following it with a chdir("/") call to complete the transition into a restricted “jail” environment. This improper sequencing leaves the process in an insecure state (i.e., a “root changed” state rather than a fully entered jail), potentially allowing operations that could compromise the intended isolation. 5 | ``` -------------------------------------------------------------------------------- /checker_database/NSAutoreleasePoolChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is the misuse of NSAutoreleasePool in a garbage-collected environment by sending it a -release message instead of calling -drain. This arises when code explicitly sends the -release message to an NSAutoreleasePool object while running with Objective-C garbage collection enabled, even though -drain is the appropriate method to invoke in that context. 5 | ``` -------------------------------------------------------------------------------- /checker_database/CheckPlacementNew/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Placement new is used with a storage buffer that does not meet the memory requirements of the allocated type. This pattern involves providing a storage region whose capacity is insufficient (or over-specified in case of arrays) or whose alignment does not match the alignment required by the type being constructed. Such misuse can lead to undefined behavior and memory corruption. 5 | ``` -------------------------------------------------------------------------------- /checker_database/ReturnPointerRangeChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Returning a pointer computed via array or pointer arithmetic where the resulting offset is out-of-bounds with respect to the original object. Specifically, the checker detects when a function returns a pointer that points to an element outside the valid range (other than the allowed one-past-end iterator) of the underlying array, potentially leading to buffer overflow vulnerabilities. -------------------------------------------------------------------------------- /checker_database/PointerIterationChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Iterating over pointer-like elements stored in unordered containers (such as std::unordered_set) can lead to non-deterministic iteration order. This pattern arises when using range-based for loops or similar constructs on unordered collections of pointers, where the order is not guaranteed. Relying on a specific iteration order in such contexts might introduce subtle bugs or inconsistent behavior. -------------------------------------------------------------------------------- /checker_database/DynamicTypeChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Casting a pointer where the object's dynamically determined type does not match its static type—specifically, an implicit bitcast between Objective-C object pointer types is performed without verifying that the dynamic type is compatible with the static type. This unchecked conversion can lead to type errors, as the actual object type (tracked dynamically) may be entirely unrelated to the expected static type. -------------------------------------------------------------------------------- /checker_database/InvalidatedIteratorChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is the use of iterators after they have been invalidated. Specifically, code that continues to dereference or access iterators without verifying that their underlying position remains valid (after container modifications, for example) risks undefined behavior. This pattern occurs when iterator validity is not checked before operations that assume a valid iterator state. 5 | ``` -------------------------------------------------------------------------------- /checker_database/MmapWriteExecChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is the unsafe combination of memory protection flags that permit a memory region to be both writable and executable. In other words, if a call to mmap or mprotect sets the protection parameter such that both PROT_WRITE and PROT_EXEC are enabled, the memory region becomes susceptible to attacks because it can be modified and then executed, violating the W^X security policy. 5 | ``` -------------------------------------------------------------------------------- /checker_database/ObjCAtSyncChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern is using an uninitialized or null object as the mutex in a synchronized block (i.e., in an @synchronized statement). When the expression used as the lock is either undefined or evaluates to nil, no actual synchronization occurs. This often stems from failing to verify that the mutex is valid (non-null) before using it for synchronization, which can lead to race conditions and unsynchronized access. -------------------------------------------------------------------------------- /checker_database/NonNullParamChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Passing a null pointer as an argument to a function when the corresponding parameter is required to be non-null (either by an explicit 'nonnull' attribute or because it is a reference). This pattern occurs when a function’s interface promises that a valid, non-null pointer will always be provided, but a null value is passed instead, potentially leading to undefined behavior or crashes when the pointer is dereferenced. -------------------------------------------------------------------------------- /checker_database/UndefCapturedBlockVarChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Capturing a local variable in a block without first initializing it. When a block captures a variable that has an undefined value at the time of capture, it may later lead to the use of uninitialized data when the block is executed. This pattern applies to any situation where a block (or closure) forms a reference to a variable that has not been properly initialized in its original context. 5 | ``` -------------------------------------------------------------------------------- /checker_database/StdLibraryFunctionsChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Calls to well‐known library functions where one or more arguments do not meet the expected constraints—such as being within a prescribed numeric range, non‑NULL, or having adequate buffer size—which violates the function’s specification. This mismatch between the caller’s argument values and the function’s documented preconditions (as captured by summary constraints) can lead to undefined behavior or runtime errors. -------------------------------------------------------------------------------- /checker_database/TestAfterDivZeroChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker identifies cases where a divisor is used in a division (or related modulo operation) without first confirming that it is non-zero, and then later the same value is compared against zero in a branch condition. In essence, the bug pattern is “testing a divisor for zero after it has already been used in a division operation,” meaning the safety check comes too late to prevent a division-by-zero error. 5 | ``` -------------------------------------------------------------------------------- /checker_database/CallAndMessageChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker flags cases where call or message expressions use uninitialized, undefined, or null function pointers or arguments. In other words, it detects when a function, method, or block is invoked using a callee or arguments that have not been properly set up (e.g. an uninitialized function pointer, a nil/undef Objective-C receiver, or uninitialized value passed as an argument), leading to potential undefined behavior or crashes. -------------------------------------------------------------------------------- /checker_database/MallocSizeofChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern occurs when a memory allocation call (such as malloc, calloc, or realloc) is cast to a pointer of one type, but the allocation size is computed using a sizeof expression for a different, incompatible type. This mismatch between the pointed-to type and the type used in the size calculation can lead to allocating the wrong amount of memory and result in potential memory errors such as buffer overflows or inefficient memory usage. -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pycqa/isort 3 | rev: 5.12.0 4 | hooks: 5 | - id: isort 6 | name: isort (python) 7 | args: ["--profile", "black"] 8 | - repo: https://github.com/psf/black 9 | rev: 22.6.0 10 | hooks: 11 | - id: black 12 | - repo: https://github.com/pre-commit/pre-commit-hooks 13 | rev: v4.3.0 14 | hooks: 15 | - id: check-yaml 16 | - id: end-of-file-fixer 17 | - id: trailing-whitespace 18 | -------------------------------------------------------------------------------- /checker_database/ObjCContainersASTChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Using CoreFoundation container creation functions (such as CFArrayCreate, CFSetCreate, or CFDictionaryCreate) with an array argument that does not consist of pointer-sized values. The checker detects when the expected C array argument (typically the second or third parameter) is of an incompatible type (i.e., its element type does not have the size of a pointer), indicating a potential mismatch that could lead to runtime errors. 5 | ``` -------------------------------------------------------------------------------- /checker_database/VirtualCallChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Calling a virtual method during an object’s construction or destruction. This occurs when a virtual function (including pure virtual functions or those not marked as final) is invoked on an object whose dynamic type is not fully established (in a constructor) or is partially demolished (in a destructor). As a result, the virtual dispatch mechanism does not work as expected and may lead to undefined behavior or bypassed method overrides. 5 | ``` -------------------------------------------------------------------------------- /checker_database/ObjCPropertyChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Declaring an Objective-C property with the copy attribute for a mutable object type (i.e. a type whose name begins with "NSMutable") can lead to unexpected behavior. When the property is synthesized without a user-declared setter, the automatically generated setter calls −copy on the value, which produces an immutable copy. This mismatch between the property’s declared mutable type and the stored immutable object is the general bug pattern. 5 | ``` -------------------------------------------------------------------------------- /checker_database/CloneChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker detects duplicate or nearly duplicate code fragments—code clones—that indicate potential copy-paste errors. In particular, it looks for groups of statements that are either exact matches or demonstrate only a very minor (often single variable) difference. This pattern suggests that code may have been copied and modified inadequately, leading to maintenance issues or logic bugs when the adaptations (such as variable renaming) are incomplete or inconsistent. -------------------------------------------------------------------------------- /checker_database/StackAddrEscapeChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is the escape of a pointer to stack-allocated memory out of its valid lifetime. Specifically, a pointer that references memory allocated on the stack (e.g., local variables, alloca results, compound literals, or stack-based blocks) is returned or stored into a global or heap location. This causes the pointer to be used after its associated stack frame has been destroyed, leading to dangling pointer accesses and undefined behavior. 5 | ``` -------------------------------------------------------------------------------- /checker_database/DebugCheckers/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The pattern here is one of excessive or unconditional diagnostic output where the checker generates reports or dumps internal analyzer data (like CFGs, dominator trees, live variable info, call graphs, or even a report on every statement) regardless of an actual bug condition. This approach, which is useful for debugging, can lead to a flood of non-actionable or spurious warnings that do not represent real issues in the user's code, but instead expose internal analysis details. -------------------------------------------------------------------------------- /checker_database/IteratorRangeChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Using iterator arithmetic (increment, decrement, or random-access modifications) that results in an iterator pointing outside the valid range (either past-the-end or before the beginning of a container) and then dereferencing or otherwise using that invalid iterator. This bug pattern involves performing operations on STL iterators without ensuring that the resulting iterator remains within the correct container bounds, which can lead to undefined behavior. 5 | ``` -------------------------------------------------------------------------------- /checker_database/SimpleStreamChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker detects improper resource management of file streams, where a file opened via fopen is mishandled by either being closed more than once (double fclose) or never being closed at all (resource leak). The pattern is that after a resource is acquired (opened), its state is not correctly updated or verified before a subsequent operation (like another fclose or program termination), leading to dangerous operations on an invalid or leaked resource. 5 | ``` -------------------------------------------------------------------------------- /checker_database/double-free/pattern.md: -------------------------------------------------------------------------------- 1 | ### Bug Pattern 2 | 3 | The bug pattern in the provided patch is the use of `devm_kcalloc()` for allocating memory, which results in automatic memory management by the device-managed allocation API. This can lead to a double free issue when manual deallocation is also performed with functions like `pinctrl_utils_free_map()`. The root cause is combining automatic device-managed memory allocation with manual memory deallocation, which can result in freeing memory twice and cause undefined behavior 4 | -------------------------------------------------------------------------------- /checker_database/BlockInCriticalSectionChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Calling blocking functions (e.g. sleep, getc, fgets, read, recv) while a mutex is held or inside a critical section. This pattern arises when code enters a region protected by a lock (or similar synchronization mechanism) and then invokes an operation that can block execution. Such a call may delay progress or even lead to deadlock because it prevents other threads from acquiring the lock, creating a potential performance bottleneck or system deadlock. 5 | ``` -------------------------------------------------------------------------------- /checker_database/MIGChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | In a MIG callback function, if a routine deallocates an out-of-line parameter (i.e., transfers ownership by calling a known deallocation function) and then returns an error code rather than a success code, it leads to a use‐after‐free vulnerability. This is because the MIG calling convention expects that on error, the caller will clean up the parameter—so deallocating it in the callee causes double deallocation (or use‐after‐free) when the caller later tries to free the same resource. -------------------------------------------------------------------------------- /prompt_template/examples/double-free/pattern.md: -------------------------------------------------------------------------------- 1 | ### Bug Pattern 2 | 3 | The bug pattern in the provided patch is the use of `devm_kcalloc()` for allocating memory, which results in automatic memory management by the device-managed allocation API. This can lead to a double free issue when manual deallocation is also performed with functions like `pinctrl_utils_free_map()`. The root cause is combining automatic device-managed memory allocation with manual memory deallocation, which can result in freeing memory twice and cause undefined behavior 4 | -------------------------------------------------------------------------------- /checker_database/InnerPointerChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Keeping and using raw pointers that refer to a container’s internal buffer after the container has been modified or destroyed. This pattern typically occurs when the code retrieves a pointer to the internals of a standard container (e.g., via c_str(), data(), etc.) and later calls non-const operations on the container (such as append, assign, clear, erase, etc.) that may invalidate that raw pointer. Using such invalidated pointers can lead to use-after-free or undefined behavior. -------------------------------------------------------------------------------- /checker_database/ObjCContainersChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern is indexing into an array without ensuring the index is within the valid bounds. In this case, the checker tracks the size of a CFArray (collected during its creation or through a count function) and then checks that any index used in CFArrayGetValueAtIndex falls within the legal range [0, size-1]. This pattern of using an out-of-bound index when accessing a container (or array) can lead to undefined behavior due to memory accesses outside the allocated region. -------------------------------------------------------------------------------- /checker_database/PaddingChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker detects records (or arrays of records) where the ordering of member fields leads to excessive padding. In other words, when a structure is declared with a field order that forces the compiler to insert unnecessary alignment-induced gaps, the overall memory footprint can be significantly larger than an optimally arranged version. This pattern—suboptimal field ordering causing extra padding—is associated with inefficient data layouts that can impact performance and memory usage. -------------------------------------------------------------------------------- /checker_database/PointerArithChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Performing pointer arithmetic on pointers that do not point to valid array elements. In this pattern, arithmetic operations (such as addition, subtraction, or increment/decrement) are applied to pointers referencing single objects or regions not allocated as arrays, relying on memory layout assumptions that may be invalid. This misuse can lead to undefined behavior and potential memory access errors when the pointer arithmetic goes out-of-bounds of the intended object. 5 | ``` -------------------------------------------------------------------------------- /checker_database/DereferenceChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Dereferencing a pointer when it is null or undefined. In particular, the checker detects cases where a pointer is either explicitly known to be null or remains undefined (i.e., it has not been properly initialized or checked) before it is dereferenced. This bug pattern covers code where a pointer value, which could be null or undefined, is used in memory accesses such as loads, stores, or field accesses without prior validation, potentially leading to runtime crashes or undefined behavior. -------------------------------------------------------------------------------- /checker_database/ObjCUnusedIVarsChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern detected is the declaration of private instance variables (ivars) in an Objective-C class that are never used in any of the class’s implementation methods. In other words, the code defines ivars that are neither referenced within the class’s own methods nor marked with attributes (like Unused or IBOutlet) to indicate intentional non-use. This pattern can lead to unnecessary memory usage and maintenance overhead, suggesting that the ivars may be redundant or vestigial code. -------------------------------------------------------------------------------- /checker_database/ValistChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Improper management of va_list lifetime – using a va_list value that has not been properly initialized or has been reinitialized without proper cleanup. This manifests as either accessing a va_list (via va_arg or passing it to functions that use it) before a corresponding va_start/va_copy call has been made, calling va_end on a va_list that hasn’t been initialized, or overwriting an already initialized va_list (for example via an improper va_copy or a repeated va_start) leading to potential leaks. -------------------------------------------------------------------------------- /checker_database/MismatchedIteratorChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Using iterators that do not stem from the same underlying container when the API requires them to be paired. That is, the code detects cases where iterator(s) from one container are compared, used in insertion, erasure, or passed as arguments expecting a matching iterator pair from the same container. This pattern—mixing iterators of different containers—leads to undefined behavior or logic errors because container operations assume that all provided iterators are from the same container. -------------------------------------------------------------------------------- /checker_database/CXXSelfAssignmentChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern is an assignment operator that does not explicitly handle the case where the assigned object is the same as the target (i.e. self-assignment). Without a guard against self-assignment, the operator may proceed with a full assignment of its own contents over itself, which can lead to logic errors or unintended resource handling issues. This checker models both self‐assignment and non-self‐assignment scenarios to help detect potential bugs arising from the lack of an explicit self-assignment check. -------------------------------------------------------------------------------- /checker_database/IdenticalExprChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is the inadvertent use of identical expressions in contexts where distinct expressions were likely intended. For example, when both operands of a binary operator (comparison, logical, or bitwise) are exactly the same or when the same condition is used for multiple branches (e.g., in if/else constructs or conditional operators). This leads to expressions that always evaluate to a constant truth value (true or false) or redundant code, indicating a possible logical error in the program. 5 | ``` -------------------------------------------------------------------------------- /checker_database/NullabilityChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is the violation of nullability contracts. This occurs when a pointer that is required to be nonnull (by its annotation or intended design) is either assigned or produced as null (or comes from a nullable source) and then used unchecked. In other words, the bug arises when null or nullable pointers are passed to locations or functions that expect nonnull values—or when such pointers are dereferenced without a proper null check—thus violating the declared pointer’s nonnull guarantee. 5 | ``` -------------------------------------------------------------------------------- /checker_database/StreamChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker is designed to detect incorrect handling of file stream pointers. In general, the bug pattern is operating on a stream (FILE*) without ensuring that the stream is valid—i.e., not NULL, not already closed or previously failed to open, and not in an indeterminate state due to prior I/O errors. Programs that use stream functions without verifying that the stream pointer is non-null and still in an "opened" state (and that its file position is determinate) risk undefined behavior, erroneous I/O, and resource leaks. -------------------------------------------------------------------------------- /checker_database/MoveChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Detecting and reporting the use‐of an object that has been “moved from.” In other words, the checker identifies when an object (tracked via its memory region) has been subject to a move (move construction or move assignment), which transfers its internal resources and leaves it in a valid but unspecified state, and then is subsequently used (via method calls, copy/move operations, or dereferencing) in ways that assume it is still fully initialized. This misuse of a moved-from object constitutes the bug pattern. 5 | ``` -------------------------------------------------------------------------------- /checker_database/CastValueChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Performing custom RTTI casts (such as llvm::cast, dyn_cast, cast_or_null, etc.) on a value without ensuring that its dynamic type actually matches the target type. In this pattern, the code assumes that a cast will succeed (or be checked as successful) even when the dynamic type information indicates that the conversion is infeasible. This faulty assumption can lead to generating an incorrect, null, or sink state, reflecting an improper use of type‐casting functions where the static and dynamic types are inconsistent. 5 | ``` -------------------------------------------------------------------------------- /checker_database/UnixAPIChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Improper use of Unix/POSIX API functions via incorrect or mismatched arguments. This includes cases where flags (such as O_CREAT) imply additional arguments (like file mode) that are missing or of the wrong type, passing too many arguments, using transient storage (e.g., stack memory) for functions expecting long-lived control objects (such as in pthread_once), and performing allocations with a size of zero (via malloc, calloc, alloca, etc.). These misuse patterns can lead to runtime errors, undefined behavior, or portability issues. -------------------------------------------------------------------------------- /checker_database/uninit/pattern.md: -------------------------------------------------------------------------------- 1 | ### Bug Pattern 2 | 3 | The bug pattern is using `kmalloc()` to allocate memory for a buffer that is later copied to user space without properly initializing the allocated memory. This can result in a kernel information leak if the allocated memory contains uninitialized or leftover data, which is then exposed to user space. The root cause is the lack of proper memory initialization after allocation, leading to potential exposure of sensitive kernel data. Using `kzalloc()` instead ensures that the allocated memory is zeroed out, preventing such information leaks. 4 | -------------------------------------------------------------------------------- /checker_database/ContainerModeling/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | When operations modify the contents or structure of a container (for example, via clear, push_back, pop_back, insert, erase, or assignment), any previously obtained iterator positions may become invalid. If the program continues to use these stale iterators without properly revalidating or updating them to reflect the container’s new state, it can lead to undefined behavior. This pattern occurs when modifications to a container are not matched with corresponding updates to all dependent iterator values, resulting in potential iterator misuse. -------------------------------------------------------------------------------- /checker_database/ObjCSelfInitChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Using the 'self' object before it has been properly re-assigned from an initializer call. In other words, in Objective-C initializer methods, if the object referenced by 'self' is used (for example, to access instance variables or to be returned) without first assigning 'self' to the result of an initialization method (such as [super init] or [self init…]), then the object may be in an invalid or uninitialized state. This pattern of not updating 'self' with the initializer’s result before its use is the root cause of the bug. 5 | ``` -------------------------------------------------------------------------------- /prompt_template/examples/uninit/pattern.md: -------------------------------------------------------------------------------- 1 | ### Bug Pattern 2 | 3 | The bug pattern is using `kmalloc()` to allocate memory for a buffer that is later copied to user space without properly initializing the allocated memory. This can result in a kernel information leak if the allocated memory contains uninitialized or leftover data, which is then exposed to user space. The root cause is the lack of proper memory initialization after allocation, leading to potential exposure of sensitive kernel data. Using `kzalloc()` instead ensures that the allocated memory is zeroed out, preventing such information leaks. 4 | -------------------------------------------------------------------------------- /checker_database/CStringSyntaxChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern involves miscomputing the length argument passed to C string functions (like strncat, strlcpy, and strlcat). In these calls, the length parameter is calculated incorrectly—often by using expressions such as sizeof(destination), sizeof(destination)-1, or sizeof(destination)-strlen(destination)—which fail to properly account for the available buffer space (e.g., not leaving room for the terminating null character or misrepresenting the actual size). This incorrect size computation can lead to buffer overflows or memory corruption. -------------------------------------------------------------------------------- /checker_database/NSErrorChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker looks for functions or methods that accept an "error out" parameter (like NSError** or CFErrorRef*) but are declared with a void return type. This pattern is problematic because it violates coding conventions (e.g., those recommended by Apple) that require such functions to return a status (non-void) to indicate whether the error out parameter was set. Without a proper return value, callers cannot reliably determine if an error occurred, which can lead to misuse or unexpected null dereferences when the error parameter is later accessed. -------------------------------------------------------------------------------- /checker_database/RunLoopAutoreleaseLeakChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Allocation of temporary autoreleased objects (via Objective-C message expressions) that are produced in a scope where the autorelease pool is not explicitly drained before entering the main run loop (or a similar long-running call) causes these objects to never be released. In other words, the pattern is: invoking methods which create temporary autoreleased objects, followed by immediately launching the main run loop (or equivalent) within the same (or without any) autorelease pool, resulting in a leak of these objects. 5 | ``` -------------------------------------------------------------------------------- /checker_database/VforkChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Detecting code running in a vfork child process that performs unsafe operations—specifically, any function calls (other than a small, predefined allowed set), memory writes (other than to the designated vfork return storage), or attempts to return normally. These operations are forbidden because vfork’s child shares the parent's memory state. Thus, the bug pattern is when the child process derived from vfork performs disallowed operations (function calls, bindings/assignments, or returns) that can lead to undefined behavior due to the shared address space. -------------------------------------------------------------------------------- /checker_database/NonnullGlobalConstantsChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern is the failure to recognize and enforce non-nullness for global constant string-like objects. In this pattern, global variables that are declared as constant (often via types like const char*, NSString* const, or typedefs such as CFStringRef) are treated as if they could be null despite their inherent non-null semantics. This may lead to analysis imprecision or spurious warnings since the actual program logic assumes such globals are always non-null, but the analyzer might not be able to infer that without an explicit assumption. -------------------------------------------------------------------------------- /checker_database/AnalyzerStatsChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker reports a situation where portions of a function’s control flow graph (CFG) are not reached during analysis—either as “unreachable” blocks or as points where the analyzer “bails out” (sink points) because it has exhausted its work list. This pattern indicates that certain paths in the function are not analyzable (or dead) due to limitations in the CFG exploration. Such unchecked or unreachable CFG regions can hide defects (or lead to false confidence) in the code, as the analysis may miss execution paths that could be problematic. 5 | ``` -------------------------------------------------------------------------------- /checker_database/DebugIteratorModeling/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker assumes that the provided iterator argument is valid and its internal state (like offset, container, and validity flag) can be extracted. When an iterator value is missing or its internal representation cannot be retrieved (for example, if no argument is given), the checker simply binds a default value and emits a debug message instead of enforcing proper validation. This pattern—relying on presumed valid iterator inputs and defaulting silently when they are absent—can mask underlying iterator misuse or invalid state issues in the analyzed code. -------------------------------------------------------------------------------- /checker_database/GCDAntipatternChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Using asynchronous synchronization objects (such as dispatch semaphores or groups) to force synchronous behavior. Specifically, the pattern is: a semaphore or dispatch group is created (often initialized to indicate “not ready” state), an asynchronous callback is set up that signals the semaphore or leaves the group, and then the main thread or caller immediately waits on that same semaphore or group. This forces synchronous waiting on an otherwise asynchronous operation, leading to potential performance problems like thread blocking and priority inversion. -------------------------------------------------------------------------------- /checker_database/CheckSizeofPointer/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern is the unintended use of sizeof() on a pointer variable. In these cases, developers invoke sizeof() with an expression whose type is a pointer rather than the type of the object pointed to. This typically happens when sizeof() is applied directly to a pointer (for example, sizeof(p)) instead of dereferencing it (for example, sizeof(*p)). This can lead to an incorrect size being computed, which might be much smaller (or different) than the actual object size expected, potentially causing logic errors, memory allocation issues, or other runtime errors. -------------------------------------------------------------------------------- /checker_database/ReturnValueChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker detects cases where a function that is supposed to always return a specific boolean value (i.e. a guaranteed invariant) instead returns a value that deviates from that expected constant. This pattern occurs when a function’s contract stipulates that it must return, for example, true (or false) to signal a particular error condition, but the observed return value contradicts that guarantee. The root cause is that the function call fails to uphold its documented invariant, which may lead to inconsistent error handling or unexpected behavior. 5 | ``` -------------------------------------------------------------------------------- /checker_database/ArrayBoundCheckerV2/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Accessing an array or memory block using an index or offset that is computed via symbolic arithmetic and not properly constrained within the bounds (either below zero or beyond the block’s extent). In particular, the bug pattern occurs when the computed offset from an array subscripting or pointer dereference is not validated against the actual size of the underlying memory region—potentially allowing negative (underflow) or excessive (overflow) offsets, and even when the offset is tainted. This unchecked arithmetic can lead to out‐of‐bounds memory accesses. 5 | ``` -------------------------------------------------------------------------------- /checker_database/CheckObjCDealloc/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern is failing to correctly manage the memory for synthesized instance variables that back properties with retain or copy semantics in Objective-C. Specifically, it involves either omitting a proper -dealloc method altogether or not releasing these ivars (or improperly releasing ivars that should not be directly released, such as those for assign or weak properties). In short, the pattern is about inconsistent or incorrect release of retained resources in deallocation paths, which can lead to memory leaks or over-releases in manual reference counting environments. -------------------------------------------------------------------------------- /checker_database/MacOSKeychainAPIChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Memory allocated via Keychain API functions (e.g. SecKeychainItemCopyContent, SecKeychainFindGenericPassword, SecKeychainFindInternetPassword, etc.) is expected to be released with a specific corresponding deallocation function (e.g. SecKeychainItemFreeContent). The bug pattern occurs when the allocated memory is not freed using the correct deallocator—or when an incorrect, mismatched deallocation function is used (such as free or another non-corresponding API call). This improper pairing of allocation and deallocation leads to resource leaks or deallocator mismatch errors. -------------------------------------------------------------------------------- /checker_database/SmartPtrModeling/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is the unchecked use (or dereference) of a smart pointer whose internal raw pointer value may be null. This situation arises from operations such as default construction, release, reset, swap, assignment, or move‑construction—actions that may leave the smart pointer in a “moved-from” or otherwise null state. If the code later uses the smart pointer (for example via operator bool, get, or comparisons) without verifying that its underlying pointer is non-null, it risks dereferencing a null pointer, leading to invalid memory access and undefined behavior. 5 | ``` -------------------------------------------------------------------------------- /checker_database/ErrnoChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is the misuse of the global "errno" variable by performing operations on it (reading or overwriting) without first checking whether its value is valid. This occurs when a function call that might change errno is made while the current state indicates that errno’s value has not been verified (i.e., not “checked”), leading either to reading an undefined errno value or overwriting it before the program had a chance to inspect it. In essence, the root cause is the lack of immediate error-checking of errno before any subsequent operation that may modify its state. 5 | ``` -------------------------------------------------------------------------------- /checker_database/TrustNonnullChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Assuming that pointers are always non-null based solely on annotations or the API’s expected behavior instead of verifying them. That is, the checker creates assumptions—by adding non-null constraints and symbolic implications based on _Nonnull annotations and Objective-C subscript conventions—so that functions (or methods) declared in system headers or associated with standard APIs are always trusted to return non-null values. This pattern can mask actual null pointer returns by relying entirely on header annotations and implicit state transitions rather than explicit runtime checks. -------------------------------------------------------------------------------- /checker_database/CheckerDocumentation/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker embodies a “no‐op callback” pattern. It registers a full suite of analyzer callbacks (for pre‑ and post‑statement visits, message sends, function calls, branch conditions, etc.) yet nearly every callback is left empty (or with only trivial state transitions) and does not perform any real analysis or bug detection. This pattern is dangerous if misapplied elsewhere because it gives the illusion of thorough checking while effectively doing nothing—potentially causing bugs to be missed or developers to assume that error conditions are being handled when they are not. 5 | ``` -------------------------------------------------------------------------------- /checker_database/CheckSecuritySyntaxOnly/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker detects use of insecure or deprecated API calls and coding constructs that fail to enforce critical security requirements. In essence, it flags code patterns where functions known to be inherently unsafe (e.g. unbounded buffer operations like gets/strcpy/strcat, weak random number generators, or deprecated functions such as bcmp/bcopy/bzero) are used without proper safeguards—such as bounds checking, return value validation, or secure alternatives—thus opening the door to vulnerabilities like buffer overflows, predictable randomness, privilege escalation, and other security flaws. -------------------------------------------------------------------------------- /checker_database/LocalizationChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker detects the pattern where user‐facing string literals (or strings not marked as localized) are used in API calls or UI methods that demand a localized string. In other words, strings that should be wrapped in a localization macro (and optionally include translator comments) are instead left untagged, so that they are treated as “non-localized.” This often happens when a string literal’s state is not explicitly set as localized in the program state, and then that same string is passed to UI methods that expect correctly localized content, leading to potential mismatches in user-facing text. -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | # Git 2 | .git 3 | .gitignore 4 | 5 | # Python 6 | __pycache__/ 7 | *.py[cod] 8 | *$py.class 9 | *.so 10 | .Python 11 | env/ 12 | venv/ 13 | ENV/ 14 | env.bak/ 15 | venv.bak/ 16 | .venv/ 17 | 18 | # IDE 19 | .vscode/ 20 | .idea/ 21 | *.swp 22 | *.swo 23 | *~ 24 | 25 | # OS 26 | .DS_Store 27 | Thumbs.db 28 | 29 | # Project specific 30 | result-debug*/ 31 | generated/ 32 | src/config.yaml 33 | src/config-refine.yaml 34 | src/llm_keys.yaml 35 | 36 | # Build artifacts 37 | src/kparser/build/ 38 | *.o 39 | *.a 40 | *.so 41 | 42 | # Large data directories that should be mounted as volumes 43 | /data/ 44 | llvm/ 45 | linux/ 46 | 47 | # Logs 48 | *.log 49 | -------------------------------------------------------------------------------- /checker_database/NoReturnFunctionChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker identifies functions (or Objective-C methods) that never return—such as exit‐like functions or those that ultimately abort execution—but which are not consistently marked or annotated as “noreturn.” In other words, when a function that should terminate execution is missing the appropriate noreturn attribute or metadata (or is not recognized via hardcoded names), analysis may erroneously assume that control returns normally after the call. This pattern of unannotated no-return functions can lead to improper modeling of control flow and the creation of “sink” states in the analyzer. 5 | ``` -------------------------------------------------------------------------------- /checker_database/IteratorModeling/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Modeling iterator positions via abstract symbolic offsets without ensuring consistent, bound-to-container state propagation. In other words, when iterator operations (such as copy construction, advancement via std::advance/next/prev, incremental/decremental operators, and comparisons) are handled by updating an abstract “position” (using conjured symbols and arithmetic) without adequate checks on container binding or state consistency, the resulting state may be unsound or mismatched. This pattern can lead to erroneous assumptions about iterator equivalence or validity when iterators’ positions are not properly tracked across operations. -------------------------------------------------------------------------------- /checker_database/TraversalChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker isn’t attempting to diagnose program errors at all – instead, it “dumps” internal traversal and call‐event information by printing directly to the standard output (llvm::outs()). This pattern of using unfiltered debug output rather than reporting diagnostics via the analyzer’s bug reporting mechanisms means that the checker is essentially leaking internal traversal state. In other words, embedding direct printing calls in analyzer callbacks (for branch conditions, function entry/exit, and call events) is the pattern here, which can lead to debugging information being exposed and can interfere with the normal diagnostic flow. -------------------------------------------------------------------------------- /checker_database/GenericTaintChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Untrusted (or tainted) data flows from its source into security‐sensitive sinks without being properly sanitized or validated. In other words, if data is obtained from untrusted sources (like input functions or environment variables) and is then directly used in functions that perform critical operations (e.g. as format strings, system call arguments, buffer size parameters, or in memory copy routines), the program becomes vulnerable to attacks such as format string exploits, command injection, or buffer overflows. This pattern—failing to filter or validate tainted data before it is consumed in dangerous contexts—is what the checker identifies. -------------------------------------------------------------------------------- /checker_database/DebugContainerModeling/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker assumes that calls meant to extract container iterator state (via functions like clang_analyzer_container_begin/end) are always given a valid container argument with proper internal data. In cases where the container argument is missing or its associated debug data cannot be retrieved, the checker falls back (or even just reports a debug message) and may not update the program state correctly. This pattern—implicitly assuming the presence and validity of container data without robust checking and state propagation—can lead to unsound modeling of container iterators and incorrect analysis results in similar contexts. 5 | ``` -------------------------------------------------------------------------------- /COMMON-ISSUES.md: -------------------------------------------------------------------------------- 1 | # Common Issues 2 | 3 | ## Running Errors 4 | 5 | ### `Error: undefined symbol: static_assert` 6 | 7 | A possible solution is to comment out the line in `src/kparser/tree-sitter-cpp/src/scanner.c:126`: 8 | 9 | ```cpp 10 | unsigned tree_sitter_cpp_external_scanner_serialize(void *payload, char *buffer) { 11 | // static_assert(MAX_DELIMITER_LENGTH * sizeof(wchar_t) < TREE_SITTER_SERIALIZATION_BUFFER_SIZE, 12 | // "Serialized delimiter is too long!"); 13 | 14 | Scanner *scanner = (Scanner *)payload; 15 | size_t size = scanner->delimiter_length * sizeof(wchar_t); 16 | memcpy(buffer, scanner->delimiter, size); 17 | return (unsigned)size; 18 | } 19 | ``` 20 | -------------------------------------------------------------------------------- /checker_database/CXXDeleteChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Deleting a polymorphic object (or an array of polymorphic objects) through a base class pointer whose type does not properly reflect the object's dynamic type—specifically when the base class lacks a virtual destructor. This mismatch in type information during deletion can lead to undefined behavior, as the correct destructor (or destructors for arrays) may not be invoked. The pattern is characterized by: 5 | • Converting a pointer from a derived (dynamic) type to a base type that does not declare its destructor virtual. 6 | • Deleting an object or array through such a pointer, which can result in incomplete destruction of the object(s). 7 | ``` -------------------------------------------------------------------------------- /checker_database/BitwiseShiftChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Using bitwise shift operators (<< or >>) with operand values that violate the constraints imposed by the type’s bit-width. This includes: 4 | 5 | • Using a negative or excessively large right operand (shift count) that is not less than the bit width of the left-hand operand’s type. 6 | 7 | • In left-shift operations, applying the shift to a negative left operand or shifting so far that the left operand’s bits overflow its available bit capacity. 8 | 9 | In essence, performing a shift operation where the operands do not conform to the requirements (e.g., right operand < bit-width, left operand non-negative for certain shifts) can lead to undefined behavior. -------------------------------------------------------------------------------- /checker_database/ConversionChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Implicit conversions where the source type can hold values (especially negative values or values with higher precision) that cannot be accurately represented by the destination type. In particular, converting: 5 | • a signed integer to an unsigned integer (leading to loss of sign), 6 | • or a larger integer to a smaller integer or a floating point type that cannot represent all values in the source’s range (leading to loss of precision). 7 | 8 | This pattern appears in assignments, initializations, and arithmetic operations where the implicit cast may truncate the value or misinterpret its sign, resulting in potentially incorrect computations. 9 | ``` -------------------------------------------------------------------------------- /checker_database/NumberObjectConversionChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | Detecting direct conversion or comparison of pointers that represent number or boolean objects (such as NSNumber, OSNumber, CFNumberRef, etc.) to primitive scalar types (like integers or booleans) without first invoking the proper accessor methods. This typically happens when a pointer is reinterpreted as a numeric value directly (or is compared against a scalar) instead of extracting the contained value through the correct API (e.g., using -boolValue, getValue(), or CFNumberGetValue()). Such misuse can lead to logic errors because the address of the object (the pointer) is used rather than the actual numerical value stored inside the object. 5 | ``` -------------------------------------------------------------------------------- /checker_database/Taint/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker implements a taint‐tracking mechanism but its core pattern is the failure to “normalize” or propagate taint tags correctly when values undergo transformations—such as being cast, incorporated into composite structures, or accessed via subregions. In other words, if a value originally marked as tainted is later wrapped in a SymbolCast, derived into a new symbol, or referenced via a subregion, the taint may not automatically “flow” correctly. This abstraction failure can lead to unsanitized or untracked tainted data being used in sensitive operations, which is the root of many security vulnerabilities where untrusted input isn’t properly validated or sanitized. 5 | ``` -------------------------------------------------------------------------------- /checker_database/CStringChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Improper use of C string functions arising from insufficient validation of buffer properties. In particular, the bug pattern occurs when string API calls (e.g., memcpy, strcpy, strncpy, sprintf, etc.) are used without ensuring that the pointer arguments are non-null, that the buffers are large enough (and their bounds correctly computed to avoid overflows or addition overflow), and that the buffers are properly null‐terminated. It also includes failure to check for overlapping buffers, which can lead to unintended memory corruption. This combination of assumptions about buffer sizes, termination, and non-overlap is the core flaw that can result in memory errors and undefined behavior. -------------------------------------------------------------------------------- /checker_database/FuchsiaHandleChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern involves the mismanagement of Fuchsia handle lifecycles. Specifically, it arises when a program: 4 | 5 | • Acquires a handle (e.g., through a function annotated with acquire_handle) but fails to release it, resulting in a resource leak. 6 | • Releases a handle more than once, leading to a double release. 7 | • Uses a handle after it has been released, causing use-after-release errors. 8 | • Inappropriately releases unowned handles. 9 | 10 | In essence, the root cause is failing to correctly track and enforce the valid state transitions (Allocated → Released/ Escaped, etc.) of handle resources, causing improper resource management and potential runtime errors. -------------------------------------------------------------------------------- /checker_database/BasicObjCFoundationChecks/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker looks for cases where foundation APIs are misused by passing nil where non‐nil objects are expected or by failing to verify that an API’s return value is non-nil before use. In essence, the bug pattern is: a value that must be validated (typically for non-nil) is used without the necessary null-check, leading to API misusage (such as by invoking methods on nil receivers, supplying nil for required key/value arguments in collection methods, or mismanaging memory via invalid CF calls). This pattern is common when developers assume that a method always returns a valid object or that a particular argument can be nil, potentially resulting in runtime crashes or undefined behavior. -------------------------------------------------------------------------------- /checker_database/DynamicTypePropagation/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker flags cases where an Objective‑C generic object’s dynamic type (including its specialized type arguments) does not match or is incompatible with the static type expected at a cast or message send. In other words, when code uses casts or sends messages to objects whose inferred (dynamic) type information—including generic parameter details—differs from the static (declared) type, it may result in an invalid type conversion. This pattern of “mismatched generic type propagation” (i.e. loss or incorrect inference of specialization information) can lead to bugs where the runtime type does not conform to the expected interface, resulting in potentially unsafe conversions. 5 | ``` -------------------------------------------------------------------------------- /checker_database/AnalysisOrderChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker’s design exposes a general pattern where the instrumentation or logging of analysis callbacks is used to validate that every expected callback is fired (and only once) during the analysis pass. In other words, if a codebase relies on callbacks being invoked in a precise order and without duplicates or omissions, any deviation (such as missing, repeated, or out‐of-order callback invocations) can lead to misinterpretation of the analysis state. This pattern is characterized by having many callbacks—each with its own enablement condition—whose improper registration or misconfiguration may result in the analyzer either skipping expected checks or processing the same event multiple times. 5 | ``` -------------------------------------------------------------------------------- /checker_database/STLAlgorithmModeling/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is modeling STL “find‐like” algorithms by manufacturing (i.e. “conjuring”) a new symbolic iterator as a result of the call without fully capturing the search semantics. In this pattern the checker takes the range’s begin and end iterators, creates a new unconstrained iterator symbol, and then “assumes” (via ad hoc comparisons) that its position lies between the two. This abstraction does not precisely represent the real behavior of these algorithms—namely, the distinction between a successful search (an iterator within the range) and a failed one (typically returning the end iterator)—and may lead to modeling inaccuracies that propagate through similar algorithm calls elsewhere. 5 | ``` -------------------------------------------------------------------------------- /checker_database/Iterator/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | Improper handling of iterator positions through unchecked arithmetic and assumptions. In other words, if iterator objects (or types masquerading as iterators) are advanced, compared, or manipulated by performing arithmetic on their underlying symbolic offset without enforcing proper bounds and validity constraints, then the resulting iterator state may be invalid. This can lead to operations on iterators that are out‐of-range or otherwise unsound. The pattern is common when generic container operations (like insert, erase, or advancing an iterator) use types that either do not fully satisfy the iterator interface requirements or do not check that their computed positions remain valid with respect to the container’s actual bounds. -------------------------------------------------------------------------------- /checker_database/IvarInvalidationChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern is when a class that is supposed to invalidate its “invalidatable” instance variables—based on annotations (such as "objc_instance_variable_invalidator" or its partial variant)—fails to properly reset those instance variables (e.g., by setting them to nil or by calling an appropriate invalidation method). In other words, if a class declares an invalidation method (or relies on partial invalidators) but its implementation does not comprehensively clear or invalidate every instance variable that requires it, then the object may end up with stale or dangling ivars. This pattern can lead to undefined behavior or memory management issues, as the object retains references that are meant to be invalidated. -------------------------------------------------------------------------------- /checker_database/GTestChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is the loss or failure to propagate essential state (in this case, the boolean "success_" flag) when constructors (especially copy and bool constructors) are not inlined. This pattern appears when an un-inlined API (like gtest’s AssertionResult API) copies a key value through its constructors but that value isn’t properly tracked by the analyzer—leading to an imprecise or incorrect simulation of the object’s state. In other words, if critical data is transferred indirectly (via constructors or similar functions) without explicit propagation, later code may misinterpret the object’s state (e.g., treating a successful assertion as false), which in turn can cause subsequent false positives or misdiagnoses. 5 | ``` -------------------------------------------------------------------------------- /checker_database/ErrnoTesterChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker models functions that mix two different error‐reporting mechanisms—using both the function’s return value and the global errno variable—in an inconsistent way. In these functions, one branch may signal success (with an expected “unused” or undefined errno), while one or more failure branches set errno (either to a fixed value, a range, or a state that must be checked). The bug pattern is that callers may mistakenly assume errno holds a valid error code regardless of the function’s return value, leading to improper error handling. This pattern appears when error reporting is split between a return value and a side‐effect on errno without clear, consistent rules for when errno is reliable, making it easy to misuse the function and ignore necessary checks. 5 | ``` -------------------------------------------------------------------------------- /checker_database/ErrnoModeling/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern here is the assumption that a well‐known global error state (errno) is stored in a single, identifiable memory region that can be reliably located either by a global variable (named "errno") or by a function (with one of several known names) that returns its address. This pattern relies on using fixed identifier names and system header locations to bind a global side-effect (i.e. changes to errno) to a specific memory region. When programs or environments implement errno differently—such as via thread‐local storage or other nonstandard mechanisms—the model may misrepresent the actual error state. This pattern of “hardcoding” the lookup of a global variable by name and assuming a unique, persistent region for it can lead to mis-modeling similar global state across different parts of the codebase. -------------------------------------------------------------------------------- /checker_database/MallocChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The checker’s bug pattern is about improper memory management — specifically, the inconsistent or mismatched pairing of allocation and deallocation routines. This pattern occurs when memory is allocated using one system (e.g. malloc, new, or specialized kernel allocation routines) but then later freed or released incorrectly. Examples include freeing memory twice (double free), using a deallocation function that does not correspond to the allocation function (e.g. using free to deallocate memory allocated with new or vice‐versa), freeing memory not allocated on the heap (such as stack memory from alloca), or using a pointer after its memory has been freed (use‐after‐free). At its root, the system fails to accurately track and enforce ownership and proper pairing between memory allocation and deallocation, leading to undefined behavior and potential crashes. -------------------------------------------------------------------------------- /prompt_template/patch2pattern.md: -------------------------------------------------------------------------------- 1 | # Instruction 2 | 3 | You will be provided with a patch in Linux kernel. 4 | Please analyze the patch and find out the **bug pattern** in this patch. 5 | A **bug pattern** is the root cause of this bug, meaning that programs with this pattern will have a great possibility of having the same bug. 6 | Note that the bug pattern should be specific and accurate, which can be used to identify the buggy code provided in the patch. 7 | 8 | # Examples 9 | 10 | {{examples}} 11 | 12 | # Target Patch 13 | 14 | {{input_patch}} 15 | 16 | # Formatting 17 | 18 | Please tell me the **bug pattern** of the provided patch. 19 | Please try not to wrap your response in functions if several lines of code are enough to express this pattern. 20 | 21 | Your response should be like: 22 | 23 | ``` 24 | ## Bug Pattern 25 | 26 | {{describe the bug pattern here}} 27 | ``` 28 | -------------------------------------------------------------------------------- /prompt_template/patch2pattern-general.md: -------------------------------------------------------------------------------- 1 | # Instruction 2 | 3 | You will be provided with a patch in Linux kernel. 4 | Please analyze the patch and find out the **bug pattern** in this patch. 5 | A **bug pattern** is the root cause of this bug, meaning that programs with this pattern will have a great possibility of having the same bug. 6 | Note that the bug pattern should be **general and abstract** enough to identify similar buggy code patterns in other parts of the codebase. 7 | 8 | # Examples 9 | 10 | {{examples}} 11 | 12 | # Target Patch 13 | 14 | {{input_patch}} 15 | 16 | # Formatting 17 | 18 | Please tell me the **bug pattern** of the provided patch. 19 | Please try not to wrap your response in functions if several lines of code are enough to express this pattern. 20 | 21 | Your response should be like: 22 | 23 | ``` 24 | ## Bug Pattern 25 | 26 | {{describe the bug pattern here}} 27 | ``` 28 | -------------------------------------------------------------------------------- /checker_database/ExprInspectionChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The bug pattern is the inadvertent (or intentional) use of special “clang_analyzer_…” functions—which are meant for introspecting and debugging the analyzer’s internal state—in production code. These functions, when called, trigger the emission of diagnostic bug reports (e.g., printing symbolic values, state dumps, or evaluation outcomes) even though there is no actual “bug” in the analyzed program. In other words, code that calls these analyzer-specific debug/evaluation functions (such as clang_analyzer_eval, clang_analyzer_explain, etc.) manifests a pattern where internal analyzer assumptions or state details are exposed via built-in error nodes. This pattern is a red flag since it indicates that debug or test helper functions intended for regression or instrumentation have been left in the code and may lead to misleading diagnostics or spurious error reports. 5 | ``` -------------------------------------------------------------------------------- /checker_database/PthreadLockChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | The bug pattern is the mismanagement of a lock’s state transitions throughout its lifecycle. It occurs when code fails to correctly check and update the state of a lock—whether it is locked, unlocked, destroyed, or in an intermediate/uncertain state—before performing operations such as locking, unlocking, or destroying it. This pattern includes: 4 | 5 | • Acquiring a lock that is already locked (double locking). 6 | • Releasing a lock that is not currently held or has already been released/destroyed (double unlocking or use-after-destruction). 7 | • Improper initialization or reinitialization of locks that are still active or already destroyed. 8 | • Violating the expected lock order by unlocking out of acquisition order (lock order reversal). 9 | 10 | This mismanagement can lead to deadlock, race conditions, and other undefined behaviors in multithreaded code. -------------------------------------------------------------------------------- /checker_database/BuiltinFunctionChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ## Bug Pattern 3 | 4 | The checker models the semantics of various compiler builtin functions, and the core pattern is when a builtin is used to impose assumptions or compute values (e.g. memory extents or constant expressions) but its arguments might be undefined or non-deterministic. In particular, if a builtin (like __builtin_assume) is given an undefined or unsatisfiable condition, it can force the program state to “sink” (i.e. prune a viable execution path), or if a memory allocation builtin (like __builtin_alloca) is invoked with an undefined size, the resulting dynamic extent may be modeled incorrectly. This general pattern – relying on builtins to drive control flow or state updates without guaranteeing that their input values are well-defined – can lead to mis-propagation of assumptions and state, eventually causing incorrect analyses or missed bugs in programs that use such builtins. 5 | ``` -------------------------------------------------------------------------------- /checker_database/LLVMConventionsChecker/pattern.md: -------------------------------------------------------------------------------- 1 | ## Bug Pattern 2 | 3 | This checker identifies two related issues with LLVM and Clang coding conventions: 4 | 5 | 1. Binding a temporary std::string—which may have a very short lifetime—to a StringRef. Since StringRef does not own its data, if it’s initialized from a temporary, the underlying std::string can be destroyed leaving the StringRef dangling. 6 | 7 | 2. Defining AST node classes (e.g., those representing Decl, Stmt, Type, or Attr) with fields that can allocate heap memory (such as std::string, std::vector, or llvm::SmallVector). This violates the design guideline that AST nodes should be lightweight and avoid dynamic memory allocation, potentially leading to performance issues or unintended side effects. 8 | 9 | Both issues stem from improper lifetime or memory management, where temporaries or dynamically allocated fields outlive the expected scope or design, leading to unstable or inefficient code. -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | knighter: 5 | build: 6 | context: . 7 | dockerfile: Dockerfile 8 | volumes: 9 | # Mount only results directory for output (LLVM and Linux are built into image) 10 | - knighter_results:/data/results 11 | # Mount configuration files 12 | - ./config.yaml:/app/config.yaml 13 | - ./src/llm_keys.yaml:/app/src/llm_keys.yaml 14 | # Mount commits data 15 | - ./commits:/app/commits 16 | environment: 17 | - LLVM_DIR=/data/llvm 18 | - LINUX_DIR=/data/linux 19 | - RESULT_DIR=/data/results 20 | working_dir: /app/src 21 | # Override default command - examples: 22 | command: ["/bin/zsh", "-c", "python3 main.py --help"] 23 | # command: ["/bin/zsh", "-c", "python3 main.py gen --commit_file=../commits/commits-selected.txt --config_file=../config.yaml"] 24 | # command: ["/bin/zsh", "-c", "python3 main.py refine --checker_dir=/data/results --config_file=../config.yaml"] 25 | 26 | volumes: 27 | knighter_results: 28 | -------------------------------------------------------------------------------- /commits/commits-sampled.txt: -------------------------------------------------------------------------------- 1 | b1ba8bcb2d1ffce11b308ce166c9cc28d989e3b9,Null-Pointer-Dereference 2 | 2e29b9971ac54dec88baa58856a230ec2f2a2dff,Null-Pointer-Dereference 3 | 768f17fd25e4a98bf5166148629ecf6f647d5efc,Integer-Overflow 4 | df94cb2e57b2cc539f325003e7abb76d3060d55b,Integer-Overflow 5 | c3d749609472ba0b217b42ab66f80459847e2bcb,Out-of-Bound 6 | ccc514b7e7acbd301219cbaec0fc0bfe5741acee,Out-of-Bound 7 | c6087b82a9146826564a55c5ca0164cac40348f5,Buffer-Overflow 8 | b58b1b883b9b702e25204dbe2b221eecc8ecd159,Buffer-Overflow 9 | 27834971f616c5e154423c578fa95e0444444ce1,Memory-Leak 10 | 4050957c7c2c14aa795dbf423b4180d5ac04e113,Memory-Leak 11 | ad297cd2db8953e2202970e9504cab247b6c7cb4,UAF 12 | 67801fa67b94ebd0e4da7a77ac2d9f321b75fbe0,UAF 13 | e61dd678601eac53d501dda1eb1bcffec7b11bd6,Double-Free 14 | 19ebc1e6cab334a8193398d4152deb76019b5d34,Double-Free 15 | d313eb8b77557a6d5855f42d2234bd592c7b50dd,Uninit-Data 16 | c48a4497356f701f94f1951626637ae240af909e,Uninit-Data 17 | ef307bc6ef04e8c1ea843231db58e3afaafa9fa6,Concurrency 18 | 5e700b384ec13f5bcac9855cb28fcc674f1d3593,Concurrency 19 | a97de7bff13b1cc825c1b1344eaed8d6c2d3e695,Misuse 20 | e651faa2fba4d387aa00b3c02e9c10232852d2ef,Misuse 21 | -------------------------------------------------------------------------------- /src/kparser/kparser.py: -------------------------------------------------------------------------------- 1 | import ctypes 2 | from pathlib import Path 3 | 4 | from tree_sitter import Language, Node, Parser 5 | 6 | CURR = Path(__file__).parent 7 | 8 | Language.build_library( 9 | str(CURR / "build/my-languages.so"), 10 | [str(CURR / "tree-sitter-cpp")], 11 | ) 12 | 13 | 14 | class KParser: 15 | def __init__(self): 16 | # Load the shared library 17 | lib = ctypes.CDLL(str(CURR / "build/my-languages.so")) 18 | 19 | # Get the language function pointer 20 | get_language = lib.tree_sitter_cpp 21 | get_language.restype = ctypes.c_void_p 22 | 23 | # Create language with pointer instead of path 24 | cpp_language = Language(get_language(), "cpp") 25 | parser = Parser() 26 | parser.set_language(cpp_language) 27 | self.parser = parser 28 | 29 | def parse_file(self, fpath: Path) -> Node: 30 | source_code = open(fpath, "r").read() 31 | tree = self.parser.parse(bytes(source_code, "utf8")) 32 | return tree.root_node 33 | 34 | def parse_code(self, code: str) -> Node: 35 | tree = self.parser.parse(bytes(code, "utf8")) 36 | return tree.root_node 37 | -------------------------------------------------------------------------------- /checker_database/TaintTesterChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your plan for the TaintTesterChecker is as follows: 2 | 3 | 1. When an expression finishes evaluating, the checkPostStmt callback is invoked with the expression (E) and the current CheckerContext (C). 4 | 5 | 2. Retrieve the current program state from the CheckerContext. This state tracks information such as which values are currently tainted. 6 | 7 | 3. Check if the expression E has become tainted by using the helper function isTainted. This function consults the program state (and possibly contextual data) to decide if E carries taint. 8 | 9 | 4. If isTainted returns true, create an ExplodedNode (a point in the analysis graph) for a non-fatal error. This marks the location where a potential taint issue is detected. 10 | 11 | 5. Construct a bug report with a descriptive message (in this case, simply "tainted") and attach the source range of the expression E to highlight where the problem is. 12 | 13 | 6. Finally, emit the bug report to inform users about the flawed use of tainted data. 14 | 15 | This step-by-step plan is simple but covers all necessary actions: post-statement evaluation, state checking for taint, error node generation, bug report creation, and finally, reporting the taint issue. -------------------------------------------------------------------------------- /checker_database/uninit/plan.md: -------------------------------------------------------------------------------- 1 | ### Plan 2 | 3 | 1. **Register Program State Map:** 4 | - Define two maps using `REGISTER_MAP_WITH_PROGRAMSTATE`: 5 | - Use `REGISTER_MAP_WITH_PROGRAMSTATE(UninitMemoryMap, const MemRegion *, bool)` to map memory regions to an initialization flag. 6 | - A `PtrAliasMap` to track alias relationships. This is needed so that if one pointer is checked, its aliases are also marked as checked. 7 | 8 | 2. **Track Memory Allocations (`checkPostCall`):** 9 | - **For `kmalloc`:** 10 | - Retrieve the call expression and its base `MemRegion`. 11 | - Mark the region as uninitialized (`true`). 12 | - **For `kzalloc`:** 13 | - Retrieve the call expression and its base `MemRegion`. 14 | - Mark the region as initialized (`false`). 15 | 16 | 3. **Detect Information Leak (`checkPreCall`):** 17 | - Identify calls to `copy_to_user`. 18 | - Retrieve the kernel source argument’s base `MemRegion`. 19 | - If the region is flagged as uninitialized in `UninitMemoryMap`, call `reportInfoLeak` to generate a warning. 20 | 21 | 4. **Bug Reporting (`reportInfoLeak`):** 22 | - Generate a non-fatal error node. 23 | - Emit a bug report with a message indicating potential kernel information leakage. 24 | -------------------------------------------------------------------------------- /prompt_template/examples/uninit/plan.md: -------------------------------------------------------------------------------- 1 | ### Plan 2 | 3 | 1. **Register Program State Map:** 4 | - Define two maps using `REGISTER_MAP_WITH_PROGRAMSTATE`: 5 | - Use `REGISTER_MAP_WITH_PROGRAMSTATE(UninitMemoryMap, const MemRegion *, bool)` to map memory regions to an initialization flag. 6 | - A `PtrAliasMap` to track alias relationships. This is needed so that if one pointer is checked, its aliases are also marked as checked. 7 | 8 | 2. **Track Memory Allocations (`checkPostCall`):** 9 | - **For `kmalloc`:** 10 | - Retrieve the call expression and its base `MemRegion`. 11 | - Mark the region as uninitialized (`true`). 12 | - **For `kzalloc`:** 13 | - Retrieve the call expression and its base `MemRegion`. 14 | - Mark the region as initialized (`false`). 15 | 16 | 3. **Detect Information Leak (`checkPreCall`):** 17 | - Identify calls to `copy_to_user`. 18 | - Retrieve the kernel source argument’s base `MemRegion`. 19 | - If the region is flagged as uninitialized in `UninitMemoryMap`, call `reportInfoLeak` to generate a warning. 20 | 21 | 4. **Bug Reporting (`reportInfoLeak`):** 22 | - Generate a non-fatal error node. 23 | - Emit a bug report with a message indicating potential kernel information leakage. 24 | -------------------------------------------------------------------------------- /checker_database/double-free/plan.md: -------------------------------------------------------------------------------- 1 | ### Plan 2 | 3 | 1. **Declare a Taint Tag:** 4 | - Use a unique identifier (e.g., `static TaintTagType TaintTag = 101;`) to mark allocations from `devm_*` functions. 5 | 6 | 2. **Model the Memory Allocation (evalCall):** 7 | - In the `evalCall` method, intercept calls to `devm_kcalloc`, `devm_kmalloc`, etc. 8 | - Create a symbolic region to represent the newly allocated memory using `getConjuredHeapSymbolVal`. 9 | - Bind this symbolic region to the return expression of the call. 10 | 11 | 3. **Taint the Return Value (checkPostCall):** 12 | - In the `checkPostCall` callback, if the callee is `devm_*`, retrieve the return value’s symbol and mark it as tainted (using `addTaint(State, retSymbol, TaintTag)`). 13 | 14 | 4. **Check Before Freeing (checkPreCall):** 15 | - Intercept calls to `kfree`, `kvfree`, and `pinctrl_utils_free_map`. 16 | - Extract the pointer argument’s symbol. 17 | - If the symbol is tainted, it indicates that this pointer originates from a `devm_*` allocation. Hence, report a potential double-free. 18 | 19 | 5. **Report Bugs (reportDoubleFree):** 20 | - Generate an error node using `generateNonFatalErrorNode`. 21 | - Create a `PathSensitiveBugReport` for the user, describing the “Double free of devm_* allocated memory.” 22 | -------------------------------------------------------------------------------- /checker_database/UndefinedNewArraySizeChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your plan for the UndefinedNewArraySizeChecker can be summarized in a few concrete steps. Each step is specific and straightforward: 2 | 3 | ``` 4 | 1. Check if the call is a new[] allocation: 5 | • In the checkPreCall callback, first determine if the CallEvent is a CXXAllocatorCall. 6 | • Verify that the allocation is for an array by calling isArray(). 7 | 8 | 2. Retrieve the array size: 9 | • Obtain the array size expression (SizeEx) using getArraySizeExpr(). 10 | • Get the corresponding SVal (SizeVal) with getArraySizeVal(). 11 | 12 | 3. Detect an undefined array size: 13 | • Check if SizeVal is undefined by calling isUndef(). 14 | • If the size is undefined, it means the element count is a garbage value. 15 | 16 | 4. Report the bug: 17 | • In the helper function HandleUndefinedArrayElementCount(), generate an error node. 18 | • Create a bug report with a message indicating that the element count in new[] is a garbage value. 19 | • Mark the undefined SVal as interesting, add the source range from the array size expression, and track the expression’s value. 20 | • Finally, emit the bug report. 21 | ``` 22 | 23 | This concrete plan shows each step you need to implement or understand in order to detect undefined new[] array sizes. -------------------------------------------------------------------------------- /prompt_template/examples/double-free/plan.md: -------------------------------------------------------------------------------- 1 | ### Plan 2 | 3 | 1. **Declare a Taint Tag:** 4 | - Use a unique identifier (e.g., `static TaintTagType TaintTag = 101;`) to mark allocations from `devm_*` functions. 5 | 6 | 2. **Model the Memory Allocation (evalCall):** 7 | - In the `evalCall` method, intercept calls to `devm_kcalloc`, `devm_kmalloc`, etc. 8 | - Create a symbolic region to represent the newly allocated memory using `getConjuredHeapSymbolVal`. 9 | - Bind this symbolic region to the return expression of the call. 10 | 11 | 3. **Taint the Return Value (checkPostCall):** 12 | - In the `checkPostCall` callback, if the callee is `devm_*`, retrieve the return value’s symbol and mark it as tainted (using `addTaint(State, retSymbol, TaintTag)`). 13 | 14 | 4. **Check Before Freeing (checkPreCall):** 15 | - Intercept calls to `kfree`, `kvfree`, and `pinctrl_utils_free_map`. 16 | - Extract the pointer argument’s symbol. 17 | - If the symbol is tainted, it indicates that this pointer originates from a `devm_*` allocation. Hence, report a potential double-free. 18 | 19 | 5. **Report Bugs (reportDoubleFree):** 20 | - Generate an error node using `generateNonFatalErrorNode`. 21 | - Create a `PathSensitiveBugReport` for the user, describing the “Double free of devm_* allocated memory.” 22 | -------------------------------------------------------------------------------- /prompt_template/plan2checker-no-utility.md: -------------------------------------------------------------------------------- 1 | # Instruction 2 | 3 | You are proficient in writing Clang Static Analyzer checkers. 4 | 5 | Please help me write a CSA checker to detect a specific bug pattern. 6 | You can refer to the `Target Bug Pattern` and `Target Patch` sections to help you understand the bug pattern. 7 | Please make sure your checker can detect the bug shown in the `Buggy Code` section. 8 | Please refer to the `Plan` section to implement the checker. 9 | 10 | The version of the Clang environment is Clang-18. You should consider the API compatibility. 11 | The checker you write just needs to be able to detect the bug in C language, no need to consider C++ and Objective-C. 12 | 13 | Please complete the template in `Checker Template` section. You should complete the content wrapped in `{{...}}`. 14 | 15 | **Please read `Suggestions` section before writing the checker!** 16 | 17 | {{suggestions}} 18 | 19 | # Examples 20 | 21 | {{examples}} 22 | 23 | # Target Bug Pattern 24 | 25 | {{input_pattern}} 26 | 27 | # Target Patch 28 | 29 | {{input_patch}} 30 | 31 | # Target Plan 32 | 33 | {{input_plan}} 34 | 35 | {{checker_template}} 36 | 37 | # Formatting 38 | 39 | Please show me the completed checker. 40 | 41 | Your response should be like: 42 | 43 | ```cpp 44 | {{checker code here}} 45 | ``` 46 | -------------------------------------------------------------------------------- /prompt_template/plan2checker.md: -------------------------------------------------------------------------------- 1 | # Instruction 2 | 3 | You are proficient in writing Clang Static Analyzer checkers. 4 | 5 | Please help me write a CSA checker to detect a specific bug pattern. 6 | You can refer to the `Target Bug Pattern` and `Target Patch` sections to help you understand the bug pattern. 7 | Please make sure your checker can detect the bug shown in the `Buggy Code` section. 8 | Please refer to the `Plan` section to implement the checker. 9 | You can use the functions in `Utility Functions` section to help you write the checker. 10 | 11 | The version of the Clang environment is Clang-18. You should consider the API compatibility. 12 | The checker you write just needs to be able to detect the bug in C language, no need to consider C++ and Objective-C. 13 | 14 | Please complete the template in `Checker Template` section. You should complete the content wrapped in `{{...}}`. 15 | 16 | **Please read `Suggestions` section before writing the checker!** 17 | 18 | {{utility_functions}} 19 | 20 | {{suggestions}} 21 | 22 | # Examples 23 | 24 | {{examples}} 25 | 26 | # Target Bug Pattern 27 | 28 | {{input_pattern}} 29 | 30 | # Target Patch 31 | 32 | {{input_patch}} 33 | 34 | # Target Plan 35 | 36 | {{input_plan}} 37 | 38 | {{checker_template}} 39 | 40 | # Formatting 41 | 42 | Please show me the completed checker. 43 | 44 | Your response should be like: 45 | 46 | ```cpp 47 | {{checker code here}} 48 | ``` 49 | -------------------------------------------------------------------------------- /prompt_template/patch2checker.md: -------------------------------------------------------------------------------- 1 | # Instruction 2 | 3 | You will be provided with a patch in Linux kernel. 4 | Please analyze the patch and find out the **bug pattern** in this patch. 5 | A **bug pattern** is the root cause of this bug, meaning that programs with this pattern will have a great possibility of having the same bug. 6 | Note that the bug pattern should be specific and accurate, which can be used to identify the buggy code provided in the patch. 7 | 8 | Then, please help to write a CSA checker to detect the specific bug pattern. 9 | You can use the functions in `Utility Functions` section to help you write the checker. 10 | The version of the Clang environment is Clang-18. You should consider the API compatibility. 11 | The checker you write just needs to be able to detect the bug in C language, no need to consider C++ and Objective-C. 12 | 13 | Please complete the template in `Checker Template` section. You should complete the content wrapped in `{{...}}`. 14 | 15 | **Please read `Suggestions` section before writing the checker!** 16 | 17 | {{utility_functions}} 18 | 19 | # Examples 20 | 21 | {{examples}} 22 | 23 | # Target Patch 24 | 25 | {{input_patch}} 26 | 27 | {{suggestions}} 28 | 29 | {{checker_template}} 30 | 31 | # Formatting 32 | 33 | Please show me the completed checker. 34 | 35 | Your response should be like: 36 | 37 | ```cpp 38 | {{checker code here}} 39 | ``` 40 | -------------------------------------------------------------------------------- /src/kernel_commands.py: -------------------------------------------------------------------------------- 1 | args = [ 2 | ("-disable-checker", "core"), 3 | ("-disable-checker", "cplusplus"), 4 | ("-disable-checker", "deadcode"), 5 | ("-disable-checker", "unix"), 6 | ("-disable-checker", "nullability"), 7 | ("-disable-checker", "security"), 8 | ("-maxloop", 4), 9 | ("-o", "tmp/SAGenTestCSAResult"), 10 | ] 11 | 12 | 13 | def generate_command(llvm_build_dir: str, no_output=False, plugin_names=None) -> str: 14 | comd = f"PATH={llvm_build_dir}/bin:$PATH " 15 | comd += f"{llvm_build_dir}/bin/scan-build --use-cc=clang " 16 | if plugin_names: 17 | for plugin_name in plugin_names: 18 | comd += f"-load-plugin {llvm_build_dir}/lib/{plugin_name}Plugin.so " 19 | comd += f"-enable-checker custom.{plugin_name}Checker " 20 | else: 21 | comd += f"-load-plugin {llvm_build_dir}/lib/SAGenTestPlugin.so " 22 | comd += "-enable-checker custom.SAGenTestChecker " 23 | for arg_name, arg_value in args: 24 | if no_output and arg_name == "-o": 25 | continue 26 | comd += f"{arg_name} {arg_value} " 27 | return comd 28 | 29 | 30 | def generate_command_file(file: str, llvm_build_dir: str) -> str: 31 | comd = generate_command(llvm_build_dir) 32 | comd += f"clang {file} -o tmp/SAGenTest.out" 33 | return comd 34 | 35 | 36 | def generate_command_obj(obj: str, llvm_build_dir: str) -> str: 37 | comd = generate_command(llvm_build_dir) 38 | comd += f"make LLVM=1 ARCH=x86 {obj} -j32" 39 | -------------------------------------------------------------------------------- /checker_database/NSAutoreleasePoolChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your plan is as follows: 2 | 3 | ------------------------------------------------------------ 4 | 1. Trigger on Objective-C Message Sending: 5 | • Use the checkPreObjCMessage callback to intercept every Objective-C message. 6 | • First, verify the message is an instance message (not a class message). 7 | 8 | 2. Verify the Receiver’s Type: 9 | • Retrieve the receiver’s interface declaration. 10 | • Check that the interface identifier is "NSAutoreleasePool". 11 | • This ensures that you are only interested in messages sent to NSAutoreleasePool objects. 12 | 13 | 3. Identify the “release” Selector: 14 | • Initialize a Selector variable (releaseS) to the nullary selector "release" if it isn’t already set. 15 | • Compare the message’s selector against this "release" selector. 16 | 17 | 4. Report the Violation: 18 | • If the message is a release message sent to an NSAutoreleasePool, generate a non-fatal error node. 19 | • Build a bug report with a clear message advising the use of -drain instead of -release. 20 | • Highlight the source range of the offending message in the report. 21 | • Finally, emit the bug report to alert the user. 22 | 23 | ------------------------------------------------------------ 24 | This plan uses a minimal number of concrete steps and conditions. You simply: 25 | 26 | • Filter for instance messages sent to NSAutoreleasePool. 27 | • Check if the method called is "release". 28 | • Emit a bug report recommending the upgrade from -release to -drain. 29 | 30 | Follow these steps directly in your checker’s code to construct a correct and functioning NSAutoreleasePoolChecker. -------------------------------------------------------------------------------- /scripts/count_errors.py: -------------------------------------------------------------------------------- 1 | # Count the number and types of errors 2 | # Example usage: 3 | # python scripts/count_errors.py --input_file result/input.log --output_file output.csv 4 | 5 | import fire 6 | from pathlib import Path 7 | 8 | def count_errors(line, output_file): 9 | commit = line.split()[0] 10 | type = line.split()[1] 11 | ranking_text = " ".join(line.split()[2:]) 12 | 13 | ranking_list = eval(ranking_text) 14 | any_valid = any([ranking[1] > 0 and ranking[2] > 0 for ranking in ranking_list]) 15 | 16 | num_compilation_failures = 0 17 | num_runtime_errors = 0 18 | num_semantic_errors = 0 19 | num_all_bug = 0 20 | num_all_not_bug = 0 21 | for ranking in ranking_list: 22 | if ranking[1] == -10: 23 | num_compilation_failures += 1 24 | elif ranking[1] == -2: 25 | num_runtime_errors += 1 26 | elif not (ranking[1] > 0 and ranking[2] > 0): 27 | num_semantic_errors += 1 28 | if ranking[1] == 0: 29 | num_all_not_bug += 1 30 | else: 31 | num_all_bug += 1 32 | 33 | with open(output_file, 'a') as f: 34 | f.write(f"{commit},{type},{any_valid},{num_compilation_failures},{num_runtime_errors},{num_semantic_errors},{num_all_bug},{num_all_not_bug}\n") 35 | 36 | 37 | def count_errors_from_file(input_file, output_file): 38 | input_file = Path(input_file) 39 | output_file = Path(output_file) 40 | output_file.write_text("commit,type,any_valid,num_compilation_failures,num_runtime_errors,num_semantic_errors,num_all_bug,num_all_not_bug\n") 41 | for line in input_file.read_text().splitlines(): 42 | count_errors(line, output_file) 43 | 44 | if __name__ == "__main__": 45 | fire.Fire(count_errors_from_file) 46 | -------------------------------------------------------------------------------- /checker_database/DivZeroChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your plan: 2 | 3 | 1. Identify Division Operations: 4 | • In checkPreStmt, first check if the binary operator (B) is one of the division or remainder types (BO_Div, BO_Rem, BO_DivAssign, BO_RemAssign). 5 | • Also, verify that the right-hand side (RHS) type is scalar. 6 | 7 | 2. Retrieve and Validate the Denominator: 8 | • Obtain the RHS (denom) SVal. 9 | • Convert the SVal to a DefinedSVal. If this conversion fails (i.e. it is undefined), then abort this check so that other rules for undefined values can handle it. 10 | 11 | 3. Use ConstraintManager to Split the State: 12 | • Call assumeDual on the current state with the DefinedSVal of the denominator. This yields two states: 13 | – stateNotZero: a state where the denominator is known to be nonzero. 14 | – stateZero: a state where the denominator may be zero. 15 | • If stateNotZero is unsatisfiable (i.e. only stateZero is valid), then immediately report a division-by-zero bug by calling reportBug with message "Division by zero" and the stateZero. 16 | 17 | 4. Incorporate Tainted-Value Analysis: 18 | • If both stateNotZero and stateZero are possible (i.e. the denominator might be zero but isn’t conclusively zero), check for tainted symbols by calling getTaintedSymbols on the denominator. 19 | • If any tainted symbols are found, report a taint-specific bug using reportTaintBug with a message such as "Division by a tainted value, possibly zero" and passing the list of tainted symbols. 20 | 21 | 5. Update the Transition for Safe Division: 22 | • If the analysis concludes that the denominator is nonzero (i.e. stateNotZero holds), then add a state transition with stateNotZero for subsequent analysis. 23 | 24 | Following these concrete, step‐by‐step actions ensures that you catch both definite divisions by zero and those involving tainted (user- or untrusted-sourced) values. -------------------------------------------------------------------------------- /checker_database/EnumCastOutOfRangeChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your plan can be summarized in a few concrete steps: 2 | 3 | 1. Intercept and Filter Cast Expressions 4 |  • Use a PreStmt callback for CastExpr so that every integer-to-enum cast gets inspected. 5 |  • Immediately filter out casts that are not of kind “integral cast” (i.e. using CK_IntegralCast) since only these are relevant. 6 | 7 | 2. Validate the Cast Target Type and Retrieve the Value 8 |  • Check if the cast’s target type is an enumeration using isEnumeralType(). If not, do nothing. 9 |  • Retrieve the SVal of the subexpression being cast. If you cannot produce a DefinedOrUnknownSVal from it, stop further processing. 10 | 11 | 3. Gather Valid Enumeration Values 12 |  • From the EnumDecl for the target type, collect all enumerator values. 13 |  • Store these values (for example, in a SmallVector) so you know the range of acceptable integer values. 14 | 15 | 4. Compare the Cast Value Against Enumeration Values 16 |  • For each enumerator value, use a constraint-based evaluator (such as the provided ConstraintBasedEQEvaluator) to check if the cast value could equal that enumerator’s value. 17 |  • Rely on the ConstraintManager so that you conservatively decide if any possible value match exists. 18 | 19 | 5. Report an Out-of-Range Cast if Needed 20 |  • If none of the valid enumerator comparisons are possibly true, generate a non-fatal error node. 21 |  • Create and configure a bug report that details the invalid cast (optionally including the concrete integer value if it’s available) and attach the source ranges for better diagnostics. 22 |  • Finally, emit the report with C.emitReport(…). 23 | 24 | This simple, concrete sequence of steps will let you write a checker that intercepts enum casts, verifies the range by comparing against all valid enum constant values, and reports a potential bug when the cast value is out of range. -------------------------------------------------------------------------------- /checker_database/TrustReturnsNonnullChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your goal is to make sure that when a function call returns a pointer and its declaration is annotated with returns_nonnull, the analyzer “trusts” that the returned pointer is non-null. Here’s a step‐by‐step, concrete plan with as few steps as possible: 2 | 3 | -------------------------------------------------------------------- 4 | Plan 5 | 6 | 1. Identify the Target Calls: 7 | • In the checkPostCall callback, examine every call. 8 | • Only consider calls where the expected return type is a pointer (using isAnyPointerType). 9 | • Retrieve the call’s declaration (using Call.getDecl()). 10 | • Check whether the function declaration is annotated with the returns_nonnull attribute. 11 | (This is done in the helper function isNonNullPtr.) 12 | 13 | 2. Set the Non-Null Assumption: 14 | • If the call passes the above check (i.e. it returns a pointer and has the attribute), try to extract the return value as a location using Call.getReturnValue().getAs(). 15 | • Use the program’s state method assume: call State = State->assume(*L, true) on that location. 16 | This operation tells the analyzer that the pointer must be non-null. 17 | 18 | 3. Transition the Updated State: 19 | • After updating the program state with the non-null assumption, add this new state as the next transition with C.addTransition(State). 20 | 21 | -------------------------------------------------------------------- 22 | Each step is concrete: 23 | – Step 1 ensures only calls that are expected to never return null are processed. 24 | – Step 2 uses the program state’s assume mechanism to “mark” the return value as non-null. 25 | – Step 3 hands control back to the analyzer with the updated state. 26 | 27 | Following this plan, you can write a checker that “trusts” the non-null attribute and subsequently avoids false-positive warnings on pointer dereferences stemming from calls that are guaranteed to return non-null pointers. -------------------------------------------------------------------------------- /checker_database/UndefBranchChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your checker detects when a branch condition (the expression used in an if/while/etc.) evaluates to an undefined (i.e. “garbage”) value. Here’s a simple, concrete plan outlining the detection steps: 2 | 3 | -------------------------------------------------- 4 | Your plan here 5 | 6 | 1. Identify the branch condition: 7 | • In the checkBranchCondition callback, first verify that the condition is not part of an Objective-C collection loop (ObjCForCollectionStmt) since these have no condition. 8 | • Retrieve the symbolic value (SVal) of the entire condition expression. 9 | • If the SVal is not undefined, do nothing. 10 | 11 | 2. If the condition’s SVal is undefined: 12 | • Generate an error node using generateErrorNode. This creates a “sink” node that indicates the branch is unreachable under normal execution. 13 | 14 | 3. Pinpoint the root cause: 15 | • Retrieve the predecessor node and corresponding program state. 16 | • Use a helper (here the struct FindUndefExpr) to recursively inspect the expression’s subexpressions. 17 | • In each recursive call, check if a subexpression’s SVal is undefined (using MatchesCriteria). 18 | • By recursing into all children that meet the “undefined” criteria, select the most nested subexpression that triggers the bug. This helps in highlighting the specific part of the condition responsible for the undefined value. 19 | 20 | 4. Report the bug: 21 | • Create a bug report that contains the message “Branch condition evaluates to a garbage value.” 22 | • Attach the source range of the identified problematic subexpression so that it is clearly highlighted. 23 | • Use emitReport to communicate the bug to the user. 24 | 25 | -------------------------------------------------- 26 | Following these concrete steps will let you write a checker that triggers a warning whenever an undefined value is used to control a branch, thereby highlighting potential logic errors in the code. -------------------------------------------------------------------------------- /scripts/count_tokens.py: -------------------------------------------------------------------------------- 1 | """ 2 | Example usage: 3 | python count_tokens.py /path/to/result/dir 4 | 5 | This script counts input and output tokens in result files. 6 | """ 7 | 8 | from pathlib import Path 9 | import tiktoken 10 | import fire 11 | 12 | def count_input_tokens(result_dir: str) -> int: 13 | result_dir = Path(result_dir) 14 | files = [] 15 | for log_file in result_dir.rglob("prompt_history/*/*.md"): 16 | if not log_file.name.startswith("response_"): 17 | files.append(log_file) 18 | print(f"Found {len(files)} input files.") 19 | return count_output_tokens(files) 20 | 21 | def get_output_files(result_dir: str): 22 | """Collect all output files including responses and repairs.""" 23 | result_dir = Path(result_dir) 24 | output_files = list(result_dir.rglob("response_*.md")) 25 | # output_files.extend(result_dir.rglob("intermediate-*/checker-*.cpp")) 26 | return output_files 27 | 28 | def count_output_tokens(files, model: str = "gpt-4o") -> int: 29 | """Count tokens in output files using specified model's tokenizer.""" 30 | encoding = tiktoken.encoding_for_model(model) 31 | return sum(len(encoding.encode(file.read_text())) for file in files) 32 | 33 | def main(result_dir: str, model: str = "gpt-4o"): 34 | """ 35 | Count input and output tokens in the specified result directory. 36 | 37 | Args: 38 | result_dir: Directory containing the result files 39 | model: Model name for tokenizer (default: gpt-4) 40 | """ 41 | input_tokens = count_input_tokens(result_dir) 42 | print(f"Total number of input tokens: {input_tokens}") 43 | 44 | output_files = get_output_files(result_dir) 45 | print(f"Number of output files: {len(output_files)}") 46 | 47 | output_tokens = count_output_tokens(output_files, model) 48 | print(f"Total number of output tokens: {output_tokens}") 49 | 50 | if __name__ == "__main__": 51 | fire.Fire(main) 52 | -------------------------------------------------------------------------------- /checker_database/StringChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your plan here 2 | ---------------- 3 | 4 | 1. Identify the String Constructor Call: 5 | • In the checkPreCall callback, use the helper function isCharToStringCtor() to determine if the current call is the std::basic_string constructor overload that takes a const char* and an allocator (and not the size_t overload). 6 | • This check filters out unwanted overloads by ensuring the first argument is a pointer and the second is not of size_t type. 7 | 8 | 2. Retrieve the Pointer Argument: 9 | • Once the constructor call is confirmed, extract the first parameter’s value by calling Call.getArgSVal(0) and convert it to a location (Loc). 10 | • If the location is null, return early since there is nothing more to check. 11 | 12 | 3. Constrain the Pointer’s Value: 13 | • Use the program state’s assume() method to split the state based on whether the pointer is non-null (NotNull state) or possibly null (Null state). 14 | • This concretely models the condition: “Is the pointer known to be non-null?” 15 | 16 | 4. Process the Non-Null and Null Cases: 17 | • For the non-null branch (NotNull is true), add a state transition. 18 | - Optionally, attach a note (using C.getNoteTag) that indicates the pointer is assumed to be valid. 19 | • If there is a possibility that the pointer is null (i.e. NotNull is false), generate an error node using C.generateErrorNode(). 20 | 21 | 5. Report the Error if Needed: 22 | • When an error node is generated, create a bug report (PathSensitiveBugReport) with a clear message (e.g., “The parameter must not be null”). 23 | • Use bugreporter::trackExpressionValue to highlight the relevant pointer expression. 24 | • Finally, emit the report with C.emitReport(). 25 | 26 | This concise plan ensures that your checker only flags calls to the std::basic_string constructor that do not guarantee a non-null pointer for the first argument, thereby preventing potential null pointer dereferences. -------------------------------------------------------------------------------- /checker_database/ArrayBoundChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your plan is as follows: 2 | 3 | 1. Register for the Location event: 4 | • The checker listens for memory load/store events via the check::Location callback. 5 | 6 | 2. Identify element accesses: 7 | • In checkLocation, obtain the memory region from the passed SVal. 8 | • Ensure the region is an ElementRegion (which represents an array element access). If not, ignore the event. 9 | 10 | 3. Extract the index used for the array access: 11 | • Retrieve the element index from the ElementRegion as a DefinedOrUnknownSVal. 12 | • If the index is a known zero constant (which is always safe), simply return without further action. 13 | 14 | 4. Determine the array bounds: 15 | • Use getDynamicElementCount() with the ElementRegion’s super region and the element type to obtain the total number of elements in the array. 16 | • This function accounts for run-time size information. 17 | 18 | 5. Check index against the array size: 19 | • Use the program state method assumeInBoundDual() with the index and element count. This will yield two possible states: one where the index is in-bound (StInBound) and one where it is out-of-bound (StOutBound). 20 | • If you can prove that the index is out-of-bound (StOutBound exists) and not in-bound (StInBound does not exist), then this access is unsafe. 21 | 22 | 6. Report the bug: 23 | • Generate an error node for the out-of-bound case. 24 | • Create and populate a PathSensitiveBugReport with a clear message ("Access out-of-bound array element (buffer overflow)"). 25 | • Use the source range from the load statement to highlight the error. 26 | • Emit the report so that the analyzer later presents it to the user. 27 | 28 | 7. Transition the state: 29 | • If the index is in-bound, update the state by transitioning to StInBound. This helps avoid duplicate warnings along different paths. 30 | 31 | This plan outlines the simple steps needed to detect and report an out-of-bound array element access in the ArrayBoundChecker. -------------------------------------------------------------------------------- /prompt_template/knowledge/template.md: -------------------------------------------------------------------------------- 1 | # Checker Template 2 | 3 | ```cpp 4 | #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 5 | #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 6 | #include "clang/StaticAnalyzer/Checkers/Taint.h" 7 | #include "clang/StaticAnalyzer/Core/Checker.h" 8 | #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 9 | #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 10 | #include "clang/StaticAnalyzer/Core/PathSensitive/Environment.h" 11 | #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 12 | #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 13 | #include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h" 14 | #include "clang/StaticAnalyzer/Frontend/CheckerRegistry.h" 15 | #include "clang/AST/RecursiveASTVisitor.h" 16 | #include "clang/AST/StmtVisitor.h" 17 | #include "llvm/Support/raw_ostream.h" 18 | #include "clang/StaticAnalyzer/Checkers/utility.h" 19 | {{Add your includes here}} 20 | 21 | using namespace clang; 22 | using namespace ento; 23 | using namespace taint; 24 | 25 | {{Customize program states}} // If necessary 26 | 27 | namespace { 28 | /* The checker callbacks are to be decided. */ 29 | class SAGenTestChecker : public Checker<{{Callback Functions}}> { 30 | mutable std::unique_ptr BT; 31 | 32 | public: 33 | SAGenTestChecker() : BT(new BugType(this, "{{Bug Group}}", "{{Bug Type}}")) {} 34 | 35 | {{Declaration of Callback Functions}} 36 | 37 | private: 38 | 39 | {{Declaration of Self-Defined Functions}} 40 | }; 41 | 42 | {{Your Functions: functions should be complete and runable}} 43 | 44 | } // end anonymous namespace 45 | 46 | extern "C" void clang_registerCheckers(CheckerRegistry ®istry) { 47 | registry.addChecker( 48 | "custom.SAGenTestChecker", 49 | "{{Checker descriptions to be filled}}", 50 | ""); 51 | } 52 | 53 | extern "C" const char clang_analyzerAPIVersionString[] = 54 | CLANG_ANALYZER_API_VERSION_STRING; 55 | ``` 56 | -------------------------------------------------------------------------------- /prompt_template/repair_FP.md: -------------------------------------------------------------------------------- 1 | # Role 2 | 3 | You are an expert in developing and analyzing Clang Static Analyzer checkers, with decades of experience in the Clang project, particularly in the Static Analyzer plugin. 4 | 5 | # Instruction 6 | 7 | Please analyze this false positive case and propose fixes to the checker code to eliminate this specific false positive while maintaining detection of true positives. 8 | 9 | Please help improve this checker to eliminate the false positive while maintaining its ability to detect actual issues. Your solution should: 10 | 11 | 1. Identify the root cause of the false positive 12 | 2. Propose specific fixes to the checker logic 13 | 3. Consider edge cases and possible regressions 14 | 4. Maintain compatibility with Clang-18 API 15 | 16 | Note, the repaired checker needs to still **detect the target buggy code**. 17 | 18 | ## Suggestions 19 | 20 | 1. Use proper visitor patterns and state tracking 21 | 2. Handle corner cases gracefully 22 | 3. You could register a program state like `REGISTER_MAP_WITH_PROGRAMSTATE(...)` to track the information you need. 23 | 4. Follow Clang Static Analyzer best practices for checker development 24 | 5. DO NOT remove any existing `#include` in the checker code. 25 | 26 | You could add some functions like `bool isFalsePositive(...)` to help you define and detect the false positive. 27 | 28 | {{utility_functions}} 29 | 30 | The following pattern is the checker designed to detect: 31 | 32 | {{input_bug_pattern}} 33 | 34 | The patch that needs to be detected: 35 | 36 | {{input_patch}} 37 | 38 | # False Positive Report 39 | 40 | {{input_bug_report}} 41 | 42 | Analysis: 43 | {{input_analysis}} 44 | 45 | # Checker 46 | ```cpp 47 | {{input_checker}} 48 | ``` 49 | 50 | # Formatting 51 | 52 | Please provide the whole checker code after fixing the false positive. 53 | The refined code must be surrounded by ```cpp and ```. 54 | Your response should be like: 55 | 56 | Refinment Plan: 57 | XXX 58 | 59 | Refined Code: 60 | ```cpp 61 | {{fixed checker code here}} 62 | ``` 63 | -------------------------------------------------------------------------------- /checker_database/null-ptr-derefence/plan.md: -------------------------------------------------------------------------------- 1 | ### Plan 2 | 3 | 1. **Create and Manage Program State Maps:** 4 | - Define two maps using `REGISTER_MAP_WITH_PROGRAMSTATE`: 5 | - A `PossibleNullPtrMap` that associates `MemRegion`s with a boolean indicating whether they have been NULL-checked (`true` if checked, `false` if unchecked). 6 | - A `PtrAliasMap` to track alias relationships. This is needed so that if one pointer is checked, its aliases are also marked as checked. 7 | 8 | 2. **Identify the Relevant Function (`devm_kasprintf`):** 9 | - Implement an internal helper function `isDevmKasprintf(const CallEvent &Call)`. 10 | - In `checkPostCall`, if the function is `devm_kasprintf`, mark the return region in `PossibleNullPtrMap` as unchecked (`false`), since it hasn't undergone a NULL check yet. 11 | 12 | 3. **Marking Pointers as Checked:** 13 | - Implement a helper function `setChecked(State, Region)` which marks a pointer (and its aliases) as checked in the `PossibleNullPtrMap`. 14 | - This function is used whenever the checker determines a pointer has been NULL-checked. 15 | 16 | 4. **Observing Conditions (BranchCondition):** 17 | - In `checkBranchCondition`, examine the condition: 18 | - If it looks like `if (!ptr)`, `if (ptr == NULL)`, `if (ptr != NULL)`, or just `if (ptr)`, determine the region being tested. 19 | - Once identified, call `setChecked(...)` on that region. 20 | 21 | 5. **Detecting Dereferences (Location):** 22 | - In `checkLocation`, catch any read/write operation (`*ptr`). 23 | - If the pointer has a mapping in `PossibleNullPtrMap` and it is still set to `false`, issue a warning (using `C.emitReport(...)`) because the pointer might be `NULL`-not-checked. 24 | 25 | 6. **Tracking Aliases (Bind):** 26 | - In `checkBind`, when a pointer is stored into another pointer (e.g., `p2 = p1;`), record this alias in `PtrAliasMap`. 27 | - When one pointer becomes checked, `setChecked(...)` will update the aliases as well. 28 | - Do not update the `PossibleNullPtrMap` in the `checkBind` function. 29 | -------------------------------------------------------------------------------- /prompt_template/examples/null-ptr-derefence/plan.md: -------------------------------------------------------------------------------- 1 | ### Plan 2 | 3 | 1. **Create and Manage Program State Maps:** 4 | - Define two maps using `REGISTER_MAP_WITH_PROGRAMSTATE`: 5 | - A `PossibleNullPtrMap` that associates `MemRegion`s with a boolean indicating whether they have been NULL-checked (`true` if checked, `false` if unchecked). 6 | - A `PtrAliasMap` to track alias relationships. This is needed so that if one pointer is checked, its aliases are also marked as checked. 7 | 8 | 2. **Identify the Relevant Function (`devm_kasprintf`):** 9 | - Implement an internal helper function `isDevmKasprintf(const CallEvent &Call)`. 10 | - In `checkPostCall`, if the function is `devm_kasprintf`, mark the return region in `PossibleNullPtrMap` as unchecked (`false`), since it hasn't undergone a NULL check yet. 11 | 12 | 3. **Marking Pointers as Checked:** 13 | - Implement a helper function `setChecked(State, Region)` which marks a pointer (and its aliases) as checked in the `PossibleNullPtrMap`. 14 | - This function is used whenever the checker determines a pointer has been NULL-checked. 15 | 16 | 4. **Observing Conditions (BranchCondition):** 17 | - In `checkBranchCondition`, examine the condition: 18 | - If it looks like `if (!ptr)`, `if (ptr == NULL)`, `if (ptr != NULL)`, or just `if (ptr)`, determine the region being tested. 19 | - Once identified, call `setChecked(...)` on that region. 20 | 21 | 5. **Detecting Dereferences (Location):** 22 | - In `checkLocation`, catch any read/write operation (`*ptr`). 23 | - If the pointer has a mapping in `PossibleNullPtrMap` and it is still set to `false`, issue a warning (using `C.emitReport(...)`) because the pointer might be `NULL`-not-checked. 24 | 25 | 6. **Tracking Aliases (Bind):** 26 | - In `checkBind`, when a pointer is stored into another pointer (e.g., `p2 = p1;`), record this alias in `PtrAliasMap`. 27 | - When one pointer becomes checked, `setChecked(...)` will update the aliases as well. 28 | - Do not update the `PossibleNullPtrMap` in the `checkBind` function. 29 | -------------------------------------------------------------------------------- /checker_database/TaintTesterChecker/checker.cpp: -------------------------------------------------------------------------------- 1 | //== TaintTesterChecker.cpp ----------------------------------- -*- C++ -*--=// 2 | // 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 | // See https://llvm.org/LICENSE.txt for license information. 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 | // 7 | //===----------------------------------------------------------------------===// 8 | // 9 | // This checker can be used for testing how taint data is propagated. 10 | // 11 | //===----------------------------------------------------------------------===// 12 | 13 | #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 14 | #include "clang/StaticAnalyzer/Checkers/Taint.h" 15 | #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 16 | #include "clang/StaticAnalyzer/Core/Checker.h" 17 | #include "clang/StaticAnalyzer/Core/CheckerManager.h" 18 | #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 19 | 20 | using namespace clang; 21 | using namespace ento; 22 | using namespace taint; 23 | 24 | namespace { 25 | class TaintTesterChecker : public Checker> { 26 | const BugType BT{this, "Tainted data", "General"}; 27 | 28 | public: 29 | void checkPostStmt(const Expr *E, CheckerContext &C) const; 30 | }; 31 | } 32 | 33 | void TaintTesterChecker::checkPostStmt(const Expr *E, 34 | CheckerContext &C) const { 35 | ProgramStateRef State = C.getState(); 36 | if (!State) 37 | return; 38 | 39 | if (isTainted(State, E, C.getLocationContext())) { 40 | if (ExplodedNode *N = C.generateNonFatalErrorNode()) { 41 | auto report = std::make_unique(BT, "tainted", N); 42 | report->addRange(E->getSourceRange()); 43 | C.emitReport(std::move(report)); 44 | } 45 | } 46 | } 47 | 48 | void ento::registerTaintTesterChecker(CheckerManager &mgr) { 49 | mgr.registerChecker(); 50 | } 51 | 52 | bool ento::shouldRegisterTaintTesterChecker(const CheckerManager &mgr) { 53 | return true; 54 | } 55 | -------------------------------------------------------------------------------- /checker_database/RunLoopAutoreleaseLeakChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your plan here 2 | ---------------- 3 | 1. Identify run loop launch and message activities: 4 | • Use AST matchers to capture the NSRunLoop “mainRunLoop” and “run” calls. 5 | • Bind these calls to identifiers (RunLoopBind and RunLoopRunBind). 6 | • Capture any ObjC message expressions that allocate temporary autoreleased objects using a separate matcher bound as OtherMsgBind. 7 | 8 | 2. Match autorelease pool usage: 9 | • Use an AST matcher to detect if the NSRunLoop run call and the temporary object allocations happen inside an ObjC autorelease pool (binding to AutoreleasePoolBind). 10 | • Also match temporary objects sent in an autorelease pool with a distinct binding (OtherStmtAutoreleasePoolBind). 11 | 12 | 3. Differentiate between two scenarios: 13 | • In one case, both the temporary objects and the run loop call occur in the same autorelease pool. 14 | • In the other, the run loop (or xpc_main) is launched without any autorelease pool. 15 | 16 | 4. Determine the evaluation order: 17 | • Create a helper (seenBefore) to roughly decide if the run loop call happens before or after the message call. 18 | • If the run loop is evaluated before the temporary object allocation, ignore it; otherwise, a potential leak exists. 19 | 20 | 5. Emit a diagnostic if a leak is detected: 21 | • Use the emitDiagnostics function to build and report an error message that suggests temporary objects might never be released because they remain in an autorelease pool that is discarded only at program exit. 22 | 23 | 6. Run the analysis: 24 | • In the checkASTCodeBody callback, invoke two separate matching routines: one for code inside an autorelease pool and one for code without any autorelease pool. 25 | • For each match, if conditions indicate the temporary object allocation is “too late” (i.e., after the run loop starts or no proper pool is present), report a memory leak warning. 26 | 27 | Each step is concrete and directly maps to a distinct part of the checker’s design, ensuring the solution remains simple while covering all necessary detection concerns. -------------------------------------------------------------------------------- /checker_database/StdVariantChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your plan here 2 | 3 | 1. Register and Manage Program State Information 4 | • Define a program state map (VariantHeldTypeMap) that stores, for each std::variant instance (MemRegion), its currently held type (QualType). This lets the checker track what type is held in each variant object. 5 | 6 | 2. Intercept std::variant Construction and Assignment 7 | • In evalCall, detect calls that either construct or assign to a std::variant. 8 | • For constructor calls: 9 |   – Check if the call is a std::variant constructor (or assignment operator) by matching a pre-defined CallDescription. 10 |   – For a default constructor (with no arguments), record the first template parameter (the default held type) in VariantHeldTypeMap. 11 |   – For one-argument constructors or assignment operators, use the helper (handleConstructorAndAssignment) to record the held type from the passed argument into VariantHeldTypeMap. 12 | 13 | 3. Intercept std::get Calls and Compare Types 14 | • Still in evalCall, detect std::get calls by matching the StdGet CallDescription. 15 | • In handleStdGetCall: 16 |   – Ensure that the argument to std::get is an instance of std::variant. 17 |   – Retrieve the MemRegion of the variant and look up its stored held type from VariantHeldTypeMap. 18 |   – Extract the expected type from the template argument of std::get (which could be given as a type or index). 19 |   – Compare the canonical form of the held type with the canonical form of the requested type. 20 |   – If they do not match, generate a non-fatal bug report with a descriptive message showing the expected and retrieved types. 21 | 22 | 4. Clean Up Dead Variant Instances 23 | • Use the check::RegionChanges callback to detect when variant objects (or their associated regions) are invalidated. 24 | • Remove the corresponding entries from VariantHeldTypeMap for regions that are already dead. 25 | 26 | By following these steps, the checker will monitor how std::variant objects are constructed, assignment-ed, and later accessed via std::get to ensure that the held type matches what is being retrieved, and it will report mismatches as errors. -------------------------------------------------------------------------------- /scripts/README.md: -------------------------------------------------------------------------------- 1 | # Scripts of KNighter 2 | 3 | ## `collect_valid_checkers.py`: Collect Valid Checkers 4 | 5 | This script collects all valid checkers from the KNighter synthesized checkers. 6 | 7 | ```sh 8 | python3 collect_valid_checkers.py /path/to/synthesized_checkers /path/to/output_dir 9 | # def find_valid_checkers(result_dir: str, output_dir: str) 10 | ``` 11 | 12 | ## `count_errors.py`: Count Errors 13 | 14 | This script counts the number of errors in the synthesized checkers. 15 | 16 | ```sh 17 | python3 count_errors.py /path/to/synthesized_checkers/log-XXX.log output_error.csv 18 | # def count_errors_from_file(input_file, output_file) 19 | ``` 20 | 21 | ## `count_tokens.py`: Count Tokens 22 | 23 | This script counts the number of tokens in the synthesized checkers. 24 | 25 | ```sh 26 | python count_tokens.py /path/to/result/dir 27 | ``` 28 | 29 | ## `setup_llvm.py`: Setup LLVM 30 | 31 | Create the SAGenTestPlugin in your LLVM environment for "self-repair" phase. 32 | 33 | > [!NOTE] 34 | > This is specifically for the LLVM-18.1.8. 35 | 36 | ```sh 37 | # Set up LLVM environment 38 | export LLVM_DIR=/path/to/LLVM_dir 39 | 40 | # Prepare SAGenTest plugin files 41 | cp llvm_utils/create_plugin.py $LLVM_DIR/clang/lib/Analysis/plugins/ 42 | cd $LLVM_DIR/clang/lib/Analysis/plugins/ 43 | python3 ./create_plugin.py SAGenTest 44 | 45 | # Prepare utility functions 46 | cp llvm_utils/utility.cpp $LLVM_DIR/clang/lib/StaticAnalyzer/Checkers/ 47 | cp llvm_utils/utility.h $LLVM_DIR/clang/include/clang/StaticAnalyzer/Checkers/ 48 | ``` 49 | 50 | Then add utility.cpp to this `path/to/LLVM_dir/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt`: 51 | ```cmake 52 | set(LLVM_TARGET_SOURCES 53 | existing_file1.cpp 54 | existing_file2.cpp 55 | ... 56 | 57 | utility.cpp 58 | ) 59 | ``` 60 | 61 | ```sh 62 | # Test building our plugin 63 | cd /path/to/LLVM_dir/build/ 64 | rm ./CMakeCache.txt #optional 65 | cmake -DLLVM_ENABLE_PROJECTS="clang;lld" -DLLVM_TARGETS_TO_BUILD=X86 -DCMAKE_BUILD_TYPE=Release -G "Unix Makefiles" ../llvm 66 | make SAGenTestPlugin -j$nproc 67 | # Obtain the test checker at: /path/to/LLVM_dir/build/lib/SAGenTestPlugin.so 68 | ``` 69 | -------------------------------------------------------------------------------- /checker_database/CheckPlacementNew/plan.md: -------------------------------------------------------------------------------- 1 | Your plan here 2 | 3 | 1. Detect a placement new operation: 4 | • In the checkPreStmt callback, verify that the new expression uses the default global placement new operator. 5 | • Also check that the placement new call has at least one argument (the storage pointer). 6 | 7 | 2. Validate the storage capacity: 8 | • Retrieve the size required for the allocated type using getExtentSizeOfNewTarget. 9 | – If allocating an array, compute the size by multiplying the element count by the type size. 10 | – If allocating a single object, get the size directly. 11 | • Compute the size of the provided storage using getExtentSizeOfPlace. 12 | • If the storage size is less than the required size (or, in the case of an array with extra overhead, the sizes don’t match typical expectations), generate a bug report reporting “Insufficient storage for placement new” using the SBT bug type. 13 | 14 | 3. Validate the storage alignment: 15 | • Determine the alignment of the allocated type (AllocatedTAlign) based on its type information. 16 | • Retrieve the storage region from the placement argument: 17 | – If it is an ElementRegion, verify that its base region’s alignment (or any explicit alignment from its associated declaration) is sufficient, and check that the region’s offset is a multiple of AllocatedTAlign. 18 | – If it is a FieldRegion, check the containing variable’s alignment and the field’s offset. 19 | – If it is a VarRegion, calculate the storage alignment using getStorageAlign and confirm it meets the requirement. 20 | • If an alignment mismatch is found, call emitBadAlignReport to generate a bug report (“Bad align storage for placement new”) using the ABT bug type. 21 | 22 | 4. Conclude the check: 23 | • In checkPreStmt, if both the capacity and alignment validations pass, then no bug report is generated. 24 | • Otherwise, the appropriate bug report is emitted and the error node is created. 25 | 26 | Following these concrete steps, you will inspect the new expression and verify that the provided storage pointer offers sufficient size and alignment for the type being constructed via placement new. -------------------------------------------------------------------------------- /checker_database/UndefinedArraySubscriptChecker/plan.md: -------------------------------------------------------------------------------- 1 | Your plan for the UndefinedArraySubscriptChecker is as follows: 2 | 3 | 1. Register the Checker on ArraySubscriptExpr Nodes 4 | • The checker is registered to run on every ArraySubscriptExpr before it is evaluated (using the check::PreStmt callback). 5 | • This ensures we can check the subscript expression (the array index) before it is used. 6 | 7 | 2. Retrieve and Check the Array Index’s Value 8 | • In the checkPreStmt callback, start by getting the index expression with A->getIdx(). 9 | • Use the CheckerContext to obtain the symbolic value (SVal) of the index. 10 | • Check whether the SVal is undefined by calling isUndef(). 11 | • If the index is not undefined, return immediately because there’s no problem. 12 | 13 | 3. Avoid False Positives in Implicitly-Generated Code 14 | • Retrieve the current declaration context (using C.getLocationContext()->getDecl()). 15 | • If the context is a defaulted C++ constructor (which Sema may generate for copying array struct fields), then skip issuing a warning. 16 | • This filtering prevents false reports on code generated by the compiler. 17 | 18 | 4. Generate an Error Node and Prepare the Bug Report 19 | • If the index SVal is undefined and we are not in an implicitly-generated constructor, generate an exploded error node (using C.generateErrorNode()). 20 | • If no error node is generated (e.g., if this path was already analyzed), then simply return. 21 | • Create a bug report (PathSensitiveBugReport) with the pre-defined BugType and a message like “Array subscript is undefined”. 22 | • Add the source range of the index expression to the diagnostic report to highlight the problem. 23 | 24 | 5. Track the Expression Value and Emit the Report 25 | • Use bugreporter::trackExpressionValue to attach additional information about the evaluated index expression. 26 | • Finally, emit the bug report (via C.emitReport) so that the analyzer outputs the warning. 27 | 28 | Each step is designed to be as straightforward as possible while ensuring that the checker only issues a warning when an array subscript is truly undefined and not just a side effect of implicitly-generated support code. -------------------------------------------------------------------------------- /checker_database/TrustReturnsNonnullChecker/checker.cpp: -------------------------------------------------------------------------------- 1 | //== TrustReturnsNonnullChecker.cpp -- API nullability modeling -*- C++ -*--==// 2 | // 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 | // See https://llvm.org/LICENSE.txt for license information. 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 | // 7 | //===----------------------------------------------------------------------===// 8 | // 9 | // This checker adds nullability-related assumptions to methods annotated with 10 | // returns_nonnull attribute. 11 | // 12 | //===----------------------------------------------------------------------===// 13 | 14 | #include "clang/AST/Attr.h" 15 | #include "clang/AST/Decl.h" 16 | #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 17 | #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 18 | #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 19 | 20 | using namespace clang; 21 | using namespace ento; 22 | 23 | namespace { 24 | 25 | class TrustReturnsNonnullChecker : public Checker { 26 | 27 | public: 28 | TrustReturnsNonnullChecker(ASTContext &Ctx) {} 29 | 30 | void checkPostCall(const CallEvent &Call, CheckerContext &C) const { 31 | ProgramStateRef State = C.getState(); 32 | 33 | if (isNonNullPtr(Call)) 34 | if (auto L = Call.getReturnValue().getAs()) 35 | State = State->assume(*L, /*assumption=*/true); 36 | 37 | C.addTransition(State); 38 | } 39 | 40 | private: 41 | /// \returns Whether the method declaration has the attribute returns_nonnull. 42 | bool isNonNullPtr(const CallEvent &Call) const { 43 | QualType ExprRetType = Call.getResultType(); 44 | const Decl *CallDeclaration = Call.getDecl(); 45 | if (!ExprRetType->isAnyPointerType() || !CallDeclaration) 46 | return false; 47 | 48 | return CallDeclaration->hasAttr(); 49 | } 50 | }; 51 | 52 | } // namespace 53 | 54 | void ento::registerTrustReturnsNonnullChecker(CheckerManager &Mgr) { 55 | Mgr.registerChecker(Mgr.getASTContext()); 56 | } 57 | 58 | bool ento::shouldRegisterTrustReturnsNonnullChecker(const CheckerManager &mgr) { 59 | return true; 60 | } 61 | --------------------------------------------------------------------------------