pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0319dac803'
${ noResults }
infer_clone/infer/src/concurrency/RacerDDomain.mli

230 lines
7.2 KiB
Raw Normal View History Unescape

[thread-safety][cleanup] add mli for ThreadSafetyDomain Reviewed By: peterogithub Differential Revision: D4452608 fbshipit-source-id: 1761045
8 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[thread-safety][cleanup] add mli for ThreadSafetyDomain Reviewed By: peterogithub Differential Revision: D4452608 fbshipit-source-id: 1761045
8 years ago
*
Change license to MIT Summary: Change the license of the source code from BSD + PATENTS to MIT. Change `checkCopyright` to reflect the new license and learn some new file types. Generated with: ``` git grep BSD | xargs -n 1 ./scripts/checkCopyright -i ``` Reviewed By: jeremydubreil, mbouaziz, jberdine Differential Revision: D8071249 fbshipit-source-id: 97ca23a
7 years ago
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
[thread-safety][cleanup] add mli for ThreadSafetyDomain Reviewed By: peterogithub Differential Revision: D4452608 fbshipit-source-id: 1761045
8 years ago
*)
open! IStd
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
module AccessExpression = HilExp.AccessExpression
[thread-safety][cleanup] add mli for ThreadSafetyDomain Reviewed By: peterogithub Differential Revision: D4452608 fbshipit-source-id: 1761045
8 years ago
module F = Format
[racerd] output access expressions language-sensitively Summary: Use whatever information we can to decide whether to use C or Java syntax when outputting an access expression, now that we store them as such. Also, make cluster callbacks explicitly set the language, as this was not done before and led to some confusion (Clang being set when analysing a Java file). Reviewed By: skcho Differential Revision: D16884160 fbshipit-source-id: 40adf9f35
6 years ago
val pp_exp : F.formatter -> AccessExpression.t -> unit
(** language sensitive pretty-printer *)
[thread-safety] unify reads and writes into accesses Summary: This cleans up the domain/transfer functions, and it also means that we can now track reads that occur under synchronization. Reviewed By: peterogithub Differential Revision: D4674243 fbshipit-source-id: 8e13656
8 years ago
module Access : sig
[racerd] more precise trace expansion Reviewed By: mbouaziz Differential Revision: D13232424 fbshipit-source-id: 9489a319c
6 years ago
type t =
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
| Read of {exp: AccessExpression.t} (** Field or array read *)
| Write of {exp: AccessExpression.t} (** Field or array write *)
| ContainerRead of {exp: AccessExpression.t; pname: Typ.Procname.t}
(** Read of container object *)
| ContainerWrite of {exp: AccessExpression.t; pname: Typ.Procname.t}
[racerd] more precise trace expansion Reviewed By: mbouaziz Differential Revision: D13232424 fbshipit-source-id: 9489a319c
6 years ago
(** Write to container object *)
[thread-safety] warning when interface method is called from thread-safe context without annotation Reviewed By: ngorogiannis Differential Revision: D5445971 fbshipit-source-id: a3a7dd3
8 years ago
| InterfaceCall of Typ.Procname.t
(** Call to method of interface not annotated with @ThreadSafe *)
[racerd] more precise trace expansion Reviewed By: mbouaziz Differential Revision: D13232424 fbshipit-source-id: 9489a319c
6 years ago
[@@deriving compare]
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
[racerd] replace quandary traces with explicit ones Summary: Context: "quandary" traces optimise for space by only storing a call site (plus analysis element) in a summary, as opposed to a list of call sites plus the element (i.e., a trace). When forming a report, the trace is expanded to a full one by reading the summary of the called function, and then matching up the current element with one from the summary, iterating until the trace cannot be expanded any more. In the best case, this can give a quadratic saving, as a real trace gets longer the higher one goes in the call stack, and therefore the total cost of saving that trace in each summary is quadratic in the length of the trace. Quandary traces give a linear cost. HOWEVER, these have been a source of many subtle bugs. 1. The trace expansion strategy is very arbitrary and cannot distinguish between expanded traces that are invalid (i.e., end with a call and not an originating point, such as a field access in RacerD). Plus the strategy does not explore all expansions, just the left-most one, meaning the left most may be invalid in the above sense, but another (not left-most) isn't even though it's not discovered by the expansion. This is fixable with major surgery. 2. All real traces that lead to the same endpoint are conflated -- this is to save space because there may be exponentially many such traces. That's OK, but these traces may have different locking contexts -- one may take the lock along the way, and another may not. The expansion cannot make sure that if we are reporting a trace we have recorded as taking the lock, will actually do so. This has resulted in very confusing race reports that are superficially false positives (even though they point to the existence of a real race). 3. Expansion completely breaks down in the java/buck integration when the trace goes through f -> g -> h and f,g,h are all in distinct buck targets F,G,H and F does not depend directly on H. In that case, the summary of h is simply not available when reporting/expanding in f, so the expanded trace comes out as truncated and invalid. These are filtered out, but the filtering is buggy and kills real races too. This diff completely replaces quandary traces in RacerD with plain explicit traces. - This will incur the quadratic space/time cost previously saved. See test plan: there is indeed a 30% increase in summary size, but there is no slowdown. In fact, on openssl there is a 10-20% perf increase. - For each endpoint, up to a single trace is used, as before, so no exponential explosion. However, because there is no such thing as expansion, we cannot get it wrong and change the locking context of a trace. - This diff is emulating the previous reporting format as much as possible to allow good signal from the CI. Further diffs up this stack will remove quandary-trace specific things, and simplify further the code. - 2 is not fully addressed -- it will require pushing the `AccessSnapshot` structure inside `TraceElem`. Further diffs. Reviewed By: jberdine Differential Revision: D14405600 fbshipit-source-id: d239117aa
6 years ago
include ExplicitTrace.Element with type t := t
[traces] add matches function for extra flexibility in expanding traces Summary: Expanding traces currently works in the following way: Given a `TraceElem.Kind` `k` we want to report in `foo`, we look for a callee `C` of `foo` that has a `TraceElem.Kind` equal to `k` in its summary, grab the summary for `C`, then repeat until we bottom out. This isn't very flexible: it insists on equality between `TraceElem.Kind`'s as the criteria for expanding a trace. This diff introduces a new `matches` function for deciding when to expand a trace from a caller into a callee. Clients that don't want strict equality can implement a fuzzier kind of equality inside this function. I've gone ahead and done this for the trace elemes of thread-safety. In the near future, equivalent access paths won't always compare equal from caller to callee, so we want to match their suffixes instead. Reviewed By: jvillard Differential Revision: D5914118 fbshipit-source-id: 233c603
8 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val get_access_exp : t -> AccessExpression.t option
[thread-safety] unify reads and writes into accesses Summary: This cleans up the domain/transfer functions, and it also means that we can now track reads that occur under synchronization. Reviewed By: peterogithub Differential Revision: D4674243 fbshipit-source-id: 8e13656
8 years ago
end
module TraceElem : sig
[racerd] replace quandary traces with explicit ones Summary: Context: "quandary" traces optimise for space by only storing a call site (plus analysis element) in a summary, as opposed to a list of call sites plus the element (i.e., a trace). When forming a report, the trace is expanded to a full one by reading the summary of the called function, and then matching up the current element with one from the summary, iterating until the trace cannot be expanded any more. In the best case, this can give a quadratic saving, as a real trace gets longer the higher one goes in the call stack, and therefore the total cost of saving that trace in each summary is quadratic in the length of the trace. Quandary traces give a linear cost. HOWEVER, these have been a source of many subtle bugs. 1. The trace expansion strategy is very arbitrary and cannot distinguish between expanded traces that are invalid (i.e., end with a call and not an originating point, such as a field access in RacerD). Plus the strategy does not explore all expansions, just the left-most one, meaning the left most may be invalid in the above sense, but another (not left-most) isn't even though it's not discovered by the expansion. This is fixable with major surgery. 2. All real traces that lead to the same endpoint are conflated -- this is to save space because there may be exponentially many such traces. That's OK, but these traces may have different locking contexts -- one may take the lock along the way, and another may not. The expansion cannot make sure that if we are reporting a trace we have recorded as taking the lock, will actually do so. This has resulted in very confusing race reports that are superficially false positives (even though they point to the existence of a real race). 3. Expansion completely breaks down in the java/buck integration when the trace goes through f -> g -> h and f,g,h are all in distinct buck targets F,G,H and F does not depend directly on H. In that case, the summary of h is simply not available when reporting/expanding in f, so the expanded trace comes out as truncated and invalid. These are filtered out, but the filtering is buggy and kills real races too. This diff completely replaces quandary traces in RacerD with plain explicit traces. - This will incur the quadratic space/time cost previously saved. See test plan: there is indeed a 30% increase in summary size, but there is no slowdown. In fact, on openssl there is a 10-20% perf increase. - For each endpoint, up to a single trace is used, as before, so no exponential explosion. However, because there is no such thing as expansion, we cannot get it wrong and change the locking context of a trace. - This diff is emulating the previous reporting format as much as possible to allow good signal from the CI. Further diffs up this stack will remove quandary-trace specific things, and simplify further the code. - 2 is not fully addressed -- it will require pushing the `AccessSnapshot` structure inside `TraceElem`. Further diffs. Reviewed By: jberdine Differential Revision: D14405600 fbshipit-source-id: d239117aa
6 years ago
include ExplicitTrace.TraceElem with type elem_t = Access.t
[thread-safety] unify reads and writes into accesses Summary: This cleans up the domain/transfer functions, and it also means that we can now track reads that occur under synchronization. Reviewed By: peterogithub Differential Revision: D4674243 fbshipit-source-id: 8e13656
8 years ago
val is_write : t -> bool
[racerd] report only writes for GuardedBy Reviewed By: mbouaziz Differential Revision: D14594263 fbshipit-source-id: a8cab1765
6 years ago
(** is it a write OR a container write *)
[thread-safety] unify reads and writes into accesses Summary: This cleans up the domain/transfer functions, and it also means that we can now track reads that occur under synchronization. Reviewed By: peterogithub Differential Revision: D4674243 fbshipit-source-id: 8e13656
8 years ago
[thread-safety] make a distinguished access kind for container writes Summary: The way we represented container writes before was pretty hacky: just use a dummy field for the name of the method that performs the container write. This diff introduces a new access kind for container writes that is much more structured. This will make it easier to soundly handle aliasing between containers and support container reads in the near future. Reviewed By: da319 Differential Revision: D5465747 fbshipit-source-id: e021ec2
8 years ago
val is_container_write : t -> bool
[thread-safety] Rebase accesses in callees onto variables of the caller, where possible. Reviewed By: sblackshear Differential Revision: D5911083 fbshipit-source-id: 2dae717
8 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val map : f:(AccessExpression.t -> AccessExpression.t) -> t -> t
[thread-safety] skip reporting on truncated traces Summary: Due to limitations in our Buck integration, the thread-safety analysis cannot create a trace that bottoms out in a Buck target that is not a direct dependency of the current target. These truncated traces are confusing and tough to act on. Until we can address these limitations, let's avoid reporting on truncated traces. Reviewed By: jeremydubreil Differential Revision: D5969840 fbshipit-source-id: 877b9de
7 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val make_container_access :
AccessExpression.t -> Typ.Procname.t -> is_write:bool -> Location.t -> t
[thread-safety] skip reporting on truncated traces Summary: Due to limitations in our Buck integration, the thread-safety analysis cannot create a trace that bottoms out in a Buck target that is not a direct dependency of the current target. These truncated traces are confusing and tough to act on. Until we can address these limitations, let's avoid reporting on truncated traces. Reviewed By: jeremydubreil Differential Revision: D5969840 fbshipit-source-id: 877b9de
7 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val make_field_access : AccessExpression.t -> is_write:bool -> Location.t -> t
[thread-safety] unify reads and writes into accesses Summary: This cleans up the domain/transfer functions, and it also means that we can now track reads that occur under synchronization. Reviewed By: peterogithub Differential Revision: D4674243 fbshipit-source-id: 8e13656
8 years ago
end
[thread-safety][cleanup] add mli for ThreadSafetyDomain Reviewed By: peterogithub Differential Revision: D4452608 fbshipit-source-id: 1761045
8 years ago
[racerd] new lock domain Summary: The boolean lock domain is simple and surprisingly effective. But it's starting to cause false positives in the case where locks are nested. Releasing the inner lock also releases the outer lock. This diff introduces a new locks domain: a map of locks (access paths) to a bounded count representing an underapproximation of the number of times the lock has been acquired. For now, we just use a single dummy access path to represent all locks (and thus a count actually would have been sufficiently expressive; we don't need the map yet). But I'm planning to remove this limitation in a follow-up by refactoring the lock models to give us an access path. Knowing the names of locks could be useful for error messages and suggesting fixes. Reviewed By: jberdine Differential Revision: D6182006 fbshipit-source-id: 6624971
7 years ago
(** Overapproximation of number of locks that are currently held *)
module LocksDomain : sig
[racerd] strip down domain interface Reviewed By: mbouaziz Differential Revision: D13537494 fbshipit-source-id: 42d8bc89b
6 years ago
type t
[racerd] new lock domain Summary: The boolean lock domain is simple and surprisingly effective. But it's starting to cause false positives in the case where locks are nested. Releasing the inner lock also releases the outer lock. This diff introduces a new locks domain: a map of locks (access paths) to a bounded count representing an underapproximation of the number of times the lock has been acquired. For now, we just use a single dummy access path to represent all locks (and thus a count actually would have been sufficiently expressive; we don't need the map yet). But I'm planning to remove this limitation in a follow-up by refactoring the lock models to give us an access path. Knowing the names of locks could be useful for error messages and suggesting fixes. Reviewed By: jberdine Differential Revision: D6182006 fbshipit-source-id: 6624971
7 years ago
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
val acquire_lock : t -> t
[racerd] new lock domain Summary: The boolean lock domain is simple and surprisingly effective. But it's starting to cause false positives in the case where locks are nested. Releasing the inner lock also releases the outer lock. This diff introduces a new locks domain: a map of locks (access paths) to a bounded count representing an underapproximation of the number of times the lock has been acquired. For now, we just use a single dummy access path to represent all locks (and thus a count actually would have been sufficiently expressive; we don't need the map yet). But I'm planning to remove this limitation in a follow-up by refactoring the lock models to give us an access path. Knowing the names of locks could be useful for error messages and suggesting fixes. Reviewed By: jberdine Differential Revision: D6182006 fbshipit-source-id: 6624971
7 years ago
(** record acquisition of a lock *)
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
val release_lock : t -> t
[racerd] new lock domain Summary: The boolean lock domain is simple and surprisingly effective. But it's starting to cause false positives in the case where locks are nested. Releasing the inner lock also releases the outer lock. This diff introduces a new locks domain: a map of locks (access paths) to a bounded count representing an underapproximation of the number of times the lock has been acquired. For now, we just use a single dummy access path to represent all locks (and thus a count actually would have been sufficiently expressive; we don't need the map yet). But I'm planning to remove this limitation in a follow-up by refactoring the lock models to give us an access path. Knowing the names of locks could be useful for error messages and suggesting fixes. Reviewed By: jberdine Differential Revision: D6182006 fbshipit-source-id: 6624971
7 years ago
(** record release of a lock *)
[racerd] fix lock count treatment at method calls Reviewed By: sblackshear Differential Revision: D7055465 fbshipit-source-id: a6dffe0
7 years ago
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
val integrate_summary : caller_astate:t -> callee_astate:t -> t
[racerd] fix lock count treatment at method calls Reviewed By: sblackshear Differential Revision: D7055465 fbshipit-source-id: a6dffe0
7 years ago
(** integrate current state with a callee summary *)
[racerd] new lock domain Summary: The boolean lock domain is simple and surprisingly effective. But it's starting to cause false positives in the case where locks are nested. Releasing the inner lock also releases the outer lock. This diff introduces a new locks domain: a map of locks (access paths) to a bounded count representing an underapproximation of the number of times the lock has been acquired. For now, we just use a single dummy access path to represent all locks (and thus a count actually would have been sufficiently expressive; we don't need the map yet). But I'm planning to remove this limitation in a follow-up by refactoring the lock models to give us an access path. Knowing the names of locks could be useful for error messages and suggesting fixes. Reviewed By: jberdine Differential Revision: D6182006 fbshipit-source-id: 6624971
7 years ago
end
[thread-safety][cleanup] add mli for ThreadSafetyDomain Reviewed By: peterogithub Differential Revision: D4452608 fbshipit-source-id: 1761045
8 years ago
[thread-safety] Change meaning of @ThreadSafe to "can run in parallel with any thread including itself" Summary: Previously, annotating something ThreadSafe meant "check that it is safe to run all of this procedure's methods in parallel with each other" (including self-parallelization). This makes sense, but it means that if the user writes no annotations, we do no checking. I'm moving toward a model of inferring when an access might happen on a thread that can run concurrently with other threads, then automatically checking that it is thread-safe w.r.t to all other accesses to the same memory (on or off the current thread thread). This will let us report even when there are no `ThreadSafe` annotations. Any method that is known to run on a new thread (e.g., `Runnable.run`) will be modeled as running on a thread that can run in parallel with other threads, and so will any method that is `synchronized` or acquires a lock. In this setup, adding `ThreadSafe` to a method just means: "assume that the current method can run in parallel with any thread, including another thread that includes a different invocation of the same method (a self race) unless you see evidence to the contrary" (e.g., calling `assertMainThread` or annotating with `UiThread`). The key step in this diff is changing the threads domain to abstract *what threads the current thread may run in parallel with* rather than *what the current thread* is. This makes things much simpler. Reviewed By: jberdine Differential Revision: D5895242 fbshipit-source-id: 2e23d1e
8 years ago
(** Abstraction of threads that may run in parallel with the current thread.
NoThread < AnyThreadExceptSelf < AnyThread *)
[thread-safety] new threads domain Summary: Previously, we just tracked a boolean representing whether we were possibly on the main thread (true) or definitely not on the main thread (false). In order to start supporting `Thread.start`, `Runnable.run`, etc., we'll need something more expressive. This diff introduces a lattice: ``` Any / \ Main Background \ / Unknown ``` as the new threads domain. The initial value is `Unknown`, and we introduce `Main` in situations where we would have introduced `true` before. This (mostly) preserves behavior: the main difference is that before code like ``` if (*) { assertMainThread() } else { x.f = ... } ``` would have recorded that the access to `x.f` was on the main thread, whereas now we'll say that it's on an unknown thread. Reviewed By: peterogithub Differential Revision: D5860256 fbshipit-source-id: efee330
8 years ago
module ThreadsDomain : sig
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
type t =
[thread-safety] Change meaning of @ThreadSafe to "can run in parallel with any thread including itself" Summary: Previously, annotating something ThreadSafe meant "check that it is safe to run all of this procedure's methods in parallel with each other" (including self-parallelization). This makes sense, but it means that if the user writes no annotations, we do no checking. I'm moving toward a model of inferring when an access might happen on a thread that can run concurrently with other threads, then automatically checking that it is thread-safe w.r.t to all other accesses to the same memory (on or off the current thread thread). This will let us report even when there are no `ThreadSafe` annotations. Any method that is known to run on a new thread (e.g., `Runnable.run`) will be modeled as running on a thread that can run in parallel with other threads, and so will any method that is `synchronized` or acquires a lock. In this setup, adding `ThreadSafe` to a method just means: "assume that the current method can run in parallel with any thread, including another thread that includes a different invocation of the same method (a self race) unless you see evidence to the contrary" (e.g., calling `assertMainThread` or annotating with `UiThread`). The key step in this diff is changing the threads domain to abstract *what threads the current thread may run in parallel with* rather than *what the current thread* is. This makes things much simpler. Reviewed By: jberdine Differential Revision: D5895242 fbshipit-source-id: 2e23d1e
8 years ago
| NoThread
(** No threads can run in parallel with the current thread (concretization: empty set). We
assume this by default unless we see evidence to the contrary (annotations, use of locks,
etc.) *)
| AnyThreadButSelf
[racerd] `Precondition` -> `OwnershipPrecondition` Reviewed By: jeremydubreil Differential Revision: D7718403 fbshipit-source-id: 73c5cee
7 years ago
(** Current thread can run in parallel with other threads, but not with a copy of itself.
[doc] Fix some invalid/suspicious docstrings Summary: The upcoming ocamlformat has the ability to parse and format docstrings. This requires that the docstrings conform to the ocamldoc spec a bit more strongly. If a docstring does not parse, it is left alone, but if it is morally ill-formed but parses by chance, it can be reformatted incorrectly. This patch fixes the existing instances of this problem. Reviewed By: mbouaziz Differential Revision: D12911937 fbshipit-source-id: 1c2eb590b
6 years ago
(concretization : {% \{ t | t \in TIDs ^ t != t_cur \} %} ) *)
[thread-safety] Change meaning of @ThreadSafe to "can run in parallel with any thread including itself" Summary: Previously, annotating something ThreadSafe meant "check that it is safe to run all of this procedure's methods in parallel with each other" (including self-parallelization). This makes sense, but it means that if the user writes no annotations, we do no checking. I'm moving toward a model of inferring when an access might happen on a thread that can run concurrently with other threads, then automatically checking that it is thread-safe w.r.t to all other accesses to the same memory (on or off the current thread thread). This will let us report even when there are no `ThreadSafe` annotations. Any method that is known to run on a new thread (e.g., `Runnable.run`) will be modeled as running on a thread that can run in parallel with other threads, and so will any method that is `synchronized` or acquires a lock. In this setup, adding `ThreadSafe` to a method just means: "assume that the current method can run in parallel with any thread, including another thread that includes a different invocation of the same method (a self race) unless you see evidence to the contrary" (e.g., calling `assertMainThread` or annotating with `UiThread`). The key step in this diff is changing the threads domain to abstract *what threads the current thread may run in parallel with* rather than *what the current thread* is. This makes things much simpler. Reviewed By: jberdine Differential Revision: D5895242 fbshipit-source-id: 2e23d1e
8 years ago
| AnyThread
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
(** Current thread can run in parallel with any thread, including itself (concretization:
[racerd] `Precondition` -> `OwnershipPrecondition` Reviewed By: jeremydubreil Differential Revision: D7718403 fbshipit-source-id: 73c5cee
7 years ago
set of all TIDs ) *)
[thread-safety] new threads domain Summary: Previously, we just tracked a boolean representing whether we were possibly on the main thread (true) or definitely not on the main thread (false). In order to start supporting `Thread.start`, `Runnable.run`, etc., we'll need something more expressive. This diff introduces a lattice: ``` Any / \ Main Background \ / Unknown ``` as the new threads domain. The initial value is `Unknown`, and we introduce `Main` in situations where we would have introduced `true` before. This (mostly) preserves behavior: the main difference is that before code like ``` if (*) { assertMainThread() } else { x.f = ... } ``` would have recorded that the access to `x.f` was on the main thread, whereas now we'll say that it's on an unknown thread. Reviewed By: peterogithub Differential Revision: D5860256 fbshipit-source-id: efee330
8 years ago
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
val can_conflict : t -> t -> bool
[racerd] use `ThreadsDomain.astate` instead of bool in `AccessData` Reviewed By: ngorogiannis Differential Revision: D7423167 fbshipit-source-id: 79daa3a
7 years ago
(** return true if two accesses with these thread values can run concurrently *)
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
val is_any : t -> bool
[racerd] use `ThreadsDomain.astate` instead of bool in `AccessData` Reviewed By: ngorogiannis Differential Revision: D7423167 fbshipit-source-id: 79daa3a
7 years ago
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
val integrate_summary : caller_astate:t -> callee_astate:t -> t
[racerd] use `ThreadsDomain.astate` instead of bool in `AccessData` Reviewed By: ngorogiannis Differential Revision: D7423167 fbshipit-source-id: 79daa3a
7 years ago
(** integrate current state with a callee summary *)
[thread-safety] new threads domain Summary: Previously, we just tracked a boolean representing whether we were possibly on the main thread (true) or definitely not on the main thread (false). In order to start supporting `Thread.start`, `Runnable.run`, etc., we'll need something more expressive. This diff introduces a lattice: ``` Any / \ Main Background \ / Unknown ``` as the new threads domain. The initial value is `Unknown`, and we introduce `Main` in situations where we would have introduced `true` before. This (mostly) preserves behavior: the main difference is that before code like ``` if (*) { assertMainThread() } else { x.f = ... } ``` would have recorded that the access to `x.f` was on the main thread, whereas now we'll say that it's on an unknown thread. Reviewed By: peterogithub Differential Revision: D5860256 fbshipit-source-id: efee330
8 years ago
end
[thread-safety] Model assertManThread and assertHoldsLock Reviewed By: sblackshear Differential Revision: D4706409 fbshipit-source-id: c822c74
8 years ago
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
(** snapshot of the relevant state at the time of a heap access: concurrent thread(s), lock(s) held,
ownership precondition *)
module AccessSnapshot : sig
(** precondition for owned access; access is owned if it evaluates to true *)
module OwnershipPrecondition : sig
type t =
| Conjunction of IntSet.t
[AI] fix top interface Reviewed By: jeremydubreil Differential Revision: D13342552 fbshipit-source-id: 2839d62f9
6 years ago
(** Conjunction of "formal index must be owned" predicates. true if empty *)
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
| False
include PrettyPrintable.PrintableOrderedType with type t := t
val is_true : t -> bool
(** return [true] if the precondition evaluates to true *)
end
[thread-safety][cleanup] add mli for ThreadSafetyDomain Reviewed By: peterogithub Differential Revision: D4452608 fbshipit-source-id: 1761045
8 years ago
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
type t = private
[racerd] replace quandary traces with explicit ones Summary: Context: "quandary" traces optimise for space by only storing a call site (plus analysis element) in a summary, as opposed to a list of call sites plus the element (i.e., a trace). When forming a report, the trace is expanded to a full one by reading the summary of the called function, and then matching up the current element with one from the summary, iterating until the trace cannot be expanded any more. In the best case, this can give a quadratic saving, as a real trace gets longer the higher one goes in the call stack, and therefore the total cost of saving that trace in each summary is quadratic in the length of the trace. Quandary traces give a linear cost. HOWEVER, these have been a source of many subtle bugs. 1. The trace expansion strategy is very arbitrary and cannot distinguish between expanded traces that are invalid (i.e., end with a call and not an originating point, such as a field access in RacerD). Plus the strategy does not explore all expansions, just the left-most one, meaning the left most may be invalid in the above sense, but another (not left-most) isn't even though it's not discovered by the expansion. This is fixable with major surgery. 2. All real traces that lead to the same endpoint are conflated -- this is to save space because there may be exponentially many such traces. That's OK, but these traces may have different locking contexts -- one may take the lock along the way, and another may not. The expansion cannot make sure that if we are reporting a trace we have recorded as taking the lock, will actually do so. This has resulted in very confusing race reports that are superficially false positives (even though they point to the existence of a real race). 3. Expansion completely breaks down in the java/buck integration when the trace goes through f -> g -> h and f,g,h are all in distinct buck targets F,G,H and F does not depend directly on H. In that case, the summary of h is simply not available when reporting/expanding in f, so the expanded trace comes out as truncated and invalid. These are filtered out, but the filtering is buggy and kills real races too. This diff completely replaces quandary traces in RacerD with plain explicit traces. - This will incur the quadratic space/time cost previously saved. See test plan: there is indeed a 30% increase in summary size, but there is no slowdown. In fact, on openssl there is a 10-20% perf increase. - For each endpoint, up to a single trace is used, as before, so no exponential explosion. However, because there is no such thing as expansion, we cannot get it wrong and change the locking context of a trace. - This diff is emulating the previous reporting format as much as possible to allow good signal from the CI. Further diffs up this stack will remove quandary-trace specific things, and simplify further the code. - 2 is not fully addressed -- it will require pushing the `AccessSnapshot` structure inside `TraceElem`. Further diffs. Reviewed By: jberdine Differential Revision: D14405600 fbshipit-source-id: d239117aa
6 years ago
{ access: TraceElem.t
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
; thread: ThreadsDomain.t
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
; lock: bool
; ownership_precondition: OwnershipPrecondition.t }
include PrettyPrintable.PrintableOrderedType with type t := t
val make :
[racerd] replace quandary traces with explicit ones Summary: Context: "quandary" traces optimise for space by only storing a call site (plus analysis element) in a summary, as opposed to a list of call sites plus the element (i.e., a trace). When forming a report, the trace is expanded to a full one by reading the summary of the called function, and then matching up the current element with one from the summary, iterating until the trace cannot be expanded any more. In the best case, this can give a quadratic saving, as a real trace gets longer the higher one goes in the call stack, and therefore the total cost of saving that trace in each summary is quadratic in the length of the trace. Quandary traces give a linear cost. HOWEVER, these have been a source of many subtle bugs. 1. The trace expansion strategy is very arbitrary and cannot distinguish between expanded traces that are invalid (i.e., end with a call and not an originating point, such as a field access in RacerD). Plus the strategy does not explore all expansions, just the left-most one, meaning the left most may be invalid in the above sense, but another (not left-most) isn't even though it's not discovered by the expansion. This is fixable with major surgery. 2. All real traces that lead to the same endpoint are conflated -- this is to save space because there may be exponentially many such traces. That's OK, but these traces may have different locking contexts -- one may take the lock along the way, and another may not. The expansion cannot make sure that if we are reporting a trace we have recorded as taking the lock, will actually do so. This has resulted in very confusing race reports that are superficially false positives (even though they point to the existence of a real race). 3. Expansion completely breaks down in the java/buck integration when the trace goes through f -> g -> h and f,g,h are all in distinct buck targets F,G,H and F does not depend directly on H. In that case, the summary of h is simply not available when reporting/expanding in f, so the expanded trace comes out as truncated and invalid. These are filtered out, but the filtering is buggy and kills real races too. This diff completely replaces quandary traces in RacerD with plain explicit traces. - This will incur the quadratic space/time cost previously saved. See test plan: there is indeed a 30% increase in summary size, but there is no slowdown. In fact, on openssl there is a 10-20% perf increase. - For each endpoint, up to a single trace is used, as before, so no exponential explosion. However, because there is no such thing as expansion, we cannot get it wrong and change the locking context of a trace. - This diff is emulating the previous reporting format as much as possible to allow good signal from the CI. Further diffs up this stack will remove quandary-trace specific things, and simplify further the code. - 2 is not fully addressed -- it will require pushing the `AccessSnapshot` structure inside `TraceElem`. Further diffs. Reviewed By: jberdine Differential Revision: D14405600 fbshipit-source-id: d239117aa
6 years ago
TraceElem.t
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
-> LocksDomain.t
-> ThreadsDomain.t
[ocamlformat] upgrade to ocamlformat 0.7 Reviewed By: mbouaziz Differential Revision: D9496601 fbshipit-source-id: 83c6fd241
7 years ago
-> OwnershipPrecondition.t
-> Procdesc.t
[racerd] remove redundant ownership constructor/state Reviewed By: jeremydubreil Differential Revision: D13489018 fbshipit-source-id: b94c50664
6 years ago
-> t option
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
[racerd] replace quandary traces with explicit ones Summary: Context: "quandary" traces optimise for space by only storing a call site (plus analysis element) in a summary, as opposed to a list of call sites plus the element (i.e., a trace). When forming a report, the trace is expanded to a full one by reading the summary of the called function, and then matching up the current element with one from the summary, iterating until the trace cannot be expanded any more. In the best case, this can give a quadratic saving, as a real trace gets longer the higher one goes in the call stack, and therefore the total cost of saving that trace in each summary is quadratic in the length of the trace. Quandary traces give a linear cost. HOWEVER, these have been a source of many subtle bugs. 1. The trace expansion strategy is very arbitrary and cannot distinguish between expanded traces that are invalid (i.e., end with a call and not an originating point, such as a field access in RacerD). Plus the strategy does not explore all expansions, just the left-most one, meaning the left most may be invalid in the above sense, but another (not left-most) isn't even though it's not discovered by the expansion. This is fixable with major surgery. 2. All real traces that lead to the same endpoint are conflated -- this is to save space because there may be exponentially many such traces. That's OK, but these traces may have different locking contexts -- one may take the lock along the way, and another may not. The expansion cannot make sure that if we are reporting a trace we have recorded as taking the lock, will actually do so. This has resulted in very confusing race reports that are superficially false positives (even though they point to the existence of a real race). 3. Expansion completely breaks down in the java/buck integration when the trace goes through f -> g -> h and f,g,h are all in distinct buck targets F,G,H and F does not depend directly on H. In that case, the summary of h is simply not available when reporting/expanding in f, so the expanded trace comes out as truncated and invalid. These are filtered out, but the filtering is buggy and kills real races too. This diff completely replaces quandary traces in RacerD with plain explicit traces. - This will incur the quadratic space/time cost previously saved. See test plan: there is indeed a 30% increase in summary size, but there is no slowdown. In fact, on openssl there is a 10-20% perf increase. - For each endpoint, up to a single trace is used, as before, so no exponential explosion. However, because there is no such thing as expansion, we cannot get it wrong and change the locking context of a trace. - This diff is emulating the previous reporting format as much as possible to allow good signal from the CI. Further diffs up this stack will remove quandary-trace specific things, and simplify further the code. - 2 is not fully addressed -- it will require pushing the `AccessSnapshot` structure inside `TraceElem`. Further diffs. Reviewed By: jberdine Differential Revision: D14405600 fbshipit-source-id: d239117aa
6 years ago
val make_from_snapshot : TraceElem.t -> t -> t option
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
val is_unprotected : t -> bool
(** return true if not protected by lock, thread, or ownership *)
end
(** map of access metadata |-> set of accesses. the map should hold all accesses to a
possibly-unowned access path *)
[racerd] remove redundant ownership constructor/state Reviewed By: jeremydubreil Differential Revision: D13489018 fbshipit-source-id: b94c50664
6 years ago
module AccessDomain : sig
include AbstractDomain.FiniteSetS with type elt = AccessSnapshot.t
val add_opt : elt option -> t -> t
end
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
[thread-safety] add ownership domain: map of access paths to a lattice of ownership predicates Summary: Stepping stone to a more precise ownership domain. Reviewed By: jberdine Differential Revision: D5589834 fbshipit-source-id: 4f6c24a
8 years ago
module OwnershipAbstractValue : sig
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
type t = private
[racerd] remove redundant ownership constructor/state Reviewed By: jeremydubreil Differential Revision: D13489018 fbshipit-source-id: b94c50664
6 years ago
| OwnedIf of IntSet.t
(** Owned if the formals at the given indexes are owned in the caller; unconditionally owned
if the set of formals is empty = bottom of the lattice *)
[thread-safety] add ownership domain: map of access paths to a lattice of ownership predicates Summary: Stepping stone to a more precise ownership domain. Reviewed By: jberdine Differential Revision: D5589834 fbshipit-source-id: 4f6c24a
8 years ago
| Unowned (** Unowned value; top of the lattice *)
[ocamlformat] Upgrade to ocamlformat 0.5 Summary: Upgrade ocamlformat, and base which needs to be done in sync in order to build ocamlformat, and the other deps can come for the ride. Reviewed By: jvillard Differential Revision: D7663537 fbshipit-source-id: 3e90970
7 years ago
[@@deriving compare]
[thread-safety] add ownership domain: map of access paths to a lattice of ownership predicates Summary: Stepping stone to a more precise ownership domain. Reviewed By: jberdine Differential Revision: D5589834 fbshipit-source-id: 4f6c24a
8 years ago
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
val owned : t
[thread-safety] add ownership domain: map of access paths to a lattice of ownership predicates Summary: Stepping stone to a more precise ownership domain. Reviewed By: jberdine Differential Revision: D5589834 fbshipit-source-id: 4f6c24a
8 years ago
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
val unowned : t
[thread-safety] add ownership domain: map of access paths to a lattice of ownership predicates Summary: Stepping stone to a more precise ownership domain. Reviewed By: jberdine Differential Revision: D5589834 fbshipit-source-id: 4f6c24a
8 years ago
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
val make_owned_if : int -> t
[thread-safety] add ownership domain: map of access paths to a lattice of ownership predicates Summary: Stepping stone to a more precise ownership domain. Reviewed By: jberdine Differential Revision: D5589834 fbshipit-source-id: 4f6c24a
8 years ago
end
module OwnershipDomain : sig
[racerd] strip down domain interface Reviewed By: mbouaziz Differential Revision: D13537494 fbshipit-source-id: 42d8bc89b
6 years ago
type t
val empty : t
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val add : AccessExpression.t -> OwnershipAbstractValue.t -> t -> t
[thread-safety] add ownership domain: map of access paths to a lattice of ownership predicates Summary: Stepping stone to a more precise ownership domain. Reviewed By: jberdine Differential Revision: D5589834 fbshipit-source-id: 4f6c24a
8 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val get_owned : AccessExpression.t -> t -> OwnershipAbstractValue.t
[thread-safety] add ownership domain: map of access paths to a lattice of ownership predicates Summary: Stepping stone to a more precise ownership domain. Reviewed By: jberdine Differential Revision: D5589834 fbshipit-source-id: 4f6c24a
8 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val propagate_assignment : AccessExpression.t -> HilExp.t -> t -> t
[racerd] don't replicate existing logic in `propagate_return` Summary: `ownership_of_expr` is already doing some of the work in `propagate_return`. Also, split and move into abstract domain, where it belongs. Reviewed By: jeremydubreil Differential Revision: D8855257 fbshipit-source-id: 7756552d8
7 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val propagate_return : AccessExpression.t -> OwnershipAbstractValue.t -> HilExp.t list -> t -> t
[racerd] replace quandary traces with explicit ones Summary: Context: "quandary" traces optimise for space by only storing a call site (plus analysis element) in a summary, as opposed to a list of call sites plus the element (i.e., a trace). When forming a report, the trace is expanded to a full one by reading the summary of the called function, and then matching up the current element with one from the summary, iterating until the trace cannot be expanded any more. In the best case, this can give a quadratic saving, as a real trace gets longer the higher one goes in the call stack, and therefore the total cost of saving that trace in each summary is quadratic in the length of the trace. Quandary traces give a linear cost. HOWEVER, these have been a source of many subtle bugs. 1. The trace expansion strategy is very arbitrary and cannot distinguish between expanded traces that are invalid (i.e., end with a call and not an originating point, such as a field access in RacerD). Plus the strategy does not explore all expansions, just the left-most one, meaning the left most may be invalid in the above sense, but another (not left-most) isn't even though it's not discovered by the expansion. This is fixable with major surgery. 2. All real traces that lead to the same endpoint are conflated -- this is to save space because there may be exponentially many such traces. That's OK, but these traces may have different locking contexts -- one may take the lock along the way, and another may not. The expansion cannot make sure that if we are reporting a trace we have recorded as taking the lock, will actually do so. This has resulted in very confusing race reports that are superficially false positives (even though they point to the existence of a real race). 3. Expansion completely breaks down in the java/buck integration when the trace goes through f -> g -> h and f,g,h are all in distinct buck targets F,G,H and F does not depend directly on H. In that case, the summary of h is simply not available when reporting/expanding in f, so the expanded trace comes out as truncated and invalid. These are filtered out, but the filtering is buggy and kills real races too. This diff completely replaces quandary traces in RacerD with plain explicit traces. - This will incur the quadratic space/time cost previously saved. See test plan: there is indeed a 30% increase in summary size, but there is no slowdown. In fact, on openssl there is a 10-20% perf increase. - For each endpoint, up to a single trace is used, as before, so no exponential explosion. However, because there is no such thing as expansion, we cannot get it wrong and change the locking context of a trace. - This diff is emulating the previous reporting format as much as possible to allow good signal from the CI. Further diffs up this stack will remove quandary-trace specific things, and simplify further the code. - 2 is not fully addressed -- it will require pushing the `AccessSnapshot` structure inside `TraceElem`. Further diffs. Reviewed By: jberdine Differential Revision: D14405600 fbshipit-source-id: d239117aa
6 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val get_precondition : AccessExpression.t -> t -> AccessSnapshot.OwnershipPrecondition.t
[thread-safety] add ownership domain: map of access paths to a lattice of ownership predicates Summary: Stepping stone to a more precise ownership domain. Reviewed By: jberdine Differential Revision: D5589834 fbshipit-source-id: 4f6c24a
8 years ago
end
[thread-safety] add choice variables to support partial path-sensitivity Reviewed By: peterogithub Differential Revision: D4712228 fbshipit-source-id: 50a9188
8 years ago
(** attribute attached to a boolean variable specifying what it means when the boolean is true *)
module Choice : sig
type t =
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786
8 years ago
| OnMainThread (** the current procedure is running on the main thread *)
| LockHeld (** a lock is currently held *)
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
include PrettyPrintable.PrintableOrderedType with type t := t
[thread-safety] add choice variables to support partial path-sensitivity Reviewed By: peterogithub Differential Revision: D4712228 fbshipit-source-id: 50a9188
8 years ago
end
[thread-safety] use map of access paths to attributes rather than multiple sets of access paths Summary: This will make it a cinch to track new "attributes" of memory locations, and to propagate more complex attributes such as conditional ownership (coming in a future diff). Reviewed By: peterogithub Differential Revision: D4523143 fbshipit-source-id: 57aa133
8 years ago
module Attribute : sig
type t =
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786
8 years ago
| Functional (** holds a value returned from a callee marked @Functional *)
| Choice of Choice.t (** holds a boolean choice variable *)
[thread-safety] use map of access paths to attributes rather than multiple sets of access paths Summary: This will make it a cinch to track new "attributes" of memory locations, and to propagate more complex attributes such as conditional ownership (coming in a future diff). Reviewed By: peterogithub Differential Revision: D4523143 fbshipit-source-id: 57aa133
8 years ago
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
include PrettyPrintable.PrintableOrderedType with type t := t
[thread-safety] use map of access paths to attributes rather than multiple sets of access paths Summary: This will make it a cinch to track new "attributes" of memory locations, and to propagate more complex attributes such as conditional ownership (coming in a future diff). Reviewed By: peterogithub Differential Revision: D4523143 fbshipit-source-id: 57aa133
8 years ago
end
[racerd] strip down domain interface Reviewed By: mbouaziz Differential Revision: D13537494 fbshipit-source-id: 42d8bc89b
6 years ago
module AttributeSetDomain : sig
type t
val empty : t
end
[thread-safety] use map of access paths to attributes rather than multiple sets of access paths Summary: This will make it a cinch to track new "attributes" of memory locations, and to propagate more complex attributes such as conditional ownership (coming in a future diff). Reviewed By: peterogithub Differential Revision: D4523143 fbshipit-source-id: 57aa133
8 years ago
module AttributeMapDomain : sig
[racerd] strip down domain interface Reviewed By: mbouaziz Differential Revision: D13537494 fbshipit-source-id: 42d8bc89b
6 years ago
type t
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val find : AccessExpression.t -> t -> AttributeSetDomain.t
[thread-safety] use map of access paths to attributes rather than multiple sets of access paths Summary: This will make it a cinch to track new "attributes" of memory locations, and to propagate more complex attributes such as conditional ownership (coming in a future diff). Reviewed By: peterogithub Differential Revision: D4523143 fbshipit-source-id: 57aa133
8 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val add : AccessExpression.t -> AttributeSetDomain.t -> t -> t
[thread-safety] use map of access paths to attributes rather than multiple sets of access paths Summary: This will make it a cinch to track new "attributes" of memory locations, and to propagate more complex attributes such as conditional ownership (coming in a future diff). Reviewed By: peterogithub Differential Revision: D4523143 fbshipit-source-id: 57aa133
8 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val has_attribute : AccessExpression.t -> Attribute.t -> t -> bool
[thread-safety] add callee write as protected-if if it's conditionally owned in caller Reviewed By: peterogithub Differential Revision: D4660606 fbshipit-source-id: 8e523c9
8 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val get_choices : AccessExpression.t -> t -> Choice.t list
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786
8 years ago
(** get the choice attributes associated with the given access path *)
[thread-safety] add choice variables to support partial path-sensitivity Reviewed By: peterogithub Differential Revision: D4712228 fbshipit-source-id: 50a9188
8 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val add_attribute : AccessExpression.t -> Attribute.t -> t -> t
[threadsafety] record threaded information alongside accesses and use disjunction for thread join Summary: Using Conjunction for thread join has known false negatives. Finer grained recording of threading information fixes this. Reviewed By: sblackshear Differential Revision: D5111161 fbshipit-source-id: aab483c
8 years ago
[racerd] use access expressions in place of paths Summary: Access paths are too coarse to properly address C/C++ instructions, and lead to false positives and negatives. Begin the process of porting the underlying domains to access expressions, in a results-preserving way. This roughly consists in: - Adding missing functions in `AccessExpression` to mirror those in `AccessPath`. - Replacing `AccessExpression` for `AccessPath` and removing conversions from the former to the latter except in: - Printing functions, to ensure formatting issues won't change tests/CI. - Reporting/deduplication still happens through access path conversion, as we need an analogue of `ModuloThis` for `AccessExpression`. - In selected places, ignore any access type not present in `AccessPath` (ie. dereference/take address of). Reviewed By: jberdine Differential Revision: D16856721 fbshipit-source-id: 5e3a88b75
6 years ago
val propagate_assignment : AccessExpression.t -> HilExp.t -> t -> t
[racerd] reorg domain module Summary: - Reorder modules in mli for readability. - Match mli module order in the implementation. - Move some functions that operate on domains from RacerD.ml to the domain file. - Kill some module type invocation. - Use standard module signatures. Reviewed By: mbouaziz Differential Revision: D8026386 fbshipit-source-id: ee2af22
7 years ago
(** propagate attributes from the leaves to the root of an RHS Hil expression *)
[thread-safety] AccessDomain for better tracking of writes Summary: In order to be able to report races like ``` synchronized write() { this.f = ... } read() { return this.f; } ``` , we need to track writes that happen inside of synchronization as well as writes that happen outside of synchronization. This diff takes a step toward making that possible by defining an "AccessDomain" mapping a precondition for the safety of a write ( {Safe, SafeIf i, Unsafe} =~ {true, owned(i), false} ) to a set of writes that are safe if the precondition will hold. We're not actually tracking safe writes yet, but this domain will make it easy to do so. This also lets us kill the conditional writes/unconditional writes combo, which was a bit clumsy Reviewed By: peterogithub Differential Revision: D4620153 fbshipit-source-id: 2d9c5ef
8 years ago
end
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
type t =
{ threads: ThreadsDomain.t (** current thread: main, background, or unknown *)
; locks: LocksDomain.t (** boolean that is true if a lock must currently be held *)
; accesses: AccessDomain.t
Convert Reason to OCaml, and auto-format OCaml Summary: Conversion and reformat of infer source using ocamlformat auto-formatting tool. Current status: - Because Reason does not handle docstrings, the output of the conversion is not 'Warning 50'-clean, meaning that there are docstrings with ambiguous placement. I'll need to manually fix them just before landing. Reviewed By: jvillard Differential Revision: D5225546 fbshipit-source-id: 3bd2786
8 years ago
(** read and writes accesses performed without ownership permissions *)
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
; ownership: OwnershipDomain.t (** map of access paths to ownership predicates *)
; attribute_map: AttributeMapDomain.t
[racerd] kill stability Reviewed By: jvillard Differential Revision: D13180369 fbshipit-source-id: 5684ed318
6 years ago
(** map of access paths to attributes such as owned, functional, ... *) }
[thread-safety][cleanup] add mli for ThreadSafetyDomain Reviewed By: peterogithub Differential Revision: D4452608 fbshipit-source-id: 1761045
8 years ago
[thread-safety][cleanup] use record for summary type Reviewed By: peterogithub Differential Revision: D5636060 fbshipit-source-id: 5e25a28
8 years ago
(** same as astate, but without [attribute_map] (since these involve locals) and with the addition
of the ownership/attributes associated with the return value as well as the set of formals which
may escape *)
[hil] functor for easily creating HIL analyses Summary: Last step for converting thread-safety and quandary to HIL. Push the logic for managing the id map and converting the instructions into a functor. This way, client analyses can simply write HIL transfer functions and call the functor. Reviewed By: jberdine Differential Revision: D4989987 fbshipit-source-id: 485169e
8 years ago
type summary =
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
{ threads: ThreadsDomain.t
; locks: LocksDomain.t
; accesses: AccessDomain.t
; return_ownership: OwnershipAbstractValue.t
; return_attributes: AttributeSetDomain.t }
[thread-safety][cleanup] add mli for ThreadSafetyDomain Reviewed By: peterogithub Differential Revision: D4452608 fbshipit-source-id: 1761045
8 years ago
[racerd] detect ObjC "private" methods Summary: To avoid reporting on private methods, ignore those starting with underscore. Other cleanups. Reviewed By: jvillard Differential Revision: D10558970 fbshipit-source-id: 0572f1e70
6 years ago
val empty_summary : summary
[AI] kill astate type Reviewed By: mbouaziz Differential Revision: D10119192 fbshipit-source-id: 4868cbcb1
6 years ago
include AbstractDomain.WithBottom with type t := t
[thread-safety][cleanup] add mli for ThreadSafetyDomain Reviewed By: peterogithub Differential Revision: D4452608 fbshipit-source-id: 1761045
8 years ago
val pp_summary : F.formatter -> summary -> unit
[racerd] move models and domain operations to respective source files Reviewed By: mbouaziz Differential Revision: D13537501 fbshipit-source-id: 88dbc022d
6 years ago
val add_unannotated_call_access : Typ.Procname.t -> Location.t -> Procdesc.t -> t -> t