pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0911a1297a'
${ noResults }
infer_clone/infer/src/pulse/PulseAbductiveDomain.ml

839 lines
33 KiB
Raw Normal View History Unescape

[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
module F = Format
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
module L = Logging
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
module AbstractAddress = PulseDomain.AbstractAddress
module Attributes = PulseDomain.Attributes
module BaseStack = PulseDomain.Stack
module BaseMemory = PulseDomain.Memory
(** signature common to the "normal" [Domain], representing the post at the current program point,
and the inverted [InvertedDomain], representing the inferred pre-condition*)
module type BaseDomain = sig
(* private because the lattice is not the same for preconditions and postconditions so we don't
want to confuse them *)
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
type t = private PulseDomain.t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
val empty : t
val make : BaseStack.t -> BaseMemory.t -> t
val update : ?stack:BaseStack.t -> ?heap:BaseMemory.t -> t -> t
include AbstractDomain.NoJoin with type t := t
end
(* just to expose the [heap] and [stack] record field names without having to type
[PulseDomain.heap] *)
type base_domain = PulseDomain.t = {heap: BaseMemory.t; stack: BaseStack.t}
(** operations common to [Domain] and [InvertedDomain], see also the [BaseDomain] signature *)
module BaseDomainCommon = struct
let make stack heap = {stack; heap}
let update ?stack ?heap foot =
let new_stack, new_heap =
(Option.value ~default:foot.stack stack, Option.value ~default:foot.heap heap)
in
if phys_equal new_stack foot.stack && phys_equal new_heap foot.heap then foot
else {stack= new_stack; heap= new_heap}
end
(** represents the post abstract state at each program point *)
module Domain : BaseDomain = struct
include BaseDomainCommon
include PulseDomain
end
(** represents the inferred pre-condition at each program point, biabduction style *)
module InvertedDomain : BaseDomain = struct
include BaseDomainCommon
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
type t = PulseDomain.t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let empty = PulseDomain.empty
let pp = PulseDomain.pp
(** inverted lattice *)
let ( <= ) ~lhs ~rhs = PulseDomain.( <= ) ~rhs:lhs ~lhs:rhs
end
(** biabduction-style pre/post state *)
type t =
{ post: Domain.t (** state at the current program point*)
; pre: InvertedDomain.t (** inferred pre at the current program point *) }
let pp f {post; pre} = F.fprintf f "@[<v>%a@;[%a]@]" Domain.pp post InvertedDomain.pp pre
let ( <= ) ~lhs ~rhs =
match
PulseDomain.isograph_map PulseDomain.empty_mapping
~lhs:(rhs.pre :> PulseDomain.t)
~rhs:(lhs.pre :> PulseDomain.t)
with
| NotIsomorphic ->
false
| IsomorphicUpTo foot_mapping ->
PulseDomain.is_isograph foot_mapping
~lhs:(lhs.post :> PulseDomain.t)
~rhs:(rhs.post :> PulseDomain.t)
module Stack = struct
[pulse] tighten up summaries Summary: Only throw values to the pre if they can be followed from "abducible" variables: formals of the current method and globals. Because figuring out if a `Pvar.t` is a formal of the current procedure is actually a giant pain, hack something not too bad instead: pre-register all formals at the start of the analysis of the procedure. Then the only other variables we care about in the precondition are globals, which we can detect easily. This is mostly an optimisation (summaries won't include irrelevant "abduced" facts about the procedure's local variables anymore), but it also fixes a bug where we would sometimes overwrite things in the pre. I think that's why the tests improved. Reviewed By: ngorogiannis Differential Revision: D14753493 fbshipit-source-id: 08e73637f
6 years ago
let is_abducible astate var =
(* HACK: formals are pre-registered in the initial state *)
BaseStack.mem var (astate.pre :> base_domain).stack || Var.is_global var
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
(** [astate] with [astate.post.stack = f astate.post.stack] *)
let map_post_stack ~f astate =
let new_post = Domain.update astate.post ~stack:(f (astate.post :> base_domain).stack) in
if phys_equal new_post astate.post then astate else {astate with post= new_post}
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let eval var astate =
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
match BaseStack.find_opt var (astate.post :> base_domain).stack with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| Some addr_hist ->
(astate, addr_hist)
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
| None ->
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let addr_hist = (AbstractAddress.mk_fresh (), []) in
let post_stack = BaseStack.add var addr_hist (astate.post :> base_domain).stack in
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let pre =
[pulse] tighten up summaries Summary: Only throw values to the pre if they can be followed from "abducible" variables: formals of the current method and globals. Because figuring out if a `Pvar.t` is a formal of the current procedure is actually a giant pain, hack something not too bad instead: pre-register all formals at the start of the analysis of the procedure. Then the only other variables we care about in the precondition are globals, which we can detect easily. This is mostly an optimisation (summaries won't include irrelevant "abduced" facts about the procedure's local variables anymore), but it also fixes a bug where we would sometimes overwrite things in the pre. I think that's why the tests improved. Reviewed By: ngorogiannis Differential Revision: D14753493 fbshipit-source-id: 08e73637f
6 years ago
(* do not overwrite values of variables already in the pre *)
if (not (BaseStack.mem var (astate.pre :> base_domain).stack)) && is_abducible astate var
then
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let foot_stack = BaseStack.add var addr_hist (astate.pre :> base_domain).stack in
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let foot_heap =
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
BaseMemory.register_address (fst addr_hist) (astate.pre :> base_domain).heap
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
in
InvertedDomain.make foot_stack foot_heap
else astate.pre
in
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
({post= Domain.update astate.post ~stack:post_stack; pre}, addr_hist)
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let add var addr_loc_opt astate =
map_post_stack astate ~f:(fun stack -> BaseStack.add var addr_loc_opt stack)
let remove_vars vars astate =
[pulse] tighten up summaries Summary: Only throw values to the pre if they can be followed from "abducible" variables: formals of the current method and globals. Because figuring out if a `Pvar.t` is a formal of the current procedure is actually a giant pain, hack something not too bad instead: pre-register all formals at the start of the analysis of the procedure. Then the only other variables we care about in the precondition are globals, which we can detect easily. This is mostly an optimisation (summaries won't include irrelevant "abduced" facts about the procedure's local variables anymore), but it also fixes a bug where we would sometimes overwrite things in the pre. I think that's why the tests improved. Reviewed By: ngorogiannis Differential Revision: D14753493 fbshipit-source-id: 08e73637f
6 years ago
let vars_to_remove =
let is_in_pre var astate = BaseStack.mem var (astate.pre :> base_domain).stack in
List.filter vars ~f:(fun var -> not (is_in_pre var astate))
in
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
map_post_stack astate ~f:(fun stack ->
[pulse] tighten up summaries Summary: Only throw values to the pre if they can be followed from "abducible" variables: formals of the current method and globals. Because figuring out if a `Pvar.t` is a formal of the current procedure is actually a giant pain, hack something not too bad instead: pre-register all formals at the start of the analysis of the procedure. Then the only other variables we care about in the precondition are globals, which we can detect easily. This is mostly an optimisation (summaries won't include irrelevant "abduced" facts about the procedure's local variables anymore), but it also fixes a bug where we would sometimes overwrite things in the pre. I think that's why the tests improved. Reviewed By: ngorogiannis Differential Revision: D14753493 fbshipit-source-id: 08e73637f
6 years ago
BaseStack.filter (fun var _ -> not (List.mem ~equal:Var.equal vars_to_remove var)) stack )
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let fold f astate accum = BaseStack.fold f (astate.post :> base_domain).stack accum
let find_opt var astate = BaseStack.find_opt var (astate.post :> base_domain).stack
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let mem var astate = BaseStack.mem var (astate.post :> base_domain).stack
[pulse] C++ temporaries bound to globals do not "escape" Summary: Fixes a false positive where the address of a C++ temporary is bound to a static const reference variable then returned. The fix doesn't try to establish that the variable is a const reference so could lead to false negatives but that can be addressed later. Reviewed By: ezgicicek Differential Revision: D16004538 fbshipit-source-id: e403dbefe
6 years ago
let exists f astate = BaseStack.exists f (astate.post :> base_domain).stack
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
end
module Memory = struct
open Result.Monad_infix
module Access = BaseMemory.Access
(** [astate] with [astate.post.heap = f astate.post.heap] *)
let map_post_heap ~f astate =
let new_post = Domain.update astate.post ~heap:(f (astate.post :> base_domain).heap) in
if phys_equal new_post astate.post then astate else {astate with post= new_post}
(** if [address] is in [pre] and it should be valid then that fact goes in the precondition *)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let record_must_be_valid action address (pre : InvertedDomain.t) =
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
if BaseMemory.mem_edges address (pre :> base_domain).heap then
InvertedDomain.update pre
~heap:
(BaseMemory.add_attributes address
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
(Attributes.singleton (MustBeValid action))
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
(pre :> base_domain).heap)
else pre
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let check_valid action addr ({post; pre} as astate) =
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
BaseMemory.check_valid addr (post :> base_domain).heap
>>| fun () ->
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let new_pre = record_must_be_valid action addr pre in
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
if phys_equal new_pre pre then astate else {astate with pre= new_pre}
[pulse] Record the trace of the address written to Reviewed By: skcho Differential Revision: D17004433 fbshipit-source-id: 937319c27
6 years ago
let add_edge addr access new_addr_trace loc astate =
[pulse] Record writes explicitly as Attributes and get rid of heuristic in is_cell_read_only Reviewed By: jvillard Differential Revision: D16543753 fbshipit-source-id: 4c0d9fb41
6 years ago
map_post_heap astate ~f:(fun heap ->
BaseMemory.add_edge addr access new_addr_trace heap
[pulse] Record the trace of the address written to Reviewed By: skcho Differential Revision: D17004433 fbshipit-source-id: 937319c27
6 years ago
|> BaseMemory.add_attributes addr
(Attributes.singleton
(WrittenTo (PulseDomain.InterprocAction.Immediate {imm= (); location= loc}))) )
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] C++ temporaries bound to globals do not "escape" Summary: Fixes a false positive where the address of a C++ temporary is bound to a static const reference variable then returned. The fix doesn't try to establish that the variable is a const reference so could lead to false negatives but that can be addressed later. Reviewed By: ezgicicek Differential Revision: D16004538 fbshipit-source-id: e403dbefe
6 years ago
let find_edge_opt address access astate =
BaseMemory.find_edge_opt address access (astate.post :> base_domain).heap
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let eval_edge addr access astate =
[pulse] C++ temporaries bound to globals do not "escape" Summary: Fixes a false positive where the address of a C++ temporary is bound to a static const reference variable then returned. The fix doesn't try to establish that the variable is a const reference so could lead to false negatives but that can be addressed later. Reviewed By: ezgicicek Differential Revision: D16004538 fbshipit-source-id: e403dbefe
6 years ago
match find_edge_opt addr access astate with
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
| Some addr_trace' ->
(astate, addr_trace')
| None ->
let addr_trace' = (AbstractAddress.mk_fresh (), []) in
let post_heap =
[pulse] do not create `&` back-edges eagerly Summary: This mostly doesn't make sense. The only thing this would have been good for was to give the most accurate result on access paths such as `*(&(x.f))`, but these are normalised anyway (into `x.f`) so we actually never see these. That said there might be some use to some similar logic in the future, but in the meantime let's delete the current feature as it wasn't thought through. Reviewed By: ezgicicek Differential Revision: D14753492 fbshipit-source-id: 597cec027
6 years ago
BaseMemory.add_edge addr access addr_trace' (astate.post :> base_domain).heap
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
in
let foot_heap =
if BaseMemory.mem_edges addr (astate.pre :> base_domain).heap then
[pulse] do not create `&` back-edges eagerly Summary: This mostly doesn't make sense. The only thing this would have been good for was to give the most accurate result on access paths such as `*(&(x.f))`, but these are normalised anyway (into `x.f`) so we actually never see these. That said there might be some use to some similar logic in the future, but in the meantime let's delete the current feature as it wasn't thought through. Reviewed By: ezgicicek Differential Revision: D14753492 fbshipit-source-id: 597cec027
6 years ago
BaseMemory.add_edge addr access addr_trace' (astate.pre :> base_domain).heap
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
|> BaseMemory.register_address (fst addr_trace')
else (astate.pre :> base_domain).heap
in
( { post= Domain.update astate.post ~heap:post_heap
; pre= InvertedDomain.update astate.pre ~heap:foot_heap }
, addr_trace' )
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let invalidate address action astate =
map_post_heap astate ~f:(fun heap -> BaseMemory.invalidate address action heap)
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let add_attributes address attributes astate =
map_post_heap astate ~f:(fun heap -> BaseMemory.add_attributes address attributes heap)
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
let get_closure_proc_name addr astate =
BaseMemory.get_closure_proc_name addr (astate.post :> base_domain).heap
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let std_vector_reserve addr astate =
map_post_heap astate ~f:(fun heap -> BaseMemory.std_vector_reserve addr heap)
let is_std_vector_reserved addr astate =
BaseMemory.is_std_vector_reserved addr (astate.post :> base_domain).heap
let find_opt address astate = BaseMemory.find_opt address (astate.post :> base_domain).heap
[pulse] Record the trace of the address written to Reviewed By: skcho Differential Revision: D17004433 fbshipit-source-id: 937319c27
6 years ago
let set_cell addr cell loc astate =
[pulse] Record writes explicitly as Attributes and get rid of heuristic in is_cell_read_only Reviewed By: jvillard Differential Revision: D16543753 fbshipit-source-id: 4c0d9fb41
6 years ago
map_post_heap astate ~f:(fun heap ->
BaseMemory.set_cell addr cell heap
[pulse] Record the trace of the address written to Reviewed By: skcho Differential Revision: D17004433 fbshipit-source-id: 937319c27
6 years ago
|> BaseMemory.add_attributes addr
(Attributes.singleton
(WrittenTo (PulseDomain.InterprocAction.Immediate {imm= (); location= loc}))) )
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
module Edges = BaseMemory.Edges
end
[pulse] tighten up summaries Summary: Only throw values to the pre if they can be followed from "abducible" variables: formals of the current method and globals. Because figuring out if a `Pvar.t` is a formal of the current procedure is actually a giant pain, hack something not too bad instead: pre-register all formals at the start of the analysis of the procedure. Then the only other variables we care about in the precondition are globals, which we can detect easily. This is mostly an optimisation (summaries won't include irrelevant "abduced" facts about the procedure's local variables anymore), but it also fixes a bug where we would sometimes overwrite things in the pre. I think that's why the tests improved. Reviewed By: ngorogiannis Differential Revision: D14753493 fbshipit-source-id: 08e73637f
6 years ago
let mk_initial proc_desc =
(* HACK: save the formals in the stacks of the pre and the post to remember which local variables
correspond to formals *)
let formals =
let proc_name = Procdesc.get_proc_name proc_desc in
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let location = Procdesc.get_loc proc_desc in
[pulse] tighten up summaries Summary: Only throw values to the pre if they can be followed from "abducible" variables: formals of the current method and globals. Because figuring out if a `Pvar.t` is a formal of the current procedure is actually a giant pain, hack something not too bad instead: pre-register all formals at the start of the analysis of the procedure. Then the only other variables we care about in the precondition are globals, which we can detect easily. This is mostly an optimisation (summaries won't include irrelevant "abduced" facts about the procedure's local variables anymore), but it also fixes a bug where we would sometimes overwrite things in the pre. I think that's why the tests improved. Reviewed By: ngorogiannis Differential Revision: D14753493 fbshipit-source-id: 08e73637f
6 years ago
Procdesc.get_formals proc_desc
|> List.map ~f:(fun (mangled, _) ->
let var = Var.of_pvar (Pvar.mk mangled proc_name) in
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
( var
, (AbstractAddress.mk_fresh (), [PulseDomain.ValueHistory.VariableDeclaration location])
) )
[pulse] tighten up summaries Summary: Only throw values to the pre if they can be followed from "abducible" variables: formals of the current method and globals. Because figuring out if a `Pvar.t` is a formal of the current procedure is actually a giant pain, hack something not too bad instead: pre-register all formals at the start of the analysis of the procedure. Then the only other variables we care about in the precondition are globals, which we can detect easily. This is mostly an optimisation (summaries won't include irrelevant "abduced" facts about the procedure's local variables anymore), but it also fixes a bug where we would sometimes overwrite things in the pre. I think that's why the tests improved. Reviewed By: ngorogiannis Differential Revision: D14753493 fbshipit-source-id: 08e73637f
6 years ago
in
let initial_stack =
List.fold formals ~init:(InvertedDomain.empty :> PulseDomain.t).stack
~f:(fun stack (formal, addr_loc) -> BaseStack.add formal addr_loc stack)
in
let pre =
let initial_heap =
List.fold formals ~init:(InvertedDomain.empty :> base_domain).heap
~f:(fun heap (_, (addr, _)) -> BaseMemory.register_address addr heap)
in
InvertedDomain.make initial_stack initial_heap
in
let post = Domain.update ~stack:initial_stack Domain.empty in
{pre; post}
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let discard_unreachable ({pre; post} as astate) =
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
let pre_addresses = PulseDomain.reachable_addresses (pre :> PulseDomain.t) in
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let pre_old_heap = (pre :> PulseDomain.t).heap in
let pre_new_heap =
PulseDomain.Memory.filter
(fun address -> PulseDomain.AbstractAddressSet.mem address pre_addresses)
pre_old_heap
in
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
let post_addresses = PulseDomain.reachable_addresses (post :> PulseDomain.t) in
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let all_addresses = PulseDomain.AbstractAddressSet.union pre_addresses post_addresses in
let post_old_heap = (post :> PulseDomain.t).heap in
let post_new_heap =
PulseDomain.Memory.filter
(fun address -> PulseDomain.AbstractAddressSet.mem address all_addresses)
post_old_heap
in
if phys_equal pre_new_heap pre_old_heap && phys_equal post_new_heap post_old_heap then astate
else
{ pre= InvertedDomain.make (pre :> PulseDomain.t).stack pre_new_heap
; post= Domain.make (post :> PulseDomain.t).stack post_new_heap }
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
let is_local var astate = not (Var.is_return var || Stack.is_abducible astate var)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
module PrePost = struct
type domain_t = t
type t = domain_t
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
let filter_for_summary astate =
let post_stack =
BaseStack.filter
[pulse] do not record addresses of logical variables Summary: Before this diff we would record when some values came from the "address of" logical variables. This makes no sense and also was incorrectly marking these addresses as "written to" when they appeared in the post of a procedure, because their attributes weren't empty (they had the "address of stack variable" attribute). Reviewed By: ngorogiannis Differential Revision: D17131210 fbshipit-source-id: 6cc3c465a
6 years ago
(fun var _ -> Var.appears_in_source_code var && not (is_local var astate))
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
(astate.post :> PulseDomain.t).stack
in
[pulse] Remove bindings with empty edges in pre Reviewed By: jvillard Differential Revision: D16419183 fbshipit-source-id: 858958ddd
6 years ago
(* deregister empty edges in pre *)
let pre_heap =
BaseMemory.filter_heap
(fun _addr edges -> not (BaseMemory.Edges.is_empty edges))
(astate.pre :> base_domain).heap
in
{ pre= InvertedDomain.update astate.pre ~heap:pre_heap
; post= Domain.update ~stack:post_stack astate.post }
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
let add_out_of_scope_attribute addr pvar location history heap typ =
let action =
PulseDomain.InterprocAction.Immediate
{imm= PulseDomain.Invalidation.GoneOutOfScope (pvar, typ); location}
in
let attr = PulseDomain.Attributes.singleton (Invalid {action; history}) in
PulseDomain.Memory.add_attributes addr attr heap
(** invalidate local variables going out of scope *)
let invalidate_locals pdesc astate : t =
let heap : BaseMemory.t = (astate.post :> PulseDomain.t).heap in
let heap' =
PulseDomain.Memory.fold_attrs
(fun addr attrs heap ->
PulseDomain.Attributes.get_address_of_stack_variable attrs
|> Option.value_map ~default:heap ~f:(fun (var, history, location) ->
let get_local_typ_opt pvar =
Procdesc.get_locals pdesc
|> List.find_map ~f:(fun ProcAttributes.{name; typ} ->
if Mangled.equal name (Pvar.get_name pvar) then Some typ else None )
in
match var with
| Var.ProgramVar pvar ->
get_local_typ_opt pvar
|> Option.value_map ~default:heap
~f:(add_out_of_scope_attribute addr pvar location history heap)
| _ ->
heap ) )
heap heap
in
if phys_equal heap heap' then astate
else {pre= astate.pre; post= Domain.update astate.post ~heap:heap'}
let of_post pdesc astate =
filter_for_summary astate |> discard_unreachable |> invalidate_locals pdesc
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
(* {2 machinery to apply a pre/post pair corresponding to a function's summary in a function call
to the current state} *)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
module AddressSet = PulseDomain.AbstractAddressSet
module AddressMap = PulseDomain.AbstractAddressMap
(** raised when the pre/post pair and the current state disagree on the aliasing, i.e. some
addresses that are distinct in the pre/post are aliased in the current state. Typically raised
when calling [foo(z,z)] where the spec for [foo(x,y)] says that [x] and [y] are disjoint. *)
exception Aliasing
(** stuff we carry around when computing the result of applying one pre/post pair *)
type call_state =
{ astate: t (** caller's abstract state computed so far *)
; subst: AbstractAddress.t AddressMap.t
(** translation from callee addresses to caller addresses *)
; rev_subst: AbstractAddress.t AddressMap.t
(** the inverse translation from [subst] from caller addresses to callee addresses *)
; visited: AddressSet.t
(** set of callee addresses that have been visited already
NOTE: this is not always equal to the domain of [rev_subst]: when applying the post
we visit each subgraph from each formal independently so we reset [visited] between
the visit of each formal *)
}
let pp_call_state fmt {astate; subst; rev_subst; visited} =
F.fprintf fmt
"@[<v>{ astate=@[<hv2>%a@];@, subst=@[<hv2>%a@];@, rev_subst=@[<hv2>%a@];@, \
visited=@[<hv2>%a@]@, }@]"
pp astate
(AddressMap.pp ~pp_value:AbstractAddress.pp)
subst
(AddressMap.pp ~pp_value:AbstractAddress.pp)
rev_subst AddressSet.pp visited
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
let fold_globals_of_stack stack call_state ~f =
Container.fold_result ~fold:(IContainer.fold_of_pervasives_map_fold ~fold:BaseStack.fold)
stack ~init:call_state ~f:(fun call_state (var, stack_value) ->
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
match var with
| Var.ProgramVar pvar when Pvar.is_global pvar ->
let call_state, (addr_caller, _) =
let astate, var_value = Stack.eval var call_state.astate in
if phys_equal astate call_state.astate then (call_state, var_value)
else ({call_state with astate}, var_value)
in
f pvar ~stack_value ~addr_caller call_state
| _ ->
Ok call_state )
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let visit call_state ~addr_callee ~addr_caller =
( match AddressMap.find_opt addr_caller call_state.rev_subst with
| Some addr_callee' when not (AbstractAddress.equal addr_callee addr_callee') ->
L.d_printfln "Huho, address %a in post already bound to %a, not %a@\nState=%a"
AbstractAddress.pp addr_caller AbstractAddress.pp addr_callee' AbstractAddress.pp
addr_callee pp_call_state call_state ;
raise Aliasing
| _ ->
() ) ;
if AddressSet.mem addr_callee call_state.visited then (`AlreadyVisited, call_state)
else
( `NotAlreadyVisited
, { call_state with
visited= AddressSet.add addr_callee call_state.visited
; subst= AddressMap.add addr_callee addr_caller call_state.subst
; rev_subst= AddressMap.add addr_caller addr_callee call_state.rev_subst } )
let pp f {pre; post} =
F.fprintf f "PRE:@\n @[%a@]@\n" PulseDomain.pp (pre :> PulseDomain.t) ;
F.fprintf f "POST:@\n @[%a@]@\n" PulseDomain.pp (post :> PulseDomain.t)
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
(* {3 reading the pre from the current state} *)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
(** Materialize the (abstract memory) subgraph of [pre] reachable from [addr_pre] in
[call_state.astate] starting from address [addr_caller]. Report an error if some invalid
addresses are traversed in the process. *)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let rec materialize_pre_from_address callee_proc_name call_location ~pre ~addr_pre ~addr_caller
history call_state =
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let mk_action action =
[pulse] move [PulseTrace] inside [PulseDomain] Summary: Just moving code around. This is needed later to make some types in `PulseTrace` depend on a new that I'll have to define in `PulseDomain`. Also, this gives better names all around I think Reviewed By: mbouaziz Differential Revision: D15881281 fbshipit-source-id: e86c1472e
6 years ago
PulseDomain.InterprocAction.ViaCall
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
{action; f= Call callee_proc_name; location= call_location}
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
in
match visit call_state ~addr_callee:addr_pre ~addr_caller with
| `AlreadyVisited, call_state ->
Ok call_state
| `NotAlreadyVisited, call_state -> (
(let open Option.Monad_infix in
PulseDomain.Memory.find_opt addr_pre pre.PulseDomain.heap
>>= fun (edges_pre, attrs_pre) ->
PulseDomain.Attributes.get_must_be_valid attrs_pre
>>| fun callee_action ->
let action = mk_action callee_action in
match Memory.check_valid action addr_caller call_state.astate with
| Error invalidated_by ->
Error
[pulse] improve error messages and traces Summary: Feedback from peterogithub: - mention which access path is being invalidated and accessed in the message - mention the line at which it was invalidated (the line at which it's accessed is already the line at which we report) - traces for stack variable/C++ temporary address escapes - delete double implementation of the same functionality in `PulseTrace`: `location_of_action_start` is the same as `outer_location_of_action`... Reviewed By: jberdine Differential Revision: D14800294 fbshipit-source-id: 3d9ab9b3d
6 years ago
(PulseDiagnostic.AccessToInvalidAddress
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
{invalidated_by; accessed_by= {action; history}})
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
| Ok astate ->
let call_state = {call_state with astate} in
Container.fold_result
~fold:(IContainer.fold_of_pervasives_map_fold ~fold:Memory.Edges.fold)
~init:call_state edges_pre ~f:(fun call_state (access, (addr_pre_dest, _)) ->
let astate, (addr_caller_dest, _) =
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
Memory.eval_edge addr_caller access call_state.astate
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
in
let call_state = {call_state with astate} in
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
materialize_pre_from_address callee_proc_name call_location ~pre
[pulse] move [PulseTrace] inside [PulseDomain] Summary: Just moving code around. This is needed later to make some types in `PulseTrace` depend on a new that I'll have to define in `PulseDomain`. Also, this gives better names all around I think Reviewed By: mbouaziz Differential Revision: D15881281 fbshipit-source-id: e86c1472e
6 years ago
~addr_pre:addr_pre_dest ~addr_caller:addr_caller_dest history call_state ))
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
|> function Some result -> result | None -> Ok call_state )
(** materialize subgraph of [pre] rooted at the address represented by a [formal] parameter that
has been instantiated with the corresponding [actual] into the current state
[call_state.astate] *)
let materialize_pre_from_actual callee_proc_name call_location ~pre ~formal ~actual call_state =
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let addr_caller, trace = actual in
L.d_printfln "Materializing PRE from [%a <- %a]" Var.pp formal AbstractAddress.pp addr_caller ;
(let open Option.Monad_infix in
PulseDomain.Stack.find_opt formal pre.PulseDomain.stack
>>= fun (addr_formal_pre, _) ->
PulseDomain.Memory.find_edge_opt addr_formal_pre Dereference pre.PulseDomain.heap
>>| fun (formal_pre, _) ->
materialize_pre_from_address callee_proc_name call_location ~pre ~addr_pre:formal_pre
~addr_caller trace call_state)
|> function Some result -> result | None -> Ok call_state
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let is_cell_read_only ~cell_pre_opt ~cell_post:(edges_post, attrs_post) =
match cell_pre_opt with
| None ->
false
[pulse] Record writes explicitly as Attributes and get rid of heuristic in is_cell_read_only Reviewed By: jvillard Differential Revision: D16543753 fbshipit-source-id: 4c0d9fb41
6 years ago
| Some (edges_pre, _) when not (Attributes.is_modified attrs_post) ->
let are_edges_equal =
PulseDomain.Memory.Edges.equal
(fun (addr_dest_pre, _) (addr_dest_post, _) ->
(* NOTE: ignores traces
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
TODO: can the traces be leveraged here? maybe easy to detect writes by looking at
the post trace *)
[pulse] Record writes explicitly as Attributes and get rid of heuristic in is_cell_read_only Reviewed By: jvillard Differential Revision: D16543753 fbshipit-source-id: 4c0d9fb41
6 years ago
AbstractAddress.equal addr_dest_pre addr_dest_post )
edges_pre edges_post
in
if CommandLineOption.strict_mode then assert are_edges_equal ;
are_edges_equal
| _ ->
false
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
let materialize_pre_for_parameters callee_proc_name call_location pre_post ~formals ~actuals
call_state =
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
(* For each [(formal, actual)] pair, resolve them to addresses in their respective states then
call [materialize_pre_from] on them. Give up if calling the function introduces aliasing.
*)
match
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
IList.fold2_result formals actuals ~init:call_state ~f:(fun call_state formal (actual, _) ->
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
materialize_pre_from_actual callee_proc_name call_location
~pre:(pre_post.pre :> PulseDomain.t)
~formal ~actual call_state )
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
with
| Unequal_lengths ->
L.d_printfln "ERROR: formals have length %d but actuals have length %d"
(List.length formals) (List.length actuals) ;
None
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
| Ok result ->
Some result
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
let materialize_pre_for_globals callee_proc_name call_location pre_post call_state =
fold_globals_of_stack (pre_post.pre :> PulseDomain.t).stack call_state
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
~f:(fun _var ~stack_value:(addr_pre, history) ~addr_caller call_state ->
materialize_pre_from_address callee_proc_name call_location
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
~pre:(pre_post.pre :> PulseDomain.t)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
~addr_pre ~addr_caller history call_state )
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
let materialize_pre callee_proc_name call_location pre_post ~formals ~actuals call_state =
PerfEvent.(log (fun logger -> log_begin_event logger ~name:"pulse call pre" ())) ;
let r =
materialize_pre_for_parameters callee_proc_name call_location pre_post ~formals ~actuals
call_state
|> Option.map
~f:
(Result.bind ~f:(fun call_state ->
materialize_pre_for_globals callee_proc_name call_location pre_post call_state ))
in
PerfEvent.(log (fun logger -> log_end_event logger ())) ;
r
(* {3 applying the post to the current state} *)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let subst_find_or_new subst addr_callee =
match AddressMap.find_opt addr_callee subst with
| None ->
let addr_fresh = AbstractAddress.mk_fresh () in
(addr_fresh, AddressMap.add addr_callee addr_fresh subst)
| Some addr_caller ->
(addr_caller, subst)
let call_state_subst_find_or_new call_state addr_callee =
let addr_caller, new_subst = subst_find_or_new call_state.subst addr_callee in
if phys_equal new_subst call_state.subst then (call_state, addr_caller)
else ({call_state with subst= new_subst}, addr_caller)
let delete_edges_in_callee_pre_from_caller ~addr_callee:_ ~cell_pre_opt ~addr_caller call_state =
match
PulseDomain.Memory.find_edges_opt addr_caller (call_state.astate.post :> base_domain).heap
with
| None ->
PulseDomain.Memory.Edges.empty
| Some old_post_edges -> (
match cell_pre_opt with
| None ->
old_post_edges
| Some (edges_pre, _) ->
PulseDomain.Memory.Edges.merge
(fun _access old_opt pre_opt ->
(* TODO: should apply [call_state.subst] to [_access]! Actually, should rewrite the
whole [cell_pre] beforehand so that [Edges.merge] makes sense. *)
if Option.is_some pre_opt then
(* delete edge if some edge for the same access exists in the pre *)
None
else (* keep old edge if it exists *) old_opt )
old_post_edges edges_pre )
let add_call_to_attr proc_name location attr =
match (attr : PulseDomain.Attribute.t) with
[pulse] traces record how values were constructed Summary: Before: the trace would explain how a value was invalidated and accessed, but not how the value that was invalidated had been constructed. Now: `PulseTrace.t` records breadcrumbs of how the value was constructed in addition to the interproc "action" trace leading to the invalidation or access action. Concretely: ``` void bad(X &x) { X *y = x; X *z = x; delete y; access(z); } ``` will produce the trace: Invalidation part: y = x delete y Access part: z = x access(z) access to z->f inside of access(z) Before this diff the "Access part" would be missing the "z = x" part of the trace, so it might be confusing why `z` has anything to do with `y`. However, such "breadcrumbs" are not recorded in the inter-procedural part, only the sequence of calls is. This is a trade-off for simplicity, maybe it's enough for developers maybe it isn't, we'll find out later. Reviewed By: jberdine Differential Revision: D15354438 fbshipit-source-id: 8d0aed717
6 years ago
| Invalid trace ->
PulseDomain.Attribute.Invalid
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
{ action=
PulseDomain.InterprocAction.ViaCall
{action= trace.action; f= Call proc_name; location}
[pulse] move [PulseTrace] inside [PulseDomain] Summary: Just moving code around. This is needed later to make some types in `PulseTrace` depend on a new that I'll have to define in `PulseDomain`. Also, this gives better names all around I think Reviewed By: mbouaziz Differential Revision: D15881281 fbshipit-source-id: e86c1472e
6 years ago
; history= trace.history }
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
| MustBeValid _
[pulse] Record the trace of the address written to Reviewed By: skcho Differential Revision: D17004433 fbshipit-source-id: 937319c27
6 years ago
| WrittenTo _
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
| AddressOfCppTemporary (_, _)
| AddressOfStackVariable (_, _, _)
| Closure _
| StdVectorReserve ->
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
attr
[pulse][trivial] remove unecessary option type, exception catching, and mutual recursion Summary: Noticed that: - some option was always `Some _` - recording the post never raises `Aliasing` (only exploring the pre does) - a mutual recursion was unused Reviewed By: mbouaziz Differential Revision: D16050052 fbshipit-source-id: 7f77aae08
6 years ago
let record_post_cell callee_proc_name call_loc ~addr_callee ~cell_pre_opt
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
~cell_post:(edges_post, attrs_post) ~addr_caller call_state =
let post_edges_minus_pre =
delete_edges_in_callee_pre_from_caller ~addr_callee ~cell_pre_opt ~addr_caller call_state
in
[pulse] overwrite attributes of modified cells in interproc calls Summary: Previously we would union them with the previous attributes. I don't think that makes sense. Also change the interface a bit in preparation for the next commit. Reviewed By: mbouaziz Differential Revision: D16050051 fbshipit-source-id: 2e8f88f4e
6 years ago
let heap = (call_state.astate.post :> base_domain).heap in
let heap =
let attrs_post_caller =
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
Attributes.map ~f:(fun attr -> add_call_to_attr callee_proc_name call_loc attr) attrs_post
in
[pulse] overwrite attributes of modified cells in interproc calls Summary: Previously we would union them with the previous attributes. I don't think that makes sense. Also change the interface a bit in preparation for the next commit. Reviewed By: mbouaziz Differential Revision: D16050051 fbshipit-source-id: 2e8f88f4e
6 years ago
PulseDomain.Memory.set_attrs addr_caller attrs_post_caller heap
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
in
let subst, translated_post_edges =
PulseDomain.Memory.Edges.fold_map ~init:call_state.subst edges_post
~f:(fun subst (addr_callee, trace_post) ->
let addr_curr, subst = subst_find_or_new subst addr_callee in
( subst
, ( addr_curr
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
, PulseDomain.ValueHistory.Call {f= Call callee_proc_name; location= call_loc}
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
:: trace_post ) ) )
in
[pulse] overwrite attributes of modified cells in interproc calls Summary: Previously we would union them with the previous attributes. I don't think that makes sense. Also change the interface a bit in preparation for the next commit. Reviewed By: mbouaziz Differential Revision: D16050051 fbshipit-source-id: 2e8f88f4e
6 years ago
let heap =
let edges_post_caller =
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
PulseDomain.Memory.Edges.union
(fun _ _ post_cell -> Some post_cell)
post_edges_minus_pre translated_post_edges
in
[pulse] Record the trace of the address written to Reviewed By: skcho Differential Revision: D17004433 fbshipit-source-id: 937319c27
6 years ago
let written_to =
(let open Option.Monad_infix in
PulseDomain.Memory.find_opt addr_caller heap
>>= fun (_edges, attrs) ->
PulseDomain.Attributes.get_written_to attrs
>>| fun callee_action ->
PulseDomain.Attribute.WrittenTo
(PulseDomain.InterprocAction.ViaCall
{action= callee_action; f= Call callee_proc_name; location= call_loc}))
|> Option.value
~default:
(PulseDomain.Attribute.WrittenTo
(PulseDomain.InterprocAction.Immediate {imm= (); location= call_loc}))
in
[pulse] overwrite attributes of modified cells in interproc calls Summary: Previously we would union them with the previous attributes. I don't think that makes sense. Also change the interface a bit in preparation for the next commit. Reviewed By: mbouaziz Differential Revision: D16050051 fbshipit-source-id: 2e8f88f4e
6 years ago
PulseDomain.Memory.set_edges addr_caller edges_post_caller heap
[pulse] Record the trace of the address written to Reviewed By: skcho Differential Revision: D17004433 fbshipit-source-id: 937319c27
6 years ago
|> PulseDomain.Memory.add_attributes addr_caller
(PulseDomain.Attributes.singleton written_to)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
in
[pulse] overwrite attributes of modified cells in interproc calls Summary: Previously we would union them with the previous attributes. I don't think that makes sense. Also change the interface a bit in preparation for the next commit. Reviewed By: mbouaziz Differential Revision: D16050051 fbshipit-source-id: 2e8f88f4e
6 years ago
let caller_post = Domain.make (call_state.astate.post :> base_domain).stack heap in
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
{call_state with subst; astate= {call_state.astate with post= caller_post}}
[pulse][trivial] remove unecessary option type, exception catching, and mutual recursion Summary: Noticed that: - some option was always `Some _` - recording the post never raises `Aliasing` (only exploring the pre does) - a mutual recursion was unused Reviewed By: mbouaziz Differential Revision: D16050052 fbshipit-source-id: 7f77aae08
6 years ago
let rec record_post_for_address callee_proc_name call_loc ({pre; post} as pre_post) ~addr_callee
~addr_caller call_state =
L.d_printfln "%a<->%a" AbstractAddress.pp addr_callee AbstractAddress.pp addr_caller ;
match visit call_state ~addr_callee ~addr_caller with
| `AlreadyVisited, call_state ->
call_state
| `NotAlreadyVisited, call_state -> (
match PulseDomain.Memory.find_opt addr_callee (post :> PulseDomain.t).PulseDomain.heap with
| None ->
call_state
| Some ((edges_post, _attrs_post) as cell_post) ->
let cell_pre_opt =
PulseDomain.Memory.find_opt addr_callee (pre :> PulseDomain.t).PulseDomain.heap
in
let call_state_after_post =
if is_cell_read_only ~cell_pre_opt ~cell_post then call_state
else
record_post_cell callee_proc_name call_loc ~addr_callee ~cell_pre_opt ~addr_caller
~cell_post call_state
in
IContainer.fold_of_pervasives_map_fold ~fold:Memory.Edges.fold
~init:call_state_after_post edges_post
~f:(fun call_state (_access, (addr_callee_dest, _)) ->
let call_state, addr_curr_dest =
call_state_subst_find_or_new call_state addr_callee_dest
in
record_post_for_address callee_proc_name call_loc pre_post
~addr_callee:addr_callee_dest ~addr_caller:addr_curr_dest call_state ) )
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let record_post_for_actual callee_proc_name call_loc pre_post ~formal ~actual call_state =
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let addr_caller, _ = actual in
L.d_printfln_escaped "Recording POST from [%a] <-> %a" Var.pp formal AbstractAddress.pp
addr_caller ;
match
let open Option.Monad_infix in
PulseDomain.Stack.find_opt formal (pre_post.pre :> PulseDomain.t).PulseDomain.stack
>>= fun (addr_formal_pre, _) ->
PulseDomain.Memory.find_edge_opt addr_formal_pre Dereference
(pre_post.pre :> PulseDomain.t).PulseDomain.heap
>>| fun (formal_pre, _) ->
record_post_for_address callee_proc_name call_loc pre_post ~addr_callee:formal_pre
~addr_caller call_state
with
| Some call_state ->
call_state
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
| None ->
call_state
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let record_post_for_return callee_proc_name call_loc pre_post call_state =
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let return_var = Var.of_pvar (Pvar.get_ret_pvar callee_proc_name) in
[pulse] tighten up summaries Summary: Only throw values to the pre if they can be followed from "abducible" variables: formals of the current method and globals. Because figuring out if a `Pvar.t` is a formal of the current procedure is actually a giant pain, hack something not too bad instead: pre-register all formals at the start of the analysis of the procedure. Then the only other variables we care about in the precondition are globals, which we can detect easily. This is mostly an optimisation (summaries won't include irrelevant "abduced" facts about the procedure's local variables anymore), but it also fixes a bug where we would sometimes overwrite things in the pre. I think that's why the tests improved. Reviewed By: ngorogiannis Differential Revision: D14753493 fbshipit-source-id: 08e73637f
6 years ago
match PulseDomain.Stack.find_opt return_var (pre_post.post :> PulseDomain.t).stack with
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
| None ->
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
(call_state, None)
| Some (addr_return, _) -> (
match
PulseDomain.Memory.find_edge_opt addr_return Dereference
(pre_post.post :> PulseDomain.t).PulseDomain.heap
with
| None ->
(call_state, None)
| Some (return_callee, _) ->
let return_caller =
match AddressMap.find_opt return_callee call_state.subst with
| Some return_caller ->
return_caller
| None ->
AbstractAddress.mk_fresh ()
in
let call_state =
record_post_for_address callee_proc_name call_loc pre_post ~addr_callee:return_callee
~addr_caller:return_caller call_state
in
(call_state, Some return_caller) )
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
let apply_post_for_parameters callee_proc_name call_location pre_post ~formals ~actuals
call_state =
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
(* for each [(formal_i, actual_i)] pair, do [post_i = post union subst(graph reachable from
formal_i in post)], deleting previous info when comparing pre and post shows a difference
(TODO: record in the pre when a location is written to instead of just comparing values
between pre and post since it's unreliable, eg replace value read in pre with same value in
post but nuke other fields in the meantime? is that possible?). *)
match
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
List.fold2 formals actuals ~init:call_state ~f:(fun call_state formal (actual, _) ->
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
record_post_for_actual callee_proc_name call_location pre_post ~formal ~actual call_state
)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
with
| Unequal_lengths ->
(* should have been checked before by [materialize_pre] *)
assert false
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
| Ok call_state ->
[pulse][trivial] remove unecessary option type, exception catching, and mutual recursion Summary: Noticed that: - some option was always `Some _` - recording the post never raises `Aliasing` (only exploring the pre does) - a mutual recursion was unused Reviewed By: mbouaziz Differential Revision: D16050052 fbshipit-source-id: 7f77aae08
6 years ago
call_state
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
let apply_post_for_globals callee_proc_name call_location pre_post call_state =
match
fold_globals_of_stack (pre_post.pre :> PulseDomain.t).stack call_state
[pulse] improve error messages and traces Summary: Feedback from peterogithub: - mention which access path is being invalidated and accessed in the message - mention the line at which it was invalidated (the line at which it's accessed is already the line at which we report) - traces for stack variable/C++ temporary address escapes - delete double implementation of the same functionality in `PulseTrace`: `location_of_action_start` is the same as `outer_location_of_action`... Reviewed By: jberdine Differential Revision: D14800294 fbshipit-source-id: 3d9ab9b3d
6 years ago
~f:(fun _var ~stack_value:(addr_callee, _) ~addr_caller call_state ->
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
Ok
(record_post_for_address callee_proc_name call_location pre_post ~addr_callee
~addr_caller call_state) )
with
| Error _ ->
(* always return [Ok _] above *) assert false
| Ok call_state ->
call_state
[pulse] record attributes of address not edge-reachable in the post Summary: Sometimes the post of a function call has attributes on addresses that were mentioned in the pre but are no longer reachable in the post. We don't want to forget these, see added test. Reviewed By: mbouaziz Differential Revision: D16050050 fbshipit-source-id: 1ce522b97
6 years ago
let record_post_remaining_attributes callee_proc_name call_loc pre_post call_state =
let heap0 = (call_state.astate.post :> base_domain).heap in
let heap =
PulseDomain.Memory.fold_attrs
(fun addr_callee attrs heap ->
if AddressSet.mem addr_callee call_state.visited then
(* already recorded the attributes when we were walking the edges map *) heap
else
match AddressMap.find_opt addr_callee call_state.subst with
| None ->
(* callee address has no meaning for the caller *) heap
| Some addr_caller ->
let attrs' =
Attributes.map
~f:(fun attr -> add_call_to_attr callee_proc_name call_loc attr)
attrs
in
PulseDomain.Memory.set_attrs addr_caller attrs' heap )
(pre_post.post :> PulseDomain.t).heap heap0
in
if phys_equal heap heap0 then call_state
else
let post = Domain.make (call_state.astate.post :> PulseDomain.t).stack heap in
{call_state with astate= {call_state.astate with post}}
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let apply_post callee_proc_name call_location pre_post ~formals ~actuals call_state =
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
PerfEvent.(log (fun logger -> log_begin_event logger ~name:"pulse call post" ())) ;
let r =
apply_post_for_parameters callee_proc_name call_location pre_post ~formals ~actuals
call_state
[pulse][trivial] remove unecessary option type, exception catching, and mutual recursion Summary: Noticed that: - some option was always `Some _` - recording the post never raises `Aliasing` (only exploring the pre does) - a mutual recursion was unused Reviewed By: mbouaziz Differential Revision: D16050052 fbshipit-source-id: 7f77aae08
6 years ago
|> apply_post_for_globals callee_proc_name call_location pre_post
|> record_post_for_return callee_proc_name call_location pre_post
[pulse] record attributes of address not edge-reachable in the post Summary: Sometimes the post of a function call has attributes on addresses that were mentioned in the pre but are no longer reachable in the post. We don't want to forget these, see added test. Reviewed By: mbouaziz Differential Revision: D16050050 fbshipit-source-id: 1ce522b97
6 years ago
|> fun (call_state, return_caller) ->
( record_post_remaining_attributes callee_proc_name call_location pre_post call_state
, return_caller )
|> fun ({astate}, return_caller) -> (astate, return_caller)
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
in
PerfEvent.(log (fun logger -> log_end_event logger ())) ;
r
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
(* - read all the pre, assert validity of addresses and materializes *everything* (to throw stuff
in the *current* pre as appropriate so that callers of the current procedure will also know
about the deeper reads)
- for each actual, write the post for that actual
- if aliasing is introduced at any time then give up
questions:
- what if some preconditions raise lifetime issues but others don't? Have to be careful with
the noise that this will introduce since we don't care about values. For instance, if the pre
is for a path where [formal != 0] and we pass [0] then it will be an FP. Maybe the solution is
to bake in some value analysis. *)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let apply callee_proc_name call_location pre_post ~formals ~actuals astate =
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
L.d_printfln "Applying pre/post for %a(%a):@\n%a" Typ.Procname.pp callee_proc_name
(Pp.seq ~sep:"," Var.pp) formals pp pre_post ;
let empty_call_state =
{astate; subst= AddressMap.empty; rev_subst= AddressMap.empty; visited= AddressSet.empty}
in
(* read the precondition *)
match
materialize_pre callee_proc_name call_location pre_post ~formals ~actuals empty_call_state
with
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
| exception Aliasing ->
(* can't make sense of the pre-condition in the current context: give up on that particular
pre/post pair *)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
Ok (astate, None)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
| None ->
(* couldn't apply the pre for some technical reason (as in: not by the fault of the
programmer as far as we know) *)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
Ok (astate, None)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
| Some (Error _ as error) ->
(* error: the function call requires to read some state known to be invalid *)
error
[pulse][trivial] remove unecessary option type, exception catching, and mutual recursion Summary: Noticed that: - some option was always `Some _` - recording the post never raises `Aliasing` (only exploring the pre does) - a mutual recursion was unused Reviewed By: mbouaziz Differential Revision: D16050052 fbshipit-source-id: 7f77aae08
6 years ago
| Some (Ok call_state) ->
[pulse] apply summaries to globals too Summary: Similarly to function parameters (and the return value), we need to apply the pre/post of a function call to the globals mentioned in its summary. - tigthen summaries further to remember only abducible variables in the post (as well as in the pre) - take globals into account when applying pre/post pairs Reviewed By: jberdine Differential Revision: D14780800 fbshipit-source-id: fc0d180bb
6 years ago
(* reset [visited] *)
let call_state = {call_state with visited= AddressSet.empty} in
(* apply the postcondition *)
[pulse][trivial] remove unecessary option type, exception catching, and mutual recursion Summary: Noticed that: - some option was always `Some _` - recording the post never raises `Aliasing` (only exploring the pre does) - a mutual recursion was unused Reviewed By: mbouaziz Differential Revision: D16050052 fbshipit-source-id: 7f77aae08
6 years ago
Ok (apply_post callee_proc_name call_location pre_post ~formals ~actuals call_state)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
end