pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '14b9975cf3'
${ noResults }
infer_clone/infer/src/pulse/PulseModels.ml

245 lines
9.1 KiB
Raw Normal View History Unescape

[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
open Result.Monad_infix
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
type exec_fun =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
caller_summary:Summary.t
-> Location.t
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
-> ret:Ident.t * Typ.t
-> actuals:(PulseDomain.AddrTracePair.t * Typ.t) list
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
-> PulseAbductiveDomain.t
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
-> PulseAbductiveDomain.t list PulseOperations.access_result
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
type model = exec_fun
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
module Misc = struct
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
let shallow_copy model_desc : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:(ret_id, _) ~actuals astate ->
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
let event = PulseDomain.ValueHistory.Call {f= Model model_desc; location} in
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
( match actuals with
| [(dest_pointer_hist, _); (src_pointer_hist, _)] ->
PulseOperations.eval_access location src_pointer_hist Dereference astate
>>= fun (astate, obj) ->
PulseOperations.shallow_copy location obj astate
>>= fun (astate, obj_copy) ->
let obj_hist = snd obj in
PulseOperations.write_deref location ~ref:dest_pointer_hist
~obj:(obj_copy, event :: obj_hist)
astate
| _ ->
Ok astate )
>>| fun astate -> [PulseOperations.havoc_id ret_id [event] astate]
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
let early_exit : model = fun ~caller_summary:_ _ ~ret:_ ~actuals:_ _ -> Ok []
[pulse] skip `folly::SocketAddress::~SocketAddress` Summary: The constructor of `folly::SocketAddress` conditionally deletes some object and then makes that condition false. The destructor then does the same. Pulse ignores conditionals so will see a double delete. Just skip that function for now, but it should be easy for pulse to be more correct here if it knew how to compare constant values. Reviewed By: mbouaziz Differential Revision: D16005395 fbshipit-source-id: 036f5091b
6 years ago
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
let skip : model = fun ~caller_summary:_ _ ~ret:_ ~actuals:_ astate -> Ok [astate]
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
end
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
module C = struct
let free : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:_ ~actuals astate ->
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| [(deleted_access, _)] ->
PulseOperations.invalidate location
(PulseDomain.InterprocAction.Immediate {imm= PulseDomain.Invalidation.CFree; location})
deleted_access astate
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
>>| List.return
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
| _ ->
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
end
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
module Cplusplus = struct
let delete : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:_ ~actuals astate ->
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| [(deleted_access, _)] ->
PulseOperations.invalidate location
(PulseDomain.InterprocAction.Immediate {imm= PulseDomain.Invalidation.CppDelete; location})
deleted_access astate
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
>>| List.return
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
| _ ->
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
let placement_new : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:(ret_id, _) ~actuals astate ->
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
let event = PulseDomain.ValueHistory.Call {f= Model "<placement new>()"; location} in
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
match List.rev actuals with
| ((address, _), _) :: _ ->
Ok [PulseOperations.write_id ret_id (address, [event]) astate]
| _ ->
Ok [PulseOperations.havoc_id ret_id [event] astate]
end
module StdFunction = struct
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
let operator_call : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary location ~ret ~actuals astate ->
let havoc_ret (ret_id, _) astate =
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
let event = PulseDomain.ValueHistory.Call {f= Model "std::function::operator()"; location} in
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
[PulseOperations.havoc_id ret_id [event] astate]
in
match actuals with
| [] ->
Ok (havoc_ret ret astate)
| (lambda_ptr_hist, _) :: actuals -> (
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
PulseOperations.eval_access location lambda_ptr_hist Dereference astate
>>= fun (astate, (lambda, _)) ->
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
PulseOperations.Closures.check_captured_addresses
(PulseDomain.InterprocAction.Immediate {imm= (); location})
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
lambda astate
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
>>= fun astate ->
match PulseAbductiveDomain.Memory.get_closure_proc_name lambda astate with
| None ->
(* we don't know what proc name this lambda resolves to *) Ok (havoc_ret ret astate)
| Some callee_proc_name ->
PulseOperations.call ~caller_summary location callee_proc_name ~ret ~actuals astate )
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
end
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
module StdVector = struct
let internal_array =
Typ.Fieldname.Clang.from_class_name
(Typ.CStruct (QualifiedCppName.of_list ["std"; "vector"]))
"__internal_array"
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let to_internal_array location vector astate =
PulseOperations.eval_access location vector (FieldAccess internal_array) astate
[pulse] take array indices into account Summary: This will be useful to make the analysis more precise. In particular, it allows a disjunctive version of pulse to deal will deleting vector elements in a loop: without this, deleting an array element in one iteration will make the analysis think that the next array element is invalid too since they are all the same. By keep track of the index, we can detect when we are sure that two elements are the same and only report in that case. Reviewed By: ngorogiannis Differential Revision: D13431374 fbshipit-source-id: dae82deeb
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let element_of_internal_array location vector index astate =
to_internal_array location vector astate
>>= fun (astate, vector_internal_array) ->
PulseOperations.eval_access location vector_internal_array
(ArrayAccess (Typ.void, index))
astate
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let reallocate_internal_array trace vector vector_f location astate =
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
to_internal_array location vector astate
>>= fun (astate, array_address) ->
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let invalidation =
[pulse] move [PulseTrace] inside [PulseDomain] Summary: Just moving code around. This is needed later to make some types in `PulseTrace` depend on a new that I'll have to define in `PulseDomain`. Also, this gives better names all around I think Reviewed By: mbouaziz Differential Revision: D15881281 fbshipit-source-id: e86c1472e
6 years ago
PulseDomain.InterprocAction.Immediate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
{imm= PulseDomain.Invalidation.StdVector vector_f; location}
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
in
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
PulseOperations.invalidate_array_elements location invalidation array_address astate
>>= PulseOperations.invalidate_deref location invalidation array_address
>>= PulseOperations.havoc_field location vector internal_array trace
[pulse] Model std::vector::reserve to invalidate references to elements Summary: Similarly as `std::vector::push_back`, `std::vector::reserve` can invalidate the references to elements if the new size is bigger than the existing one. More info on `std::vector::reserve`: https://en.cppreference.com/w/cpp/container/vector/reserve Reviewed By: jvillard Differential Revision: D13340324 fbshipit-source-id: bf99b6923
6 years ago
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let invalidate_references vector_f : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:_ ~actuals astate ->
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| (vector, _) :: _ ->
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let crumb =
[pulse] move [PulseTrace] inside [PulseDomain] Summary: Just moving code around. This is needed later to make some types in `PulseTrace` depend on a new that I'll have to define in `PulseDomain`. Also, this gives better names all around I think Reviewed By: mbouaziz Differential Revision: D15881281 fbshipit-source-id: e86c1472e
6 years ago
PulseDomain.ValueHistory.Call
[pulse] move PulseInvalidation inside PulseDomain Summary: Just moving code around. This is needed later to make some types in `PulseInvalidation` depend on a new type that I'll have to define in `PulseDomain`. Reviewed By: mbouaziz Differential Revision: D15824962 fbshipit-source-id: 86cba2bfb
6 years ago
{ f=
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
Model
(Format.asprintf "%a()" PulseDomain.Invalidation.pp_std_vector_function vector_f)
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
; location }
in
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
reallocate_internal_array [crumb] vector vector_f location astate >>| List.return
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
| _ ->
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
let at : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret ~actuals astate ->
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
let event = PulseDomain.ValueHistory.Call {f= Model "std::vector::at()"; location} in
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| [(vector, _); (index, _)] ->
element_of_internal_array location vector (fst index) astate
>>| fun (astate, (addr, _)) -> [PulseOperations.write_id (fst ret) (addr, [event]) astate]
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
| _ ->
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
Ok [PulseOperations.havoc_id (fst ret) [event] astate]
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
let reserve : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:_ ~actuals astate ->
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| [(vector, _); _value] ->
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
let crumb = PulseDomain.ValueHistory.Call {f= Model "std::vector::reserve()"; location} in
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
reallocate_internal_array [crumb] vector Reserve location astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
>>| PulseAbductiveDomain.Memory.std_vector_reserve (fst vector)
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
>>| List.return
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
| _ ->
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
let push_back : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:_ ~actuals astate ->
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| [(vector, _); _value] ->
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
let crumb = PulseDomain.ValueHistory.Call {f= Model "std::vector::push_back()"; location} in
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
if PulseAbductiveDomain.Memory.is_std_vector_reserved (fst vector) astate then
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
(* assume that any call to [push_back] is ok after one called [reserve] on the same vector
(a perfect analysis would also make sure we don't exceed the reserved size) *)
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
else
(* simulate a re-allocation of the underlying array every time an element is added *)
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
reallocate_internal_array [crumb] vector PushBack location astate >>| List.return
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
| _ ->
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
end
module ProcNameDispatcher = struct
let dispatch : (unit, model) ProcnameDispatcher.ProcName.dispatcher =
let open ProcnameDispatcher.ProcName in
make_dispatcher
[pulse] skip `folly::SocketAddress::~SocketAddress` Summary: The constructor of `folly::SocketAddress` conditionally deletes some object and then makes that condition false. The destructor then does the same. Pulse ignores conditionals so will see a double delete. Just skip that function for now, but it should be easy for pulse to be more correct here if it knew how to compare constant values. Reviewed By: mbouaziz Differential Revision: D16005395 fbshipit-source-id: 036f5091b
6 years ago
[ -"folly" &:: "DelayedDestruction" &:: "destroy" &--> Misc.skip
[pulse] skip `folly::Optional::reset()` Summary: Similar to D16005395: `folly::Optional` has a boolean field to know if it needs to destroy the wrapped object and pulse ignores that completely, causing false positives each time an `Optional` is created around something with a non-trivial destructor. Reviewed By: mbouaziz Differential Revision: D16030149 fbshipit-source-id: aeed4a0b3
6 years ago
; -"folly" &:: "Optional" &:: "reset" &--> Misc.skip
[pulse] skip `folly::SocketAddress::~SocketAddress` Summary: The constructor of `folly::SocketAddress` conditionally deletes some object and then makes that condition false. The destructor then does the same. Pulse ignores conditionals so will see a double delete. Just skip that function for now, but it should be easy for pulse to be more correct here if it knew how to compare constant values. Reviewed By: mbouaziz Differential Revision: D16005395 fbshipit-source-id: 036f5091b
6 years ago
; -"folly" &:: "SocketAddress" &:: "~SocketAddress" &--> Misc.skip
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
; -"std" &:: "function" &:: "operator()" &--> StdFunction.operator_call
; -"std" &:: "function" &:: "operator=" &--> Misc.shallow_copy "std::function::operator="
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
; -"std" &:: "vector" &:: "assign" &--> StdVector.invalidate_references Assign
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
; -"std" &:: "vector" &:: "clear" &--> StdVector.invalidate_references Clear
; -"std" &:: "vector" &:: "emplace" &--> StdVector.invalidate_references Emplace
; -"std" &:: "vector" &:: "emplace_back" &--> StdVector.invalidate_references EmplaceBack
; -"std" &:: "vector" &:: "insert" &--> StdVector.invalidate_references Insert
; -"std" &:: "vector" &:: "operator[]" &--> StdVector.at
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
; -"std" &:: "vector" &:: "push_back" &--> StdVector.push_back
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
; -"std" &:: "vector" &:: "reserve" &--> StdVector.reserve
; -"std" &:: "vector" &:: "shrink_to_fit" &--> StdVector.invalidate_references ShrinkToFit ]
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
end
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
let builtins_dispatcher =
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
let builtins =
[ (BuiltinDecl.__delete, Cplusplus.delete)
[clang] leave markers of variable initialization for pulse Summary: When initialising a variable via semi-exotic means, the frontend loses the information that the variable was initialised. For instance, it translates: ``` struct Foo { int i; }; ... Foo s = {42}; ``` as: ``` s.i := 42 ``` This can be confusing for backends that need to know that `s` actually got initialised, eg pulse. The solution implemented here is to insert of dummy call to `__variable_initiazition`: ``` __variable_initialization(&s); s.i := 42; ``` Then checkers can recognise that this builtin function does what its name says. Reviewed By: mbouaziz Differential Revision: D12887122 fbshipit-source-id: 6e7214438
6 years ago
; (BuiltinDecl.__placement_new, Cplusplus.placement_new)
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
; (BuiltinDecl.abort, Misc.early_exit)
; (BuiltinDecl.exit, Misc.early_exit)
; (BuiltinDecl.free, C.free)
; (BuiltinDecl.objc_cpp_throw, Misc.early_exit) ]
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
in
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
let builtins_map =
Hashtbl.create
( module struct
include Typ.Procname
let hash = Caml.Hashtbl.hash
let sexp_of_t _ = assert false
end )
in
List.iter builtins ~f:(fun (builtin, model) ->
let open PolyVariantEqual in
assert (Hashtbl.add builtins_map ~key:builtin ~data:model = `Ok) ) ;
fun proc_name -> Hashtbl.find builtins_map proc_name
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
let dispatch proc_name flags =
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
match builtins_dispatcher proc_name with
| Some _ as result ->
result
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
| None -> (
match ProcNameDispatcher.dispatch () proc_name with
| Some _ as result ->
result
| None ->
if flags.CallFlags.cf_noreturn then Some Misc.early_exit else None )