pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1652144176'
${ noResults }
infer_clone/infer/src/pulse/PulseBaseDomain.ml

477 lines
17 KiB
Raw Normal View History Unescape

[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
module F = Format
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
module L = Logging
[pulse][1/9] create PulseBasicInterface, with CallEvent Summary: Problem: PulseDomain.ml is pretty big, and contains lots of small modules. The Infer build being a bit monolithic at the moment, it is hard to split all these small modules off without creating some confusion about which abstraction barries lay where. For instance, it's fine to use `PulseDomain.ValueHistory` anywhere, but using `PulseDomain` itself is sometimes bad when one should use `PulseAbductiveDomain` instead. Proposal: a poorman's library mechanism based on module aliasing. This stack of diffs creates new Pulse* modules for all these small, safe to use modules, together with `PulseBasicInterface.ml`, which aliases these modules to remove the `Pulse` prefix. At the end of the stack, it will contain: ``` module AbstractValue = PulseAbstractValue module Attribute = PulseAttribute module Attributes = PulseAttribute.Attributes module CallEvent = PulseCallEvent module Diagnostic = PulseDiagnostic module Invalidation = PulseInvalidation module Trace = PulseTrace module ValueHistory = PulseValueHistory ``` This "interface" module can be opened in other pulse modules freely. Reviewed By: ezgicicek Differential Revision: D17955104 fbshipit-source-id: 13d3aa2b5
5 years ago
open PulseBasicInterface
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse] join of memory graphs Summary: Instead of the non-sensical piecewise join we had until now write a proper one. Hopefully the comments explain what it does. Main one: ``` (* high-level idea: maintain some union-find data structure to identify locations in one heap with locations in the other heap. Build the initial join state as follows: - equate all locations that correspond to identical variables in both stacks, eg joining stacks {x=1} and {x=2} adds "1=2" to the unification. - add all addresses reachable from stack variables to the join state heap This gives us an abstract state that is the union of both abstract states, but more states can still be made equal. For instance, if 1 points to 3 in the first heap and 2 points to 4 in the second heap and we deduced "1 = 2" from the stacks already (as in the example just above) then we can deduce "3 = 4". Proceed in this fashion until no more equalities are discovered, and return the abstract state where a canonical representative has been chosen consistently for each equivalence class (this is what the union-find data structure gives us). *) ``` Reviewed By: mbouaziz Differential Revision: D10483978 fbshipit-source-id: f6ffd7528
6 years ago
(* {2 Abstract domain description } *)
[pulse] more issue types and add details about why locations get invalidated Summary: This is more flexible and allows us to give more details when reporting. Reviewed By: mbouaziz Differential Revision: D10509336 fbshipit-source-id: 79c3ac1c8
6 years ago
(* {3 Heap domain } *)
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
module AddrHistPair = struct
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
type t = AbstractValue.t * ValueHistory.t [@@deriving compare]
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let pp f addr_trace =
if Config.debug_level_analysis >= 3 then
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
Pp.pair ~fst:AbstractValue.pp ~snd:ValueHistory.pp f addr_trace
else AbstractValue.pp f (fst addr_trace)
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
end
[pulse] do not use access paths as they forget about &/* Summary: Now the domain can reason about `&` and `*` too. When recording `&` between two locations also record a back-edge `*`, and vice-versa. Reviewed By: mbouaziz Differential Revision: D10509335 fbshipit-source-id: 8091b6ec0
6 years ago
module Memory : sig
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
module Access : sig
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
include PrettyPrintable.PrintableOrderedType with type t = AbstractValue.t HilExp.Access.t
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
val equal : t -> t -> bool
end
[HIL][1/4] make `Access.t` polymorphic in the array access Summary: This will be useful for proper support of array indexes in pulse and in HIL in general. Reviewed By: mbouaziz Differential Revision: D13377642 fbshipit-source-id: e431121fb
6 years ago
module Edges : PrettyPrintable.PPMap with type key = Access.t
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
type edges = AddrHistPair.t Edges.t
[pulse] do not use access paths as they forget about &/* Summary: Now the domain can reason about `&` and `*` too. When recording `&` between two locations also record a back-edge `*`, and vice-versa. Reviewed By: mbouaziz Differential Revision: D10509335 fbshipit-source-id: 8091b6ec0
6 years ago
[pulse] utility method `PulseDomain.Memory.pp_edges` Summary: Useful for debugging, not used at the moment. Reviewed By: ngorogiannis Differential Revision: D17131275 fbshipit-source-id: 2edbdc517
6 years ago
val pp_edges : F.formatter -> edges -> unit
[pulse] record attributes inside memory cells instead of separately Summary: It turns out keeping attributes (such as invalidation facts) separate from the memory is a bad idea and leads to loss of precision and false positives, as seen in the new test (which previously generated a report). Allow me to illustrate on this example, which is a stylised version of the issue in the added test: previously we'd have: ``` state1 = { x = 1; invalids={} } state2 = { x = 2; invalids ={1} } join(state1, state2) = { x = {1, 2}; invalids={{1, 2}} } ``` So even though none of the states said that `x` pointed to an invalid location, the join state says it does because `1` and `2` have been glommed together. The fact `x=1` from `state1` and the fact "1 is invalid" from `state2` conspire together and `x` is now invalid even though it shouldn't. Instead, if we record attributes as part of the memory we get that `x` is still valid after the join: ``` state1 = { x = (1, {}) } state2 = { x = (2, {}) } join(state1, state2) = { x = ({1, 2}, {}) } ``` Reviewed By: mbouaziz Differential Revision: D12958130 fbshipit-source-id: 53dc81cc7
6 years ago
type cell = edges * Attributes.t
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
type t
[pulse] do not use access paths as they forget about &/* Summary: Now the domain can reason about `&` and `*` too. When recording `&` between two locations also record a back-edge `*`, and vice-versa. Reviewed By: mbouaziz Differential Revision: D10509335 fbshipit-source-id: 8091b6ec0
6 years ago
val empty : t
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val filter : (AbstractValue.t -> bool) -> t -> t
[pulse] collect garbage (unreachable) heap parts from time to time Summary: It's useful to keep the size of states down, especially when humans are trying to read it. It will also help keep the size of summaries down in the inter-procedural pulse. Reviewed By: mbouaziz Differential Revision: D14258486 fbshipit-source-id: 45ebcac67
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val filter_heap : (AbstractValue.t -> edges -> bool) -> t -> t
[pulse] Remove bindings with empty edges in pre Reviewed By: jvillard Differential Revision: D16419183 fbshipit-source-id: 858958ddd
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val find_opt : AbstractValue.t -> t -> cell option
[pulse] do not use access paths as they forget about &/* Summary: Now the domain can reason about `&` and `*` too. When recording `&` between two locations also record a back-edge `*`, and vice-versa. Reviewed By: mbouaziz Differential Revision: D10509335 fbshipit-source-id: 8091b6ec0
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val fold_attrs : (AbstractValue.t -> Attributes.t -> 'acc -> 'acc) -> t -> 'acc -> 'acc
[pulse] record attributes of address not edge-reachable in the post Summary: Sometimes the post of a function call has attributes on addresses that were mentioned in the pre but are no longer reachable in the post. We don't want to forget these, see added test. Reviewed By: mbouaziz Differential Revision: D16050050 fbshipit-source-id: 1ce522b97
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val set_attrs : AbstractValue.t -> Attributes.t -> t -> t
[pulse] overwrite attributes of modified cells in interproc calls Summary: Previously we would union them with the previous attributes. I don't think that makes sense. Also change the interface a bit in preparation for the next commit. Reviewed By: mbouaziz Differential Revision: D16050051 fbshipit-source-id: 2e8f88f4e
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val set_edges : AbstractValue.t -> edges -> t -> t
[pulse] no addresses in attributes Summary: This removes the "abstract addresses" that used to be stored in the `Closure` attribute of pulse abstract addresses. There used to be a list of values recorded for each closure, each one representing one captured value. Instead these values are now recorded as fake edges in the memory graph. Having addresses appear in attributes causes issues when trying to establish graph isomorphism between two memory states. Avoid it by rewriting the closures mechanism to encode captured addresses as fake edges in memory. This way captured addresses are automatically treated right by the graph algorithms (in the next diffs). Reviewed By: mbouaziz Differential Revision: D14323044 fbshipit-source-id: 413b4d989
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val set_cell : AbstractValue.t -> cell -> t -> t
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val find_edges_opt : AbstractValue.t -> t -> edges option
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val mem_edges : AbstractValue.t -> t -> bool
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][minor] easier-to-understand debug output Summary: - number the disjuncts in the abstract state and in the specs: #0, #1, ... This makes it much easier to know which disjunct the rest of the debug output is talking about, eg in "Executing from disjunct #N" messages - label the currently-inferred precondition with `PRE=` instead of just putting it in square brackets - print value histories when the debug level is >= 3 - separate the memory printing into heap and attributes labelled more explicitly For example, before: ``` 2 disjuncts: { {visited= false; astate= { heap=({ v1 -> { * -> v3 }, v2 -> { * -> v5 } }, { v5 -> { CppDelete(was invalidated by `delete`) } }); stack={ &n=v1, &ptr=v2 };} [{ heap=({ v1 -> { * -> v3 }, v2 -> { * -> v5 }, v3 -> { }, v5 -> { } }, { v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 58, column 12) }, v5 -> { MustBeValid (read by line 58, column 5) } }); stack={ &n=v1, &ptr=v2 };}]}, {visited= false; astate= { heap=({ v1 -> { * -> v3 }, v2 -> { * -> v7 } }, { v7 -> { CppDelete(was invalidated by `delete`) } }); stack={ &n=v1, &ptr=v2 };} [{ heap=({ v1 -> { * -> v3 }, v2 -> { * -> v7 }, v3 -> { }, v7 -> { } }, { v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 60, column 12) }, v7 -> { MustBeValid (read by line 60, column 5) } }); stack={ &n=v1, &ptr=v2 };}]} } ``` after: ``` 2 disjuncts: #0: visited=false; { roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v4 } }; attrs={ v3 -> { =7 }, v4 -> { CppDelete(was invalidated by `delete`) } };} PRE=[{ roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v4 }, v3 -> { }, v4 -> { } }; attrs={ v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 58, column 12) }, v4 -> { MustBeValid (read by line 58, column 5) } };}] #1: visited=false; { roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v5 } }; attrs={ v5 -> { CppDelete(was invalidated by `delete`) } };} PRE=[{ roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v5 }, v3 -> { }, v5 -> { } }; attrs={ v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 60, column 12) }, v5 -> { MustBeValid (read by line 60, column 5) } };}] ``` Reviewed By: ezgicicek Differential Revision: D17906167 fbshipit-source-id: 2e14325c8
5 years ago
val pp_heap : F.formatter -> t -> unit
val pp_attributes : F.formatter -> t -> unit
[pulse] do not use access paths as they forget about &/* Summary: Now the domain can reason about `&` and `*` too. When recording `&` between two locations also record a back-edge `*`, and vice-versa. Reviewed By: mbouaziz Differential Revision: D10509335 fbshipit-source-id: 8091b6ec0
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val register_address : AbstractValue.t -> t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
val add_edge : AbstractValue.t -> Access.t -> AddrHistPair.t -> t -> t
[pulse] do not use access paths as they forget about &/* Summary: Now the domain can reason about `&` and `*` too. When recording `&` between two locations also record a back-edge `*`, and vice-versa. Reviewed By: mbouaziz Differential Revision: D10509335 fbshipit-source-id: 8091b6ec0
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
val find_edge_opt : AbstractValue.t -> Access.t -> t -> AddrHistPair.t option
[pulse] do not use access paths as they forget about &/* Summary: Now the domain can reason about `&` and `*` too. When recording `&` between two locations also record a back-edge `*`, and vice-versa. Reviewed By: mbouaziz Differential Revision: D10509335 fbshipit-source-id: 8091b6ec0
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val add_attribute : AbstractValue.t -> Attribute.t -> t -> t
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val invalidate : AbstractValue.t * ValueHistory.t -> Invalidation.t -> Location.t -> t -> t
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val check_valid : AbstractValue.t -> t -> (unit, Invalidation.t Trace.t) result
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val get_closure_proc_name : AbstractValue.t -> t -> Typ.Procname.t option
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val get_constant : AbstractValue.t -> t -> Const.t option
[pulse] use constant equality to prune unfeasible paths Summary: When we know "x = 3" and we have a condition "x != 3" we know we can prune the corresponding path. Reviewed By: skcho Differential Revision: D17665472 fbshipit-source-id: 988958ea6
5 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val std_vector_reserve : AbstractValue.t -> t -> t
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val is_std_vector_reserved : AbstractValue.t -> t -> bool
[pulse] record attributes inside memory cells instead of separately Summary: It turns out keeping attributes (such as invalidation facts) separate from the memory is a bad idea and leads to loss of precision and false positives, as seen in the new test (which previously generated a report). Allow me to illustrate on this example, which is a stylised version of the issue in the added test: previously we'd have: ``` state1 = { x = 1; invalids={} } state2 = { x = 2; invalids ={1} } join(state1, state2) = { x = {1, 2}; invalids={{1, 2}} } ``` So even though none of the states said that `x` pointed to an invalid location, the join state says it does because `1` and `2` have been glommed together. The fact `x=1` from `state1` and the fact "1 is invalid" from `state2` conspire together and `x` is now invalid even though it shouldn't. Instead, if we record attributes as part of the memory we get that `x` is still valid after the join: ``` state1 = { x = (1, {}) } state2 = { x = (2, {}) } join(state1, state2) = { x = ({1, 2}, {}) } ``` Reviewed By: mbouaziz Differential Revision: D12958130 fbshipit-source-id: 53dc81cc7
6 years ago
end = struct
[HIL][1/4] make `Access.t` polymorphic in the array access Summary: This will be useful for proper support of array indexes in pulse and in HIL in general. Reviewed By: mbouaziz Differential Revision: D13377642 fbshipit-source-id: e431121fb
6 years ago
module Access = struct
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
type t = AbstractValue.t HilExp.Access.t [@@deriving compare]
[HIL][1/4] make `Access.t` polymorphic in the array access Summary: This will be useful for proper support of array indexes in pulse and in HIL in general. Reviewed By: mbouaziz Differential Revision: D13377642 fbshipit-source-id: e431121fb
6 years ago
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
let equal = [%compare.equal: t]
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
let pp = HilExp.Access.pp AbstractValue.pp
[HIL][1/4] make `Access.t` polymorphic in the array access Summary: This will be useful for proper support of array indexes in pulse and in HIL in general. Reviewed By: mbouaziz Differential Revision: D13377642 fbshipit-source-id: e431121fb
6 years ago
end
module Edges = PrettyPrintable.MakePPMap (Access)
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
type edges = AddrHistPair.t Edges.t [@@deriving compare]
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
let pp_edges = Edges.pp ~pp_value:AddrHistPair.pp
[pulse] utility method `PulseDomain.Memory.pp_edges` Summary: Useful for debugging, not used at the moment. Reviewed By: ngorogiannis Differential Revision: D17131275 fbshipit-source-id: 2edbdc517
6 years ago
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
type cell = edges * Attributes.t
[pulse] join of memory graphs Summary: Instead of the non-sensical piecewise join we had until now write a proper one. Hopefully the comments explain what it does. Main one: ``` (* high-level idea: maintain some union-find data structure to identify locations in one heap with locations in the other heap. Build the initial join state as follows: - equate all locations that correspond to identical variables in both stacks, eg joining stacks {x=1} and {x=2} adds "1=2" to the unification. - add all addresses reachable from stack variables to the join state heap This gives us an abstract state that is the union of both abstract states, but more states can still be made equal. For instance, if 1 points to 3 in the first heap and 2 points to 4 in the second heap and we deduced "1 = 2" from the stacks already (as in the example just above) then we can deduce "3 = 4". Proceed in this fashion until no more equalities are discovered, and return the abstract state where a canonical representative has been chosen consistently for each equivalence class (this is what the union-find data structure gives us). *) ``` Reviewed By: mbouaziz Differential Revision: D10483978 fbshipit-source-id: f6ffd7528
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
module Graph = PrettyPrintable.MakePPMap (AbstractValue)
[pulse] record attributes inside memory cells instead of separately Summary: It turns out keeping attributes (such as invalidation facts) separate from the memory is a bad idea and leads to loss of precision and false positives, as seen in the new test (which previously generated a report). Allow me to illustrate on this example, which is a stylised version of the issue in the added test: previously we'd have: ``` state1 = { x = 1; invalids={} } state2 = { x = 2; invalids ={1} } join(state1, state2) = { x = {1, 2}; invalids={{1, 2}} } ``` So even though none of the states said that `x` pointed to an invalid location, the join state says it does because `1` and `2` have been glommed together. The fact `x=1` from `state1` and the fact "1 is invalid" from `state2` conspire together and `x` is now invalid even though it shouldn't. Instead, if we record attributes as part of the memory we get that `x` is still valid after the join: ``` state1 = { x = (1, {}) } state2 = { x = (2, {}) } join(state1, state2) = { x = ({1, 2}, {}) } ``` Reviewed By: mbouaziz Differential Revision: D12958130 fbshipit-source-id: 53dc81cc7
6 years ago
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
type t = edges Graph.t * Attributes.t Graph.t
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][minor] easier-to-understand debug output Summary: - number the disjuncts in the abstract state and in the specs: #0, #1, ... This makes it much easier to know which disjunct the rest of the debug output is talking about, eg in "Executing from disjunct #N" messages - label the currently-inferred precondition with `PRE=` instead of just putting it in square brackets - print value histories when the debug level is >= 3 - separate the memory printing into heap and attributes labelled more explicitly For example, before: ``` 2 disjuncts: { {visited= false; astate= { heap=({ v1 -> { * -> v3 }, v2 -> { * -> v5 } }, { v5 -> { CppDelete(was invalidated by `delete`) } }); stack={ &n=v1, &ptr=v2 };} [{ heap=({ v1 -> { * -> v3 }, v2 -> { * -> v5 }, v3 -> { }, v5 -> { } }, { v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 58, column 12) }, v5 -> { MustBeValid (read by line 58, column 5) } }); stack={ &n=v1, &ptr=v2 };}]}, {visited= false; astate= { heap=({ v1 -> { * -> v3 }, v2 -> { * -> v7 } }, { v7 -> { CppDelete(was invalidated by `delete`) } }); stack={ &n=v1, &ptr=v2 };} [{ heap=({ v1 -> { * -> v3 }, v2 -> { * -> v7 }, v3 -> { }, v7 -> { } }, { v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 60, column 12) }, v7 -> { MustBeValid (read by line 60, column 5) } }); stack={ &n=v1, &ptr=v2 };}]} } ``` after: ``` 2 disjuncts: #0: visited=false; { roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v4 } }; attrs={ v3 -> { =7 }, v4 -> { CppDelete(was invalidated by `delete`) } };} PRE=[{ roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v4 }, v3 -> { }, v4 -> { } }; attrs={ v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 58, column 12) }, v4 -> { MustBeValid (read by line 58, column 5) } };}] #1: visited=false; { roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v5 } }; attrs={ v5 -> { CppDelete(was invalidated by `delete`) } };} PRE=[{ roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v5 }, v3 -> { }, v5 -> { } }; attrs={ v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 60, column 12) }, v5 -> { MustBeValid (read by line 60, column 5) } };}] ``` Reviewed By: ezgicicek Differential Revision: D17906167 fbshipit-source-id: 2e14325c8
5 years ago
let pp_heap fmt (heap, _) = Graph.pp ~pp_value:pp_edges fmt heap
let pp_attributes fmt (_, attrs) = Graph.pp ~pp_value:Attributes.pp fmt attrs
[pulse] more aggressive join Summary: Do the intersection of the heap and stack domains, and the union of the invalid location sets. This forgets invalid locations that appear only in one heap, unfortunately. We can start with this and improve later. Reviewed By: mbouaziz Differential Revision: D10445825 fbshipit-source-id: cc24460af
6 years ago
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let register_address addr memory =
if Graph.mem addr (fst memory) then memory
else (Graph.add addr Edges.empty (fst memory), snd memory)
[pulse] join of memory graphs Summary: Instead of the non-sensical piecewise join we had until now write a proper one. Hopefully the comments explain what it does. Main one: ``` (* high-level idea: maintain some union-find data structure to identify locations in one heap with locations in the other heap. Build the initial join state as follows: - equate all locations that correspond to identical variables in both stacks, eg joining stacks {x=1} and {x=2} adds "1=2" to the unification. - add all addresses reachable from stack variables to the join state heap This gives us an abstract state that is the union of both abstract states, but more states can still be made equal. For instance, if 1 points to 3 in the first heap and 2 points to 4 in the second heap and we deduced "1 = 2" from the stacks already (as in the example just above) then we can deduce "3 = 4". Proceed in this fashion until no more equalities are discovered, and return the abstract state where a canonical representative has been chosen consistently for each equivalence class (this is what the union-find data structure gives us). *) ``` Reviewed By: mbouaziz Differential Revision: D10483978 fbshipit-source-id: f6ffd7528
6 years ago
(* {3 Helper functions to traverse the two maps at once } *)
[pulse] more aggressive join Summary: Do the intersection of the heap and stack domains, and the union of the invalid location sets. This forgets invalid locations that appear only in one heap, unfortunately. We can start with this and improve later. Reviewed By: mbouaziz Differential Revision: D10445825 fbshipit-source-id: cc24460af
6 years ago
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let add_edge addr_src access value memory =
[pulse] perf win: separate edges from attrs in memory Summary: Before: the abstract state represents heap addresses as a single map from addresses to edges + attributes. After: the heap is made of 2 maps: one mapping addresses to edges, and one mapping an address to its attributes. It turns out that edges and attributes are often not updated at the same time, so keeping them in the same map was causing pressure on the OCaml gc. Reviewed By: mbouaziz Differential Revision: D14147991 fbshipit-source-id: 6713eeb3c
6 years ago
let old_edges = Graph.find_opt addr_src (fst memory) |> Option.value ~default:Edges.empty in
let new_edges = Edges.add access value old_edges in
if phys_equal old_edges new_edges then memory
else (Graph.add addr_src new_edges (fst memory), snd memory)
[pulse] more aggressive join Summary: Do the intersection of the heap and stack domains, and the union of the invalid location sets. This forgets invalid locations that appear only in one heap, unfortunately. We can start with this and improve later. Reviewed By: mbouaziz Differential Revision: D10445825 fbshipit-source-id: cc24460af
6 years ago
[pulse] rename `Location` -> `Address` and better reporting Summary: `Location` was clashing with the `Location` module, so use `Address` instead. When invalidating an address, remember the "actor" of its invalidation, i.e. the access expression leading to the address and the source location of the corresponding instruction. When checking accesses, also pass the actor responsible for the access, so that when we raise an error we know: 1. when and why a location was invalidated 2. when and why we tried to read it after that Reviewed By: mbouaziz Differential Revision: D10446282 fbshipit-source-id: 3ca4fb3d4
6 years ago
let find_edge_opt addr access memory =
[pulse] more aggressive join Summary: Do the intersection of the heap and stack domains, and the union of the invalid location sets. This forgets invalid locations that appear only in one heap, unfortunately. We can start with this and improve later. Reviewed By: mbouaziz Differential Revision: D10445825 fbshipit-source-id: cc24460af
6 years ago
let open Option.Monad_infix in
[pulse] perf win: separate edges from attrs in memory Summary: Before: the abstract state represents heap addresses as a single map from addresses to edges + attributes. After: the heap is made of 2 maps: one mapping addresses to edges, and one mapping an address to its attributes. It turns out that edges and attributes are often not updated at the same time, so keeping them in the same map was causing pressure on the OCaml gc. Reviewed By: mbouaziz Differential Revision: D14147991 fbshipit-source-id: 6713eeb3c
6 years ago
Graph.find_opt addr (fst memory) >>= Edges.find_opt access
[pulse] more issue types and add details about why locations get invalidated Summary: This is more flexible and allows us to give more details when reporting. Reviewed By: mbouaziz Differential Revision: D10509336 fbshipit-source-id: 79c3ac1c8
6 years ago
[pulse] join of memory graphs Summary: Instead of the non-sensical piecewise join we had until now write a proper one. Hopefully the comments explain what it does. Main one: ``` (* high-level idea: maintain some union-find data structure to identify locations in one heap with locations in the other heap. Build the initial join state as follows: - equate all locations that correspond to identical variables in both stacks, eg joining stacks {x=1} and {x=2} adds "1=2" to the unification. - add all addresses reachable from stack variables to the join state heap This gives us an abstract state that is the union of both abstract states, but more states can still be made equal. For instance, if 1 points to 3 in the first heap and 2 points to 4 in the second heap and we deduced "1 = 2" from the stacks already (as in the example just above) then we can deduce "3 = 4". Proceed in this fashion until no more equalities are discovered, and return the abstract state where a canonical representative has been chosen consistently for each equivalence class (this is what the union-find data structure gives us). *) ``` Reviewed By: mbouaziz Differential Revision: D10483978 fbshipit-source-id: f6ffd7528
6 years ago
[pulse] use `Memory.add_attribute` for singleton attributes sets Summary: Turns out `Memory.add_attributes` was only used to add singletons so deleted that in the process. Reviewed By: skcho Differential Revision: D17627725 fbshipit-source-id: 0abe3889d
5 years ago
let add_attribute addr attribute memory =
match Graph.find_opt addr (snd memory) with
| None ->
(fst memory, Graph.add addr (Attributes.singleton attribute) (snd memory))
| Some old_attrs ->
let new_attrs = Attributes.add old_attrs attribute in
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
(fst memory, Graph.add addr new_attrs (snd memory))
[pulse] join of memory graphs Summary: Instead of the non-sensical piecewise join we had until now write a proper one. Hopefully the comments explain what it does. Main one: ``` (* high-level idea: maintain some union-find data structure to identify locations in one heap with locations in the other heap. Build the initial join state as follows: - equate all locations that correspond to identical variables in both stacks, eg joining stacks {x=1} and {x=2} adds "1=2" to the unification. - add all addresses reachable from stack variables to the join state heap This gives us an abstract state that is the union of both abstract states, but more states can still be made equal. For instance, if 1 points to 3 in the first heap and 2 points to 4 in the second heap and we deduced "1 = 2" from the stacks already (as in the example just above) then we can deduce "3 = 4". Proceed in this fashion until no more equalities are discovered, and return the abstract state where a canonical representative has been chosen consistently for each equivalence class (this is what the union-find data structure gives us). *) ``` Reviewed By: mbouaziz Differential Revision: D10483978 fbshipit-source-id: f6ffd7528
6 years ago
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
let invalidate (address, history) invalid location memory =
let invalidation = Trace.Immediate {imm= invalid; location; history} in
add_attribute address (Attribute.Invalid invalidation) memory
[pulse] rename `Location` -> `Address` and better reporting Summary: `Location` was clashing with the `Location` module, so use `Address` instead. When invalidating an address, remember the "actor" of its invalidation, i.e. the access expression leading to the address and the source location of the corresponding instruction. When checking accesses, also pass the actor responsible for the access, so that when we raise an error we know: 1. when and why a location was invalidated 2. when and why we tried to read it after that Reviewed By: mbouaziz Differential Revision: D10446282 fbshipit-source-id: 3ca4fb3d4
6 years ago
[pulse][minor] move attributes function around Summary: imjustmovingshitaround Reviewed By: mbouaziz Differential Revision: D14258488 fbshipit-source-id: e32d61b88
6 years ago
let check_valid address memory =
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
L.d_printfln "Checking validity of %a" AbstractValue.pp address ;
[pulse] perf win: separate edges from attrs in memory Summary: Before: the abstract state represents heap addresses as a single map from addresses to edges + attributes. After: the heap is made of 2 maps: one mapping addresses to edges, and one mapping an address to its attributes. It turns out that edges and attributes are often not updated at the same time, so keeping them in the same map was causing pressure on the OCaml gc. Reviewed By: mbouaziz Differential Revision: D14147991 fbshipit-source-id: 6713eeb3c
6 years ago
match Graph.find_opt address (snd memory) |> Option.bind ~f:Attributes.get_invalid with
[pulse][minor] move attributes function around Summary: imjustmovingshitaround Reviewed By: mbouaziz Differential Revision: D14258488 fbshipit-source-id: e32d61b88
6 years ago
| Some invalidation ->
Error invalidation
| None ->
Ok ()
[pulse] rename `Location` -> `Address` and better reporting Summary: `Location` was clashing with the `Location` module, so use `Address` instead. When invalidating an address, remember the "actor" of its invalidation, i.e. the access expression leading to the address and the source location of the corresponding instruction. When checking accesses, also pass the actor responsible for the access, so that when we raise an error we know: 1. when and why a location was invalidated 2. when and why we tried to read it after that Reviewed By: mbouaziz Differential Revision: D10446282 fbshipit-source-id: 3ca4fb3d4
6 years ago
[pulse] back to sounder joins Summary: Now that arrays are dealt with separately (see previous diff), we can turn the join back into an over-approximation as far as invalid locations are concerned. Reviewed By: skcho Differential Revision: D12881989 fbshipit-source-id: fd85e49c0
6 years ago
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
let get_closure_proc_name address memory =
Graph.find_opt address (snd memory)
|> Option.bind ~f:(fun attributes -> Attributes.get_closure_proc_name attributes)
[pulse] use constant equality to prune unfeasible paths Summary: When we know "x = 3" and we have a condition "x != 3" we know we can prune the corresponding path. Reviewed By: skcho Differential Revision: D17665472 fbshipit-source-id: 988958ea6
5 years ago
let get_constant address memory =
Graph.find_opt address (snd memory)
|> Option.bind ~f:(fun attributes -> Attributes.get_constant attributes)
[pulse] switch back to having a single abstract address per stack variable and heap location Summary: Mostly a revert of D13190876 once the disjunctive domain is in place. Reviewed By: da319 Differential Revision: D13432488 fbshipit-source-id: f1e98ef0d
6 years ago
let std_vector_reserve address memory = add_attribute address Attribute.StdVectorReserve memory
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
[pulse] switch back to having a single abstract address per stack variable and heap location Summary: Mostly a revert of D13190876 once the disjunctive domain is in place. Reviewed By: da319 Differential Revision: D13432488 fbshipit-source-id: f1e98ef0d
6 years ago
let is_std_vector_reserved address memory =
[pulse] perf win: separate edges from attrs in memory Summary: Before: the abstract state represents heap addresses as a single map from addresses to edges + attributes. After: the heap is made of 2 maps: one mapping addresses to edges, and one mapping an address to its attributes. It turns out that edges and attributes are often not updated at the same time, so keeping them in the same map was causing pressure on the OCaml gc. Reviewed By: mbouaziz Differential Revision: D14147991 fbshipit-source-id: 6713eeb3c
6 years ago
Graph.find_opt address (snd memory)
[pulse] switch back to having a single abstract address per stack variable and heap location Summary: Mostly a revert of D13190876 once the disjunctive domain is in place. Reviewed By: da319 Differential Revision: D13432488 fbshipit-source-id: f1e98ef0d
6 years ago
|> Option.value_map ~default:false ~f:(fun attributes ->
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
Attributes.is_std_vector_reserved attributes )
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
[pulse] generalise "invalid" addresses as sets of attributes Summary: Instead of keeping at most one invalidation fact for each address, keep a set of them and call them "attributes". Keeping a set of invalidation facts is redundant since we always only want the smallest one, but makes the implementation simpler, especially once we add more kinds of attributes (used for modelling, see next diffs). Reviewed By: mbouaziz Differential Revision: D12939839 fbshipit-source-id: 4a54c2132
6 years ago
[pulse] record attributes inside memory cells instead of separately Summary: It turns out keeping attributes (such as invalidation facts) separate from the memory is a bad idea and leads to loss of precision and false positives, as seen in the new test (which previously generated a report). Allow me to illustrate on this example, which is a stylised version of the issue in the added test: previously we'd have: ``` state1 = { x = 1; invalids={} } state2 = { x = 2; invalids ={1} } join(state1, state2) = { x = {1, 2}; invalids={{1, 2}} } ``` So even though none of the states said that `x` pointed to an invalid location, the join state says it does because `1` and `2` have been glommed together. The fact `x=1` from `state1` and the fact "1 is invalid" from `state2` conspire together and `x` is now invalid even though it shouldn't. Instead, if we record attributes as part of the memory we get that `x` is still valid after the join: ``` state1 = { x = (1, {}) } state2 = { x = (2, {}) } join(state1, state2) = { x = ({1, 2}, {}) } ``` Reviewed By: mbouaziz Differential Revision: D12958130 fbshipit-source-id: 53dc81cc7
6 years ago
(* {3 Monomorphic {!PPMap} interface as needed } *)
[pulse] generalise "invalid" addresses as sets of attributes Summary: Instead of keeping at most one invalidation fact for each address, keep a set of them and call them "attributes". Keeping a set of invalidation facts is redundant since we always only want the smallest one, but makes the implementation simpler, especially once we add more kinds of attributes (used for modelling, see next diffs). Reviewed By: mbouaziz Differential Revision: D12939839 fbshipit-source-id: 4a54c2132
6 years ago
[pulse] perf win: separate edges from attrs in memory Summary: Before: the abstract state represents heap addresses as a single map from addresses to edges + attributes. After: the heap is made of 2 maps: one mapping addresses to edges, and one mapping an address to its attributes. It turns out that edges and attributes are often not updated at the same time, so keeping them in the same map was causing pressure on the OCaml gc. Reviewed By: mbouaziz Differential Revision: D14147991 fbshipit-source-id: 6713eeb3c
6 years ago
let empty = (Graph.empty, Graph.empty)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let find_edges_opt addr memory = Graph.find_opt addr (fst memory)
let find_attrs_opt addr memory = Graph.find_opt addr (snd memory)
[pulse] perf win: separate edges from attrs in memory Summary: Before: the abstract state represents heap addresses as a single map from addresses to edges + attributes. After: the heap is made of 2 maps: one mapping addresses to edges, and one mapping an address to its attributes. It turns out that edges and attributes are often not updated at the same time, so keeping them in the same map was causing pressure on the OCaml gc. Reviewed By: mbouaziz Differential Revision: D14147991 fbshipit-source-id: 6713eeb3c
6 years ago
let find_opt addr memory =
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
match (find_edges_opt addr memory, find_attrs_opt addr memory) with
[pulse] perf win: separate edges from attrs in memory Summary: Before: the abstract state represents heap addresses as a single map from addresses to edges + attributes. After: the heap is made of 2 maps: one mapping addresses to edges, and one mapping an address to its attributes. It turns out that edges and attributes are often not updated at the same time, so keeping them in the same map was causing pressure on the OCaml gc. Reviewed By: mbouaziz Differential Revision: D14147991 fbshipit-source-id: 6713eeb3c
6 years ago
| None, None ->
None
| edges_opt, attrs_opt ->
let edges = Option.value edges_opt ~default:Edges.empty in
let attrs = Option.value attrs_opt ~default:Attributes.empty in
Some (edges, attrs)
[pulse] generalise "invalid" addresses as sets of attributes Summary: Instead of keeping at most one invalidation fact for each address, keep a set of them and call them "attributes". Keeping a set of invalidation facts is redundant since we always only want the smallest one, but makes the implementation simpler, especially once we add more kinds of attributes (used for modelling, see next diffs). Reviewed By: mbouaziz Differential Revision: D12939839 fbshipit-source-id: 4a54c2132
6 years ago
[pulse] record attributes of address not edge-reachable in the post Summary: Sometimes the post of a function call has attributes on addresses that were mentioned in the pre but are no longer reachable in the post. We don't want to forget these, see added test. Reviewed By: mbouaziz Differential Revision: D16050050 fbshipit-source-id: 1ce522b97
6 years ago
let fold_attrs f memory init = Graph.fold f (snd memory) init
[pulse] overwrite attributes of modified cells in interproc calls Summary: Previously we would union them with the previous attributes. I don't think that makes sense. Also change the interface a bit in preparation for the next commit. Reviewed By: mbouaziz Differential Revision: D16050051 fbshipit-source-id: 2e8f88f4e
6 years ago
let set_attrs addr attrs memory = (fst memory, Graph.add addr attrs (snd memory))
let set_edges addr edges memory = (Graph.add addr edges (fst memory), snd memory)
[pulse] perf win: separate edges from attrs in memory Summary: Before: the abstract state represents heap addresses as a single map from addresses to edges + attributes. After: the heap is made of 2 maps: one mapping addresses to edges, and one mapping an address to its attributes. It turns out that edges and attributes are often not updated at the same time, so keeping them in the same map was causing pressure on the OCaml gc. Reviewed By: mbouaziz Differential Revision: D14147991 fbshipit-source-id: 6713eeb3c
6 years ago
let set_cell addr (edges, attrs) memory =
(Graph.add addr edges (fst memory), Graph.add addr attrs (snd memory))
[pulse] rename `Location` -> `Address` and better reporting Summary: `Location` was clashing with the `Location` module, so use `Address` instead. When invalidating an address, remember the "actor" of its invalidation, i.e. the access expression leading to the address and the source location of the corresponding instruction. When checking accesses, also pass the actor responsible for the access, so that when we raise an error we know: 1. when and why a location was invalidated 2. when and why we tried to read it after that Reviewed By: mbouaziz Differential Revision: D10446282 fbshipit-source-id: 3ca4fb3d4
6 years ago
[pulse] no addresses in attributes Summary: This removes the "abstract addresses" that used to be stored in the `Closure` attribute of pulse abstract addresses. There used to be a list of values recorded for each closure, each one representing one captured value. Instead these values are now recorded as fake edges in the memory graph. Having addresses appear in attributes causes issues when trying to establish graph isomorphism between two memory states. Avoid it by rewriting the closures mechanism to encode captured addresses as fake edges in memory. This way captured addresses are automatically treated right by the graph algorithms (in the next diffs). Reviewed By: mbouaziz Differential Revision: D14323044 fbshipit-source-id: 413b4d989
6 years ago
[pulse] perf win: separate edges from attrs in memory Summary: Before: the abstract state represents heap addresses as a single map from addresses to edges + attributes. After: the heap is made of 2 maps: one mapping addresses to edges, and one mapping an address to its attributes. It turns out that edges and attributes are often not updated at the same time, so keeping them in the same map was causing pressure on the OCaml gc. Reviewed By: mbouaziz Differential Revision: D14147991 fbshipit-source-id: 6713eeb3c
6 years ago
let filter f memory =
let heap = Graph.filter (fun address _ -> f address) (fst memory) in
let attrs = Graph.filter (fun address _ -> f address) (snd memory) in
if phys_equal heap (fst memory) && phys_equal attrs (snd memory) then memory else (heap, attrs)
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] Remove bindings with empty edges in pre Reviewed By: jvillard Differential Revision: D16419183 fbshipit-source-id: 858958ddd
6 years ago
let filter_heap f memory =
let heap = Graph.filter f (fst memory) in
if phys_equal heap (fst memory) then memory else (heap, snd memory)
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let mem_edges addr memory = Graph.mem addr (fst memory)
[pulse] record attributes inside memory cells instead of separately Summary: It turns out keeping attributes (such as invalidation facts) separate from the memory is a bad idea and leads to loss of precision and false positives, as seen in the new test (which previously generated a report). Allow me to illustrate on this example, which is a stylised version of the issue in the added test: previously we'd have: ``` state1 = { x = 1; invalids={} } state2 = { x = 2; invalids ={1} } join(state1, state2) = { x = {1, 2}; invalids={{1, 2}} } ``` So even though none of the states said that `x` pointed to an invalid location, the join state says it does because `1` and `2` have been glommed together. The fact `x=1` from `state1` and the fact "1 is invalid" from `state2` conspire together and `x` is now invalid even though it shouldn't. Instead, if we record attributes as part of the memory we get that `x` is still valid after the join: ``` state1 = { x = (1, {}) } state2 = { x = (2, {}) } join(state1, state2) = { x = ({1, 2}, {}) } ``` Reviewed By: mbouaziz Differential Revision: D12958130 fbshipit-source-id: 53dc81cc7
6 years ago
end
[pulse] generalise "invalid" addresses as sets of attributes Summary: Instead of keeping at most one invalidation fact for each address, keep a set of them and call them "attributes". Keeping a set of invalidation facts is redundant since we always only want the smallest one, but makes the implementation simpler, especially once we add more kinds of attributes (used for modelling, see next diffs). Reviewed By: mbouaziz Differential Revision: D12939839 fbshipit-source-id: 4a54c2132
6 years ago
[pulse] remove last traces of join/widen Summary: Instead of defining `let join .. = assert false` introduce simplified module signatures for domains without join/widen as used in disjunctive domains. Reviewed By: mbouaziz, skcho Differential Revision: D14568271 fbshipit-source-id: 6484335c9
6 years ago
(** Stacks: map addresses of variables to values and initialisation location. *)
[HIL][pulse] add disjunctive domain Summary: Introduce machinery to do disjunctive HIL domains and use it for pulse, but only in a mode that preserves the existing behaviour. The disjunctive domain is a functor that turns any (HIL for now) transfer function module into one operating on sets of elements of the original domain. The behaviour of joins (and widenings, which are equal to joins) can be chosen when instantiating the functor among 3 behaviours: - `` `JoinAfter n`: when the set of disjuncts gets bigger than `n` the underlying domain's join is called to collapse them into one state - `` `UnderApproximateAfter n`: when the sest of disjuncts gets bigger than `n` then just stop adding new states to it, drop any further states on the floor. This corresponds to an under-approximation/bounded approach. - `` `NeverJoin` The widening is always of the form `` `UnderApproximateAfterNumIterations max_iter` for now since the only user is pulse and I'm not sure what else would be useful. Picking `` `JoinAfter 0` gives the same results as the non-disjunctive domain since the underlying `join` will always be called. Make pulse use this mode for now, and tune it in a next diff. Reviewed By: mbouaziz Differential Revision: D13431375 fbshipit-source-id: b93aa50e7
6 years ago
module Stack = struct
[pulse] better pretty-printing of stacks Summary: Instead of `x -> 4` print the more accurate `&x=4`. Reviewed By: da319 Differential Revision: D13518669 fbshipit-source-id: 6ca28d0e1
6 years ago
module VarAddress = struct
include Var
let pp f var =
let pp_ampersand f = function
| ProgramVar _ ->
F.pp_print_string f "&"
| LogicalVar _ ->
()
in
F.fprintf f "%a%a" pp_ampersand var Var.pp var
end
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
include PrettyPrintable.MakePPMonoMap (VarAddress) (AddrHistPair)
[pulse] better pretty-printing of stacks Summary: Instead of `x -> 4` print the more accurate `&x=4`. Reviewed By: da319 Differential Revision: D13518669 fbshipit-source-id: 6ca28d0e1
6 years ago
let pp fmt m =
let pp_item fmt (var_address, v) =
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
F.fprintf fmt "%a=%a" VarAddress.pp var_address AddrHistPair.pp v
[pulse] better pretty-printing of stacks Summary: Instead of `x -> 4` print the more accurate `&x=4`. Reviewed By: da319 Differential Revision: D13518669 fbshipit-source-id: 6ca28d0e1
6 years ago
in
PrettyPrintable.pp_collection ~pp_item fmt (bindings m)
[pulse] switch back to having a single abstract address per stack variable and heap location Summary: Mostly a revert of D13190876 once the disjunctive domain is in place. Reviewed By: da319 Differential Revision: D13432488 fbshipit-source-id: f1e98ef0d
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
let compare = compare AddrHistPair.compare
[HIL][pulse] add disjunctive domain Summary: Introduce machinery to do disjunctive HIL domains and use it for pulse, but only in a mode that preserves the existing behaviour. The disjunctive domain is a functor that turns any (HIL for now) transfer function module into one operating on sets of elements of the original domain. The behaviour of joins (and widenings, which are equal to joins) can be chosen when instantiating the functor among 3 behaviours: - `` `JoinAfter n`: when the set of disjuncts gets bigger than `n` the underlying domain's join is called to collapse them into one state - `` `UnderApproximateAfter n`: when the sest of disjuncts gets bigger than `n` then just stop adding new states to it, drop any further states on the floor. This corresponds to an under-approximation/bounded approach. - `` `NeverJoin` The widening is always of the form `` `UnderApproximateAfterNumIterations max_iter` for now since the only user is pulse and I'm not sure what else would be useful. Picking `` `JoinAfter 0` gives the same results as the non-disjunctive domain since the underlying `join` will always be called. Make pulse use this mode for now, and tune it in a next diff. Reviewed By: mbouaziz Differential Revision: D13431375 fbshipit-source-id: b93aa50e7
6 years ago
end
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
type t = {heap: Memory.t; stack: Stack.t}
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let empty =
[pulse] record attributes inside memory cells instead of separately Summary: It turns out keeping attributes (such as invalidation facts) separate from the memory is a bad idea and leads to loss of precision and false positives, as seen in the new test (which previously generated a report). Allow me to illustrate on this example, which is a stylised version of the issue in the added test: previously we'd have: ``` state1 = { x = 1; invalids={} } state2 = { x = 2; invalids ={1} } join(state1, state2) = { x = {1, 2}; invalids={{1, 2}} } ``` So even though none of the states said that `x` pointed to an invalid location, the join state says it does because `1` and `2` have been glommed together. The fact `x=1` from `state1` and the fact "1 is invalid" from `state2` conspire together and `x` is now invalid even though it shouldn't. Instead, if we record attributes as part of the memory we get that `x` is still valid after the join: ``` state1 = { x = (1, {}) } state2 = { x = (2, {}) } join(state1, state2) = { x = ({1, 2}, {}) } ``` Reviewed By: mbouaziz Differential Revision: D12958130 fbshipit-source-id: 53dc81cc7
6 years ago
{ heap=
Memory.empty
(* TODO: we could record that 0 is an invalid address at this point but this makes the
analysis go a bit overboard with the Nullptr reports. *)
; stack= Stack.empty }
[pulse] more aggressive join Summary: Do the intersection of the heap and stack domains, and the union of the invalid location sets. This forgets invalid locations that appear only in one heap, unfortunately. We can start with this and improve later. Reviewed By: mbouaziz Differential Revision: D10445825 fbshipit-source-id: cc24460af
6 years ago
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
(** comparison between two elements of the domain to determine the [<=] relation
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
Given two states [lhs] and [rhs], try to find a bijection [lhs_to_rhs] (with inverse
[rhs_to_lhs]) between the addresses of [lhs] and [rhs] such that [lhs_to_rhs(reachable(lhs)) =
reachable(rhs)] (where addresses are reachable if they are reachable from stack variables). *)
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
module GraphComparison = struct
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
module AddressMap = PrettyPrintable.MakePPMap (AbstractValue)
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
(** translation between the abstract values on the LHS and the ones on the RHS *)
type mapping =
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
{ rhs_to_lhs: AbstractValue.t AddressMap.t (** map from RHS values to LHS *)
; lhs_to_rhs: AbstractValue.t AddressMap.t (** inverse map from [rhs_to_lhs] *) }
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
let empty_mapping = {rhs_to_lhs= AddressMap.empty; lhs_to_rhs= AddressMap.empty}
let pp_mapping fmt {rhs_to_lhs; lhs_to_rhs} =
F.fprintf fmt "@[<v>{ rhs_to_lhs=@[<hv2>%a@];@,lhs_to_rhs=@[<hv2>%a@];@,}@]"
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
(AddressMap.pp ~pp_value:AbstractValue.pp)
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
rhs_to_lhs
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
(AddressMap.pp ~pp_value:AbstractValue.pp)
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
lhs_to_rhs
(** try to add the fact that [addr_lhs] corresponds to [addr_rhs] to the [mapping] *)
let record_equal ~addr_lhs ~addr_rhs mapping =
(* have we seen [addr_lhs] before?.. *)
match AddressMap.find_opt addr_lhs mapping.lhs_to_rhs with
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
| Some addr_rhs' when not (AbstractValue.equal addr_rhs addr_rhs') ->
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
(* ...yes, but it was bound to another address *)
L.d_printfln
"Aliasing in LHS not in RHS: LHS address %a in current already bound to %a, not %a@\n\
State=%a"
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
AbstractValue.pp addr_lhs AbstractValue.pp addr_rhs' AbstractValue.pp addr_rhs pp_mapping
mapping ;
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
`AliasingLHS
| Some _addr_rhs (* [_addr_rhs = addr_rhs] *) ->
`AlreadyVisited
| None -> (
(* ...and have we seen [addr_rhs] before?.. *)
match AddressMap.find_opt addr_rhs mapping.rhs_to_lhs with
| Some addr_lhs' ->
(* ...yes, but it was bound to another address: [addr_lhs' != addr_lhs] otherwise we would
have found [addr_lhs] in the [lhs_to_rhs] map above *)
L.d_printfln
"Aliasing in RHS not in LHS: RHS address %a in current already bound to %a, not %a@\n\
State=%a"
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
AbstractValue.pp addr_rhs AbstractValue.pp addr_lhs' AbstractValue.pp addr_lhs
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
pp_mapping mapping ;
`AliasingRHS
| None ->
(* [addr_rhs] and [addr_lhs] are both new, record that they correspond to each other *)
let mapping' =
{ rhs_to_lhs= AddressMap.add addr_rhs addr_lhs mapping.rhs_to_lhs
; lhs_to_rhs= AddressMap.add addr_lhs addr_rhs mapping.lhs_to_rhs }
in
`NotAlreadyVisited mapping' )
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
type isograph_relation =
| NotIsomorphic (** no mapping was found that can make LHS the same as the RHS *)
| IsomorphicUpTo of mapping (** [mapping(lhs)] is isomorphic to [rhs] *)
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
(** can we extend [mapping] so that the subgraph of [lhs] rooted at [addr_lhs] is isomorphic to
the subgraph of [rhs] rooted at [addr_rhs]? *)
let rec isograph_map_from_address ~lhs ~addr_lhs ~rhs ~addr_rhs mapping =
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
L.d_printfln "%a<->%a@\n" AbstractValue.pp addr_lhs AbstractValue.pp addr_rhs ;
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
match record_equal mapping ~addr_lhs ~addr_rhs with
| `AlreadyVisited ->
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
IsomorphicUpTo mapping
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
| `AliasingRHS | `AliasingLHS ->
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
NotIsomorphic
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
| `NotAlreadyVisited mapping -> (
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
let get_non_empty_cell = function
| None ->
None
| Some (edges, attrs) when Memory.Edges.is_empty edges && Attributes.is_empty attrs ->
(* this can happen because of [register_address] or because we don't care to delete empty
edges when removing edges *)
None
| Some _ as some_cell ->
some_cell
in
let lhs_cell_opt = Memory.find_opt addr_lhs lhs.heap |> get_non_empty_cell in
let rhs_cell_opt = Memory.find_opt addr_rhs rhs.heap |> get_non_empty_cell in
match (lhs_cell_opt, rhs_cell_opt) with
| None, None ->
IsomorphicUpTo mapping
| Some _, None | None, Some _ ->
NotIsomorphic
| Some (edges_rhs, attrs_rhs), Some (edges_lhs, attrs_lhs) ->
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
(* continue the comparison recursively on all edges and attributes *)
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
if Attributes.equal attrs_rhs attrs_lhs then
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
let bindings_lhs = Memory.Edges.bindings edges_lhs in
let bindings_rhs = Memory.Edges.bindings edges_rhs in
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
isograph_map_edges ~lhs ~edges_lhs:bindings_lhs ~rhs ~edges_rhs:bindings_rhs mapping
else NotIsomorphic )
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
(** check that the isograph relation can be extended for all edges *)
and isograph_map_edges ~lhs ~edges_lhs ~rhs ~edges_rhs mapping =
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
match (edges_lhs, edges_rhs) with
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
| [], [] ->
IsomorphicUpTo mapping
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
| (a_lhs, (addr_lhs, _trace_lhs)) :: edges_lhs, (a_rhs, (addr_rhs, _trace_rhs)) :: edges_rhs
when Memory.Access.equal a_lhs a_rhs -> (
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
(* check isograph relation from the destination addresses *)
match isograph_map_from_address ~lhs ~addr_lhs ~rhs ~addr_rhs mapping with
| IsomorphicUpTo mapping ->
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
(* ok: continue with the other edges *)
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
isograph_map_edges ~lhs ~edges_lhs ~rhs ~edges_rhs mapping
| NotIsomorphic ->
NotIsomorphic )
| _ :: _, _ :: _ | [], _ :: _ | _ :: _, [] ->
NotIsomorphic
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
(** check that the memory graph induced by the addresses in [lhs] reachable from the variables in
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
[stack_lhs] is a isograph of the same graph in [rhs] starting from [stack_rhs], up to some
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
[mapping] *)
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
let rec isograph_map_from_stack ~lhs ~stack_lhs ~rhs ~stack_rhs mapping =
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
match (stack_lhs, stack_rhs) with
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
| [], [] ->
IsomorphicUpTo mapping
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
| ( (var_lhs, (addr_lhs, _trace_lhs)) :: stack_lhs
, (var_rhs, (addr_rhs, _trace_rhs)) :: stack_rhs )
when Var.equal var_lhs var_rhs -> (
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
match isograph_map_from_address ~lhs ~addr_lhs ~rhs ~addr_rhs mapping with
| IsomorphicUpTo mapping ->
isograph_map_from_stack ~lhs ~stack_lhs ~rhs ~stack_rhs mapping
| NotIsomorphic ->
NotIsomorphic )
| _ :: _, _ :: _ | [], _ :: _ | _ :: _, [] ->
NotIsomorphic
let isograph_map ~lhs ~rhs mapping =
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
let stack_lhs = Stack.bindings lhs.stack in
let stack_rhs = Stack.bindings rhs.stack in
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
isograph_map_from_stack ~lhs ~rhs ~stack_lhs ~stack_rhs mapping
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
let is_isograph ~lhs ~rhs mapping =
match isograph_map ~lhs ~rhs mapping with IsomorphicUpTo _ -> true | NotIsomorphic -> false
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
end
[pulse] join of memory graphs Summary: Instead of the non-sensical piecewise join we had until now write a proper one. Hopefully the comments explain what it does. Main one: ``` (* high-level idea: maintain some union-find data structure to identify locations in one heap with locations in the other heap. Build the initial join state as follows: - equate all locations that correspond to identical variables in both stacks, eg joining stacks {x=1} and {x=2} adds "1=2" to the unification. - add all addresses reachable from stack variables to the join state heap This gives us an abstract state that is the union of both abstract states, but more states can still be made equal. For instance, if 1 points to 3 in the first heap and 2 points to 4 in the second heap and we deduced "1 = 2" from the stacks already (as in the example just above) then we can deduce "3 = 4". Proceed in this fashion until no more equalities are discovered, and return the abstract state where a canonical representative has been chosen consistently for each equivalence class (this is what the union-find data structure gives us). *) ``` Reviewed By: mbouaziz Differential Revision: D10483978 fbshipit-source-id: f6ffd7528
6 years ago
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
let ( <= ) ~lhs ~rhs =
[pulse] |- is now true only of isomorphic graphs Summary: Previously we would say that `lhs <= rhs` (or `lhs |- rhs`) when a mapping existed between the abstract addresses of `lhs` and `rhs` such that `mapping(lhs)` was a supergraph of `rhs`. In particular, we had that `x |-> x' * x' |-> x'' |- x |-> x'`. This is not entirely great, in particular once we get pairs of state representing footprint + current state. I'm not sure I have an extremely compelling argument why though, except that it's not the usual way we do implication in SL, but there wasn't a compelling argument for the previous state of affairs either. This changes `|-` to be true only when `mapping(lhs) = rhs` (modulo only considering the addresses reachable from the stack variables). Reviewed By: jberdine Differential Revision: D14568272 fbshipit-source-id: 1bb83950e
6 years ago
phys_equal lhs rhs || GraphComparison.is_isograph ~lhs ~rhs GraphComparison.empty_mapping
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
[pulse] join of memory graphs Summary: Instead of the non-sensical piecewise join we had until now write a proper one. Hopefully the comments explain what it does. Main one: ``` (* high-level idea: maintain some union-find data structure to identify locations in one heap with locations in the other heap. Build the initial join state as follows: - equate all locations that correspond to identical variables in both stacks, eg joining stacks {x=1} and {x=2} adds "1=2" to the unification. - add all addresses reachable from stack variables to the join state heap This gives us an abstract state that is the union of both abstract states, but more states can still be made equal. For instance, if 1 points to 3 in the first heap and 2 points to 4 in the second heap and we deduced "1 = 2" from the stacks already (as in the example just above) then we can deduce "3 = 4". Proceed in this fashion until no more equalities are discovered, and return the abstract state where a canonical representative has been chosen consistently for each equivalence class (this is what the union-find data structure gives us). *) ``` Reviewed By: mbouaziz Differential Revision: D10483978 fbshipit-source-id: f6ffd7528
6 years ago
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
let pp fmt {heap; stack} =
[pulse][minor] easier-to-understand debug output Summary: - number the disjuncts in the abstract state and in the specs: #0, #1, ... This makes it much easier to know which disjunct the rest of the debug output is talking about, eg in "Executing from disjunct #N" messages - label the currently-inferred precondition with `PRE=` instead of just putting it in square brackets - print value histories when the debug level is >= 3 - separate the memory printing into heap and attributes labelled more explicitly For example, before: ``` 2 disjuncts: { {visited= false; astate= { heap=({ v1 -> { * -> v3 }, v2 -> { * -> v5 } }, { v5 -> { CppDelete(was invalidated by `delete`) } }); stack={ &n=v1, &ptr=v2 };} [{ heap=({ v1 -> { * -> v3 }, v2 -> { * -> v5 }, v3 -> { }, v5 -> { } }, { v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 58, column 12) }, v5 -> { MustBeValid (read by line 58, column 5) } }); stack={ &n=v1, &ptr=v2 };}]}, {visited= false; astate= { heap=({ v1 -> { * -> v3 }, v2 -> { * -> v7 } }, { v7 -> { CppDelete(was invalidated by `delete`) } }); stack={ &n=v1, &ptr=v2 };} [{ heap=({ v1 -> { * -> v3 }, v2 -> { * -> v7 }, v3 -> { }, v7 -> { } }, { v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 60, column 12) }, v7 -> { MustBeValid (read by line 60, column 5) } }); stack={ &n=v1, &ptr=v2 };}]} } ``` after: ``` 2 disjuncts: #0: visited=false; { roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v4 } }; attrs={ v3 -> { =7 }, v4 -> { CppDelete(was invalidated by `delete`) } };} PRE=[{ roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v4 }, v3 -> { }, v4 -> { } }; attrs={ v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 58, column 12) }, v4 -> { MustBeValid (read by line 58, column 5) } };}] #1: visited=false; { roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v5 } }; attrs={ v5 -> { CppDelete(was invalidated by `delete`) } };} PRE=[{ roots={ &n=v1, &ptr=v2 }; mem ={ v1 -> { * -> v3 }, v2 -> { * -> v5 }, v3 -> { }, v5 -> { } }; attrs={ v1 -> { MustBeValid (read by line 57, column 7) }, v2 -> { MustBeValid (read by line 60, column 12) }, v5 -> { MustBeValid (read by line 60, column 5) } };}] ``` Reviewed By: ezgicicek Differential Revision: D17906167 fbshipit-source-id: 2e14325c8
5 years ago
F.fprintf fmt "{@[<v1> roots=@[<hv>%a@];@;mem =@[<hv>%a@];@;attrs=@[<hv>%a@];@]}" Stack.pp stack
Memory.pp_heap heap Memory.pp_attributes heap
[pulse] collect garbage (unreachable) heap parts from time to time Summary: It's useful to keep the size of states down, especially when humans are trying to read it. It will also help keep the size of summaries down in the inter-procedural pulse. Reviewed By: mbouaziz Differential Revision: D14258486 fbshipit-source-id: 45ebcac67
6 years ago
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
module GraphVisit : sig
val fold :
var_filter:(Var.t -> bool)
-> t
-> init:'accum
-> f:( 'accum
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
-> AbstractValue.t
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
-> Var.t
-> Memory.Access.t list
-> ('accum, 'final) Base.Continue_or_stop.t)
-> finish:('accum -> 'final)
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
-> AbstractValue.Set.t * 'final
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
(** Generic graph traversal of the memory starting from each variable in the stack that pass
[var_filter], in order. Returns the result of folding over every address in the graph and the
set of addresses that have been visited before [f] returned [Stop] or all reachable addresses
were seen. [f] is passed each address together with the variable from which the address was
reached and the access path from that variable to the address. *)
[pulse] collect garbage (unreachable) heap parts from time to time Summary: It's useful to keep the size of states down, especially when humans are trying to read it. It will also help keep the size of summaries down in the inter-procedural pulse. Reviewed By: mbouaziz Differential Revision: D14258486 fbshipit-source-id: 45ebcac67
6 years ago
end = struct
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
open Base.Continue_or_stop
[pulse] collect garbage (unreachable) heap parts from time to time Summary: It's useful to keep the size of states down, especially when humans are trying to read it. It will also help keep the size of summaries down in the inter-procedural pulse. Reviewed By: mbouaziz Differential Revision: D14258486 fbshipit-source-id: 45ebcac67
6 years ago
let visit address visited =
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
if AbstractValue.Set.mem address visited then `AlreadyVisited
[pulse] collect garbage (unreachable) heap parts from time to time Summary: It's useful to keep the size of states down, especially when humans are trying to read it. It will also help keep the size of summaries down in the inter-procedural pulse. Reviewed By: mbouaziz Differential Revision: D14258486 fbshipit-source-id: 45ebcac67
6 years ago
else
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
let visited = AbstractValue.Set.add address visited in
[pulse] collect garbage (unreachable) heap parts from time to time Summary: It's useful to keep the size of states down, especially when humans are trying to read it. It will also help keep the size of summaries down in the inter-procedural pulse. Reviewed By: mbouaziz Differential Revision: D14258486 fbshipit-source-id: 45ebcac67
6 years ago
`NotAlreadyVisited visited
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
let rec visit_address orig_var ~f rev_accesses astate address ((visited, accum) as visited_accum)
=
[pulse] collect garbage (unreachable) heap parts from time to time Summary: It's useful to keep the size of states down, especially when humans are trying to read it. It will also help keep the size of summaries down in the inter-procedural pulse. Reviewed By: mbouaziz Differential Revision: D14258486 fbshipit-source-id: 45ebcac67
6 years ago
match visit address visited with
| `AlreadyVisited ->
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
Continue visited_accum
[pulse] collect garbage (unreachable) heap parts from time to time Summary: It's useful to keep the size of states down, especially when humans are trying to read it. It will also help keep the size of summaries down in the inter-procedural pulse. Reviewed By: mbouaziz Differential Revision: D14258486 fbshipit-source-id: 45ebcac67
6 years ago
| `NotAlreadyVisited visited -> (
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
match f accum address orig_var rev_accesses with
| Continue accum -> (
match Memory.find_opt address astate.heap with
| None ->
Continue (visited, accum)
| Some (edges, _) ->
visit_edges orig_var ~f rev_accesses astate ~edges (visited, accum) )
| Stop fin ->
Stop (visited, fin) )
and visit_edges orig_var ~f rev_accesses ~edges astate visited_accum =
let finish visited_accum = Continue visited_accum in
Container.fold_until edges
~fold:(IContainer.fold_of_pervasives_map_fold ~fold:Memory.Edges.fold)
~finish ~init:visited_accum ~f:(fun visited_accum (access, (address, _trace)) ->
match visit_address orig_var ~f (access :: rev_accesses) astate address visited_accum with
| Continue _ as cont ->
cont
| Stop fin ->
Stop (Stop fin) )
let fold ~var_filter astate ~init ~f ~finish =
let finish (visited, accum) = (visited, finish accum) in
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
let init = (AbstractValue.Set.empty, init) in
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
Container.fold_until astate.stack
~fold:(IContainer.fold_of_pervasives_map_fold ~fold:Stack.fold) ~init ~finish
~f:(fun visited_accum (var, (address, _loc)) ->
if var_filter var then visit_address var ~f [] astate address visited_accum
else Continue visited_accum )
[pulse] collect garbage (unreachable) heap parts from time to time Summary: It's useful to keep the size of states down, especially when humans are trying to read it. It will also help keep the size of summaries down in the inter-procedural pulse. Reviewed By: mbouaziz Differential Revision: D14258486 fbshipit-source-id: 45ebcac67
6 years ago
end
[ai][pulse] use subgraph-based implication between states Summary: When joining two lists of disjuncts we try to ensure there isn't a state that under-approximates another already in the list. This helps reduce the number of disjuncts that are generated by conditionals and loops. Before we would always just add more disjuncts unless they were physically equal but now we do a subgraph computation to assess under-approximation. We only do this half-heartedly for now however, only taking into consideration the "new" disjuncts vs the "old" ones. It probably makes sense to do a full quadratic search to minimise the number of disjuncts from time to time but this isn't done here. Reviewed By: mbouaziz Differential Revision: D14258482 fbshipit-source-id: c2dad4889
6 years ago
include GraphComparison
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
let reachable_addresses astate =
GraphVisit.fold astate
~var_filter:(fun _ -> true)
~init:() ~finish:Fn.id
~f:(fun () _ _ _ -> Continue ())
|> fst