pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1652144176'
${ noResults }
infer_clone/infer/src/pulse/PulseBaseDomain.mli

95 lines
2.8 KiB
Raw Normal View History Unescape

[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
module F = Format
[pulse][1/9] create PulseBasicInterface, with CallEvent Summary: Problem: PulseDomain.ml is pretty big, and contains lots of small modules. The Infer build being a bit monolithic at the moment, it is hard to split all these small modules off without creating some confusion about which abstraction barries lay where. For instance, it's fine to use `PulseDomain.ValueHistory` anywhere, but using `PulseDomain` itself is sometimes bad when one should use `PulseAbductiveDomain` instead. Proposal: a poorman's library mechanism based on module aliasing. This stack of diffs creates new Pulse* modules for all these small, safe to use modules, together with `PulseBasicInterface.ml`, which aliases these modules to remove the `Pulse` prefix. At the end of the stack, it will contain: ``` module AbstractValue = PulseAbstractValue module Attribute = PulseAttribute module Attributes = PulseAttribute.Attributes module CallEvent = PulseCallEvent module Diagnostic = PulseDiagnostic module Invalidation = PulseInvalidation module Trace = PulseTrace module ValueHistory = PulseValueHistory ``` This "interface" module can be opened in other pulse modules freely. Reviewed By: ezgicicek Differential Revision: D17955104 fbshipit-source-id: 13d3aa2b5
5 years ago
open PulseBasicInterface
[pulse] allow models in invalidation traces Summary: Be more flexible in what type of function calls are allowed in `ViaCall ...` actions to be able to include models. Also get rid of `here here` in traces /o\ As a side-effect, get more precise (=qualified) procedure names in traces (but not in messages so as not to be too verbose). Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121092 fbshipit-source-id: fb51b02f8
6 years ago
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
module Stack : sig
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
include
PrettyPrintable.MonoMap with type key = Var.t and type value = AbstractValue.t * ValueHistory.t
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse] remove last traces of join/widen Summary: Instead of defining `let join .. = assert false` introduce simplified module signatures for domains without join/widen as used in disjunctive domains. Reviewed By: mbouaziz, skcho Differential Revision: D14568271 fbshipit-source-id: 6484335c9
6 years ago
(* need to shadow the declaration in [MonoMap] even though it is unused since [MapS.compare] has a
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
different type *)
val compare : t -> t -> int [@@warning "-32"]
end
[HIL][pulse] add disjunctive domain Summary: Introduce machinery to do disjunctive HIL domains and use it for pulse, but only in a mode that preserves the existing behaviour. The disjunctive domain is a functor that turns any (HIL for now) transfer function module into one operating on sets of elements of the original domain. The behaviour of joins (and widenings, which are equal to joins) can be chosen when instantiating the functor among 3 behaviours: - `` `JoinAfter n`: when the set of disjuncts gets bigger than `n` the underlying domain's join is called to collapse them into one state - `` `UnderApproximateAfter n`: when the sest of disjuncts gets bigger than `n` then just stop adding new states to it, drop any further states on the floor. This corresponds to an under-approximation/bounded approach. - `` `NeverJoin` The widening is always of the form `` `UnderApproximateAfterNumIterations max_iter` for now since the only user is pulse and I'm not sure what else would be useful. Picking `` `JoinAfter 0` gives the same results as the non-disjunctive domain since the underlying `join` will always be called. Make pulse use this mode for now, and tune it in a next diff. Reviewed By: mbouaziz Differential Revision: D13431375 fbshipit-source-id: b93aa50e7
6 years ago
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
module Memory : sig
module Access :
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
PrettyPrintable.PrintableOrderedType with type t = AbstractValue.t HilExp.Access.t
[pulse] rename `Location` -> `Address` and better reporting Summary: `Location` was clashing with the `Location` module, so use `Address` instead. When invalidating an address, remember the "actor" of its invalidation, i.e. the access expression leading to the address and the source location of the corresponding instruction. When checking accesses, also pass the actor responsible for the access, so that when we raise an error we know: 1. when and why a location was invalidated 2. when and why we tried to read it after that Reviewed By: mbouaziz Differential Revision: D10446282 fbshipit-source-id: 3ca4fb3d4
6 years ago
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
module Edges : PrettyPrintable.PPMap with type key = Access.t
[pulse] rename `Location` -> `Address` and better reporting Summary: `Location` was clashing with the `Location` module, so use `Address` instead. When invalidating an address, remember the "actor" of its invalidation, i.e. the access expression leading to the address and the source location of the corresponding instruction. When checking accesses, also pass the actor responsible for the access, so that when we raise an error we know: 1. when and why a location was invalidated 2. when and why we tried to read it after that Reviewed By: mbouaziz Differential Revision: D10446282 fbshipit-source-id: 3ca4fb3d4
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
type edges = (AbstractValue.t * ValueHistory.t) Edges.t
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse] utility method `PulseDomain.Memory.pp_edges` Summary: Useful for debugging, not used at the moment. Reviewed By: ngorogiannis Differential Revision: D17131275 fbshipit-source-id: 2edbdc517
6 years ago
val pp_edges : F.formatter -> edges -> unit [@@warning "-32"]
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
type cell = edges * Attributes.t
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
type t
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val filter : (AbstractValue.t -> bool) -> t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val filter_heap : (AbstractValue.t -> edges -> bool) -> t -> t
[pulse] Remove bindings with empty edges in pre Reviewed By: jvillard Differential Revision: D16419183 fbshipit-source-id: 858958ddd
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val find_opt : AbstractValue.t -> t -> cell option
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val fold_attrs : (AbstractValue.t -> Attributes.t -> 'acc -> 'acc) -> t -> 'acc -> 'acc
[pulse] record attributes of address not edge-reachable in the post Summary: Sometimes the post of a function call has attributes on addresses that were mentioned in the pre but are no longer reachable in the post. We don't want to forget these, see added test. Reviewed By: mbouaziz Differential Revision: D16050050 fbshipit-source-id: 1ce522b97
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val set_attrs : AbstractValue.t -> Attributes.t -> t -> t
[pulse] overwrite attributes of modified cells in interproc calls Summary: Previously we would union them with the previous attributes. I don't think that makes sense. Also change the interface a bit in preparation for the next commit. Reviewed By: mbouaziz Differential Revision: D16050051 fbshipit-source-id: 2e8f88f4e
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val set_edges : AbstractValue.t -> edges -> t -> t
[pulse] no addresses in attributes Summary: This removes the "abstract addresses" that used to be stored in the `Closure` attribute of pulse abstract addresses. There used to be a list of values recorded for each closure, each one representing one captured value. Instead these values are now recorded as fake edges in the memory graph. Having addresses appear in attributes causes issues when trying to establish graph isomorphism between two memory states. Avoid it by rewriting the closures mechanism to encode captured addresses as fake edges in memory. This way captured addresses are automatically treated right by the graph algorithms (in the next diffs). Reviewed By: mbouaziz Differential Revision: D14323044 fbshipit-source-id: 413b4d989
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val set_cell : AbstractValue.t -> cell -> t -> t
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val find_edges_opt : AbstractValue.t -> t -> edges option
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val mem_edges : AbstractValue.t -> t -> bool
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val register_address : AbstractValue.t -> t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
val add_edge : AbstractValue.t -> Access.t -> AbstractValue.t * ValueHistory.t -> t -> t
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
val find_edge_opt : AbstractValue.t -> Access.t -> t -> (AbstractValue.t * ValueHistory.t) option
[pulse] havoc vector array on push_back Summary: Turns out once a vector array became invalid it stayed that way, instead of the vector getting a new valid internal array. Reviewed By: skcho Differential Revision: D10853532 fbshipit-source-id: f6f22407f
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val add_attribute : AbstractValue.t -> Attribute.t -> t -> t
[pulse] define havoc and use in symbolic execution Summary: Assigns non-deterministic value to some variable. Reviewed By: mbouaziz Differential Revision: D10483977 fbshipit-source-id: dc5050886
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val invalidate : AbstractValue.t * ValueHistory.t -> Invalidation.t -> Location.t -> t -> t
[access expressions] force clients to normalize when introducing `Dereference` and `AddressOf` Summary: Make the whole type private, introduce constructors for each variant, and deal with the consequences. Reviewed By: da319 Differential Revision: D12825810 fbshipit-source-id: a01922812
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val check_valid : AbstractValue.t -> t -> (unit, Invalidation.t Trace.t) result
[pulse] initial commit Summary: New analysis in foetal form to detect invalid use of C++ objects after their lifetime has ended. For now it has: - A domain consisting of a graph of abstract locations representing the heap, a map from program variables to abstract locations representing the stack, and a set of locations known to be invalid (their lifetime has ended) - The heap graph is unfolded lazily when we resolve accesses to the heap down to an abstract location. When we traverse a memory location we check that it's not known to be invalid. - A simple transfer function reads and updates the stack and heap in a rudimentary way for now - C++ `delete` is modeled as adding the location that its argument resolves to to the set of invalid locations - Also, the domain has a really crappy join and widening for now (see comments in the code) With this we already pass most of the "use after delete" tests from the Ownership checker. The ones we don't pass are only because we are missing models. Reviewed By: mbouaziz Differential Revision: D10383249 fbshipit-source-id: f414664cb
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val get_closure_proc_name : AbstractValue.t -> t -> Typ.Procname.t option
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val get_constant : AbstractValue.t -> t -> Const.t option
[pulse] use constant equality to prune unfeasible paths Summary: When we know "x = 3" and we have a condition "x != 3" we know we can prune the corresponding path. Reviewed By: skcho Differential Revision: D17665472 fbshipit-source-id: 988958ea6
5 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val std_vector_reserve : AbstractValue.t -> t -> t
[HIL] Add `ExitScope` instruction Summary: It's useful for checkers to know when variables go out of scope to perform garbage collection in their domains, especially for complex domains with non-trivial joins. This makes the analyses more precise at little cost. This could have been added as a custom function call to a builtin, but I decided against it because this instruction doesn't have the semantics of any function call. It's better for each checker to explicitly not deal with the custom instruction instead. Reviewed By: jberdine Differential Revision: D13102951 fbshipit-source-id: 33be22fab
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val is_std_vector_reserved : AbstractValue.t -> t -> bool
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
end
[pulse] take array indices into account Summary: This will be useful to make the analysis more precise. In particular, it allows a disjunctive version of pulse to deal will deleting vector elements in a loop: without this, deleting an array element in one iteration will make the analysis think that the next array element is invalid too since they are all the same. By keep track of the index, we can detect when we are sure that two elements are the same and only report in that case. Reviewed By: ngorogiannis Differential Revision: D13431374 fbshipit-source-id: dae82deeb
6 years ago
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
type t = {heap: Memory.t; stack: Stack.t}
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
val empty : t
[pulse] detect stack variable address escape Summary: When assign to the special `return` variable, check that the result is not the address of a local variable, otherwise report. Reviewed By: ngorogiannis Differential Revision: D13466896 fbshipit-source-id: 465da7f13
6 years ago
[pulse] remove last traces of join/widen Summary: Instead of defining `let join .. = assert false` introduce simplified module signatures for domains without join/widen as used in disjunctive domains. Reviewed By: mbouaziz, skcho Differential Revision: D14568271 fbshipit-source-id: 6484335c9
6 years ago
include AbstractDomain.NoJoin with type t := t
[pulse] collect garbage (unreachable) heap parts from time to time Summary: It's useful to keep the size of states down, especially when humans are trying to read it. It will also help keep the size of summaries down in the inter-procedural pulse. Reviewed By: mbouaziz Differential Revision: D14258486 fbshipit-source-id: 45ebcac67
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val reachable_addresses : t -> AbstractValue.Set.t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
(** compute the set of abstract addresses that are "used" in the abstract state, i.e. reachable
[pulse] more general graph visitor API Summary: Make it possible to re-use the graph visitor to compute all sorts of things with a flexible API where you can pass a function that folds over all addresses reachable from certain stack variables (specified with a filter) and gets passed the access path that leads to each address. This is used in later commits. Reviewed By: mbouaziz Differential Revision: D15824960 fbshipit-source-id: c424a71cb
6 years ago
from the stack variables *)
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
type mapping
val empty_mapping : mapping
type isograph_relation =
| NotIsomorphic (** no mapping was found that can make LHS the same as the RHS *)
| IsomorphicUpTo of mapping (** [mapping(lhs)] is isomorphic to [rhs] *)
val isograph_map : lhs:t -> rhs:t -> mapping -> isograph_relation
val is_isograph : lhs:t -> rhs:t -> mapping -> bool