pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3ce095a288'
${ noResults }
infer_clone/infer/src/pulse/PulseModels.ml

224 lines
7.9 KiB
Raw Normal View History Unescape

[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
(*
* Copyright (c) 2018-present, Facebook, Inc.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
open Result.Monad_infix
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
type exec_fun =
[pulse] rename `Location` -> `Address` and better reporting Summary: `Location` was clashing with the `Location` module, so use `Address` instead. When invalidating an address, remember the "actor" of its invalidation, i.e. the access expression leading to the address and the source location of the corresponding instruction. When checking accesses, also pass the actor responsible for the access, so that when we raise an error we know: 1. when and why a location was invalidated 2. when and why we tried to read it after that Reviewed By: mbouaziz Differential Revision: D10446282 fbshipit-source-id: 3ca4fb3d4
6 years ago
Location.t
-> ret:Var.t * Typ.t
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
-> actuals:HilExp.t list
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
-> PulseAbductiveDomain.t
-> PulseAbductiveDomain.t PulseOperations.access_result
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
type model = exec_fun
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
module Misc = struct
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let early_exit : model = fun _ ~ret:_ ~actuals:_ _ -> Ok PulseAbductiveDomain.empty
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
end
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
module C = struct
let free : model =
fun location ~ret:_ ~actuals astate ->
match actuals with
| [AccessExpression deleted_access] ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.invalidate
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
(PulseTrace.Immediate {imm= PulseInvalidation.CFree (deleted_access, location); location})
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
location deleted_access astate
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
| _ ->
Ok astate
end
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
module Cplusplus = struct
let delete : model =
[pulse] rename `Location` -> `Address` and better reporting Summary: `Location` was clashing with the `Location` module, so use `Address` instead. When invalidating an address, remember the "actor" of its invalidation, i.e. the access expression leading to the address and the source location of the corresponding instruction. When checking accesses, also pass the actor responsible for the access, so that when we raise an error we know: 1. when and why a location was invalidated 2. when and why we tried to read it after that Reviewed By: mbouaziz Differential Revision: D10446282 fbshipit-source-id: 3ca4fb3d4
6 years ago
fun location ~ret:_ ~actuals astate ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.read_all location (List.concat_map actuals ~f:HilExp.get_access_exprs) astate
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
>>= fun astate ->
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
match actuals with
| [AccessExpression deleted_access] ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.invalidate
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
(PulseTrace.Immediate
{imm= PulseInvalidation.CppDelete (deleted_access, location); location})
[pulse] do not use access paths as they forget about &/* Summary: Now the domain can reason about `&` and `*` too. When recording `&` between two locations also record a back-edge `*`, and vice-versa. Reviewed By: mbouaziz Differential Revision: D10509335 fbshipit-source-id: 8091b6ec0
6 years ago
location deleted_access astate
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
| _ ->
Ok astate
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
let operator_call : model =
fun location ~ret:(ret_var, _) ~actuals astate ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.read_all location (List.concat_map actuals ~f:HilExp.get_access_exprs) astate
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
>>= fun astate ->
( match actuals with
| AccessExpression lambda :: _ ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.read location HilExp.AccessExpression.(dereference lambda) astate
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
>>= fun (astate, address) ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.Closures.check_captured_addresses location lambda (fst address) astate
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
| _ ->
Ok astate )
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
>>| PulseOperations.havoc_var
[PulseTrace.Call {f= `Model "<lambda>"; actuals; location}]
ret_var
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
let placement_new : model =
[access expressions] force clients to normalize when introducing `Dereference` and `AddressOf` Summary: Make the whole type private, introduce constructors for each variant, and deal with the consequences. Reviewed By: da319 Differential Revision: D12825810 fbshipit-source-id: a01922812
6 years ago
fun location ~ret:(ret_var, _) ~actuals astate ->
[pulse] Clean up placement new model Summary: Do not create a new location for placement new argument if it already exists. Reviewed By: jvillard Differential Revision: D12839942 fbshipit-source-id: 758b67a82
6 years ago
let read_all args astate =
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.read_all location (List.concat_map args ~f:HilExp.get_access_exprs) astate
[pulse] Clean up placement new model Summary: Do not create a new location for placement new argument if it already exists. Reviewed By: jvillard Differential Revision: D12839942 fbshipit-source-id: 758b67a82
6 years ago
in
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let crumb = PulseTrace.Call {f= `Model "<placement new>"; actuals; location} in
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
match List.rev actuals with
| HilExp.AccessExpression expr :: other_actuals ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.read location expr astate
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
>>= fun (astate, (address, trace)) ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.write_var ret_var (address, crumb :: trace) astate
|> read_all other_actuals
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
| _ :: other_actuals ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
read_all other_actuals astate >>| PulseOperations.havoc_var [crumb] ret_var
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
| [] ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
Ok (PulseOperations.havoc_var [crumb] ret_var astate)
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
end
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
module StdVector = struct
let internal_array =
Typ.Fieldname.Clang.from_class_name
(Typ.CStruct (QualifiedCppName.of_list ["std"; "vector"]))
"__internal_array"
[HIL][3/4] remove compatibility AccessExpression.ml Summary: `AccessExpression.t` and `HilExp.t` are about to become mutually recursive, this will help distinguish the actual changes from the moving of code around. This deletes the file left around in the previous commit to preserve callers of `AccessExpression`. Reviewed By: mbouaziz Differential Revision: D13377645 fbshipit-source-id: 71338d1f3
6 years ago
let to_internal_array vector = HilExp.AccessExpression.field_offset vector internal_array
[pulse] underapproximate joins of array values Summary: Arrays are the main source of false positives that prevent us from having a better (less under-approximate) join in general. The next diff improves join and I split this off to make it easier to review. Reviewed By: mbouaziz Differential Revision: D12881986 fbshipit-source-id: 5f52dea27
6 years ago
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
let deref_internal_array vector =
[pulse] take array indices into account Summary: This will be useful to make the analysis more precise. In particular, it allows a disjunctive version of pulse to deal will deleting vector elements in a loop: without this, deleting an array element in one iteration will make the analysis think that the next array element is invalid too since they are all the same. By keep track of the index, we can detect when we are sure that two elements are the same and only report in that case. Reviewed By: ngorogiannis Differential Revision: D13431374 fbshipit-source-id: dae82deeb
6 years ago
HilExp.AccessExpression.(dereference (to_internal_array vector))
let element_of_internal_array vector index =
HilExp.AccessExpression.array_offset (deref_internal_array vector) Typ.void index
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let reallocate_internal_array trace vector vector_f location astate =
[pulse] take array indices into account Summary: This will be useful to make the analysis more precise. In particular, it allows a disjunctive version of pulse to deal will deleting vector elements in a loop: without this, deleting an array element in one iteration will make the analysis think that the next array element is invalid too since they are all the same. By keep track of the index, we can detect when we are sure that two elements are the same and only report in that case. Reviewed By: ngorogiannis Differential Revision: D13431374 fbshipit-source-id: dae82deeb
6 years ago
let array_address = to_internal_array vector in
let array = deref_internal_array vector in
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
let invalidation =
PulseTrace.Immediate {imm= PulseInvalidation.StdVector (vector_f, vector, location); location}
in
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.invalidate_array_elements invalidation location array astate
>>= PulseOperations.invalidate invalidation location array
>>= PulseOperations.havoc trace location array_address
[pulse] Model std::vector::reserve to invalidate references to elements Summary: Similarly as `std::vector::push_back`, `std::vector::reserve` can invalidate the references to elements if the new size is bigger than the existing one. More info on `std::vector::reserve`: https://en.cppreference.com/w/cpp/container/vector/reserve Reviewed By: jvillard Differential Revision: D13340324 fbshipit-source-id: bf99b6923
6 years ago
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let invalidate_references vector_f : model =
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
fun location ~ret:_ ~actuals astate ->
match actuals with
| AccessExpression vector :: _ ->
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let crumb =
PulseTrace.Call
{ f= `Model (Format.asprintf "%a" PulseInvalidation.pp_std_vector_function vector_f)
; actuals
; location }
in
reallocate_internal_array [crumb] vector vector_f location astate
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
| _ ->
Ok astate
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
let at : model =
[pulse] rename `Location` -> `Address` and better reporting Summary: `Location` was clashing with the `Location` module, so use `Address` instead. When invalidating an address, remember the "actor" of its invalidation, i.e. the access expression leading to the address and the source location of the corresponding instruction. When checking accesses, also pass the actor responsible for the access, so that when we raise an error we know: 1. when and why a location was invalidated 2. when and why we tried to read it after that Reviewed By: mbouaziz Differential Revision: D10446282 fbshipit-source-id: 3ca4fb3d4
6 years ago
fun location ~ret ~actuals astate ->
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let crumb = PulseTrace.Call {f= `Model "std::vector::at"; actuals; location} in
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
match actuals with
[pulse] take array indices into account Summary: This will be useful to make the analysis more precise. In particular, it allows a disjunctive version of pulse to deal will deleting vector elements in a loop: without this, deleting an array element in one iteration will make the analysis think that the next array element is invalid too since they are all the same. By keep track of the index, we can detect when we are sure that two elements are the same and only report in that case. Reviewed By: ngorogiannis Differential Revision: D13431374 fbshipit-source-id: dae82deeb
6 years ago
| [AccessExpression vector_access_expr; index_exp] ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.read location
[pulse] take array indices into account Summary: This will be useful to make the analysis more precise. In particular, it allows a disjunctive version of pulse to deal will deleting vector elements in a loop: without this, deleting an array element in one iteration will make the analysis think that the next array element is invalid too since they are all the same. By keep track of the index, we can detect when we are sure that two elements are the same and only report in that case. Reviewed By: ngorogiannis Differential Revision: D13431374 fbshipit-source-id: dae82deeb
6 years ago
(element_of_internal_array vector_access_expr (Some index_exp))
astate
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
>>= fun (astate, (addr, trace)) ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.write location
(HilExp.AccessExpression.base ret)
(addr, crumb :: trace)
astate
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
| _ ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
Ok (PulseOperations.havoc_var [crumb] (fst ret) astate)
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
let reserve : model =
fun location ~ret:_ ~actuals astate ->
match actuals with
| [AccessExpression vector; _value] ->
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let crumb = PulseTrace.Call {f= `Model "std::vector::reserve"; actuals; location} in
reallocate_internal_array [crumb] vector Reserve location astate
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
>>= PulseOperations.StdVector.mark_reserved location vector
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
| _ ->
Ok astate
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
let push_back : model =
[pulse] rename `Location` -> `Address` and better reporting Summary: `Location` was clashing with the `Location` module, so use `Address` instead. When invalidating an address, remember the "actor" of its invalidation, i.e. the access expression leading to the address and the source location of the corresponding instruction. When checking accesses, also pass the actor responsible for the access, so that when we raise an error we know: 1. when and why a location was invalidated 2. when and why we tried to read it after that Reviewed By: mbouaziz Differential Revision: D10446282 fbshipit-source-id: 3ca4fb3d4
6 years ago
fun location ~ret:_ ~actuals astate ->
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
match actuals with
| [AccessExpression vector; _value] ->
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let crumb = PulseTrace.Call {f= `Model "std::vector::push_back"; actuals; location} in
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
PulseOperations.StdVector.is_reserved location vector astate
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
>>= fun (astate, is_reserved) ->
if is_reserved then
(* assume that any call to [push_back] is ok after one called [reserve] on the same vector
(a perfect analysis would also make sure we don't exceed the reserved size) *)
Ok astate
else
(* simulate a re-allocation of the underlying array every time an element is added *)
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
reallocate_internal_array [crumb] vector PushBack location astate
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
| _ ->
Ok astate
end
module ProcNameDispatcher = struct
let dispatch : (unit, model) ProcnameDispatcher.ProcName.dispatcher =
let open ProcnameDispatcher.ProcName in
make_dispatcher
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
[ -"std" &:: "function" &:: "operator()" &--> Cplusplus.operator_call
; -"std" &:: "vector" &:: "assign" &--> StdVector.invalidate_references Assign
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
; -"std" &:: "vector" &:: "clear" &--> StdVector.invalidate_references Clear
; -"std" &:: "vector" &:: "emplace" &--> StdVector.invalidate_references Emplace
; -"std" &:: "vector" &:: "emplace_back" &--> StdVector.invalidate_references EmplaceBack
; -"std" &:: "vector" &:: "insert" &--> StdVector.invalidate_references Insert
; -"std" &:: "vector" &:: "operator[]" &--> StdVector.at
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
; -"std" &:: "vector" &:: "push_back" &--> StdVector.push_back
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
; -"std" &:: "vector" &:: "reserve" &--> StdVector.reserve
; -"std" &:: "vector" &:: "shrink_to_fit" &--> StdVector.invalidate_references ShrinkToFit ]
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
end
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
let builtins_dispatcher =
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
let builtins =
[ (BuiltinDecl.__delete, Cplusplus.delete)
[clang] leave markers of variable initialization for pulse Summary: When initialising a variable via semi-exotic means, the frontend loses the information that the variable was initialised. For instance, it translates: ``` struct Foo { int i; }; ... Foo s = {42}; ``` as: ``` s.i := 42 ``` This can be confusing for backends that need to know that `s` actually got initialised, eg pulse. The solution implemented here is to insert of dummy call to `__variable_initiazition`: ``` __variable_initialization(&s); s.i := 42; ``` Then checkers can recognise that this builtin function does what its name says. Reviewed By: mbouaziz Differential Revision: D12887122 fbshipit-source-id: 6e7214438
6 years ago
; (BuiltinDecl.__placement_new, Cplusplus.placement_new)
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
; (BuiltinDecl.abort, Misc.early_exit)
; (BuiltinDecl.exit, Misc.early_exit)
; (BuiltinDecl.free, C.free)
; (BuiltinDecl.objc_cpp_throw, Misc.early_exit) ]
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
in
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
let builtins_map =
Hashtbl.create
( module struct
include Typ.Procname
let hash = Caml.Hashtbl.hash
let sexp_of_t _ = assert false
end )
in
List.iter builtins ~f:(fun (builtin, model) ->
let open PolyVariantEqual in
assert (Hashtbl.add builtins_map ~key:builtin ~data:model = `Ok) ) ;
fun proc_name -> Hashtbl.find builtins_map proc_name
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
let dispatch proc_name flags =
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
match builtins_dispatcher proc_name with
| Some _ as result ->
result
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
| None -> (
match ProcNameDispatcher.dispatch () proc_name with
| Some _ as result ->
result
| None ->
if flags.CallFlags.cf_noreturn then Some Misc.early_exit else None )