infer_clone/infer/src/quandary/JavaTaintAnalysis.ml

(*
 * Copyright (c) 2016 - present Facebook, Inc.
 * All rights reserved.
 *
 * This source code is licensed under the BSD style license found in the
 * LICENSE file in the root directory of this source tree. An additional grant
 * of patent rights can be found in the PATENTS file in the same directory.
 *)

open! IStd

module F = Format
module L = Logging

include
  TaintAnalysis.Make(struct
    module Trace = JavaTrace
    module AccessTree = AccessTree.Make(Trace)

    let to_summary_access_tree access_tree = QuandarySummary.AccessTree.Java access_tree

    let of_summary_access_tree = function
      | QuandarySummary.AccessTree.Java access_tree -> access_tree
      | _ -> assert false

    let handle_unknown_call pname ret_typ_opt actuals tenv =
      let types_match typ class_string tenv = match typ with
        | Typ.Tptr (Tstruct original_typename, _) ->
            PatternMatch.supertype_exists
              tenv
              (fun typename _ -> String.equal (Typ.Name.name typename) class_string)
              original_typename
        | _ ->
            false in
      match pname with
      | (Typ.Procname.Java java_pname) as pname ->
          let is_static = Typ.Procname.java_is_static pname in
          begin
            match Typ.Procname.java_get_class_name java_pname,
                  Typ.Procname.java_get_method java_pname,
                  ret_typ_opt with
            | _ when Typ.Procname.is_constructor pname ->
                [TaintSpec.Propagate_to_receiver]
            | _, _, (Some Typ.Tvoid | None) when not is_static ->
                (* for instance methods with no return value, propagate the taint to the receiver *)
                [TaintSpec.Propagate_to_receiver]
            | classname, _, Some (Typ.Tptr _ | Tstruct _) ->
                begin
                  match actuals with
                  | (_, receiver_typ) :: _
                    when not is_static && types_match receiver_typ classname tenv ->
                      (* if the receiver and return type are the same, propagate to both. we're
                         assuming the call is one of the common "builder-style" methods that both
                         updates and returns the receiver *)
                      [TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]
                  | _ ->
                      (* receiver doesn't match return type; just propagate to the return type *)
                      [TaintSpec.Propagate_to_return]
                end
            | _ ->
                []
          end
      | pname when BuiltinDecl.is_declared pname ->
          []
      | pname ->
          failwithf "Non-Java procname %a in Java analysis@." Typ.Procname.pp pname
  end)
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`(*`
			`* Copyright (c) 2016 - present Facebook, Inc.`
			`* All rights reserved.`
			`*`
			`* This source code is licensed under the BSD style license found in the`
			`* LICENSE file in the root directory of this source tree. An additional grant`
			`* of patent rights can be found in the PATENTS file in the same directory.`
			`*)`

Divide Utils into Utils, Pp, and IStd Summary: Utils contains definitions intended to be in the global namespace for all of the infer code-base, as well as pretty-printing functions, and assorted utility functions mostly for dealing with files and processes. This diff changes the module opened into the global namespace to IStd (Std conflict with extlib), and moves the pretty-printing definitions from Utils to Pp. Reviewed By: jvillard Differential Revision: D4232457 fbshipit-source-id: 1e070e0 8 years ago			`open! IStd`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago
			`module F = Format`
			`module L = Logging`

			`include`
			`TaintAnalysis.Make(struct`
[quandary] adding TaintSpec module for clearer naming Reviewed By: jberdine Differential Revision: D3997622 fbshipit-source-id: 3f22c8e 9 years ago			`module Trace = JavaTrace`
[quandary] summaries are access trees too Summary: Previously, summaries worked by flattening the access tree representing the post of the procedure into (in essence) a list of functions from caller input traces to callee output traces. This is inefficient in many ways, and is also much more complex than just using the original access tree as the summary. One big inefficiency of the old way is this: calling `Trace.append` is slow, and we want to do it as few times as possible. Under the old summary system, we would do it at most once for each "function" in the summary list. Now, we'll do it at most once for each node in the access tree summary. This will be a smaller number of calls, since each node can summarize many input/output relationships. Reviewed By: jeremydubreil Differential Revision: D4271579 fbshipit-source-id: 34e407a 8 years ago			`module AccessTree = AccessTree.Make(Trace)`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago
[quandary] summaries are access trees too Summary: Previously, summaries worked by flattening the access tree representing the post of the procedure into (in essence) a list of functions from caller input traces to callee output traces. This is inefficient in many ways, and is also much more complex than just using the original access tree as the summary. One big inefficiency of the old way is this: calling `Trace.append` is slow, and we want to do it as few times as possible. Under the old summary system, we would do it at most once for each "function" in the summary list. Now, we'll do it at most once for each node in the access tree summary. This will be a smaller number of calls, since each node can summarize many input/output relationships. Reviewed By: jeremydubreil Differential Revision: D4271579 fbshipit-source-id: 34e407a 8 years ago			`let to_summary_access_tree access_tree = QuandarySummary.AccessTree.Java access_tree`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago
[quandary] summaries are access trees too Summary: Previously, summaries worked by flattening the access tree representing the post of the procedure into (in essence) a list of functions from caller input traces to callee output traces. This is inefficient in many ways, and is also much more complex than just using the original access tree as the summary. One big inefficiency of the old way is this: calling `Trace.append` is slow, and we want to do it as few times as possible. Under the old summary system, we would do it at most once for each "function" in the summary list. Now, we'll do it at most once for each node in the access tree summary. This will be a smaller number of calls, since each node can summarize many input/output relationships. Reviewed By: jeremydubreil Differential Revision: D4271579 fbshipit-source-id: 34e407a 8 years ago			`let of_summary_access_tree = function`
			`\| QuandarySummary.AccessTree.Java access_tree -> access_tree`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago			`\| _ -> assert false`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago
[quandary] better taint propagation for Intent's Reviewed By: mburman Differential Revision: D4491864 fbshipit-source-id: 059b204 8 years ago			`let handle_unknown_call pname ret_typ_opt actuals tenv =`
			`let types_match typ class_string tenv = match typ with`
			`\| Typ.Tptr (Tstruct original_typename, _) ->`
			`PatternMatch.supertype_exists`
			`tenv`
[IR] Make template info part of Typename.t, rename Typename to Typ.Name Reviewed By: jberdine Differential Revision: D4722070 fbshipit-source-id: 0bf8996 8 years ago			`(fun typename _ -> String.equal (Typ.Name.name typename) class_string)`
[quandary] better taint propagation for Intent's Reviewed By: mburman Differential Revision: D4491864 fbshipit-source-id: 059b204 8 years ago			`original_typename`
			`\| _ ->`
			`false in`
[quandary] making it easier to specify behavior for unknown functions Summary: In Java, we handle unknown code by propagating behavior from the parameters of the unknown function call to the return value (or constructed object, in the case of a constructor). But we do this in a somewhat silly way--generating a new summary with these semantics at each unknown call site. Instead, this diff introduces these two options as predefined behaviors and adds specialized code for them. As a side effect of this approach, unknown functions are no longer counted as passthroughs. This is ok; the original behavior was less of a reasoned decision and more of an unintended consequence of the way we decided to handle unknown code. This new approach ought to be more efficient than the old one, and as a virtuous side effect it will be easier to specify how to handle unknown code in other languages like C++. Reviewed By: jeremydubreil Differential Revision: D4205624 fbshipit-source-id: bf97445 8 years ago			`match pname with`
[codemod] Move `Procname` into `Typ.Procname` Summary: `Procname` needs to depend on `Typ.t` and `Typ.Struct` depends on `Procname.t`. To resolve this circular dependency issue, move `Procname` into `Typ` steps: 1. Move everything from `Procname` to `Typ.Procname`, remove `Procname.re(i)` 2. search & replace `Procname.` with `Typ.Procname.` 3. fix outstanding compilation issues manually 4. `yes \| arc lint` Reviewed By: jberdine Differential Revision: D4681509 fbshipit-source-id: b07af63 8 years ago			`\| (Typ.Procname.Java java_pname) as pname ->`
			`let is_static = Typ.Procname.java_is_static pname in`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`begin`
[codemod] Move `Procname` into `Typ.Procname` Summary: `Procname` needs to depend on `Typ.t` and `Typ.Struct` depends on `Procname.t`. To resolve this circular dependency issue, move `Procname` into `Typ` steps: 1. Move everything from `Procname` to `Typ.Procname`, remove `Procname.re(i)` 2. search & replace `Procname.` with `Typ.Procname.` 3. fix outstanding compilation issues manually 4. `yes \| arc lint` Reviewed By: jberdine Differential Revision: D4681509 fbshipit-source-id: b07af63 8 years ago			`match Typ.Procname.java_get_class_name java_pname,`
			`Typ.Procname.java_get_method java_pname,`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`ret_typ_opt with`
[codemod] Move `Procname` into `Typ.Procname` Summary: `Procname` needs to depend on `Typ.t` and `Typ.Struct` depends on `Procname.t`. To resolve this circular dependency issue, move `Procname` into `Typ` steps: 1. Move everything from `Procname` to `Typ.Procname`, remove `Procname.re(i)` 2. search & replace `Procname.` with `Typ.Procname.` 3. fix outstanding compilation issues manually 4. `yes \| arc lint` Reviewed By: jberdine Differential Revision: D4681509 fbshipit-source-id: b07af63 8 years ago			`\| _ when Typ.Procname.is_constructor pname ->`
[quandary] making it easier to specify behavior for unknown functions Summary: In Java, we handle unknown code by propagating behavior from the parameters of the unknown function call to the return value (or constructed object, in the case of a constructor). But we do this in a somewhat silly way--generating a new summary with these semantics at each unknown call site. Instead, this diff introduces these two options as predefined behaviors and adds specialized code for them. As a side effect of this approach, unknown functions are no longer counted as passthroughs. This is ok; the original behavior was less of a reasoned decision and more of an unintended consequence of the way we decided to handle unknown code. This new approach ought to be more efficient than the old one, and as a virtuous side effect it will be easier to specify how to handle unknown code in other languages like C++. Reviewed By: jeremydubreil Differential Revision: D4205624 fbshipit-source-id: bf97445 8 years ago			`[TaintSpec.Propagate_to_receiver]`
[quandary] improve taint propagation for unknown calls Summary: When the receiver type and return type of an unknown call are the same, propagate taint to both the receiver and the return type. This does the right thing for common "builder-style" methods that both update and return the receiver. We already had custom models for a few such methods (e.g., `StringBuilder.append`), but we can remove them now. Reviewed By: jeremydubreil Differential Revision: D4490071 fbshipit-source-id: 325ea88 8 years ago			`\| _, _, (Some Typ.Tvoid \| None) when not is_static ->`
[quandary] for instance methods with no return value, propagate the taint to the receiver Summary: If we have code like ``` o.setF(source()) sink(o) ``` and `setF` is an unknown method, we probably want to report. Reviewed By: jeremydubreil, mburman Differential Revision: D4438896 fbshipit-source-id: 5edd204 8 years ago			`(* for instance methods with no return value, propagate the taint to the receiver *)`
			`[TaintSpec.Propagate_to_receiver]`
[quandary] improve taint propagation for unknown calls Summary: When the receiver type and return type of an unknown call are the same, propagate taint to both the receiver and the return type. This does the right thing for common "builder-style" methods that both update and return the receiver. We already had custom models for a few such methods (e.g., `StringBuilder.append`), but we can remove them now. Reviewed By: jeremydubreil Differential Revision: D4490071 fbshipit-source-id: 325ea88 8 years ago			`\| classname, _, Some (Typ.Tptr _ \| Tstruct _) ->`
			`begin`
			`match actuals with`
			`\| (_, receiver_typ) :: _`
[quandary] better taint propagation for Intent's Reviewed By: mburman Differential Revision: D4491864 fbshipit-source-id: 059b204 8 years ago			`when not is_static && types_match receiver_typ classname tenv ->`
[quandary] improve taint propagation for unknown calls Summary: When the receiver type and return type of an unknown call are the same, propagate taint to both the receiver and the return type. This does the right thing for common "builder-style" methods that both update and return the receiver. We already had custom models for a few such methods (e.g., `StringBuilder.append`), but we can remove them now. Reviewed By: jeremydubreil Differential Revision: D4490071 fbshipit-source-id: 325ea88 8 years ago			`(* if the receiver and return type are the same, propagate to both. we're`
			`assuming the call is one of the common "builder-style" methods that both`
			`updates and returns the receiver *)`
			`[TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]`
			`\| _ ->`
			`(* receiver doesn't match return type; just propagate to the return type *)`
			`[TaintSpec.Propagate_to_return]`
			`end`
			`\| _ ->`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`[]`
			`end`
[backend] Split construction of builtin pnames and builtin registration Summary: this makes frontends no longer depend on SymExec.ml. `ModelBuiltins` was split into two modules: - `BuiltinDecl` with procnames for builtins (used to determine whether some function is a builtin) - `BuiltinDefn` with implementations used by `SymExec` - they both have similar type defined in `BUILTINS.S` which makes sure that new builtin gets added into both modules. During the refactor I ran some scripts: `BuiltinDecl.ml`: let X = create_procname "X" cat BuiltinDecl.ml \| grep "create_procname" \| tail -70 \| awk ' { print $1,$2,$3,$4,"\42"$2"\42"} ' then manually confirm string match. Exceptions: "__exit" -> "_exit" "objc_cpp_throw" -> "__infer_objc_cpp_throw" __objc_dictionary_literal nsArray_arrayWithObjects nsArray_arrayWithObjectsCount `BuiltinDefn.ml`: let X = Builtin.register BuiltinDecl.X execute_X cat BuiltinDecl.ml \| grep "create_procname" \| tail -70 \| awk ' { print $1,$2,$3,"Builtin.register BuiltinDecl."$2,"execute_"$2} ' then, fix all compilation problems Reviewed By: jberdine Differential Revision: D3951035 fbshipit-source-id: f059602 8 years ago			`\| pname when BuiltinDecl.is_declared pname ->`
[quandary] fix missing check for builtin in Quandary models Reviewed By: jeremydubreil Differential Revision: D3972830 fbshipit-source-id: d431dfe 9 years ago			`[]`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`\| pname ->`
[codemod] Move `Procname` into `Typ.Procname` Summary: `Procname` needs to depend on `Typ.t` and `Typ.Struct` depends on `Procname.t`. To resolve this circular dependency issue, move `Procname` into `Typ` steps: 1. Move everything from `Procname` to `Typ.Procname`, remove `Procname.re(i)` 2. search & replace `Procname.` with `Typ.Procname.` 3. fix outstanding compilation issues manually 4. `yes \| arc lint` Reviewed By: jberdine Differential Revision: D4681509 fbshipit-source-id: b07af63 8 years ago			`failwithf "Non-Java procname %a in Java analysis@." Typ.Procname.pp pname`
[quandary] allow trace-specific rules for handling unknown code Reviewed By: jeremydubreil Differential Revision: D3962285 fbshipit-source-id: b14f3d2 9 years ago			`end)`