pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6df4fb6a9b'
${ noResults }
infer_clone/infer/src/pulse/PulseModels.ml

294 lines
11 KiB
Raw Normal View History Unescape

[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
open Result.Monad_infix
[pulse][1/9] create PulseBasicInterface, with CallEvent Summary: Problem: PulseDomain.ml is pretty big, and contains lots of small modules. The Infer build being a bit monolithic at the moment, it is hard to split all these small modules off without creating some confusion about which abstraction barries lay where. For instance, it's fine to use `PulseDomain.ValueHistory` anywhere, but using `PulseDomain` itself is sometimes bad when one should use `PulseAbductiveDomain` instead. Proposal: a poorman's library mechanism based on module aliasing. This stack of diffs creates new Pulse* modules for all these small, safe to use modules, together with `PulseBasicInterface.ml`, which aliases these modules to remove the `Pulse` prefix. At the end of the stack, it will contain: ``` module AbstractValue = PulseAbstractValue module Attribute = PulseAttribute module Attributes = PulseAttribute.Attributes module CallEvent = PulseCallEvent module Diagnostic = PulseDiagnostic module Invalidation = PulseInvalidation module Trace = PulseTrace module ValueHistory = PulseValueHistory ``` This "interface" module can be opened in other pulse modules freely. Reviewed By: ezgicicek Differential Revision: D17955104 fbshipit-source-id: 13d3aa2b5
5 years ago
open PulseBasicInterface
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
type exec_fun =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
caller_summary:Summary.t
-> Location.t
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
-> ret:Ident.t * Typ.t
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
-> actuals:((AbstractValue.t * ValueHistory.t) * Typ.t) list
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
-> PulseAbductiveDomain.t
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
-> PulseAbductiveDomain.t list PulseOperations.access_result
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
type model = exec_fun
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
module Misc = struct
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
let shallow_copy model_desc : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:(ret_id, _) ~actuals astate ->
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
let event = ValueHistory.Call {f= Model model_desc; location; in_call= []} in
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
( match actuals with
| [(dest_pointer_hist, _); (src_pointer_hist, _)] ->
PulseOperations.eval_access location src_pointer_hist Dereference astate
>>= fun (astate, obj) ->
PulseOperations.shallow_copy location obj astate
>>= fun (astate, obj_copy) ->
PulseOperations.write_deref location ~ref:dest_pointer_hist
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
~obj:(fst obj_copy, event :: snd obj_copy)
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
astate
| _ ->
Ok astate )
>>| fun astate -> [PulseOperations.havoc_id ret_id [event] astate]
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
let early_exit : model = fun ~caller_summary:_ _ ~ret:_ ~actuals:_ _ -> Ok []
[pulse] skip `folly::SocketAddress::~SocketAddress` Summary: The constructor of `folly::SocketAddress` conditionally deletes some object and then makes that condition false. The destructor then does the same. Pulse ignores conditionals so will see a double delete. Just skip that function for now, but it should be easy for pulse to be more correct here if it knew how to compare constant values. Reviewed By: mbouaziz Differential Revision: D16005395 fbshipit-source-id: 036f5091b
6 years ago
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
let skip : model = fun ~caller_summary:_ _ ~ret:_ ~actuals:_ astate -> Ok [astate]
[pulse][impurity] Add Pulse Java models for get and cast Summary: We consider Java collections to be like c++ std::vectors and add models for - `Collections.get(..)` - `__cast` Reviewed By: skcho Differential Revision: D18449607 fbshipit-source-id: 448206c84
5 years ago
let id_first_arg : model =
fun ~caller_summary:_ _ ~ret ~actuals astate ->
match actuals with
| (arg_access_hist, _) :: _ ->
Ok [PulseOperations.write_id (fst ret) arg_access_hist astate]
| _ ->
Ok [astate]
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
end
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
module C = struct
let free : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:_ ~actuals astate ->
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| [(deleted_access, _)] ->
[ocamlformat] Upgrade ocamlformat version Reviewed By: jvillard Differential Revision: D18162727 fbshipit-source-id: ffb9f7541
5 years ago
PulseOperations.invalidate location Invalidation.CFree deleted_access astate >>| List.return
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
| _ ->
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
end
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
module Cplusplus = struct
let delete : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:_ ~actuals astate ->
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| [(deleted_access, _)] ->
[pulse][2/9] add PulseInvalidation to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955286 fbshipit-source-id: 831491e47
5 years ago
PulseOperations.invalidate location Invalidation.CppDelete deleted_access astate
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
>>| List.return
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
| _ ->
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
let placement_new : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:(ret_id, _) ~actuals astate ->
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
let event = ValueHistory.Call {f= Model "<placement new>()"; location; in_call= []} in
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
match List.rev actuals with
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
| ((address, hist), _) :: _ ->
Ok [PulseOperations.write_id ret_id (address, event :: hist) astate]
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
| _ ->
Ok [PulseOperations.havoc_id ret_id [event] astate]
end
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
module StdBasicString = struct
let internal_string =
Typ.Fieldname.Clang.from_class_name
(Typ.CStruct (QualifiedCppName.of_list ["std"; "basic_string"]))
"__infer_model_backing_string"
let internal_string_access = HilExp.Access.FieldAccess internal_string
let to_internal_string location bstring astate =
PulseOperations.eval_access location bstring internal_string_access astate
let data : model =
fun ~caller_summary:_ location ~ret:(ret_id, _) ~actuals astate ->
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
let event = ValueHistory.Call {f= Model "std::basic_string::data()"; location; in_call= []} in
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
match actuals with
| [(this_hist, _)] ->
to_internal_string location this_hist astate
>>= fun (astate, string_addr_hist) ->
PulseOperations.eval_access location string_addr_hist Dereference astate
>>| fun (astate, (string, hist)) ->
[PulseOperations.write_id ret_id (string, event :: hist) astate]
| _ ->
Ok [PulseOperations.havoc_id ret_id [event] astate]
let destructor : model =
fun ~caller_summary:_ location ~ret:(ret_id, _) ~actuals astate ->
[pulse][1/9] create PulseBasicInterface, with CallEvent Summary: Problem: PulseDomain.ml is pretty big, and contains lots of small modules. The Infer build being a bit monolithic at the moment, it is hard to split all these small modules off without creating some confusion about which abstraction barries lay where. For instance, it's fine to use `PulseDomain.ValueHistory` anywhere, but using `PulseDomain` itself is sometimes bad when one should use `PulseAbductiveDomain` instead. Proposal: a poorman's library mechanism based on module aliasing. This stack of diffs creates new Pulse* modules for all these small, safe to use modules, together with `PulseBasicInterface.ml`, which aliases these modules to remove the `Pulse` prefix. At the end of the stack, it will contain: ``` module AbstractValue = PulseAbstractValue module Attribute = PulseAttribute module Attributes = PulseAttribute.Attributes module CallEvent = PulseCallEvent module Diagnostic = PulseDiagnostic module Invalidation = PulseInvalidation module Trace = PulseTrace module ValueHistory = PulseValueHistory ``` This "interface" module can be opened in other pulse modules freely. Reviewed By: ezgicicek Differential Revision: D17955104 fbshipit-source-id: 13d3aa2b5
5 years ago
let model = CallEvent.Model "std::basic_string::~basic_string()" in
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
let call_event = ValueHistory.Call {f= model; location; in_call= []} in
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
match actuals with
| [(this_hist, _)] ->
to_internal_string location this_hist astate
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
>>= fun (astate, (string_addr, string_hist)) ->
let string_addr_hist = (string_addr, call_event :: string_hist) in
PulseOperations.invalidate_deref location CppDelete string_addr_hist astate
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
>>= fun astate ->
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
PulseOperations.invalidate location CppDelete string_addr_hist astate
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
>>| fun astate -> [astate]
| _ ->
Ok [PulseOperations.havoc_id ret_id [call_event] astate]
end
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
module StdFunction = struct
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
let operator_call : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary location ~ret ~actuals astate ->
let havoc_ret (ret_id, _) astate =
[ocamlformat] Upgrade ocamlformat version Reviewed By: jvillard Differential Revision: D18162727 fbshipit-source-id: ffb9f7541
5 years ago
let event = ValueHistory.Call {f= Model "std::function::operator()"; location; in_call= []} in
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
[PulseOperations.havoc_id ret_id [event] astate]
in
match actuals with
| [] ->
Ok (havoc_ret ret astate)
| (lambda_ptr_hist, _) :: actuals -> (
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
PulseOperations.eval_access location lambda_ptr_hist Dereference astate
>>= fun (astate, (lambda, _)) ->
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
PulseOperations.Closures.check_captured_addresses location lambda astate
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
>>= fun astate ->
match PulseAbductiveDomain.Memory.get_closure_proc_name lambda astate with
| None ->
(* we don't know what proc name this lambda resolves to *) Ok (havoc_ret ret astate)
| Some callee_proc_name ->
PulseOperations.call ~caller_summary location callee_proc_name ~ret ~actuals astate )
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
end
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
module StdVector = struct
let internal_array =
Typ.Fieldname.Clang.from_class_name
(Typ.CStruct (QualifiedCppName.of_list ["std"; "vector"]))
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
"__infer_model_backing_array"
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
let internal_array_access = HilExp.Access.FieldAccess internal_array
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let to_internal_array location vector astate =
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
PulseOperations.eval_access location vector internal_array_access astate
[pulse] take array indices into account Summary: This will be useful to make the analysis more precise. In particular, it allows a disjunctive version of pulse to deal will deleting vector elements in a loop: without this, deleting an array element in one iteration will make the analysis think that the next array element is invalid too since they are all the same. By keep track of the index, we can detect when we are sure that two elements are the same and only report in that case. Reviewed By: ngorogiannis Differential Revision: D13431374 fbshipit-source-id: dae82deeb
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let element_of_internal_array location vector index astate =
to_internal_array location vector astate
>>= fun (astate, vector_internal_array) ->
PulseOperations.eval_access location vector_internal_array
(ArrayAccess (Typ.void, index))
astate
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let reallocate_internal_array trace vector vector_f location astate =
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
to_internal_array location vector astate
>>= fun (astate, array_address) ->
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
PulseOperations.invalidate_array_elements location (StdVector vector_f) array_address astate
>>= PulseOperations.invalidate_deref location (StdVector vector_f) array_address
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
>>= PulseOperations.havoc_field location vector internal_array trace
[pulse] Model std::vector::reserve to invalidate references to elements Summary: Similarly as `std::vector::push_back`, `std::vector::reserve` can invalidate the references to elements if the new size is bigger than the existing one. More info on `std::vector::reserve`: https://en.cppreference.com/w/cpp/container/vector/reserve Reviewed By: jvillard Differential Revision: D13340324 fbshipit-source-id: bf99b6923
6 years ago
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let invalidate_references vector_f : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:_ ~actuals astate ->
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| (vector, _) :: _ ->
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let crumb =
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
ValueHistory.Call
[pulse][2/9] add PulseInvalidation to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955286 fbshipit-source-id: 831491e47
5 years ago
{ f= Model (Format.asprintf "%a()" Invalidation.pp_std_vector_function vector_f)
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
; location
; in_call= [] }
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
in
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
reallocate_internal_array [crumb] vector vector_f location astate >>| List.return
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
| _ ->
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
[pulse][impurity] Add Pulse Java models for get and cast Summary: We consider Java collections to be like c++ std::vectors and add models for - `Collections.get(..)` - `__cast` Reviewed By: skcho Differential Revision: D18449607 fbshipit-source-id: 448206c84
5 years ago
let at ~desc : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret ~actuals astate ->
[pulse][impurity] Add Pulse Java models for get and cast Summary: We consider Java collections to be like c++ std::vectors and add models for - `Collections.get(..)` - `__cast` Reviewed By: skcho Differential Revision: D18449607 fbshipit-source-id: 448206c84
5 years ago
let event = ValueHistory.Call {f= Model desc; location; in_call= []} in
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| [(vector, _); (index, _)] ->
element_of_internal_array location vector (fst index) astate
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
>>| fun (astate, (addr, hist)) ->
[PulseOperations.write_id (fst ret) (addr, event :: hist) astate]
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
| _ ->
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
Ok [PulseOperations.havoc_id (fst ret) [event] astate]
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
let reserve : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:_ ~actuals astate ->
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| [(vector, _); _value] ->
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
let crumb = ValueHistory.Call {f= Model "std::vector::reserve()"; location; in_call= []} in
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
reallocate_internal_array [crumb] vector Reserve location astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
>>| PulseAbductiveDomain.Memory.std_vector_reserve (fst vector)
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
>>| List.return
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
| _ ->
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
let push_back : model =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
fun ~caller_summary:_ location ~ret:_ ~actuals astate ->
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
match actuals with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| [(vector, _); _value] ->
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
let crumb =
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
ValueHistory.Call {f= Model "std::vector::push_back()"; location; in_call= []}
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
in
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
if PulseAbductiveDomain.Memory.is_std_vector_reserved (fst vector) astate then
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
(* assume that any call to [push_back] is ok after one called [reserve] on the same vector
(a perfect analysis would also make sure we don't exceed the reserved size) *)
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
else
(* simulate a re-allocation of the underlying array every time an element is added *)
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
reallocate_internal_array [crumb] vector PushBack location astate >>| List.return
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
| _ ->
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
Ok [astate]
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
end
module ProcNameDispatcher = struct
[pulse][impurity] Add Pulse Java models for get and cast Summary: We consider Java collections to be like c++ std::vectors and add models for - `Collections.get(..)` - `__cast` Reviewed By: skcho Differential Revision: D18449607 fbshipit-source-id: 448206c84
5 years ago
let dispatch : (Tenv.t, model) ProcnameDispatcher.ProcName.dispatcher =
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
let open ProcnameDispatcher.ProcName in
make_dispatcher
[pulse] skip `folly::SocketAddress::~SocketAddress` Summary: The constructor of `folly::SocketAddress` conditionally deletes some object and then makes that condition false. The destructor then does the same. Pulse ignores conditionals so will see a double delete. Just skip that function for now, but it should be easy for pulse to be more correct here if it knew how to compare constant values. Reviewed By: mbouaziz Differential Revision: D16005395 fbshipit-source-id: 036f5091b
6 years ago
[ -"folly" &:: "DelayedDestruction" &:: "destroy" &--> Misc.skip
[pulse] skip `folly::Optional::reset()` Summary: Similar to D16005395: `folly::Optional` has a boolean field to know if it needs to destroy the wrapped object and pulse ignores that completely, causing false positives each time an `Optional` is created around something with a non-trivial destructor. Reviewed By: mbouaziz Differential Revision: D16030149 fbshipit-source-id: aeed4a0b3
6 years ago
; -"folly" &:: "Optional" &:: "reset" &--> Misc.skip
[pulse] skip `folly::SocketAddress::~SocketAddress` Summary: The constructor of `folly::SocketAddress` conditionally deletes some object and then makes that condition false. The destructor then does the same. Pulse ignores conditionals so will see a double delete. Just skip that function for now, but it should be easy for pulse to be more correct here if it knew how to compare constant values. Reviewed By: mbouaziz Differential Revision: D16005395 fbshipit-source-id: 036f5091b
6 years ago
; -"folly" &:: "SocketAddress" &:: "~SocketAddress" &--> Misc.skip
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
; -"std" &:: "basic_string" &:: "data" &--> StdBasicString.data
; -"std" &:: "basic_string" &:: "~basic_string" &--> StdBasicString.destructor
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
; -"std" &:: "function" &:: "operator()" &--> StdFunction.operator_call
; -"std" &:: "function" &:: "operator=" &--> Misc.shallow_copy "std::function::operator="
[pulse] model lambda captures Summary: When a lambda gets created, record the abstract addresses it captures, then complain if we see some of them be invalidated before it is called. Add a notion of "allocator" for reporting better messages. The messages are still a bit sucky, will need to improve them more generally at some point. ```  jul   lambda  ~  infer  1  infer -g --pulse-only -- clang -std=c++11 -c infer/tests/codetoanalyze/cpp/pulse/closures.cpp Logs in /home/jul/infer.fb/infer-out/logs Capturing in make/cc mode... Found 1 source file to analyze in /home/jul/infer.fb/infer-out Found 2 issues infer/tests/codetoanalyze/cpp/pulse/closures.cpp:21: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 20, column 3 past its lifetime (debug: 5). 19. f = [&s] { return s.f; }; 20. } // destructor for s called here 21. > return f(); // s used here 22. } 23. infer/tests/codetoanalyze/cpp/pulse/closures.cpp:30: error: USE_AFTER_DESTRUCTOR `&(f)` accesses address `s` captured by `&(f)` as `s` invalidated by destructor call `S_~S(s)` at line 29, column 3 past its lifetime (debug: 8). 28. f = [&] { return s.f; }; 29. } 30. > return f(); 31. } 32. Summary of the reports USE_AFTER_DESTRUCTOR: 2 ``` Reviewed By: da319 Differential Revision: D13400074 fbshipit-source-id: 3c68ff4ea
6 years ago
; -"std" &:: "vector" &:: "assign" &--> StdVector.invalidate_references Assign
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
; -"std" &:: "vector" &:: "clear" &--> StdVector.invalidate_references Clear
; -"std" &:: "vector" &:: "emplace" &--> StdVector.invalidate_references Emplace
; -"std" &:: "vector" &:: "emplace_back" &--> StdVector.invalidate_references EmplaceBack
; -"std" &:: "vector" &:: "insert" &--> StdVector.invalidate_references Insert
[pulse][impurity] Add Pulse Java models for get and cast Summary: We consider Java collections to be like c++ std::vectors and add models for - `Collections.get(..)` - `__cast` Reviewed By: skcho Differential Revision: D18449607 fbshipit-source-id: 448206c84
5 years ago
; -"std" &:: "vector" &:: "operator[]" &--> StdVector.at ~desc:"std::vector::at()"
[pulse] add model for `std::vector::reserve` using additional memory attribute Summary: Whenever `vec.reserve(n)` is called, remember that the vector is "reserved". When doing `vec.push_back(x)` on a reserved vector, assume enough size has been reserved in advance and do not invalidate the underlying array. This gets rid of false positives. Reviewed By: mbouaziz Differential Revision: D12939837 fbshipit-source-id: ce6354fc5
6 years ago
; -"std" &:: "vector" &:: "push_back" &--> StdVector.push_back
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
; -"std" &:: "vector" &:: "reserve" &--> StdVector.reserve
[pulse][impurity] Add Pulse Java models for get and cast Summary: We consider Java collections to be like c++ std::vectors and add models for - `Collections.get(..)` - `__cast` Reviewed By: skcho Differential Revision: D18449607 fbshipit-source-id: 448206c84
5 years ago
; -"std" &:: "vector" &:: "shrink_to_fit" &--> StdVector.invalidate_references ShrinkToFit
; +PatternMatch.implements_collection &:: "get" <>--> StdVector.at ~desc:"Collection.get()"
; -"__cast" <>--> Misc.id_first_arg ]
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
end
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
let builtins_dispatcher =
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
let builtins =
[ (BuiltinDecl.__delete, Cplusplus.delete)
[clang] leave markers of variable initialization for pulse Summary: When initialising a variable via semi-exotic means, the frontend loses the information that the variable was initialised. For instance, it translates: ``` struct Foo { int i; }; ... Foo s = {42}; ``` as: ``` s.i := 42 ``` This can be confusing for backends that need to know that `s` actually got initialised, eg pulse. The solution implemented here is to insert of dummy call to `__variable_initiazition`: ``` __variable_initialization(&s); s.i := 42; ``` Then checkers can recognise that this builtin function does what its name says. Reviewed By: mbouaziz Differential Revision: D12887122 fbshipit-source-id: 6e7214438
6 years ago
; (BuiltinDecl.__placement_new, Cplusplus.placement_new)
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
; (BuiltinDecl.abort, Misc.early_exit)
; (BuiltinDecl.exit, Misc.early_exit)
; (BuiltinDecl.free, C.free)
; (BuiltinDecl.objc_cpp_throw, Misc.early_exit) ]
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
in
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
let builtins_map =
Hashtbl.create
( module struct
include Typ.Procname
let hash = Caml.Hashtbl.hash
let sexp_of_t _ = assert false
end )
in
List.iter builtins ~f:(fun (builtin, model) ->
let open PolyVariantEqual in
assert (Hashtbl.add builtins_map ~key:builtin ~data:model = `Ok) ) ;
fun proc_name -> Hashtbl.find builtins_map proc_name
[pulse][impurity] Add Pulse Java models for get and cast Summary: We consider Java collections to be like c++ std::vectors and add models for - `Collections.get(..)` - `__cast` Reviewed By: skcho Differential Revision: D18449607 fbshipit-source-id: 448206c84
5 years ago
let dispatch tenv proc_name flags =
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
match builtins_dispatcher proc_name with
| Some _ as result ->
result
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
| None -> (
[pulse][impurity] Add Pulse Java models for get and cast Summary: We consider Java collections to be like c++ std::vectors and add models for - `Collections.get(..)` - `__cast` Reviewed By: skcho Differential Revision: D18449607 fbshipit-source-id: 448206c84
5 years ago
match ProcNameDispatcher.dispatch tenv proc_name with
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
| Some _ as result ->
result
| None ->
if flags.CallFlags.cf_noreturn then Some Misc.early_exit else None )