pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7e4f5ec43b'
${ noResults }
infer_clone/infer/tests/codetoanalyze/c/pulse/nullptr.c

166 lines
3.4 KiB
Raw Normal View History Unescape

[pulse] add a cache of constants to equate them Summary: When encountering a constant, pulse creates an abstract value (a variable) to represent it, and remembers that it's equal to it. The problem is that pulse doesn't yet know how to deal with the fact that some variables are going to be equal to each other. This hacks around this issue in the case of constants, within the same procedure, by remembering which constants have been assigned to which place-holder variables, and serving those variables again when the same constant is translated again. Limitation: this doesn't work across procedure calls as the "constant maps" are not saved in summaries. Something to look out for: we don't want to make `if (p == NULL)` create a path where `p` is invalid (we only make null invalid when we see an assignment from 0, i.e. `p = NULL;`). Reviewed By: ezgicicek Differential Revision: D21089961 fbshipit-source-id: 5ebb85d0a
5 years ago
/*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
#include <stdlib.h>
[pulse] Change to ExitProgram state when calling noreturn function Summary: Since D20736043 (https://github.com/facebook/infer/commit/d84fea52aeff1efde8eb25b080c6c5ca292b142f) is adding edges from the noreturn function node to exit node, analyzers should handle the state differently to normal states. Reviewed By: ezgicicek Differential Revision: D25402576 fbshipit-source-id: a98e41b0c
4 years ago
#include <stdnoreturn.h>
[pulse] add a cache of constants to equate them Summary: When encountering a constant, pulse creates an abstract value (a variable) to represent it, and remembers that it's equal to it. The problem is that pulse doesn't yet know how to deal with the fact that some variables are going to be equal to each other. This hacks around this issue in the case of constants, within the same procedure, by remembering which constants have been assigned to which place-holder variables, and serving those variables again when the same constant is translated again. Limitation: this doesn't work across procedure calls as the "constant maps" are not saved in summaries. Something to look out for: we don't want to make `if (p == NULL)` create a path where `p` is invalid (we only make null invalid when we see an assignment from 0, i.e. `p = NULL;`). Reviewed By: ezgicicek Differential Revision: D21089961 fbshipit-source-id: 5ebb85d0a
5 years ago
int* malloc_no_check_bad() {
[pulse] recency model for memory accesses Summary: Add a new data structure and use it for the map of memory accesses to limit the number of destinations reachable from a given address. This avoids remembering details of each index in large arrays, or even each field in large structs. Reviewed By: skcho Differential Revision: D18246091 fbshipit-source-id: 5d3974d9c
5 years ago
int* p = (int*)malloc(sizeof(int));
[pulse] add a cache of constants to equate them Summary: When encountering a constant, pulse creates an abstract value (a variable) to represent it, and remembers that it's equal to it. The problem is that pulse doesn't yet know how to deal with the fact that some variables are going to be equal to each other. This hacks around this issue in the case of constants, within the same procedure, by remembering which constants have been assigned to which place-holder variables, and serving those variables again when the same constant is translated again. Limitation: this doesn't work across procedure calls as the "constant maps" are not saved in summaries. Something to look out for: we don't want to make `if (p == NULL)` create a path where `p` is invalid (we only make null invalid when we see an assignment from 0, i.e. `p = NULL;`). Reviewed By: ezgicicek Differential Revision: D21089961 fbshipit-source-id: 5ebb85d0a
5 years ago
*p = 42;
return p;
}
void create_null_path_ok(int* p) {
if (p) {
*p = 32;
}
}
void call_create_null_path_then_deref_unconditionally_ok(int* p) {
create_null_path_ok(p);
*p = 52;
}
[pulse] no longer drop attributes of dead addresses Summary: When garbage-collecting addresses we would also remove their attributes. But even though the addresses are no longer allocated in the heap, they might show up in the formula and so we need to remember facts about them. This forces us to detect leaks closer to the point where addresses are deleted from the heap, in AbductiveDomain.ml. This is a nice refactoring in itself: doing so fixes some other FNs where we sometimes missed leak detection on dead addresses. This also makes it unecessary to simplify InstanceOf eagerly when variables get out of scope. Some new {folly,std}::optionals false positives that either are similar to existing ones or involve unmodelled smart pointers. Reviewed By: da319 Differential Revision: D28126103 fbshipit-source-id: e3a903282
4 years ago
void create_null_path2_latent(int* p) {
[pulse] add a cache of constants to equate them Summary: When encountering a constant, pulse creates an abstract value (a variable) to represent it, and remembers that it's equal to it. The problem is that pulse doesn't yet know how to deal with the fact that some variables are going to be equal to each other. This hacks around this issue in the case of constants, within the same procedure, by remembering which constants have been assigned to which place-holder variables, and serving those variables again when the same constant is translated again. Limitation: this doesn't work across procedure calls as the "constant maps" are not saved in summaries. Something to look out for: we don't want to make `if (p == NULL)` create a path where `p` is invalid (we only make null invalid when we see an assignment from 0, i.e. `p = NULL;`). Reviewed By: ezgicicek Differential Revision: D21089961 fbshipit-source-id: 5ebb85d0a
5 years ago
int* q = NULL;
if (p) {
*p = 32;
}
// arguably bogus to check p above but not here, but the above could
// also be macro-generated code so both reporting and not reporting
// are sort of justifiable
*p = 52;
}
// combine several of the difficulties above
[pulse] use term_eqs Summary: Whenever an equality "t = v" (t an arbitrary term, v a variable) is added (or "v = t"), remember the "t -> v" mapping after canonicalising t and v. Use this to detect when two variables are equal to the same term: `t = v` and `t = v'` now yields `v = v'` to be added to the equality relation of variables. This increases the precision of the arithmetic engine. Interestingly, the impact on most code I've tried is: 1. mostly same perfs as before, if a bit slower (could be within noise) 2. slightly more (latent) bugs reported in absolute numbers I would have expected it to be more expensive and yield fewer bugs (as fewer false positives), but there could be second-order effects at play here where we get more coverage. We definitely get more latent issues due to dereferencing pointers after testing nullness, as can be seen in the unit tests as well, which may alone explain (2). There's some complexity when adding term equalities where the term is linear, as we also need to add it to `linear_eqs` but `term_eqs` and `linear_eqs` are interested in slightly different normal forms. Reviewed By: skcho Differential Revision: D27331336 fbshipit-source-id: 7314e127a
4 years ago
void malloc_then_call_create_null_path_then_deref_unconditionally_latent(
int* p) {
[pulse] recency model for memory accesses Summary: Add a new data structure and use it for the map of memory accesses to limit the number of destinations reachable from a given address. This avoids remembering details of each index in large arrays, or even each field in large structs. Reviewed By: skcho Differential Revision: D18246091 fbshipit-source-id: 5d3974d9c
5 years ago
int* x = (int*)malloc(sizeof(int));
[pulse] add a cache of constants to equate them Summary: When encountering a constant, pulse creates an abstract value (a variable) to represent it, and remembers that it's equal to it. The problem is that pulse doesn't yet know how to deal with the fact that some variables are going to be equal to each other. This hacks around this issue in the case of constants, within the same procedure, by remembering which constants have been assigned to which place-holder variables, and serving those variables again when the same constant is translated again. Limitation: this doesn't work across procedure calls as the "constant maps" are not saved in summaries. Something to look out for: we don't want to make `if (p == NULL)` create a path where `p` is invalid (we only make null invalid when we see an assignment from 0, i.e. `p = NULL;`). Reviewed By: ezgicicek Differential Revision: D21089961 fbshipit-source-id: 5ebb85d0a
5 years ago
if (p) {
*p = 32;
}
create_null_path_ok(p);
*p = 52;
free(x);
}
[pulse] recency model for memory accesses Summary: Add a new data structure and use it for the map of memory accesses to limit the number of destinations reachable from a given address. This avoids remembering details of each index in large arrays, or even each field in large structs. Reviewed By: skcho Differential Revision: D18246091 fbshipit-source-id: 5d3974d9c
5 years ago
// pulse should remember the value of vec[64] because it was just written to
void nullptr_deref_young_bad(int* x) {
int* vec[65] = {x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
x, x, x, x, x, x, x, x, x, x, x, x, x, NULL};
int p = *vec[64];
}
// due to the recency model of memory accesses, vec[0] can get forgotten
// by the time we have processed the last element of the
// initialization so we don't report here
[pulse] use term_eqs Summary: Whenever an equality "t = v" (t an arbitrary term, v a variable) is added (or "v = t"), remember the "t -> v" mapping after canonicalising t and v. Use this to detect when two variables are equal to the same term: `t = v` and `t = v'` now yields `v = v'` to be added to the equality relation of variables. This increases the precision of the arithmetic engine. Interestingly, the impact on most code I've tried is: 1. mostly same perfs as before, if a bit slower (could be within noise) 2. slightly more (latent) bugs reported in absolute numbers I would have expected it to be more expensive and yield fewer bugs (as fewer false positives), but there could be second-order effects at play here where we get more coverage. We definitely get more latent issues due to dereferencing pointers after testing nullness, as can be seen in the unit tests as well, which may alone explain (2). There's some complexity when adding term equalities where the term is linear, as we also need to add it to `linear_eqs` but `term_eqs` and `linear_eqs` are interested in slightly different normal forms. Reviewed By: skcho Differential Revision: D27331336 fbshipit-source-id: 7314e127a
4 years ago
void FN_nullptr_deref_old_bad(int* x) {
[pulse] recency model for memory accesses Summary: Add a new data structure and use it for the map of memory accesses to limit the number of destinations reachable from a given address. This avoids remembering details of each index in large arrays, or even each field in large structs. Reviewed By: skcho Differential Revision: D18246091 fbshipit-source-id: 5d3974d9c
5 years ago
int* vec[65] = {NULL, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
x, x, x, x, x, x, x, x, x, x, x, x, x, x};
int p = *vec[0];
}
[pulse] revamp arithmetic, put everything in the path condition Summary: List of things happening in this unreviewable diff: - moved PulsePathCondition to PulseSledge - renamed --pulse-path-conditions to --pudge - PulsePathCondition now contains all the arithmetic of pulse (inferbo+concrete intervals+pudge). In particular, moved arithmetic attributes into PulsePathCondition.t. PulsePathCondition plays the role of PulseArithmetic (combining all domains). - added tests for a false positive involving free() - PulseArithmetic is now just a thin wrapper around PulsePathCondition to operate on states directly (instead of on path conditions). - The rest is mostly moving code into PulsePathCondition (eg, from PulseInterproc) and adjusting it. Reviewed By: jberdine Differential Revision: D21332073 fbshipit-source-id: 184c8e0a9
5 years ago
void malloc_free_ok() {
int* p = (int*)malloc(sizeof(int));
free(p);
}
void wrap_free(void* p) { free(p); }
[pulse] require ptr>0 in free() Summary: Resolves a false positive. Reviewed By: skcho Differential Revision: D21332074 fbshipit-source-id: a0c962b91
5 years ago
void interproc_free_ok() {
[pulse] revamp arithmetic, put everything in the path condition Summary: List of things happening in this unreviewable diff: - moved PulsePathCondition to PulseSledge - renamed --pulse-path-conditions to --pudge - PulsePathCondition now contains all the arithmetic of pulse (inferbo+concrete intervals+pudge). In particular, moved arithmetic attributes into PulsePathCondition.t. PulsePathCondition plays the role of PulseArithmetic (combining all domains). - added tests for a false positive involving free() - PulseArithmetic is now just a thin wrapper around PulsePathCondition to operate on states directly (instead of on path conditions). - The rest is mostly moving code into PulsePathCondition (eg, from PulseInterproc) and adjusting it. Reviewed By: jberdine Differential Revision: D21332073 fbshipit-source-id: 184c8e0a9
5 years ago
int* p = (int*)malloc(sizeof(int));
wrap_free(p);
}
[pulse] Change to ExitProgram state when calling noreturn function Summary: Since D20736043 (https://github.com/facebook/infer/commit/d84fea52aeff1efde8eb25b080c6c5ca292b142f) is adding edges from the noreturn function node to exit node, analyzers should handle the state differently to normal states. Reviewed By: ezgicicek Differential Revision: D25402576 fbshipit-source-id: a98e41b0c
4 years ago
noreturn void no_return();
void wrap_malloc(int** x) {
*x = (int*)malloc(sizeof(int));
if (!*x) {
no_return();
}
}
void call_no_return_good() {
int* x = NULL;
wrap_malloc(&x);
*x = 5;
free(x);
}
[pulse] FN about bug after malloc Reviewed By: jvillard Differential Revision: D27228212 fbshipit-source-id: 5f1fb629e
4 years ago
[pulse] make sure we do not leak local mutations of formals into the summary Summary: Before returning a summary, restore formals to their initial values. This gets rid of a false latent because the value in the path condition is now garbage-collected. Added a test for the tricky case of structs passed as values. Reviewed By: skcho Differential Revision: D28001229 fbshipit-source-id: 23dda5b43
4 years ago
void bug_after_malloc_result_test_bad(int* x) {
[pulse] FN about bug after malloc Reviewed By: jvillard Differential Revision: D27228212 fbshipit-source-id: 5f1fb629e
4 years ago
x = (int*)malloc(sizeof(int));
if (x) {
int* y = NULL;
*y = 42;
}
}
[pulse][isl] manifest errors Reviewed By: jvillard Differential Revision: D27405377 fbshipit-source-id: e69e02c0d
4 years ago
void bug_after_abduction_bad(int* x) {
*x = 42;
int* y = NULL;
*y = 42;
}
void bug_with_allocation_bad(int* x) {
x = (int*)malloc(sizeof(int*));
int* y = NULL;
*y = 42;
}
[pulse] no longer drop attributes of dead addresses Summary: When garbage-collecting addresses we would also remove their attributes. But even though the addresses are no longer allocated in the heap, they might show up in the formula and so we need to remember facts about them. This forces us to detect leaks closer to the point where addresses are deleted from the heap, in AbductiveDomain.ml. This is a nice refactoring in itself: doing so fixes some other FNs where we sometimes missed leak detection on dead addresses. This also makes it unecessary to simplify InstanceOf eagerly when variables get out of scope. Some new {folly,std}::optionals false positives that either are similar to existing ones or involve unmodelled smart pointers. Reviewed By: da319 Differential Revision: D28126103 fbshipit-source-id: e3a903282
4 years ago
void null_alias_bad(int* x) {
int* y = NULL;
x = (int*)malloc(sizeof(int*));
*x = 42;
}
[pulse][1/5] add a test that we report on the first null access Summary: Spoiler alert: we don't. The next diffs fix that. When there are several invalid accesses to report at a function call instruction, we want to report the first one to occur within the function. This is to avoid confusing reports where pulse reports, eg, a null dereference for a pointer at a point where it's already been dereferenced before in the same function. Reviewed By: skcho Differential Revision: D28674730 fbshipit-source-id: acb029e4b
4 years ago
[pulse][4/5] add a path context to record timestamps Summary: Add a new `PathContext.t` component to the abstract state. For now it tracks only the current "timestamp" of symbolic execution inside the procedure, i.e. which step of symbolic execution we are in (bumped by 1 each time we've executed one instruction). In the future this will also hold, eg, which conditionals we've been through on the path (for reporting traces with that information). Most of the diff is about propagating the path context through many of the APIs. We use timestamps only in `MustBeValid` attributes to report the first incorrect access in a function call for now. Reviewed By: skcho Differential Revision: D28674726 fbshipit-source-id: 2cd825e73
4 years ago
void dereference(int* p) { *p; }
[pulse][1/5] add a test that we report on the first null access Summary: Spoiler alert: we don't. The next diffs fix that. When there are several invalid accesses to report at a function call instruction, we want to report the first one to occur within the function. This is to avoid confusing reports where pulse reports, eg, a null dereference for a pointer at a point where it's already been dereferenced before in the same function. Reviewed By: skcho Differential Revision: D28674730 fbshipit-source-id: acb029e4b
4 years ago
void several_dereferences_ok(int* x, int* y, int* z) {
int* p = x;
*z = 52;
[pulse][4/5] add a path context to record timestamps Summary: Add a new `PathContext.t` component to the abstract state. For now it tracks only the current "timestamp" of symbolic execution inside the procedure, i.e. which step of symbolic execution we are in (bumped by 1 each time we've executed one instruction). In the future this will also hold, eg, which conditionals we've been through on the path (for reporting traces with that information). Most of the diff is about propagating the path context through many of the APIs. We use timestamps only in `MustBeValid` attributes to report the first incorrect access in a function call for now. Reviewed By: skcho Differential Revision: D28674726 fbshipit-source-id: 2cd825e73
4 years ago
dereference(y);
[pulse][1/5] add a test that we report on the first null access Summary: Spoiler alert: we don't. The next diffs fix that. When there are several invalid accesses to report at a function call instruction, we want to report the first one to occur within the function. This is to avoid confusing reports where pulse reports, eg, a null dereference for a pointer at a point where it's already been dereferenced before in the same function. Reviewed By: skcho Differential Revision: D28674730 fbshipit-source-id: acb029e4b
4 years ago
*y = 42;
*x = 32;
*x = 777;
*y = 888;
*z = 999;
}
void report_correct_error_among_multiple_bad() {
int* p = NULL;
// the trace should complain about the first access inside the callee
several_dereferences_ok(p, p, p);
}
[pulse] functional unknown functions Summary: Unknown functions may create false positives as well as false negatives for Pulse. Let's consider that unknown functions behave "functionally", or at least that a functional behaviour is a possible behaviour for them: when called with the same parameter values, they should return the same value. This is implemented purely in the arithmetic domain by recording `v_return = f_unknown(v1, v2, ..., vN)` for each call to unknown functions `f_unknown` with values `v1`, `v2`, ..., `vN` (and return `v_return`). The hope is that this will create more false negatives than false positives, as several FPs have been observed on real code that would be suppressed with this heuristic. The other effect this has on reports is to record hypotheses made on the return values of unknown functions into the "pruned" part of formulas, which inhibits reporting on paths whose feasibility depends on the return value of unknown functions (by making these issues latent instead). This should allow us to control the amount of FPs until we model more functions. Reviewed By: skcho Differential Revision: D27798275 fbshipit-source-id: d31cfb8b6
4 years ago
int unknown(int x);
void unknown_is_functional_ok() {
int* p = NULL;
if (unknown(10) != unknown(10)) {
*p = 42;
}
}
void unknown_with_different_values_bad() {
int* p = NULL;
if (unknown(32) != unknown(52)) {
*p = 42;
}
}
void unknown_from_parameters_latent(int x) {
int* p = NULL;
if (unknown(x) == 999) {
*p = 42;
}
}