pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '86a1bbf1a7'
${ noResults }
infer_clone/sledge/src/control.ml

502 lines
16 KiB
Raw Normal View History Unescape

[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
(** Iterative Breadth-First Bounded Exploration
The analysis' semantics of control flow. *)
[sledge] Function summarization: solver can show pre Summary: This diff is preparation for function summarization and focuses on function calls and function summary precondition computation. It introduces `-function-summaries` flag behind most of functionality is hidden, when enabled on each call * A function summary is computed by quantifying all the non-formal/global variables and removing all the segments that are not reachable from them * `pre` and `foot` are computed from function summary and the calling context by replacing formals with actuals again. * A solver is asked if `pre` entails `foot` and a frame is printed if it does Currently this only works for formulas without disjunctions, so when function summaries are enabled, that state is first moved to dnf and then the call is done for each disjunct. Reviewed By: ngorogiannis Differential Revision: D15898928 fbshipit-source-id: 49d32504c
6 years ago
type exec_opts = {bound: int; skip_throw: bool; function_summaries: bool}
[sledge] Add CL option to disable exceptions Summary: Disable exceptional control flow - treat throw as unreachable - confidence in the correctness of the frontend's treatment of exception handling is very low, and making summaries that are expressive enough to talk about exceptions is a complication that isn't needed for the first iteration To facilitate, start on a struct that holds all the CL options. Reviewed By: jberdine, jvillard Differential Revision: D15713601 fbshipit-source-id: ee92dfbd8
6 years ago
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
module Stack : sig
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
type t
type as_inlined_location = t [@@deriving compare, sexp_of]
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
val empty : t
val push_call :
[sledge] Add formal parameters to functions for return values Summary: This diff adds a formal parameter to each non-void-returning function to name the return value, and similarly a formal parameter for the thrown exception value. These are interpreted as call-by-reference parameters, so that they can be constrained in formulas to e.g. be equal to the return value, and are still in scope when the function returns, and so can be passed to the return block. Prior to summarizing functions, this means that these formals need to be tracked on the analyzer's control stack. This will be needed to express function specs/summaries in terms of formals, and fixes a bug where in some cases return values were not tracked correctly. Reviewed By: kren1 Differential Revision: D15738026 fbshipit-source-id: fff2d107c
6 years ago
Llair.block
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
-> retreating:bool
[sledge] Fix bound not bounding recursion Summary: Sledge does not terminate on programs with recursion, because functions get "infinitely inlined" and therefore recursion is not treated as retreating edge. This patch bounds the number of times the same function can "inlined" to respect the bound (`-b` option). On each call we check the number of occurances of the called function in the call stack. If that is higher than the bound, we skip it. Reviewed By: jvillard Differential Revision: D15577134 fbshipit-source-id: 4cd3b62c6
6 years ago
-> bound:int
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
-> return:Llair.jump
-> Domain.from_call
-> ?throw:Llair.jump
-> t
[sledge] Fix bound not bounding recursion Summary: Sledge does not terminate on programs with recursion, because functions get "infinitely inlined" and therefore recursion is not treated as retreating edge. This patch bounds the number of times the same function can "inlined" to respect the bound (`-b` option). On each call we check the number of occurances of the called function in the call stack. If that is higher than the bound, we skip it. Reviewed By: jvillard Differential Revision: D15577134 fbshipit-source-id: 4cd3b62c6
6 years ago
-> t option
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
val pop_return : t -> (Domain.from_call * Llair.jump * t) option
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
val pop_throw :
t
-> init:'a
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
-> unwind:(Var.t list -> Var.Set.t -> Domain.from_call -> 'a -> 'a)
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
-> (Domain.from_call * Llair.jump * t * 'a) option
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
end = struct
type t =
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
| Return of
{ retreating: bool
(** return from a call not known to be nonrecursive *)
; dst: Llair.Jump.t
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
; params: Var.t list
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
; locals: Var.Set.t
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
; from_call: Domain.from_call
; stk: t }
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
| Throw of Llair.Jump.t * t
| Empty
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
[@@deriving sexp_of]
type as_inlined_location = t [@@deriving sexp_of]
(* Treat a stack as a code location in a hypothetical expansion of the
program where all non-recursive functions have been completely inlined.
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
In particular, this means to compare stacks as if all Return frames for
recursive calls had been removed. Additionally, the from_call info in
Return frames is ignored. *)
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
let rec compare_as_inlined_location x y =
if x == y then 0
else
match (x, y) with
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
| Return {retreating= true; stk= x}, y
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
|x, Return {retreating= true; stk= y} ->
compare_as_inlined_location x y
| Return {dst= j; stk= x}, Return {dst= k; stk= y} -> (
match Llair.Jump.compare j k with
| 0 -> compare_as_inlined_location x y
| n -> n )
| Return _, _ -> -1
| _, Return _ -> 1
| Throw (j, x), Throw (k, y) -> (
match Llair.Jump.compare j k with
| 0 -> compare_as_inlined_location x y
| n -> n )
| Throw _, _ -> -1
| _, Throw _ -> 1
| Empty, Empty -> 0
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
let rec print_abbrev fs = function
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
| Return {retreating= false; stk= s} ->
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
print_abbrev fs s ;
Format.pp_print_char fs 'R'
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
| Return {retreating= true; stk= s} ->
print_abbrev fs s ;
Format.pp_print_string fs "R↑"
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
| Throw (_, s) ->
print_abbrev fs s ;
Format.pp_print_char fs 'T'
| Empty -> ()
let invariant s =
Invariant.invariant [%here] s [%sexp_of: t]
@@ fun () ->
match s with
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
| Return _ | Throw (_, Return _) | Empty -> ()
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
| Throw _ -> fail "malformed stack: %a" print_abbrev s ()
let empty = Empty |> check invariant
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
let push_return ~retreating dst params locals from_call stk =
Return {retreating; dst; params; locals; from_call; stk}
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
|> check invariant
let push_throw jmp stk =
(match jmp with None -> stk | Some jmp -> Throw (jmp, stk))
|> check invariant
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
let push_call (entry : Llair.block) ~retreating ~bound ~return from_call
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
?throw stk =
[sledge] Fix bound not bounding recursion Summary: Sledge does not terminate on programs with recursion, because functions get "infinitely inlined" and therefore recursion is not treated as retreating edge. This patch bounds the number of times the same function can "inlined" to respect the bound (`-b` option). On each call we check the number of occurances of the called function in the call stack. If that is higher than the bound, we skip it. Reviewed By: jvillard Differential Revision: D15577134 fbshipit-source-id: 4cd3b62c6
6 years ago
[%Trace.call fun {pf} -> pf "%a" print_abbrev stk]
;
let rec count_f_in_stack acc f = function
| Return {stk= next_frame; dst= dest_block} ->
count_f_in_stack
(if Llair.Jump.equal dest_block f then acc + 1 else acc)
f next_frame
| _ -> acc
in
let n = count_f_in_stack 0 return stk in
( if n > bound then None
else
Some
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
(push_throw throw
(push_return ~retreating return entry.params entry.parent.locals
from_call stk)) )
[sledge] Fix bound not bounding recursion Summary: Sledge does not terminate on programs with recursion, because functions get "infinitely inlined" and therefore recursion is not treated as retreating edge. This patch bounds the number of times the same function can "inlined" to respect the bound (`-b` option). On each call we check the number of occurances of the called function in the call stack. If that is higher than the bound, we skip it. Reviewed By: jvillard Differential Revision: D15577134 fbshipit-source-id: 4cd3b62c6
6 years ago
|>
[%Trace.retn fun {pf} _ ->
pf "%d of %a on stack" n Llair.Jump.pp return]
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
let rec pop_return = function
| Throw (_, stk) -> pop_return stk
| Return {from_call; dst; stk} -> Some (from_call, dst, stk)
| Empty -> None
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
let pop_throw stk ~init ~unwind =
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
let rec pop_throw_ state = function
| Return {params; locals; from_call; stk} ->
pop_throw_ (unwind params locals from_call state) stk
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
| Throw (dst, Return {from_call; stk}) ->
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
Some (from_call, dst, stk, state)
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
| Empty -> None
| Throw _ as stk -> violates invariant stk
in
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
pop_throw_ init stk
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
end
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
module Work : sig
type t
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
val init : Domain.t -> Llair.block -> int -> t
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
type x
val skip : x
val seq : x -> x -> x
val add :
?prev:Llair.block
-> retreating:bool
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
-> Stack.t
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
-> Domain.t
-> Llair.block
-> x
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
val run : f:(Stack.t -> Domain.t -> Llair.block -> x) -> t -> unit
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
end = struct
module Edge = struct
module T = struct
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
type t =
{ dst: Llair.Block.t
; src: Llair.Block.t option
; stk: Stack.as_inlined_location }
[@@deriving compare, sexp_of]
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
end
include T
include Comparator.Make (T)
let pp fs {dst; src} =
Format.fprintf fs "#%i %s <--%a" dst.sort_index dst.lbl
(Option.pp "%a" (fun fs (src : Llair.Block.t) ->
Format.fprintf fs " #%i %s" src.sort_index src.lbl ))
src
end
module Depths = struct
type t = int Map.M(Edge).t
let empty = Map.empty (module Edge)
let find = Map.find
let set = Map.set
let join x y =
Map.merge x y ~f:(fun ~key:_ -> function
| `Left d | `Right d -> Some d
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
| `Both (d1, d2) -> Some (Int.max d1 d2) )
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
end
[sledge] Compare stack component of edges as a inlined code location Summary: When comparing stacks as part of a control-flow edge, treat each as a code location in a hypothetical expansion of the program where all non-recursive functions have been completely inlined. In particular, this means to compare stacks as if all Locals frames or Return frames for recursive calls had been removed. Additionally, the from_call info in Return frames is ignored. Reviewed By: jvillard Differential Revision: D14657601 fbshipit-source-id: b8a42d3fa
6 years ago
type priority = int * Edge.t [@@deriving compare]
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
type priority_queue = priority Fheap.t
type waiting_states = (Domain.t * Depths.t) list Map.M(Llair.Block).t
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
type t = priority_queue * waiting_states * int
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
type x = Depths.t -> t -> t
[sledge] Print pre/post on function return Summary: Print pre- and post- conditions (aka, summaries) when analyzer hits a function return - plumbing the precondition through the analyzer so that it is available when return is hit Reviewed By: jberdine Differential Revision: D15713725 fbshipit-source-id: b10b6206f
6 years ago
let empty_waiting_states : waiting_states = Map.empty (module Llair.Block)
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
let pp_priority fs (n, e) = Format.fprintf fs "%i: %a" n Edge.pp e
let pp fs pq =
Format.fprintf fs "@[%a@]"
(List.pp " ::@ " pp_priority)
(Sequence.to_list (Fheap.to_sequence pq))
let skip _ w = w
let seq x y d w = y d (x d w)
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
let add ?prev ~retreating stk state curr depths ((pq, ws, bound) as work)
=
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
let edge = {Edge.dst= curr; src= prev; stk} in
let depth = Option.value (Depths.find depths edge) ~default:0 in
let depth = if retreating then depth + 1 else depth in
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
if depth > bound then (
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
[%Trace.info "prune: %i: %a" depth Edge.pp edge] ;
work )
else
let pq = Fheap.add pq (depth, edge) in
[%Trace.info "@[<6>enqueue %i: %a@ | %a@]" depth Edge.pp edge pp pq] ;
let depths = Depths.set depths ~key:edge ~data:depth in
let ws = Map.add_multi ws ~key:curr ~data:(state, depths) in
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
(pq, ws, bound)
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
let init state curr bound =
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
add ~retreating:false Stack.empty state curr Depths.empty
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
(Fheap.create ~cmp:compare_priority, empty_waiting_states, bound)
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
let rec run ~f (pq0, ws, bnd) =
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
match Fheap.pop pq0 with
| Some ((_, ({Edge.dst; stk} as edge)), pq) -> (
match Map.find_and_remove ws dst with
| Some (state :: states, ws) ->
let join (qa, da) (q, d) = (Domain.join q qa, Depths.join d da) in
let qs, depths = List.fold ~f:join ~init:state states in
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
run ~f (f stk qs dst depths (pq, ws, bnd))
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
| _ ->
[%Trace.info "done: %a" Edge.pp edge] ;
[sledge] Make execution bound part of the work queue Summary: No need for it to be global mutable state Reviewed By: ngorogiannis Differential Revision: D15468706 fbshipit-source-id: 840fa8c83
6 years ago
run ~f (pq, ws, bnd) )
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
| None -> [%Trace.info "queue empty"] ; ()
end
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
let exec_goto stk state block ({dst; retreating} : Llair.jump) =
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
Work.add ~prev:block ~retreating stk state dst
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
let exec_jump ?temps stk state block ({dst; args} as jmp : Llair.jump) =
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
let state = Domain.jump args dst.params ?temps state in
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
exec_goto stk state block jmp
[sledge] Actually use function summaries Summary: If function summaries are enabled calling a function first tries to apply a summary, if succesful, it directly jumps to the return site of the call. Otherwise it proceeds as before. Reviewed By: jvillard Differential Revision: D16201251 fbshipit-source-id: cec52e0e5
5 years ago
let summary_table = Hashtbl.create (module Var)
[sledge] Generate and apply summaries Summary: Define a new function summary type and compute it on function return. As an intermediary step also apply the just computed summary to function pre so it can be compared to what was actually computed. Reviewed By: jvillard Differential Revision: D16149833 fbshipit-source-id: b826c17e8
5 years ago
[sledge] Add CL option to disable exceptions Summary: Disable exceptional control flow - treat throw as unreachable - confidence in the correctness of the frontend's treatment of exception handling is very low, and making summaries that are expressive enough to talk about exceptions is a complication that isn't needed for the first iteration To facilitate, start on a struct that holds all the CL options. Reviewed By: jberdine, jvillard Differential Revision: D15713601 fbshipit-source-id: ee92dfbd8
6 years ago
let exec_call ~opts stk state block ({dst; args; retreating} : Llair.jump)
[sledge] Function summarization: solver can show pre Summary: This diff is preparation for function summarization and focuses on function calls and function summary precondition computation. It introduces `-function-summaries` flag behind most of functionality is hidden, when enabled on each call * A function summary is computed by quantifying all the non-formal/global variables and removing all the segments that are not reachable from them * `pre` and `foot` are computed from function summary and the calling context by replacing formals with actuals again. * A solver is asked if `pre` entails `foot` and a frame is printed if it does Currently this only works for formulas without disjunctions, so when function summaries are enabled, that state is first moved to dnf and then the call is done for each disjunct. Reviewed By: ngorogiannis Differential Revision: D15898928 fbshipit-source-id: 49d32504c
6 years ago
(return : Llair.jump) throw globals =
[sledge] Print pre/post on function return Summary: Print pre- and post- conditions (aka, summaries) when analyzer hits a function return - plumbing the precondition through the analyzer so that it is available when return is hit Reviewed By: jberdine Differential Revision: D15713725 fbshipit-source-id: b10b6206f
6 years ago
[%Trace.call fun {pf} ->
pf "%a from %a" Var.pp dst.parent.name.var Var.pp
return.dst.parent.name.var]
;
[sledge] Function summarization: solver can show pre Summary: This diff is preparation for function summarization and focuses on function calls and function summary precondition computation. It introduces `-function-summaries` flag behind most of functionality is hidden, when enabled on each call * A function summary is computed by quantifying all the non-formal/global variables and removing all the segments that are not reachable from them * `pre` and `foot` are computed from function summary and the calling context by replacing formals with actuals again. * A solver is asked if `pre` entails `foot` and a frame is printed if it does Currently this only works for formulas without disjunctions, so when function summaries are enabled, that state is first moved to dnf and then the call is done for each disjunct. Reviewed By: ngorogiannis Differential Revision: D15898928 fbshipit-source-id: 49d32504c
6 years ago
let dnf_states =
if opts.function_summaries then Domain.dnf state else [state]
in
[sledge] Actually use function summaries Summary: If function summaries are enabled calling a function first tries to apply a summary, if succesful, it directly jumps to the return site of the call. Otherwise it proceeds as before. Reviewed By: jvillard Differential Revision: D16201251 fbshipit-source-id: cec52e0e5
5 years ago
let locals = dst.parent.locals in
let domain_call = Domain.call args dst.params locals globals in
[sledge] Function summarization: solver can show pre Summary: This diff is preparation for function summarization and focuses on function calls and function summary precondition computation. It introduces `-function-summaries` flag behind most of functionality is hidden, when enabled on each call * A function summary is computed by quantifying all the non-formal/global variables and removing all the segments that are not reachable from them * `pre` and `foot` are computed from function summary and the calling context by replacing formals with actuals again. * A solver is asked if `pre` entails `foot` and a frame is printed if it does Currently this only works for formulas without disjunctions, so when function summaries are enabled, that state is first moved to dnf and then the call is done for each disjunct. Reviewed By: ngorogiannis Differential Revision: D15898928 fbshipit-source-id: 49d32504c
6 years ago
List.fold ~init:Work.skip dnf_states ~f:(fun acc state ->
[sledge] Actually use function summaries Summary: If function summaries are enabled calling a function first tries to apply a summary, if succesful, it directly jumps to the return site of the call. Otherwise it proceeds as before. Reviewed By: jvillard Differential Revision: D16201251 fbshipit-source-id: cec52e0e5
5 years ago
let maybe_summary_post =
if opts.function_summaries then
let state = fst (domain_call ~summaries:false state) in
Hashtbl.find summary_table dst.parent.name.var
>>= List.find_map ~f:(Domain.apply_summary state)
else None
[sledge] Function summarization: solver can show pre Summary: This diff is preparation for function summarization and focuses on function calls and function summary precondition computation. It introduces `-function-summaries` flag behind most of functionality is hidden, when enabled on each call * A function summary is computed by quantifying all the non-formal/global variables and removing all the segments that are not reachable from them * `pre` and `foot` are computed from function summary and the calling context by replacing formals with actuals again. * A solver is asked if `pre` entails `foot` and a frame is printed if it does Currently this only works for formulas without disjunctions, so when function summaries are enabled, that state is first moved to dnf and then the call is done for each disjunct. Reviewed By: ngorogiannis Differential Revision: D15898928 fbshipit-source-id: 49d32504c
6 years ago
in
[sledge] Actually use function summaries Summary: If function summaries are enabled calling a function first tries to apply a summary, if succesful, it directly jumps to the return site of the call. Otherwise it proceeds as before. Reviewed By: jvillard Differential Revision: D16201251 fbshipit-source-id: cec52e0e5
5 years ago
[%Trace.info
"Maybe summary post: %a"
(Option.pp "%a" Domain.pp)
maybe_summary_post] ;
match maybe_summary_post with
| None ->
let state, from_call =
domain_call ~summaries:opts.function_summaries state
in
Work.seq acc
( match
Stack.push_call ~bound:opts.bound dst ~retreating ~return
from_call ?throw stk
with
| Some stk -> Work.add stk ~prev:block ~retreating state dst
| None -> Work.skip )
| Some post -> Work.seq acc (exec_goto stk post block return) )
[sledge] Print pre/post on function return Summary: Print pre- and post- conditions (aka, summaries) when analyzer hits a function return - plumbing the precondition through the analyzer so that it is available when return is hit Reviewed By: jberdine Differential Revision: D15713725 fbshipit-source-id: b10b6206f
6 years ago
|>
[%Trace.retn fun {pf} _ -> pf ""]
[sledge] Add printing of some variables in bold Summary: Add a `-color` option to sledge, that prints variable that are existentially bound as bold. Reviewed By: ngorogiannis Differential Revision: D16088750 fbshipit-source-id: bd21cb8a0
5 years ago
let pp_st _ =
[%Trace.printf
"@[<v>%t@]" (fun fs ->
Hashtbl.iteri summary_table ~f:(fun ~key ~data ->
Format.fprintf fs "@[<v>%a:@ @[%a@]@]@ " Var.pp key
[sledge] Generate and apply summaries Summary: Define a new function summary type and compute it on function return. As an intermediary step also apply the just computed summary to function pre so it can be compared to what was actually computed. Reviewed By: jvillard Differential Revision: D16149833 fbshipit-source-id: b826c17e8
5 years ago
(List.pp "@," State_domain.pp_function_summary)
data ) )]
[sledge] Add printing of some variables in bold Summary: Add a `-color` option to sledge, that prints variable that are existentially bound as bold. Reviewed By: ngorogiannis Differential Revision: D16088750 fbshipit-source-id: bd21cb8a0
5 years ago
[sledge] Generate and apply summaries Summary: Define a new function summary type and compute it on function return. As an intermediary step also apply the just computed summary to function pre so it can be compared to what was actually computed. Reviewed By: jvillard Differential Revision: D16149833 fbshipit-source-id: b826c17e8
5 years ago
let exec_return ~opts stk pre_state (block : Llair.block) exp globals =
[%Trace.call fun {pf} -> pf "from %a" Var.pp block.parent.name.var]
[sledge] Print pre/post on function return Summary: Print pre- and post- conditions (aka, summaries) when analyzer hits a function return - plumbing the precondition through the analyzer so that it is available when return is hit Reviewed By: jberdine Differential Revision: D15713725 fbshipit-source-id: b10b6206f
6 years ago
;
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
( match Stack.pop_return stk with
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
| Some (from_call, retn_site, stk) ->
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
let freturn = block.parent.freturn in
let exit_state =
match (freturn, exp) with
| Some freturn, Some return_val ->
Domain.exec_return pre_state freturn return_val
| None, None -> pre_state
| _ -> violates Llair.Func.invariant block.parent
in
[sledge] Disable creating of summaries when summaries disabled Summary: Fix a bug where summaries would be created even if summarisation option is disabled. Reviewed By: jvillard Differential Revision: D16259761 fbshipit-source-id: f7319ef03
5 years ago
let exit_state =
if opts.function_summaries then (
let globals =
Var.Set.of_vector
(Vector.map globals ~f:(fun (g : Global.t) -> g.var))
in
let function_summary, exit_state =
Domain.create_summary ~locals:block.parent.locals exit_state
~formals:
(Set.union
(Var.Set.of_list block.parent.entry.params)
globals)
in
Hashtbl.add_multi summary_table ~key:block.parent.name.var
~data:function_summary ;
pp_st () ;
exit_state )
else exit_state
[sledge] Generate and apply summaries Summary: Define a new function summary type and compute it on function return. As an intermediary step also apply the just computed summary to function pre so it can be compared to what was actually computed. Reviewed By: jvillard Differential Revision: D16149833 fbshipit-source-id: b826c17e8
5 years ago
in
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
let post_state =
Domain.post block.parent.locals from_call exit_state
in
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
let retn_state =
Domain.retn block.parent.entry.params from_call post_state
in
exec_jump stk retn_state block
~temps:(Option.fold ~f:Set.add freturn ~init:Var.Set.empty)
( match freturn with
| Some freturn -> Llair.Jump.push_arg (Exp.var freturn) retn_site
| None -> retn_site )
[sledge] Print pre/post on function return Summary: Print pre- and post- conditions (aka, summaries) when analyzer hits a function return - plumbing the precondition through the analyzer so that it is available when return is hit Reviewed By: jberdine Differential Revision: D15713725 fbshipit-source-id: b10b6206f
6 years ago
| None -> Work.skip )
|>
[sledge] Add printing of some variables in bold Summary: Add a `-color` option to sledge, that prints variable that are existentially bound as bold. Reviewed By: ngorogiannis Differential Revision: D16088750 fbshipit-source-id: bd21cb8a0
5 years ago
[%Trace.retn fun {pf} _ -> pf ""]
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
let exec_throw stk pre_state (block : Llair.block) exc =
[%Trace.call fun {pf} -> pf "from %a" Var.pp block.parent.name.var]
;
let unwind params scope from_call state =
Domain.retn params from_call (Domain.post scope from_call state)
in
( match Stack.pop_throw stk ~unwind ~init:pre_state with
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
| Some (from_call, retn_site, stk, unwind_state) ->
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
let fthrow = block.parent.fthrow in
let exit_state = Domain.exec_return unwind_state fthrow exc in
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
let post_state =
Domain.post block.parent.locals from_call exit_state
in
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
let retn_state =
Domain.retn block.parent.entry.params from_call post_state
in
exec_jump stk retn_state block
~temps:(Set.add Var.Set.empty fthrow)
(Llair.Jump.push_arg (Exp.var fthrow) retn_site)
| None -> Work.skip )
|>
[%Trace.retn fun {pf} _ -> pf ""]
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
[sledge] Improve debug tracing Reviewed By: mbouaziz Differential Revision: D10389475 fbshipit-source-id: 28df69903
6 years ago
let exec_skip_func :
[sledge] Fix stack popping Summary: - Ensure that popping Throw or Return does not leave stale Throw or Return frames - Add a module for Control.stack - Add invariant to enforce that a Throw frame can appear only immediately above a Return frame Reviewed By: jvillard Differential Revision: D14547263 fbshipit-source-id: deb31b8af
6 years ago
Stack.t -> Domain.t -> Llair.block -> Llair.jump -> Work.x =
[sledge] Improve debug tracing Reviewed By: mbouaziz Differential Revision: D10389475 fbshipit-source-id: 28df69903
6 years ago
fun stk state block ({dst; args} as return) ->
[sledge] Refactor issue reporting to Report module Summary: Also for debugging support, note that analysis can be stopped after reporting an attempt to call an unknown function with `sledge -tReport.unknown_call` and likewise for invalid memory accesses with `sledge -tReport.invalid_access`. Reviewed By: mbouaziz Differential Revision: D10389474 fbshipit-source-id: b006480d3
6 years ago
Report.unknown_call block.term ;
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
let return =
if List.is_empty dst.params then return
else
let args =
List.fold_right dst.params ~init:args ~f:(fun param args ->
Exp.nondet (Var.name param) :: args )
in
{return with args}
in
exec_jump stk state block return
[sledge] Fix bound not bounding recursion Summary: Sledge does not terminate on programs with recursion, because functions get "infinitely inlined" and therefore recursion is not treated as retreating edge. This patch bounds the number of times the same function can "inlined" to respect the bound (`-b` option). On each call we check the number of occurances of the called function in the call stack. If that is higher than the bound, we skip it. Reviewed By: jvillard Differential Revision: D15577134 fbshipit-source-id: 4cd3b62c6
6 years ago
let exec_term :
[sledge] Add CL option to disable exceptions Summary: Disable exceptional control flow - treat throw as unreachable - confidence in the correctness of the frontend's treatment of exception handling is very low, and making summaries that are expressive enough to talk about exceptions is a complication that isn't needed for the first iteration To facilitate, start on a struct that holds all the CL options. Reviewed By: jberdine, jvillard Differential Revision: D15713601 fbshipit-source-id: ee92dfbd8
6 years ago
opts:exec_opts
-> Llair.t
-> Stack.t
-> Domain.t
-> Llair.block
-> Work.x =
fun ~opts pgm stk state block ->
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
[%Trace.info "exec %a" Llair.Term.pp block.term] ;
match block.term with
| Switch {key; tbl; els} ->
Vector.fold tbl
~f:(fun x (case, jump) ->
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
match Domain.exec_assume state (Exp.eq key case) with
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
| Some state -> exec_jump stk state block jump |> Work.seq x
| None -> x )
~init:
( match
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
Domain.exec_assume state
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
(Vector.fold tbl ~init:(Exp.bool true)
[ocamlformat] upgrade ocamlformat to 0.9 Reviewed By: jeremydubreil Differential Revision: D14668400 fbshipit-source-id: 9d22da9a8
6 years ago
~f:(fun b (case, _) -> Exp.and_ (Exp.dq key case) b))
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
with
| Some state -> exec_jump stk state block els
| None -> Work.skip )
| Iswitch {ptr; tbl} ->
Vector.fold tbl ~init:Work.skip ~f:(fun x (jump : Llair.jump) ->
match
[sledge] Rework function return value passing Summary: The current handling of the formal return variable scope is not correct. Since it is passed as an actual argument to the return continuation, it is manipulated as if it was a local variable of the caller. However, its scope is not ended with the caller's locals, leading to clashes. This diff reworks the passing of return values to avoid this problem, mainly by introducing a notion of temporary variables during parameter passing. This essentially has the effect of taking a function spec { P } f(x) { λv. Q } and generating a "temporary" variable v, applying the post λv. Q to it to obtain the pre-state for the call to the return continuation k(v). Being a temporary variable just means that it goes out of scope just after parameter passing. This amounts to a long-winded way of applying the post-state to the formal parameter of the return continuation without violating scopes or SSA. This diff also separates the manipulation of the symbolic states as they proceed from: 1. the pre-state before the return instruction; 2. the exit-state after the return instruction (including the binding of the returned value to the return formal variable); 3. the post-state, where the locals are existentially quantified; and 4. the return-state, which is expressed in terms of actual args instead of formal parameters. Also in support of summarization, formal return and throw parameters are no longer tracked on the analyzer's stack. Note that these changes involve changing the locals of blocks and functions to no longer include the formal parameters. Reviewed By: kren1 Differential Revision: D15912148 fbshipit-source-id: e41dd6e42
6 years ago
Domain.exec_assume state
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
(Exp.eq ptr
(Exp.label
~parent:(Var.name jump.dst.parent.name.var)
~name:jump.dst.lbl))
with
| Some state -> exec_jump stk state block jump |> Work.seq x
| None -> x )
| Call {call= {dst; args; retreating}; return; throw} -> (
match
let lookup name =
Option.to_list (Llair.Func.find pgm.functions name)
in
Domain.resolve_callee lookup dst state
with
| [] -> exec_skip_func stk state block return
| callees ->
List.fold callees ~init:Work.skip ~f:(fun x callee ->
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
( match
[sledge] Model __cxa_allocate_exception as unreachable with -skip-throw Summary: Each call to __cxa_allocate_exception, in practice, is shortly followed by raising an exception. With -skip-throw, execution will not proceed past the throw. Since the concrete implementation of __cxa_allocate_exception and the following initialization of the exception object is very low-level code that plays tricks, the analyzer has trouble with it. So model __cxa_allocate_exception as unreachable to avoid (needlessly) executing that code and potentially failing spuriously. Reviewed By: kren1 Differential Revision: D16069451 fbshipit-source-id: bea1dae09
5 years ago
Domain.exec_intrinsic ~skip_throw:opts.skip_throw state
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
(List.hd return.dst.params)
callee.name.var args
with
| Some (Error ()) ->
[sledge] Revise Report printing Summary: The report output got disturbed by the change from predicate to relational Domain, and the tricky control of printing simplified states. After this diff by default states are printed in full, and in simplified form with `-t State_domain.pp_simp`. Also includes some minor output improvements. Reviewed By: kren1 Differential Revision: D16059780 fbshipit-source-id: b33289887
5 years ago
Report.invalid_access_term (Domain.project state) block.term ;
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
Work.skip
[sledge] Support intrinsics which do not return Summary: Allow intrinsics to return an inconsistent state, to specify that they do not return. Reviewed By: kren1 Differential Revision: D16069453 fbshipit-source-id: deb5d2a22
5 years ago
| Some (Ok state) when Domain.is_false state -> Work.skip
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
| Some (Ok state) -> exec_goto stk state block return
| None when Llair.Func.is_undefined callee ->
exec_skip_func stk state block return
| None ->
[sledge] Add CL option to disable exceptions Summary: Disable exceptional control flow - treat throw as unreachable - confidence in the correctness of the frontend's treatment of exception handling is very low, and making summaries that are expressive enough to talk about exceptions is a complication that isn't needed for the first iteration To facilitate, start on a struct that holds all the CL options. Reviewed By: jberdine, jvillard Differential Revision: D15713601 fbshipit-source-id: ee92dfbd8
6 years ago
exec_call ~opts stk state block
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
{dst= callee.entry; args; retreating}
[sledge] Function summarization: solver can show pre Summary: This diff is preparation for function summarization and focuses on function calls and function summary precondition computation. It introduces `-function-summaries` flag behind most of functionality is hidden, when enabled on each call * A function summary is computed by quantifying all the non-formal/global variables and removing all the segments that are not reachable from them * `pre` and `foot` are computed from function summary and the calling context by replacing formals with actuals again. * A solver is asked if `pre` entails `foot` and a frame is printed if it does Currently this only works for formulas without disjunctions, so when function summaries are enabled, that state is first moved to dnf and then the call is done for each disjunct. Reviewed By: ngorogiannis Differential Revision: D15898928 fbshipit-source-id: 49d32504c
6 years ago
return throw pgm.globals )
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
|> Work.seq x ) )
[sledge] Generate and apply summaries Summary: Define a new function summary type and compute it on function return. As an intermediary step also apply the just computed summary to function pre so it can be compared to what was actually computed. Reviewed By: jvillard Differential Revision: D16149833 fbshipit-source-id: b826c17e8
5 years ago
| Return {exp} -> exec_return ~opts stk state block exp pgm.globals
[sledge] Add CL option to disable exceptions Summary: Disable exceptional control flow - treat throw as unreachable - confidence in the correctness of the frontend's treatment of exception handling is very low, and making summaries that are expressive enough to talk about exceptions is a complication that isn't needed for the first iteration To facilitate, start on a struct that holds all the CL options. Reviewed By: jberdine, jvillard Differential Revision: D15713601 fbshipit-source-id: ee92dfbd8
6 years ago
| Throw {exc} ->
if opts.skip_throw then Work.skip else exec_throw stk state block exc
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
| Unreachable -> Work.skip
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
let exec_inst :
Domain.t -> Llair.inst -> (Domain.t, Domain.t * Llair.inst) result =
fun state inst ->
Domain.exec_inst state inst
|> Result.map_error ~f:(fun () -> (state, inst))
[sledge] Fix bound not bounding recursion Summary: Sledge does not terminate on programs with recursion, because functions get "infinitely inlined" and therefore recursion is not treated as retreating edge. This patch bounds the number of times the same function can "inlined" to respect the bound (`-b` option). On each call we check the number of occurances of the called function in the call stack. If that is higher than the bound, we skip it. Reviewed By: jvillard Differential Revision: D15577134 fbshipit-source-id: 4cd3b62c6
6 years ago
let exec_block :
[sledge] Add CL option to disable exceptions Summary: Disable exceptional control flow - treat throw as unreachable - confidence in the correctness of the frontend's treatment of exception handling is very low, and making summaries that are expressive enough to talk about exceptions is a complication that isn't needed for the first iteration To facilitate, start on a struct that holds all the CL options. Reviewed By: jberdine, jvillard Differential Revision: D15713601 fbshipit-source-id: ee92dfbd8
6 years ago
opts:exec_opts
-> Llair.t
-> Stack.t
-> Domain.t
-> Llair.block
-> Work.x =
fun ~opts pgm stk state block ->
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
[%Trace.info "exec %a" Llair.Block.pp block] ;
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
match Vector.fold_result ~f:exec_inst ~init:state block.cmnd with
[sledge] Add CL option to disable exceptions Summary: Disable exceptional control flow - treat throw as unreachable - confidence in the correctness of the frontend's treatment of exception handling is very low, and making summaries that are expressive enough to talk about exceptions is a complication that isn't needed for the first iteration To facilitate, start on a struct that holds all the CL options. Reviewed By: jberdine, jvillard Differential Revision: D15713601 fbshipit-source-id: ee92dfbd8
6 years ago
| Ok state -> exec_term ~opts pgm stk state block
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
| Error (state, inst) ->
[sledge] Revise Report printing Summary: The report output got disturbed by the change from predicate to relational Domain, and the tricky control of printing simplified states. After this diff by default states are printed in full, and in simplified form with `-t State_domain.pp_simp`. Also includes some minor output improvements. Reviewed By: kren1 Differential Revision: D16059780 fbshipit-source-id: b33289887
5 years ago
Report.invalid_access_inst (Domain.project state) inst ;
[sledge] Skeleton for symbolic execution of unsafe intrinsics Summary: This diff adds support in symbolic execution for calls to intrinsic functions, to be used in lieu of adding a separate Llair instruction for each intrinsic. This involves: - adding skeleton support in Exec for symbolically execution an intrinsic function call; - exposing this in Domain; - allowing symbolic execution of block terminators (e.g. function call) to possibly fail; and - generalizing Report for failing terminators. Reviewed By: ngorogiannis Differential Revision: D14403652 fbshipit-source-id: d86d9d1b8
6 years ago
Work.skip
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
[sledge] Function summarization: solver can show pre Summary: This diff is preparation for function summarization and focuses on function calls and function summary precondition computation. It introduces `-function-summaries` flag behind most of functionality is hidden, when enabled on each call * A function summary is computed by quantifying all the non-formal/global variables and removing all the segments that are not reachable from them * `pre` and `foot` are computed from function summary and the calling context by replacing formals with actuals again. * A solver is asked if `pre` entails `foot` and a frame is printed if it does Currently this only works for formulas without disjunctions, so when function summaries are enabled, that state is first moved to dnf and then the call is done for each disjunct. Reviewed By: ngorogiannis Differential Revision: D15898928 fbshipit-source-id: 49d32504c
6 years ago
let harness : opts:exec_opts -> Llair.t -> (int -> Work.t) option =
fun ~opts pgm ->
[sledge] special case buck-target-patterns Summary: For buck targets that contain at least one of the substrings in `buck-target-pattern` option in config, change the buck target to add `_sledge` suffix. Reviewed By: jberdine Differential Revision: D15920018 fbshipit-source-id: 44c242e99
6 years ago
let entry_points = Config.find_list "entry-points" in
[sledge] Put all the entry points in the config Summary: The entry point functions are used in a couple of places, this puts them in a single source of truth in the config file. Reviewed By: jvillard Differential Revision: D15651976 fbshipit-source-id: a572e8d4d
6 years ago
List.find_map entry_points ~f:(fun name ->
Llair.Func.find pgm.functions (Var.program name) )
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
|> function
[sledge] Move locals from blocks to functions Summary: The entry block contains all locals of the entire function, as required by the backend. This makes the manipulation of the locals of each block redundant. This diff moves the locals from the entry block to the function itself, removes the Locals frames of the Control.Stack, and adds a locals field to Return frames. This is part cleanup and part preparation for removing the Control.Stack. Reviewed By: ngorogiannis Differential Revision: D15963503 fbshipit-source-id: 523ebc260
6 years ago
| Some {locals; entry= {params= []} as block} ->
[sledge][NFC] Simplify harness selection code Summary: Only refactor Reviewed By: jvillard Differential Revision: D15424821 fbshipit-source-id: 0e3ea58c3
6 years ago
Some
(Work.init
[sledge] Function summarization: solver can show pre Summary: This diff is preparation for function summarization and focuses on function calls and function summary precondition computation. It introduces `-function-summaries` flag behind most of functionality is hidden, when enabled on each call * A function summary is computed by quantifying all the non-formal/global variables and removing all the segments that are not reachable from them * `pre` and `foot` are computed from function summary and the calling context by replacing formals with actuals again. * A solver is asked if `pre` entails `foot` and a frame is printed if it does Currently this only works for formulas without disjunctions, so when function summaries are enabled, that state is first moved to dnf and then the call is done for each disjunct. Reviewed By: ngorogiannis Differential Revision: D15898928 fbshipit-source-id: 49d32504c
6 years ago
(fst
(Domain.call ~summaries:opts.function_summaries [] [] locals
pgm.globals (Domain.init pgm.globals)))
[sledge][NFC] Simplify harness selection code Summary: Only refactor Reviewed By: jvillard Differential Revision: D15424821 fbshipit-source-id: 0e3ea58c3
6 years ago
block)
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
| _ -> None
[sledge] Add CL option to disable exceptions Summary: Disable exceptional control flow - treat throw as unreachable - confidence in the correctness of the frontend's treatment of exception handling is very low, and making summaries that are expressive enough to talk about exceptions is a complication that isn't needed for the first iteration To facilitate, start on a struct that holds all the CL options. Reviewed By: jberdine, jvillard Differential Revision: D15713601 fbshipit-source-id: ee92dfbd8
6 years ago
let exec_pgm : exec_opts -> Llair.t -> unit =
fun opts pgm ->
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
[%Trace.call fun {pf} -> pf "@]@,@["]
;
[sledge] Function summarization: solver can show pre Summary: This diff is preparation for function summarization and focuses on function calls and function summary precondition computation. It introduces `-function-summaries` flag behind most of functionality is hidden, when enabled on each call * A function summary is computed by quantifying all the non-formal/global variables and removing all the segments that are not reachable from them * `pre` and `foot` are computed from function summary and the calling context by replacing formals with actuals again. * A solver is asked if `pre` entails `foot` and a frame is printed if it does Currently this only works for formulas without disjunctions, so when function summaries are enabled, that state is first moved to dnf and then the call is done for each disjunct. Reviewed By: ngorogiannis Differential Revision: D15898928 fbshipit-source-id: 49d32504c
6 years ago
( match harness ~opts pgm with
[sledge] Add CL option to disable exceptions Summary: Disable exceptional control flow - treat throw as unreachable - confidence in the correctness of the frontend's treatment of exception handling is very low, and making summaries that are expressive enough to talk about exceptions is a complication that isn't needed for the first iteration To facilitate, start on a struct that holds all the CL options. Reviewed By: jberdine, jvillard Differential Revision: D15713601 fbshipit-source-id: ee92dfbd8
6 years ago
| Some work -> Work.run ~f:(exec_block ~opts pgm) (work opts.bound)
[sledge] Add analysis based on iterative bounded exploration Reviewed By: mbouaziz Differential Revision: D9846736 fbshipit-source-id: 3c3a687b3
6 years ago
| None -> fail "no applicable harness" () )
|>
[%Trace.retn fun {pf} _ -> pf ""]