pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8a99f4b3bb'
${ noResults }
infer_clone/infer/src/pulse/PulseAbductiveDomain.mli

138 lines
4.3 KiB
Raw Normal View History Unescape

[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
[pulse][2/9] add PulseInvalidation to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955286 fbshipit-source-id: 831491e47
5 years ago
open PulseBasicInterface
[pulse][8/9] Domain interface Summary: Another poorman's library, this time about Pulse Domains. Also renames `PulseDomain` to `PulseBaseDomain`. Reviewed By: ezgicicek Differential Revision: D17955287 fbshipit-source-id: 9c947cf98
5 years ago
module BaseDomain = PulseBaseDomain
[pulse][10/9] carve out PulseBaseMemory Summary: That module's interface was repeated twice to avoid exposing its internals to PulseDomain itself. It's also quite long so it makes sense to move it to its own file. Reviewed By: ezgicicek Differential Revision: D17977209 fbshipit-source-id: 56a2dac24
5 years ago
module BaseMemory = PulseBaseMemory
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
module BaseStack = PulseBaseStack
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][8/9] Domain interface Summary: Another poorman's library, this time about Pulse Domains. Also renames `PulseDomain` to `PulseBaseDomain`. Reviewed By: ezgicicek Differential Revision: D17955287 fbshipit-source-id: 9c947cf98
5 years ago
(* layer on top of {!BaseDomain} to propagate operations on the current state to the pre-condition
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
when necessary
The abstract type [t] is a pre/post pair in the style of biabduction.
*)
include AbstractDomain.NoJoin
[pulse] tighten up summaries Summary: Only throw values to the pre if they can be followed from "abducible" variables: formals of the current method and globals. Because figuring out if a `Pvar.t` is a formal of the current procedure is actually a giant pain, hack something not too bad instead: pre-register all formals at the start of the analysis of the procedure. Then the only other variables we care about in the precondition are globals, which we can detect easily. This is mostly an optimisation (summaries won't include irrelevant "abduced" facts about the procedure's local variables anymore), but it also fixes a bug where we would sometimes overwrite things in the pre. I think that's why the tests improved. Reviewed By: ngorogiannis Differential Revision: D14753493 fbshipit-source-id: 08e73637f
6 years ago
val mk_initial : Procdesc.t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
(** stack operations like {!BaseStack} but that also take care of propagating facts to the
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
precondition *)
module Stack : sig
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
val add : Var.t -> BaseStack.value -> t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
val remove_vars : Var.t list -> t -> t
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
val fold : (Var.t -> BaseStack.value -> 'a -> 'a) -> t -> 'a -> 'a
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
val find_opt : Var.t -> t -> BaseStack.value option
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
val eval : ValueHistory.t -> Var.t -> t -> t * (AbstractValue.t * ValueHistory.t)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
(** return the value of the variable in the stack or create a fresh one if needed *)
val mem : Var.t -> t -> bool
[pulse] C++ temporaries bound to globals do not "escape" Summary: Fixes a false positive where the address of a C++ temporary is bound to a static const reference variable then returned. The fix doesn't try to establish that the variable is a const reference so could lead to false negatives but that can be addressed later. Reviewed By: ezgicicek Differential Revision: D16004538 fbshipit-source-id: e403dbefe
6 years ago
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
val exists : (Var.t -> BaseStack.value -> bool) -> t -> bool
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
end
[pulse][10/9] carve out PulseBaseMemory Summary: That module's interface was repeated twice to avoid exposing its internals to PulseDomain itself. It's also quite long so it makes sense to move it to its own file. Reviewed By: ezgicicek Differential Revision: D17977209 fbshipit-source-id: 56a2dac24
5 years ago
(** memory operations like {!BaseMemory} but that also take care of propagating facts to the
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
precondition *)
module Memory : sig
[pulse][10/9] carve out PulseBaseMemory Summary: That module's interface was repeated twice to avoid exposing its internals to PulseDomain itself. It's also quite long so it makes sense to move it to its own file. Reviewed By: ezgicicek Differential Revision: D17977209 fbshipit-source-id: 56a2dac24
5 years ago
module Access = BaseMemory.Access
module Edges = BaseMemory.Edges
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] Record the trace of the address written to Reviewed By: skcho Differential Revision: D17004433 fbshipit-source-id: 937319c27
6 years ago
val add_edge :
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
AbstractValue.t * ValueHistory.t
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
-> Access.t
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
-> AbstractValue.t * ValueHistory.t
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
-> Location.t
-> t
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
-> t
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
val eval_edge :
AbstractValue.t * ValueHistory.t -> Access.t -> t -> t * (AbstractValue.t * ValueHistory.t)
(** [eval_edge (addr,hist) access astate] follows the edge [addr --access--> .] in memory and
returns what it points to or creates a fresh value if that edge didn't exist. *)
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
val find_opt : AbstractValue.t -> t -> BaseMemory.Edges.t option
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
val find_edge_opt : AbstractValue.t -> Access.t -> t -> (AbstractValue.t * ValueHistory.t) option
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
end
[pulse] C++ temporaries bound to globals do not "escape" Summary: Fixes a false positive where the address of a C++ temporary is bound to a static const reference variable then returned. The fix doesn't try to establish that the variable is a const reference so could lead to false negatives but that can be addressed later. Reviewed By: ezgicicek Differential Revision: D16004538 fbshipit-source-id: e403dbefe
6 years ago
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
(** attribute operations like {!BaseAddressAttributes} but that also take care of propagating facts
to the precondition *)
module AddressAttributes : sig
val abduce_attribute : AbstractValue.t -> Attribute.t -> t -> t
(** add the attribute to the pre, if meaningful (does not modify the post) *)
val add_one : AbstractValue.t -> Attribute.t -> t -> t
(** add the attribute only to the post *)
val check_valid : Trace.t -> AbstractValue.t -> t -> (t, Invalidation.t * Trace.t) result
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val invalidate : AbstractValue.t * ValueHistory.t -> Invalidation.t -> Location.t -> t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] Add model for malloc Summary: Adding a model for malloc: we add an attribute "Allocated". This can be used for implementing memory leaks: whenever the variables get out of scope, we can check that if the variable has an attribute Allocated, it also has an attribute Invalid CFree. Possibly we will need more details in the Allocated attribute, to know if it's malloc, or other allocation function, but we can add that later when we know how it should look like. Reviewed By: jvillard Differential Revision: D20364541 fbshipit-source-id: 5e667a8c3
5 years ago
val allocate : AbstractValue.t * ValueHistory.t -> Location.t -> t -> t
[typ] extract Procname from Typ Summary: No reason for this to be in Typ Reviewed By: skcho Differential Revision: D19162727 fbshipit-source-id: d6940637a
5 years ago
val get_closure_proc_name : AbstractValue.t -> t -> Procname.t option
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val is_std_vector_reserved : AbstractValue.t -> t -> bool
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val std_vector_reserve : AbstractValue.t -> t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] add tracing of arithmetic facts Summary: When reporting null dereference it is useful to know where the null came from. Reviewed By: skcho Differential Revision: D18206459 fbshipit-source-id: 0c8e6781b
5 years ago
val get_arithmetic : AbstractValue.t -> t -> (Arithmetic.t * Trace.t) option
[pulse] Add binop arithmetic for BoItv Summary: This extends semantics of binary operator for BoItv. If there is no known interval value for a pulse value, it returns a symbolic value of the pulse value. Reviewed By: jvillard Differential Revision: D18726768 fbshipit-source-id: ed8ecf78b
5 years ago
[pulsebo] Bottom intervals cannot appear in an abstract state Summary: Refine the type of inferbo intervals attributes to "pure" (non-bottom) ones. This is because were we to get a Bottom value from inferbo we should stop the abstract execution instead of recording it in the state. Reviewed By: ezgicicek Differential Revision: D18811165 fbshipit-source-id: fff8664b7
5 years ago
val get_bo_itv : AbstractValue.t -> t -> Itv.ItvPure.t
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
val find_opt : AbstractValue.t -> t -> Attributes.t option
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
end
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
val is_local : Var.t -> t -> bool
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
val find_post_cell_opt : AbstractValue.t -> t -> BaseDomain.cell option
val set_post_cell : AbstractValue.t * ValueHistory.t -> BaseDomain.cell -> Location.t -> t -> t
[pulse] Pull skipped calls into AbductiveDomain Summary: We don't need skipped calls for pre and post. Let's pull them out to `PulseAbductiveDomain`, next to pre and post. Reviewed By: jvillard Differential Revision: D20283589 fbshipit-source-id: 5cf970292
5 years ago
module SkippedTrace : sig
type t = PulseTrace.t
end
module SkippedCalls : AbstractDomain.MapS with type key = Procname.t and type value = SkippedTrace.t
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
module PrePost : sig
type domain_t = t
type t = private domain_t
val pp : Format.formatter -> t -> unit
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
val of_post : Procdesc.t -> domain_t -> t
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
val apply :
[typ] extract Procname from Typ Summary: No reason for this to be in Typ Reviewed By: skcho Differential Revision: D19162727 fbshipit-source-id: d6940637a
5 years ago
Procname.t
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
-> Location.t
-> t
-> formals:Var.t list
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
-> actuals:((AbstractValue.t * ValueHistory.t) * Typ.t) list
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
-> domain_t
[pulse] stop the analysis when precondition cannot be applied for reasons others than errors Summary: If a precondition cannot be applied, it means that this program path somehow doesn't make sense for the caller and so should be pruned. Right now we just treat this as skipping over the call instead. This will become more important when specs start mentioning arithmetic facts that must be satisfied at the call site. As it is we will only stop if we discover aliasing in the pre not present at the call site or vice versa. Reviewed By: dulmarod Differential Revision: D18115230 fbshipit-source-id: 4f1c7a583
5 years ago
-> ((domain_t * (AbstractValue.t * ValueHistory.t) option) option, Diagnostic.t) result
[ocamlformat] Enable parsing and reformatting docstrings Summary: This diff enables parsing and auto-formatting documentation comments (aka docstrings). I have looked at this entire diff and manually made some changes to improve the formatting. In some cases it looked like it would take too much time, or benefit from someone more familiar with the code doing it, and I instead disabled auto-formatting docstrings in those files. Also, there are some source files where the docstrings are invalid, and some where the structure detected by the parser appears not to match what was intended. Auto-formatting has been disabled for these files. Reviewed By: ezgicicek Differential Revision: D18755888 fbshipit-source-id: 68d72465d
5 years ago
(** return the abstract state after the call along with an optional return value, or [None] if the
precondition could not be satisfied (e.g. some aliasing constraints were not satisfied) *)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
end
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
val discard_unreachable : t -> t
(** garbage collect unreachable addresses in the state to make it smaller, just for convenience and
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
keep its size down *)
[pulse][impurity] Use pulse for detecting impurity Summary: Introduce a new experimental checker (`--impurity`) that detects impurity information, tracking which parameters and global variables of a function are modified. The checker relies on Pulse to detect how the state changes: it traverses the pre and post pairs starting from the parameter/global variable and finds where the pre and post heaps diverge. At diversion points, we expect to see WrittenTo/Invalid attributes containing a trace of how the address was modified. We use these to construct the trace of impurity. This checker is a complement to the purity checker that exists mainly for Java (and used for cost and loop-hoisting analyses). The aim of this new experimental checker is to rely on Pulse's precise memory treatment and come up with a more precise im(purity) analysis. To distinguish the two checkers, we introduce a new issue type `IMPURE_FUNCTION` that reports when a function is impure, rather than when it is pure (as in the purity checker). TODO: - improve the analysis to rely on impurity information of external library calls. Currently, all library calls are assumed to be nops, hence pure. - de-entangle Pulse reporting from analysis. Reviewed By: skcho Differential Revision: D17051567 fbshipit-source-id: 5e10afb4f
6 years ago
[pulse] Remove map suffix from SkippedCalls Reviewed By: jvillard Differential Revision: D19555827 fbshipit-source-id: 8ebc2f41d
5 years ago
val add_skipped_calls : Procname.t -> PulseTrace.t -> t -> t
[pulse] Track skipped functions Summary: Let's collect the list of all skipped functions with a `proc_name` but no summary in Pulse's memory. This will be useful for the impurity analysis later (next diff). Concretely, we extend Pulse's domain with a map from skipped calls to their respective traces. For efficiency, we only keep a single trace per skipped call. For impurity analysis, tracking skipped calls in Pulse allows us to rely on Pulse's strong memory model to get rid of infeasible paths as opposed to creating an independent checker which wouldn't be able to do that. Reviewed By: jvillard Differential Revision: D19428426 fbshipit-source-id: 3c5e482c5
5 years ago
[pulse][8/9] Domain interface Summary: Another poorman's library, this time about Pulse Domains. Also renames `PulseDomain` to `PulseBaseDomain`. Reviewed By: ezgicicek Differential Revision: D17955287 fbshipit-source-id: 9c947cf98
5 years ago
val extract_pre : PrePost.t -> BaseDomain.t
[pulse][impurity] Use pulse for detecting impurity Summary: Introduce a new experimental checker (`--impurity`) that detects impurity information, tracking which parameters and global variables of a function are modified. The checker relies on Pulse to detect how the state changes: it traverses the pre and post pairs starting from the parameter/global variable and finds where the pre and post heaps diverge. At diversion points, we expect to see WrittenTo/Invalid attributes containing a trace of how the address was modified. We use these to construct the trace of impurity. This checker is a complement to the purity checker that exists mainly for Java (and used for cost and loop-hoisting analyses). The aim of this new experimental checker is to rely on Pulse's precise memory treatment and come up with a more precise im(purity) analysis. To distinguish the two checkers, we introduce a new issue type `IMPURE_FUNCTION` that reports when a function is impure, rather than when it is pure (as in the purity checker). TODO: - improve the analysis to rely on impurity information of external library calls. Currently, all library calls are assumed to be nops, hence pure. - de-entangle Pulse reporting from analysis. Reviewed By: skcho Differential Revision: D17051567 fbshipit-source-id: 5e10afb4f
6 years ago
[pulse][8/9] Domain interface Summary: Another poorman's library, this time about Pulse Domains. Also renames `PulseDomain` to `PulseBaseDomain`. Reviewed By: ezgicicek Differential Revision: D17955287 fbshipit-source-id: 9c947cf98
5 years ago
val extract_post : PrePost.t -> BaseDomain.t
[pulse] Pull skipped calls into AbductiveDomain Summary: We don't need skipped calls for pre and post. Let's pull them out to `PulseAbductiveDomain`, next to pre and post. Reviewed By: jvillard Differential Revision: D20283589 fbshipit-source-id: 5cf970292
5 years ago
val extract_skipped_calls : PrePost.t -> SkippedCalls.t