pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a6ab4d38cf'
${ noResults }
infer_clone/infer/tests/codetoanalyze/java/bufferoverrun/ArrayListTest.java

278 lines
6.9 KiB
Raw Normal View History Unescape

[inferbo] Add missing list initialization with initial capacity Summary: Correct the models of ArrayList initialization. Basically, there are two ways to initialize: - by setting an initial capacity, which creates an empty list - by passing another collection as an argument Before, we had only modeled the second case which was resulting in wrong memory model for the first case. This diff fixes that. Reviewed By: skcho Differential Revision: D16711055 fbshipit-source-id: e82faf191
5 years ago
/*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
import java.util.ArrayList;
class ArrayListTest {
void alloc_is_negative_bad() {
// initial capacity cannot be negative
ArrayList<Integer> x = new ArrayList<Integer>(-1);
}
void alloc_is_ok() {
// initial capacity cannot be negative
ArrayList<Integer> x = new ArrayList<Integer>(9);
}
[inferbo] Address collection add in loop Summary: This diff addresses collection adds in loop. For example, ``` ArrayList<...> a = new ArrayList<>(); for (int i = 0; i < size; i++) { a.add(...); } // we want to know the size of `a` here! ``` This is a common pattern on initializing a collection in Java. How we did: Instead of adopting general (but complicated) solutions such as relational domain, we extended the current alias domain of inferbo, to be able to handle this specific case: * An array `a` should have size 0, at the entry of the loop. * The iterating variable `i` should start with 0. * `add` should be called once inside the loop. Reviewed By: jvillard Differential Revision: D17319350 fbshipit-source-id: 99b6acae1
5 years ago
void add_in_loop_ok() {
ArrayList<Integer> a = new ArrayList<>();
for (int i = 0; i < 5; i++) {
a.add(0);
}
int j = a.get(3);
}
void add_in_loop_bad() {
ArrayList<Integer> a = new ArrayList<>();
for (int i = 0; i < 5; i++) {
a.add(0);
}
int j = a.get(6);
}
void add_in_loop_by_param_ok(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
for (int i = 0; i < b.size(); i++) {
a.add(0);
}
int j = a.get(b.size() - 1);
}
void add_in_loop_by_param_bad(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
for (int i = 0; i < b.size(); i++) {
a.add(0);
}
int j = a.get(b.size() + 1);
}
[inferbo] Introduce inequality for size alias target Summary: This diff introduces an inequality for the size alias targets, in order to get preciser array lengths after loops. The alias domain in inferbo was able to express strict equality between alias source and its targets, e.g. x=size(array). Now, for the size alias target, it can express less than or equal relations, e.g. x>=size(array). Reviewed By: ezgicicek Differential Revision: D17606222 fbshipit-source-id: 2557d3bd0
5 years ago
boolean unknown_bool;
void add_in_loop_by_param2_ok(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
for (int i = 0; i < b.size(); i++) {
if (unknown_bool) {
a.add(0);
}
} // a.size should be [0, b.size]
if (a.size() > 0) {
int j = b.get(a.size() - 1);
}
}
void add_in_loop_by_param2_bad(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
for (int i = 0; i < b.size(); i++) {
if (unknown_bool) {
a.add(0);
}
} // a.size should be [0, b.size]
int j = b.get(a.size());
}
[inferbo] Extend alias for collection iteration loop Summary: This diff extends the alias domain to analyze loop with list comprehensions form in Java precisely. ``` list2 = new List(); for (Element e : list1) { list2.add(e); } ``` 1. `IteratorOffset` is a relation between a iterator offset and a length of another array. For example, in the above example, after n-times of iterations, the offset of the iterator (if it exists) and the length of `list2` are the same as `n`. 2. `IteratorHasNext` is a relation between iterator and its `hasNext` result. 3. At the conditional nodes, it prunes the alias list length of `list2` by that of `list1`. * if `hasNext(list1's iterator)` is true, `list2`'s length is pruned by `< list1's length` * if `hasNext(list1's iterator)` is false, `list2`'s length is pruned by `= list1's length` Reviewed By: ezgicicek Differential Revision: D17667128 fbshipit-source-id: 41fb23a45
5 years ago
[inferbo] Add size alias when i=1 Summary: Sometimes there is a code like `for(int i = 1; i < x; i++){ l.add(); }`, where the first element in a list is addressed specifically. This case was not analyzed precisely, because the alias value is added only when `i` is initialized by 0 by heuristic. This diff extends the heuristic, so it adds a size alias between `i` and `l.size()` when `i` is initialized by 0 or 1. Reviewed By: ezgicicek Differential Revision: D18351867 fbshipit-source-id: e7d19a4ec
5 years ago
void add_in_loop_by_param3_ok(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
if (b.size() > 0) {
for (int i = 1; i < b.size(); i++) {
a.add(0);
}
int j = a.get(b.size() - 2);
}
}
void add_in_loop_by_param3_bad(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
if (b.size() > 0) {
for (int i = 1; i < b.size(); i++) {
a.add(0);
}
int j = a.get(b.size() - 1);
}
}
[inferbo] Add size alias when array size is one Summary: Following D18351867, this diff adds more size alias: when initial array size is one. Reviewed By: ezgicicek Differential Revision: D18530598 fbshipit-source-id: 26d57fe30
5 years ago
void add_in_loop_by_param4_ok(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
a.add(0);
if (b.size() > 0) {
for (int i = 1; i < b.size(); i++) {
a.add(0);
} // a.size = b.size
int j = a.get(b.size() - 1);
}
}
void add_in_loop_by_param4_bad(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
a.add(0);
if (b.size() > 0) {
for (int i = 1; i < b.size(); i++) {
a.add(0);
} // a.size = b.size
int j = a.get(b.size() + 1);
}
}
[inferbo] Extend alias for collection iteration loop Summary: This diff extends the alias domain to analyze loop with list comprehensions form in Java precisely. ``` list2 = new List(); for (Element e : list1) { list2.add(e); } ``` 1. `IteratorOffset` is a relation between a iterator offset and a length of another array. For example, in the above example, after n-times of iterations, the offset of the iterator (if it exists) and the length of `list2` are the same as `n`. 2. `IteratorHasNext` is a relation between iterator and its `hasNext` result. 3. At the conditional nodes, it prunes the alias list length of `list2` by that of `list1`. * if `hasNext(list1's iterator)` is true, `list2`'s length is pruned by `< list1's length` * if `hasNext(list1's iterator)` is false, `list2`'s length is pruned by `= list1's length` Reviewed By: ezgicicek Differential Revision: D17667128 fbshipit-source-id: 41fb23a45
5 years ago
void add_in_loop_iterator_ok(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
for (Integer i : b) {
a.add(i);
}
int j = a.get(b.size() - 1);
}
void add_in_loop_iterator_bad(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
for (Integer i : b) {
a.add(i);
}
int j = a.get(b.size() + 1);
}
void remove_in_loop_iterator_good_FP(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
for (Integer i : b) {
a.add(i);
}
for (Integer i : b) {
a.remove(i);
}
/* a.size should be 0, but it is analyzed to [-oo, b.size] for now.
- array smashing: It abstracts all members as one abstract value, so cannot precisely analyze
the set of members in the array.
- imprecise remove model: Even with the array smashing, it should have been able to analyze
as [0, b.size], if the semantics of the model was preciser. */
if (a.size() < 0) {
int j = b.get(b.size());
}
}
void remove_in_loop_iterator_bad(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
for (Integer i : b) {
a.add(i);
}
for (Integer i : b) {
a.remove(i);
} // a.size should be 0
int j = a.get(0);
}
[inferbo] Inequality for iterator alias target Summary: This diff introduces inequality for the iterator alias target, as we did for the size target before. Reviewed By: ezgicicek Differential Revision: D17879208 fbshipit-source-id: cc2f6a723
5 years ago
void add_in_loop_iterator2_ok(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
for (Integer i : b) {
if (unknown_bool) {
a.add(i);
}
} // a.size should be [0, b.size]
if (a.size() > 0) {
int j = b.get(a.size() - 1);
}
}
void add_in_loop_iterator2_bad(ArrayList<Integer> b) {
ArrayList<Integer> a = new ArrayList<>();
for (Integer i : b) {
if (unknown_bool) {
a.add(i);
}
} // a.size should be [0, b.size]
int j = b.get(a.size());
}
[inferbo] Forget size alias when size changed in model Summary: It should forget size aliases if the size is changed. Reviewed By: ezgicicek Differential Revision: D18083697 fbshipit-source-id: 8b97e0676
5 years ago
void add_and_remove_ok(ArrayList<Integer> a) {
ArrayList<Integer> b = new ArrayList<Integer>();
b.add(0);
for (Integer i : a) {
b.add(0);
b.remove(0);
} // b.size is one here
int j = b.get(0);
}
void add_and_remove_bad(ArrayList<Integer> a) {
ArrayList<Integer> b = new ArrayList<Integer>();
for (Integer i : a) {
b.add(0);
b.remove(0);
} // b.size is zero here
int j = b.get(0);
}
[inferbo] Extend alias domain to have multiple aliases on a variable Summary: This diff extends the alias domain, so each variable can have multiple aliases. It changed `KeyLhs` can be mapped to multiple alias targets in the `AliasMap` domain: ``` before : KeyLhs.t -> KeyRhs.t * AliasTarget.t after : KeyLhs.t -> KeyRhs.t -> AliasTarget.t ``` Reviewed By: ezgicicek Differential Revision: D18062178 fbshipit-source-id: b325a6055
5 years ago
void multi_adds_in_loop_iterator_ok(ArrayList<Integer> b) {
ArrayList<Integer> a1 = new ArrayList<>();
ArrayList<Integer> a2 = new ArrayList<>();
for (Integer i : b) {
a1.add(i);
a2.add(i);
}
int j;
j = a1.get(b.size() - 1);
j = a2.get(b.size() - 1);
}
void multi_adds_in_loop_iterator_bad(ArrayList<Integer> b) {
ArrayList<Integer> a1 = new ArrayList<>();
ArrayList<Integer> a2 = new ArrayList<>();
for (Integer i : b) {
a1.add(i);
a2.add(i);
}
int j;
j = a1.get(b.size() + 1);
j = a2.get(b.size() + 1);
}
[inferbo] Fix a bug in SafeInvertedMap.join Summary: `equals1` and `equals2` in `SafeInvertedMap.join` are references that indicate whether given parameters and the result is physically equal or not. This diff fixes a missing update of them. Reviewed By: ezgicicek Differential Revision: D18450680 fbshipit-source-id: bae19cbe9
5 years ago
void alias_join_bad() {
int i;
ArrayList<Integer> a = new ArrayList<>();
ArrayList<Integer> b = new ArrayList<>();
if (unknown_bool) {
a.add(0);
i = 0; // i = size of b
} else {
b.add(0);
b.add(0);
i = 0; // i = size of a
}
if (i == 0) {
b.get(0); // size of b should be [0, 2]
}
}
[inferbo] Add FN test due to invalid pruning of array list length Reviewed By: ezgicicek Differential Revision: D20628205 fbshipit-source-id: 4077557a3
5 years ago
interface MyI {
public ArrayList<Integer> mk_unknown();
}
boolean unknown_bool2;
ArrayList<Integer> unknown_array_list1;
ArrayList<Integer> unknown_array_list2;
[inferbo] Do not append field to the unknown location Summary: This diff revises how to handle the unknown location in inferbo in two ways: * stop appending field to the `Unknown` location, e.g. `Unknown.x.a` is evaluated to `Unknown` * redesign the abstract of multiple locations, like `Bottom` < `Unknown` < `Known` locations I am doing them in one diff since applying only one of them showed bad results. Background: `Unknown` was adopted for abstracting all unknown concrete locations, so we could avoid missing semantics of assignments to unknown locations. We tried to keep soundness. However, it brought some other problems related to precision and performance. 1. Sometimes especially when Inferbo failed to reason precise pointer values, `Unknown` may point to many other abstract locations. 2. At that time, value assignments to `*Unknown` makes the situation worse: many abstract locations are updated with imprecise values. This problem harmed not only its precision, but also its performance since it introduced more location entries in the abstract memory. Reviewed By: jvillard Differential Revision: D21017789 fbshipit-source-id: 0bb6bd8b5
5 years ago
void loop_on_unknown_iterator_FN(MyI x, int j) {
[inferbo] Add FN test due to invalid pruning of array list length Reviewed By: ezgicicek Differential Revision: D20628205 fbshipit-source-id: 4077557a3
5 years ago
ArrayList<Integer> a = new ArrayList<>();
ArrayList<Integer> b;
if (unknown_bool) {
b = a;
} else {
b = x.mk_unknown();
}
[inferbo] Fix a bug in interval prune Summary: This diff avoids that an invalid interval value, e.g. [0, -1], is genrated by interval pruning. Reviewed By: ezgicicek Differential Revision: D20645488 fbshipit-source-id: 6516c75d1
5 years ago
// `b` points to an zero-sized array and `Unknown` pointer. Thus, the size of array list should
// be evaluated to [0,+oo] in a sound design. However, this would harm overall analysis
// precision with introducing a lot of FPs. To avoie that, we ignore the size of `Unknown`
// array list here, instead we get some FNs.
[inferbo] Add FN test due to invalid pruning of array list length Reviewed By: ezgicicek Differential Revision: D20628205 fbshipit-source-id: 4077557a3
5 years ago
for (Integer i : b) {
[inferbo] Do not append field to the unknown location Summary: This diff revises how to handle the unknown location in inferbo in two ways: * stop appending field to the `Unknown` location, e.g. `Unknown.x.a` is evaluated to `Unknown` * redesign the abstract of multiple locations, like `Bottom` < `Unknown` < `Known` locations I am doing them in one diff since applying only one of them showed bad results. Background: `Unknown` was adopted for abstracting all unknown concrete locations, so we could avoid missing semantics of assignments to unknown locations. We tried to keep soundness. However, it brought some other problems related to precision and performance. 1. Sometimes especially when Inferbo failed to reason precise pointer values, `Unknown` may point to many other abstract locations. 2. At that time, value assignments to `*Unknown` makes the situation worse: many abstract locations are updated with imprecise values. This problem harmed not only its precision, but also its performance since it introduced more location entries in the abstract memory. Reviewed By: jvillard Differential Revision: D21017789 fbshipit-source-id: 0bb6bd8b5
5 years ago
// Since size of `b` is evaluted to [0,0], here is unreachable.
[inferbo] Add FN test due to invalid pruning of array list length Reviewed By: ezgicicek Differential Revision: D20628205 fbshipit-source-id: 4077557a3
5 years ago
if (a.size() <= -1) {
int[] c = new int[5];
c[5] = 0;
} else {
[inferbo] Fix a bug in interval prune Summary: This diff avoids that an invalid interval value, e.g. [0, -1], is genrated by interval pruning. Reviewed By: ezgicicek Differential Revision: D20645488 fbshipit-source-id: 6516c75d1
5 years ago
int[] c = new int[10];
c[10] = 0;
[inferbo] Add FN test due to invalid pruning of array list length Reviewed By: ezgicicek Differential Revision: D20628205 fbshipit-source-id: 4077557a3
5 years ago
}
}
}
[inferbo] Add missing list initialization with initial capacity Summary: Correct the models of ArrayList initialization. Basically, there are two ways to initialize: - by setting an initial capacity, which creates an empty list - by passing another collection as an argument Before, we had only modeled the second case which was resulting in wrong memory model for the first case. This diff fixes that. Reviewed By: skcho Differential Revision: D16711055 fbshipit-source-id: e82faf191
5 years ago
}