pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ccb2d23c5b'
${ noResults }
infer_clone/infer/src/pulse/PulseAbductiveDomain.mli

168 lines
5.9 KiB
Raw Normal View History Unescape

[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
open! IStd
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
module F = Format
[pulse][2/9] add PulseInvalidation to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955286 fbshipit-source-id: 831491e47
5 years ago
open PulseBasicInterface
[pulse] Memory leak check Summary: First version of a new memory leak check based on Pulse. The idea is to examine unreachable cells in the heap and check that the "Allocated" attribute is available but the "Invalid CFree" isn't. This is done when we remove variables from the state. Currently it only works for malloc, we can extend it to other allocation functions later. Reviewed By: jvillard Differential Revision: D20444097 fbshipit-source-id: 33b6b25a2
5 years ago
module BaseAddressAttributes = PulseBaseAddressAttributes
[pulse][8/9] Domain interface Summary: Another poorman's library, this time about Pulse Domains. Also renames `PulseDomain` to `PulseBaseDomain`. Reviewed By: ezgicicek Differential Revision: D17955287 fbshipit-source-id: 9c947cf98
5 years ago
module BaseDomain = PulseBaseDomain
[pulse][10/9] carve out PulseBaseMemory Summary: That module's interface was repeated twice to avoid exposing its internals to PulseDomain itself. It's also quite long so it makes sense to move it to its own file. Reviewed By: ezgicicek Differential Revision: D17977209 fbshipit-source-id: 56a2dac24
5 years ago
module BaseMemory = PulseBaseMemory
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
module BaseStack = PulseBaseStack
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
(** Layer on top of {!BaseDomain} to propagate operations on the current state to the pre-condition
when necessary
The abstract type [t] is a pre/post pair in the style of biabduction. *)
(** signature common to the "normal" [Domain], representing the post at the current program point,
and the inverted [PreDomain], representing the inferred pre-condition*)
module type BaseDomainSig = sig
(* private because the lattice is not the same for preconditions and postconditions so we don't
want to confuse them *)
type t = private BaseDomain.t
val empty : t
val update : ?stack:BaseStack.t -> ?heap:BaseMemory.t -> ?attrs:BaseAddressAttributes.t -> t -> t
val filter_addr : f:(AbstractValue.t -> bool) -> t -> t
(**filter both heap and attrs *)
val partition_addr :
f:(AbstractValue.t -> bool)
-> t
-> (BaseMemory.t * BaseAddressAttributes.t) * (BaseMemory.t * BaseAddressAttributes.t)
(**partition both heap and attrs *)
val pp : F.formatter -> t -> unit
end
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][minor] rename AbductiveDomain.Domain -> AbductiveDomain.PostDomain Summary: To be more explicit and symmetric with PreDomain. Reviewed By: ezgicicek Differential Revision: D21022925 fbshipit-source-id: 51885a291
5 years ago
module PostDomain : BaseDomainSig
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
(** The post abstract state at each program point, or current state. *)
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
module PreDomain : BaseDomainSig
(** The inferred pre-condition at each program point, biabduction style.
NOTE: [PreDomain] and [Domain] theoretically differ in that [PreDomain] should be the inverted
lattice of [Domain], but since we never actually join states or check implication the two
collapse into one. * *)
(** biabduction-style pre/post state + skipped calls *)
type t = private
[pulse][minor] rename AbductiveDomain.Domain -> AbductiveDomain.PostDomain Summary: To be more explicit and symmetric with PreDomain. Reviewed By: ezgicicek Differential Revision: D21022925 fbshipit-source-id: 51885a291
5 years ago
{ post: PostDomain.t (** state at the current program point*)
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
; pre: PreDomain.t (** inferred pre at the current program point *)
[pudge] it's alive! Summary: Add a path condition to each symbolic state, represented in sledge's arithmetic domain. This gives a precise account of arithmetic constraints. In particular, it is relation and thus is more robust in the face of inter-procedural analysis. This is gated behind a flag for now as there are performance issues with the new arithmetic. Reviewed By: jberdine Differential Revision: D20393947 fbshipit-source-id: b780de22a
5 years ago
; skipped_calls: SkippedCalls.t (** set of skipped calls *)
; path_condition: PathCondition.t (** arithmetic facts *) }
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
val leq : lhs:t -> rhs:t -> bool
val pp : Format.formatter -> t -> unit
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] tighten up summaries Summary: Only throw values to the pre if they can be followed from "abducible" variables: formals of the current method and globals. Because figuring out if a `Pvar.t` is a formal of the current procedure is actually a giant pain, hack something not too bad instead: pre-register all formals at the start of the analysis of the procedure. Then the only other variables we care about in the precondition are globals, which we can detect easily. This is mostly an optimisation (summaries won't include irrelevant "abduced" facts about the procedure's local variables anymore), but it also fixes a bug where we would sometimes overwrite things in the pre. I think that's why the tests improved. Reviewed By: ngorogiannis Differential Revision: D14753493 fbshipit-source-id: 08e73637f
6 years ago
val mk_initial : Procdesc.t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
val get_pre : t -> BaseDomain.t
val get_post : t -> BaseDomain.t
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
(** stack operations like {!BaseStack} but that also take care of propagating facts to the
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
precondition *)
module Stack : sig
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
val add : Var.t -> BaseStack.value -> t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
val remove_vars : Var.t list -> t -> t
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
val fold : (Var.t -> BaseStack.value -> 'a -> 'a) -> t -> 'a -> 'a
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
val find_opt : Var.t -> t -> BaseStack.value option
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
val eval : ValueHistory.t -> Var.t -> t -> t * (AbstractValue.t * ValueHistory.t)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
(** return the value of the variable in the stack or create a fresh one if needed *)
val mem : Var.t -> t -> bool
[pulse] C++ temporaries bound to globals do not "escape" Summary: Fixes a false positive where the address of a C++ temporary is bound to a static const reference variable then returned. The fix doesn't try to establish that the variable is a const reference so could lead to false negatives but that can be addressed later. Reviewed By: ezgicicek Differential Revision: D16004538 fbshipit-source-id: e403dbefe
6 years ago
[pulse][11/9] carve out PulseBaseStack Summary: To be consistent with PulseBaseMemomy, mostly. Reviewed By: ezgicicek Differential Revision: D17977208 fbshipit-source-id: 6a75c5b0e
5 years ago
val exists : (Var.t -> BaseStack.value -> bool) -> t -> bool
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
end
[pulse][10/9] carve out PulseBaseMemory Summary: That module's interface was repeated twice to avoid exposing its internals to PulseDomain itself. It's also quite long so it makes sense to move it to its own file. Reviewed By: ezgicicek Differential Revision: D17977209 fbshipit-source-id: 56a2dac24
5 years ago
(** memory operations like {!BaseMemory} but that also take care of propagating facts to the
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
precondition *)
module Memory : sig
[pulse][10/9] carve out PulseBaseMemory Summary: That module's interface was repeated twice to avoid exposing its internals to PulseDomain itself. It's also quite long so it makes sense to move it to its own file. Reviewed By: ezgicicek Differential Revision: D17977209 fbshipit-source-id: 56a2dac24
5 years ago
module Access = BaseMemory.Access
module Edges = BaseMemory.Edges
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] Record the trace of the address written to Reviewed By: skcho Differential Revision: D17004433 fbshipit-source-id: 937319c27
6 years ago
val add_edge :
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
AbstractValue.t * ValueHistory.t
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
-> Access.t
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
-> AbstractValue.t * ValueHistory.t
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
-> Location.t
-> t
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
-> t
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
val eval_edge :
AbstractValue.t * ValueHistory.t -> Access.t -> t -> t * (AbstractValue.t * ValueHistory.t)
(** [eval_edge (addr,hist) access astate] follows the edge [addr --access--> .] in memory and
returns what it points to or creates a fresh value if that edge didn't exist. *)
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
val find_opt : AbstractValue.t -> t -> BaseMemory.Edges.t option
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][7/9] kill `AddrTracePair` Summary: The name had rotten: it should be `AddrHistPair`. There is little value of exposing the type of the pair `AbstractValue.t * ValueHistory.t`, just inline its definition everywhere. Reviewed By: ezgicicek Differential Revision: D17955283 fbshipit-source-id: d145251e0
5 years ago
val find_edge_opt : AbstractValue.t -> Access.t -> t -> (AbstractValue.t * ValueHistory.t) option
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
end
[pulse] C++ temporaries bound to globals do not "escape" Summary: Fixes a false positive where the address of a C++ temporary is bound to a static const reference variable then returned. The fix doesn't try to establish that the variable is a const reference so could lead to false negatives but that can be addressed later. Reviewed By: ezgicicek Differential Revision: D16004538 fbshipit-source-id: e403dbefe
6 years ago
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
(** attribute operations like {!BaseAddressAttributes} but that also take care of propagating facts
to the precondition *)
module AddressAttributes : sig
val abduce_attribute : AbstractValue.t -> Attribute.t -> t -> t
(** add the attribute to the pre, if meaningful (does not modify the post) *)
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
val abduce_and_add : AbstractValue.t -> Attributes.t -> t -> t
(** add the attributes to both the current state and, if meaningful, the pre *)
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
val add_one : AbstractValue.t -> Attribute.t -> t -> t
(** add the attribute only to the post *)
val check_valid : Trace.t -> AbstractValue.t -> t -> (t, Invalidation.t * Trace.t) result
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val invalidate : AbstractValue.t * ValueHistory.t -> Invalidation.t -> Location.t -> t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] Model Core Graphics create and copy functions Summary: This models all the Create and Copy functions from CoreGraphics, examples in the tests. These functions all allocate memory that needs to be manually released. The modelling of the release functions will happen in a following diff. Until then, we have some false positives in the tests. This check is currently in biabduction, and we aim to move it to Pulse. Reviewed By: jvillard Differential Revision: D20626395 fbshipit-source-id: b39eae2d9
5 years ago
val allocate : Procname.t -> AbstractValue.t * ValueHistory.t -> Location.t -> t -> t
[pulse] Add model for malloc Summary: Adding a model for malloc: we add an attribute "Allocated". This can be used for implementing memory leaks: whenever the variables get out of scope, we can check that if the variable has an attribute Allocated, it also has an attribute Invalid CFree. Possibly we will need more details in the Allocated attribute, to know if it's malloc, or other allocation function, but we can add that later when we know how it should look like. Reviewed By: jvillard Differential Revision: D20364541 fbshipit-source-id: 5e667a8c3
5 years ago
[typ] extract Procname from Typ Summary: No reason for this to be in Typ Reviewed By: skcho Differential Revision: D19162727 fbshipit-source-id: d6940637a
5 years ago
val get_closure_proc_name : AbstractValue.t -> t -> Procname.t option
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val is_std_vector_reserved : AbstractValue.t -> t -> bool
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
val std_vector_reserve : AbstractValue.t -> t -> t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
[pulse] rename "PulseArithmetic" to "PulseCItv" Summary: In preparation for PulseArithmetic to be something else. Reviewed By: ezgicicek Differential Revision: D20393928 fbshipit-source-id: d93131e12
5 years ago
val get_citv : AbstractValue.t -> t -> (CItv.t * Trace.t) option
[pulse] Add binop arithmetic for BoItv Summary: This extends semantics of binary operator for BoItv. If there is no known interval value for a pulse value, it returns a symbolic value of the pulse value. Reviewed By: jvillard Differential Revision: D18726768 fbshipit-source-id: ed8ecf78b
5 years ago
[pulsebo] Bottom intervals cannot appear in an abstract state Summary: Refine the type of inferbo intervals attributes to "pure" (non-bottom) ones. This is because were we to get a Bottom value from inferbo we should stop the abstract execution instead of recording it in the state. Reviewed By: ezgicicek Differential Revision: D18811165 fbshipit-source-id: fff8664b7
5 years ago
val get_bo_itv : AbstractValue.t -> t -> Itv.ItvPure.t
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
val find_opt : AbstractValue.t -> t -> Attributes.t option
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
end
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
val is_local : Var.t -> t -> bool
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
val find_post_cell_opt : AbstractValue.t -> t -> BaseDomain.cell option
[pudge] it's alive! Summary: Add a path condition to each symbolic state, represented in sledge's arithmetic domain. This gives a precise account of arithmetic constraints. In particular, it is relation and thus is more robust in the face of inter-procedural analysis. This is gated behind a flag for now as there are performance issues with the new arithmetic. Reviewed By: jberdine Differential Revision: D20393947 fbshipit-source-id: b780de22a
5 years ago
val discard_unreachable : t -> t * AbstractValue.Set.t * BaseAddressAttributes.t
[pulse] Memory leak check Summary: First version of a new memory leak check based on Pulse. The idea is to examine unreachable cells in the heap and check that the "Allocated" attribute is available but the "Invalid CFree" isn't. This is done when we remove variables from the state. Currently it only works for malloc, we can extend it to other allocation functions later. Reviewed By: jvillard Differential Revision: D20444097 fbshipit-source-id: 33b6b25a2
5 years ago
(** [discard_unreachable astate] garbage collects unreachable addresses in the state to make it
[pudge] it's alive! Summary: Add a path condition to each symbolic state, represented in sledge's arithmetic domain. This gives a precise account of arithmetic constraints. In particular, it is relation and thus is more robust in the face of inter-procedural analysis. This is gated behind a flag for now as there are performance issues with the new arithmetic. Reviewed By: jberdine Differential Revision: D20393947 fbshipit-source-id: b780de22a
5 years ago
smaller, and retuns the new state, the live addresses, and the attributes of discarded addresses *)
[pulse] refactor of PrePost.t vs AbductiveDomain.t Summary: Be a bit more careful about the difference between PrePost.t and AbductiveDomain.t. It's needed in another diff where the types will be different. Reviewed By: ezgicicek Differential Revision: D20393927 fbshipit-source-id: beaf80c90
5 years ago
[pulse] enforce short forms for PulseBasicInterface Summary: The "interface" modules define short forms for the internals of pulse and also serve as a guide of which modules you are supposed to use at which "level" in the pulse domains (base domain vs abductive domain vs higher-level PulseOperations.ml). Make sure they are used. Reviewed By: skcho Differential Revision: D21022927 fbshipit-source-id: f890df245
5 years ago
val add_skipped_call : Procname.t -> Trace.t -> t -> t
[pulse] refactor of PrePost.t vs AbductiveDomain.t Summary: Be a bit more careful about the difference between PrePost.t and AbductiveDomain.t. It's needed in another diff where the types will be different. Reviewed By: ezgicicek Differential Revision: D20393927 fbshipit-source-id: beaf80c90
5 years ago
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
val add_skipped_calls : SkippedCalls.t -> t -> t
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pudge] it's alive! Summary: Add a path condition to each symbolic state, represented in sledge's arithmetic domain. This gives a precise account of arithmetic constraints. In particular, it is relation and thus is more robust in the face of inter-procedural analysis. This is gated behind a flag for now as there are performance issues with the new arithmetic. Reviewed By: jberdine Differential Revision: D20393947 fbshipit-source-id: b780de22a
5 years ago
val get_path_condition : t -> PathCondition.t
val set_path_condition : PathCondition.t -> t -> t
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
val of_post : Procdesc.t -> t -> t
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
val set_post_edges : AbstractValue.t -> BaseMemory.Edges.t -> t -> t
(** directly set the edges for the given address, bypassing abduction altogether *)
[pulse][interproc 3/3] interproc call Summary: biggest_diff Reviewed By: jberdine Differential Revision: D14387150 fbshipit-source-id: 6d6ddeffc
6 years ago
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
val set_post_cell : AbstractValue.t * ValueHistory.t -> BaseDomain.cell -> Location.t -> t -> t
(** directly set the edges and attributes for the given address, bypassing abduction altogether *)