pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ccb2d23c5b'
${ noResults }
infer_clone/infer/src/pulse/PulseOperations.ml

470 lines
18 KiB
Raw Normal View History Unescape

[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
module L = Logging
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
open IResult.Let_syntax
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
open PulseBasicInterface
[pulse][8/9] Domain interface Summary: Another poorman's library, this time about Pulse Domains. Also renames `PulseDomain` to `PulseBaseDomain`. Reviewed By: ezgicicek Differential Revision: D17955287 fbshipit-source-id: 9c947cf98
5 years ago
open PulseDomainInterface
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
[pulse][8/9] Domain interface Summary: Another poorman's library, this time about Pulse Domains. Also renames `PulseDomain` to `PulseBaseDomain`. Reviewed By: ezgicicek Differential Revision: D17955287 fbshipit-source-id: 9c947cf98
5 years ago
type t = AbductiveDomain.t
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
[pulse] Distinguish error state at top level Summary: As soon as pulse detects an error, it completely stops the analysis and loses the state where the error occurred. This makes it difficult to debug and understand the state the program failed. Moreover, other analyses that might build on pulse (e.g. impurity), cannot access the error state. This diff aims to restore and display the state at the time of the error in `PulseExecutionState` along with the diagnostic by extending it as follows: ``` type exec_state = | represents the state at the program point that caused an error *) ``` As a result, since we don't immediately stop the analysis as soon as we find an error, we detect both errors in conditional branches simultaneously (see test result changes for examples). NOTE: We need to extend `PulseOperations.access_result` to keep track of the failed state as follows: ``` type 'a access_result = ('a, Diagnostic.t * t [denoting the exit state] ) result ``` Reviewed By: jvillard Differential Revision: D20918920 fbshipit-source-id: 432ac68d6
5 years ago
type 'a access_result = ('a, Diagnostic.t * t) result
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
[pulse] enforce short forms for PulseDomainInterface Summary: See previous diff. Reviewed By: ezgicicek Differential Revision: D21022923 fbshipit-source-id: b1cab2fdc
5 years ago
let ok_continue post = Ok [ExecutionDomain.ContinueProgram post]
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
(** Check that the [address] is not known to be invalid *)
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
let check_addr_access location (address, history) astate =
[pulse] separate traces from their action Summary: This simplifies the code overall. It also makes accessing the action of a "trace" (which is now stored alongside it instead of deep inside it) constant time instead of linear in the number of nested calls. Reviewed By: skcho Differential Revision: D18206460 fbshipit-source-id: 9546ff36f
5 years ago
let access_trace = Trace.Immediate {location; history} in
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
AddressAttributes.check_valid access_trace address astate
[pulse] separate traces from their action Summary: This simplifies the code overall. It also makes accessing the action of a "trace" (which is now stored alongside it instead of deep inside it) constant time instead of linear in the number of nested calls. Reviewed By: skcho Differential Revision: D18206460 fbshipit-source-id: 9546ff36f
5 years ago
|> Result.map_error ~f:(fun (invalidation, invalidation_trace) ->
[pulse] Distinguish error state at top level Summary: As soon as pulse detects an error, it completely stops the analysis and loses the state where the error occurred. This makes it difficult to debug and understand the state the program failed. Moreover, other analyses that might build on pulse (e.g. impurity), cannot access the error state. This diff aims to restore and display the state at the time of the error in `PulseExecutionState` along with the diagnostic by extending it as follows: ``` type exec_state = | represents the state at the program point that caused an error *) ``` As a result, since we don't immediately stop the analysis as soon as we find an error, we detect both errors in conditional branches simultaneously (see test result changes for examples). NOTE: We need to extend `PulseOperations.access_result` to keep track of the failed state as follows: ``` type 'a access_result = ('a, Diagnostic.t * t [denoting the exit state] ) result ``` Reviewed By: jvillard Differential Revision: D20918920 fbshipit-source-id: 432ac68d6
5 years ago
(Diagnostic.AccessToInvalidAddress {invalidation; invalidation_trace; access_trace}, astate)
)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
module Closures = struct
[pulse][8/9] Domain interface Summary: Another poorman's library, this time about Pulse Domains. Also renames `PulseDomain` to `PulseBaseDomain`. Reviewed By: ezgicicek Differential Revision: D17955287 fbshipit-source-id: 9c947cf98
5 years ago
module Memory = AbductiveDomain.Memory
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let fake_capture_field_prefix = "__capture_"
let mk_fake_field ~id =
[typ] extract Fieldname from Typ Summary: There is no reason to have this in Typ. Reviewed By: skcho Differential Revision: D19161946 fbshipit-source-id: 7d9b4f249
5 years ago
Fieldname.make
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
(Typ.CStruct (QualifiedCppName.of_list ["std"; "function"]))
(Printf.sprintf "%s%d" fake_capture_field_prefix id)
let is_captured_fake_access (access : _ HilExp.Access.t) =
match access with
| FieldAccess fieldname
[typ] extract Fieldname from Typ Summary: There is no reason to have this in Typ. Reviewed By: skcho Differential Revision: D19161946 fbshipit-source-id: 7d9b4f249
5 years ago
when String.is_prefix ~prefix:fake_capture_field_prefix (Fieldname.to_string fieldname) ->
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
true
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
| _ ->
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
false
let mk_capture_edges captured =
let fake_fields =
List.rev_mapi captured ~f:(fun id captured_addr_trace ->
(HilExp.Access.FieldAccess (mk_fake_field ~id), captured_addr_trace) )
in
Memory.Edges.of_seq (Caml.List.to_seq fake_fields)
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
let check_captured_addresses action lambda_addr (astate : t) =
match AbductiveDomain.find_post_cell_opt lambda_addr astate with
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| None ->
Ok astate
| Some (edges, attributes) ->
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let+ () =
IContainer.iter_result ~fold:Attributes.fold attributes ~f:(function
| Attribute.Closure _ ->
IContainer.iter_result
~fold:(IContainer.fold_of_pervasives_map_fold ~fold:Memory.Edges.fold) edges
~f:(fun (access, addr_trace) ->
if is_captured_fake_access access then
let+ _ = check_addr_access action addr_trace astate in
()
else Ok () )
| _ ->
Ok () )
in
astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let record location pname captured astate =
let captured_addresses =
[pulse] model lambda capture by value Summary: Prevent false positives about variables captured by value gone out of scope. Reviewed By: ezgicicek Differential Revision: D16008165 fbshipit-source-id: d70e47db4
6 years ago
List.rev_filter_map captured
~f:(fun (captured_as, (address_captured, trace_captured), mode) ->
match mode with
| `ByValue ->
None
| `ByReference ->
let new_trace = ValueHistory.Capture {captured_as; location} :: trace_captured in
Some (address_captured, new_trace) )
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
in
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
let closure_addr_hist = (AbstractValue.mk_fresh (), [ValueHistory.Assignment location]) in
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let fake_capture_edges = mk_capture_edges captured_addresses in
let astate =
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
AbductiveDomain.set_post_cell closure_addr_hist
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
(fake_capture_edges, Attributes.singleton (Closure pname))
[pulse] Record the trace of the address written to Reviewed By: skcho Differential Revision: D17004433 fbshipit-source-id: 937319c27
6 years ago
location astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
in
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
(astate, closure_addr_hist)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
end
let eval_var var astate = Stack.eval var astate
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
let eval_access location addr_hist access astate =
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let+ astate = check_addr_access location addr_hist astate in
Memory.eval_edge addr_hist access astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let eval location exp0 astate =
let rec eval exp astate =
match (exp : Exp.t) with
| Var id ->
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
Ok (eval_var (* error in case of missing history? *) [] (Var.of_id id) astate)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| Lvar pvar ->
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
Ok (eval_var [ValueHistory.VariableAccessed (pvar, location)] (Var.of_pvar pvar) astate)
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| Lfield (exp', field, _) ->
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let* astate, addr_hist = eval exp' astate in
let+ astate = check_addr_access location addr_hist astate in
Memory.eval_edge addr_hist (FieldAccess field) astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| Lindex (exp', exp_index) ->
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let* astate, addr_hist_index = eval exp_index astate in
let* astate, addr_hist = eval exp' astate in
let+ astate = check_addr_access location addr_hist astate in
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
Memory.eval_edge addr_hist (ArrayAccess (Typ.void, fst addr_hist_index)) astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
| Closure {name; captured_vars} ->
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let+ astate, rev_captured =
List.fold_result captured_vars ~init:(astate, [])
~f:(fun (astate, rev_captured) (capt_exp, captured_as, _) ->
let+ astate, addr_trace = eval capt_exp astate in
let mode =
(* HACK: the frontend follows this discipline *)
match (capt_exp : Exp.t) with Lvar _ -> `ByReference | _ -> `ByValue
in
(astate, (captured_as, addr_trace, mode) :: rev_captured) )
in
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
Closures.record location name (List.rev rev_captured) astate
| Cast (_, exp') ->
eval exp' astate
[pulse] intervals! Summary: This adds a more interesting value domain to pulse: concrete intervals. There are still two main limitations: 1. arithmetic operations are all over-approximated: any assignment involving arithmetic operations is replaced by non-determinism 2. abstract values that are discovered to be equal are not merged into one Reviewed By: skcho Differential Revision: D18058972 fbshipit-source-id: 0492a590f
5 years ago
| Const (Cint i) ->
[pulse] record equality to constants as attributes Summary: First step in having a value domain: record concrete values. We record them as equalities to abstract values using a new attribute `Constant`. In a way, attributes are already our "pure" part in the "formulas" that are pulse abstract domains, so this is reminiscent of existing separation logic implementations. Trying to add values directly in the "heap" part proved very cumbersome whereas this approach is very simple, allowing us to ignore values most of the time except when we actually care. Reviewed By: skcho Differential Revision: D17665473 fbshipit-source-id: b8033ad9c
5 years ago
(* TODO: make identical const the same address *)
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
let addr = AbstractValue.mk_fresh () in
[pulse] add tracing of arithmetic facts Summary: When reporting null dereference it is useful to know where the null came from. Reviewed By: skcho Differential Revision: D18206459 fbshipit-source-id: 0c8e6781b
5 years ago
let astate =
[pulse] unified API for arithmetic Summary: Instead of having to remember to update both the inferbo and the concrete intervals domains of pulse, hide these details under a unified API. This should help the transition to adding a third(!) numerical domain later on (pudge!). Reviewed By: ezgicicek Differential Revision: D21022920 fbshipit-source-id: 783157464
5 years ago
PulseArithmetic.and_eq_int (Immediate {location; history= []}) addr i astate
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
|> AddressAttributes.invalidate
[pulse] report dereference of NULL and constants Summary: Note: Disabled by default. Having some support for values, we can report when a null or constant value is being dereferenced. The particularity here is that we don't report when 0 is a possible value for the address, or even if we know that the value of the address can only be 0 in that branch! Instead, we allow ourselves to report only when we the address has been *set* to NULL (or any constant). This is in line with how pulse deals with other issues: only report when 1. we see an address become invalid, and 2. we see the same address be used later on Reviewed By: skcho Differential Revision: D17665468 fbshipit-source-id: f1ccf94cf
5 years ago
(addr, [ValueHistory.Assignment location])
(ConstantDereference i) location
[pulse] add tracing of arithmetic facts Summary: When reporting null dereference it is useful to know where the null came from. Reviewed By: skcho Differential Revision: D18206459 fbshipit-source-id: 0c8e6781b
5 years ago
in
[pulse] record equality to constants as attributes Summary: First step in having a value domain: record concrete values. We record them as equalities to abstract values using a new attribute `Constant`. In a way, attributes are already our "pure" part in the "formulas" that are pulse abstract domains, so this is reminiscent of existing separation logic implementations. Trying to add values directly in the "heap" part proved very cumbersome whereas this approach is very simple, allowing us to ignore values most of the time except when we actually care. Reviewed By: skcho Differential Revision: D17665473 fbshipit-source-id: b8033ad9c
5 years ago
Ok (astate, (addr, []))
[pulse] eval unops using inferbo Summary: Similarly to binops, let inferbo evaluate unary operations and record the results. Reviewed By: ezgicicek Differential Revision: D18811146 fbshipit-source-id: 8f9e16bbd
5 years ago
| UnOp (unop, exp, _typ) ->
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let+ astate, (addr, hist) = eval exp astate in
[pulse] unified API for arithmetic Summary: Instead of having to remember to update both the inferbo and the concrete intervals domains of pulse, hide these details under a unified API. This should help the transition to adding a third(!) numerical domain later on (pudge!). Reviewed By: ezgicicek Differential Revision: D21022920 fbshipit-source-id: 783157464
5 years ago
PulseArithmetic.eval_unop location unop addr hist astate
[pulse] Add binop arithmetic for BoItv Summary: This extends semantics of binary operator for BoItv. If there is no known interval value for a pulse value, it returns a symbolic value of the pulse value. Reviewed By: jvillard Differential Revision: D18726768 fbshipit-source-id: ed8ecf78b
5 years ago
| BinOp (bop, e_lhs, e_rhs) ->
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let* astate, (addr_lhs, hist_lhs) = eval e_lhs astate in
let+ ( astate
, ( addr_rhs
, (* NOTE: arbitrarily track only the history of the lhs, maybe not the brightest idea *)
_ ) ) =
eval e_rhs astate
in
[pulse] unified API for arithmetic Summary: Instead of having to remember to update both the inferbo and the concrete intervals domains of pulse, hide these details under a unified API. This should help the transition to adding a third(!) numerical domain later on (pudge!). Reviewed By: ezgicicek Differential Revision: D21022920 fbshipit-source-id: 783157464
5 years ago
PulseArithmetic.eval_binop location bop (AbstractValueOperand addr_lhs)
(AbstractValueOperand addr_rhs) hist_lhs astate
[pulse] arithmetic operations Summary: Model +/- when we know the concrete interval for a value. Reviewed By: skcho Differential Revision: D18528535 fbshipit-source-id: 7c67a7a54
5 years ago
| Const _ | Sizeof _ | Exn _ ->
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
Ok (astate, (AbstractValue.mk_fresh (), (* TODO history *) []))
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
in
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
eval exp0 astate
[pulse] unified API for arithmetic Summary: Instead of having to remember to update both the inferbo and the concrete intervals domains of pulse, hide these details under a unified API. This should help the transition to adding a third(!) numerical domain later on (pudge!). Reviewed By: ezgicicek Differential Revision: D21022920 fbshipit-source-id: 783157464
5 years ago
let eval_to_operand location exp astate =
[pulse] use constant equality to prune unfeasible paths Summary: When we know "x = 3" and we have a condition "x != 3" we know we can prune the corresponding path. Reviewed By: skcho Differential Revision: D17665472 fbshipit-source-id: 988958ea6
5 years ago
match (exp : Exp.t) with
[pulse] intervals! Summary: This adds a more interesting value domain to pulse: concrete intervals. There are still two main limitations: 1. arithmetic operations are all over-approximated: any assignment involving arithmetic operations is replaced by non-determinism 2. abstract values that are discovered to be equal are not merged into one Reviewed By: skcho Differential Revision: D18058972 fbshipit-source-id: 0492a590f
5 years ago
| Const (Cint i) ->
[pulse] unified API for arithmetic Summary: Instead of having to remember to update both the inferbo and the concrete intervals domains of pulse, hide these details under a unified API. This should help the transition to adding a third(!) numerical domain later on (pudge!). Reviewed By: ezgicicek Differential Revision: D21022920 fbshipit-source-id: 783157464
5 years ago
Ok (astate, PulseArithmetic.LiteralOperand i)
[pulse][minor] simplifications in PulseOperations pruning Summary: in preparation for a later commit Reviewed By: skcho Differential Revision: D18889075 fbshipit-source-id: cfc38c570
5 years ago
| exp ->
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let+ astate, (value, _) = eval location exp astate in
[pulse] unified API for arithmetic Summary: Instead of having to remember to update both the inferbo and the concrete intervals domains of pulse, hide these details under a unified API. This should help the transition to adding a third(!) numerical domain later on (pudge!). Reviewed By: ezgicicek Differential Revision: D21022920 fbshipit-source-id: 783157464
5 years ago
(astate, PulseArithmetic.AbstractValueOperand value)
[pulse] use constant equality to prune unfeasible paths Summary: When we know "x = 3" and we have a condition "x != 3" we know we can prune the corresponding path. Reviewed By: skcho Differential Revision: D17665472 fbshipit-source-id: 988958ea6
5 years ago
[pulse] add tracing of arithmetic facts Summary: When reporting null dereference it is useful to know where the null came from. Reviewed By: skcho Differential Revision: D18206459 fbshipit-source-id: 0c8e6781b
5 years ago
let prune ~is_then_branch if_kind location ~condition astate =
let rec prune_aux ~negated exp astate =
match (exp : Exp.t) with
[pulse] unified API for arithmetic Summary: Instead of having to remember to update both the inferbo and the concrete intervals domains of pulse, hide these details under a unified API. This should help the transition to adding a third(!) numerical domain later on (pudge!). Reviewed By: ezgicicek Differential Revision: D21022920 fbshipit-source-id: 783157464
5 years ago
| BinOp (bop, exp_lhs, exp_rhs) ->
let* astate, lhs_op = eval_to_operand location exp_lhs astate in
let+ astate, rhs_op = eval_to_operand location exp_rhs astate in
PulseArithmetic.prune_binop ~is_then_branch if_kind location ~negated bop lhs_op rhs_op
astate
[pulse] add tracing of arithmetic facts Summary: When reporting null dereference it is useful to know where the null came from. Reviewed By: skcho Differential Revision: D18206459 fbshipit-source-id: 0c8e6781b
5 years ago
| UnOp (LNot, exp', _) ->
prune_aux ~negated:(not negated) exp' astate
| exp ->
[pudge] it's alive! Summary: Add a path condition to each symbolic state, represented in sledge's arithmetic domain. This gives a precise account of arithmetic constraints. In particular, it is relation and thus is more robust in the face of inter-procedural analysis. This is gated behind a flag for now as there are performance issues with the new arithmetic. Reviewed By: jberdine Differential Revision: D20393947 fbshipit-source-id: b780de22a
5 years ago
prune_aux ~negated (Exp.BinOp (Ne, exp, Exp.zero)) astate
[pulse] add tracing of arithmetic facts Summary: When reporting null dereference it is useful to know where the null came from. Reviewed By: skcho Differential Revision: D18206459 fbshipit-source-id: 0c8e6781b
5 years ago
in
prune_aux ~negated:false condition astate
[pulse] use constant equality to prune unfeasible paths Summary: When we know "x = 3" and we have a condition "x != 3" we know we can prune the corresponding path. Reviewed By: skcho Differential Revision: D17665472 fbshipit-source-id: 988958ea6
5 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let eval_deref location exp astate =
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let* astate, addr_hist = eval location exp astate in
let+ astate = check_addr_access location addr_hist astate in
Memory.eval_edge addr_hist Dereference astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
[pulse] more details about variable declaration events Summary: - add the variable being declared so we can report it back in the trace in addition to its location - distinguish between local vars and formals Reviewed By: skcho Differential Revision: D17930348 fbshipit-source-id: a5b863e64
5 years ago
let realloc_pvar pvar location astate =
Stack.add (Var.of_pvar pvar)
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
(AbstractValue.mk_fresh (), [ValueHistory.VariableDeclared (pvar, location)])
[pulse] more details about variable declaration events Summary: - add the variable being declared so we can report it back in the trace in addition to its location - distinguish between local vars and formals Reviewed By: skcho Differential Revision: D17930348 fbshipit-source-id: a5b863e64
5 years ago
astate
[pulse] reallocate variables on initialisation Summary: We see the magic function `__variable_initialization` at the point where the variable is declared, eg `int x = foo()`. It's safe to reset `&x` at that point. This circumvents an issue that pops up in some rare cases where the ternary conditional operator `?:` and variable initialization conspire to produce weird frontend results. Some test becomes a FN again, but I think it was being reported for the wrong reasons; will investigate more later. Reviewed By: ngorogiannis Differential Revision: D14747980 fbshipit-source-id: e75d6e30f
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let write_id id new_addr_loc astate = Stack.add (Var.of_id id) new_addr_loc astate
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let havoc_id id loc_opt astate =
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
if Stack.mem (Var.of_id id) astate then write_id id (AbstractValue.mk_fresh (), loc_opt) astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
else astate
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let write_access location addr_trace_ref access addr_trace_obj astate =
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
check_addr_access location addr_trace_ref astate
>>| Memory.add_edge addr_trace_ref access addr_trace_obj location
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let write_deref location ~ref:addr_trace_ref ~obj:addr_trace_obj astate =
write_access location addr_trace_ref Dereference addr_trace_obj astate
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let write_field location addr_trace_ref field addr_trace_obj astate =
write_access location addr_trace_ref (FieldAccess field) addr_trace_obj astate
let havoc_field location addr_trace field trace_obj astate =
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
write_field location addr_trace field (AbstractValue.mk_fresh (), trace_obj) astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
[pulse] Model Core Graphics create and copy functions Summary: This models all the Create and Copy functions from CoreGraphics, examples in the tests. These functions all allocate memory that needs to be manually released. The modelling of the release functions will happen in a following diff. Until then, we have some false positives in the tests. This check is currently in biabduction, and we aim to move it to Pulse. Reviewed By: jvillard Differential Revision: D20626395 fbshipit-source-id: b39eae2d9
5 years ago
let allocate procname location addr_trace astate =
AddressAttributes.allocate procname addr_trace location astate
[pulse] Add model for malloc Summary: Adding a model for malloc: we add an attribute "Allocated". This can be used for implementing memory leaks: whenever the variables get out of scope, we can check that if the variable has an attribute Allocated, it also has an attribute Invalid CFree. Possibly we will need more details in the Allocated attribute, to know if it's malloc, or other allocation function, but we can add that later when we know how it should look like. Reviewed By: jvillard Differential Revision: D20364541 fbshipit-source-id: 5e667a8c3
5 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let invalidate location cause addr_trace astate =
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
check_addr_access location addr_trace astate
>>| AddressAttributes.invalidate addr_trace cause location
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
let invalidate_deref location cause ref_addr_hist astate =
let astate, (addr_obj, _) = Memory.eval_edge ref_addr_hist Dereference astate in
invalidate location cause (addr_obj, snd ref_addr_hist) astate
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let invalidate_array_elements location cause addr_trace astate =
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let+ astate = check_addr_access location addr_trace astate in
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
match Memory.find_opt (fst addr_trace) astate with
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
| None ->
astate
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
| Some edges ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
Memory.Edges.fold
[pulse] traces record how values were constructed Summary: Before: the trace would explain how a value was invalidated and accessed, but not how the value that was invalidated had been constructed. Now: `PulseTrace.t` records breadcrumbs of how the value was constructed in addition to the interproc "action" trace leading to the invalidation or access action. Concretely: ``` void bad(X &x) { X *y = x; X *z = x; delete y; access(z); } ``` will produce the trace: Invalidation part: y = x delete y Access part: z = x access(z) access to z->f inside of access(z) Before this diff the "Access part" would be missing the "z = x" part of the trace, so it might be confusing why `z` has anything to do with `y`. However, such "breadcrumbs" are not recorded in the inter-procedural part, only the sequence of calls is. This is a trade-off for simplicity, maybe it's enough for developers maybe it isn't, we'll find out later. Reviewed By: jberdine Differential Revision: D15354438 fbshipit-source-id: 8d0aed717
6 years ago
(fun access dest_addr_trace astate ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
match (access : Memory.Access.t) with
| ArrayAccess _ ->
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
AddressAttributes.invalidate dest_addr_trace cause location astate
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
| _ ->
astate )
edges astate
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
let shallow_copy location addr_hist astate =
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let+ astate = check_addr_access location addr_hist astate in
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
let cell =
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
match AbductiveDomain.find_post_cell_opt (fst addr_hist) astate with
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
| None ->
(Memory.Edges.empty, Attributes.empty)
| Some cell ->
cell
in
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
let copy = (AbstractValue.mk_fresh (), [ValueHistory.Assignment location]) in
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
(AbductiveDomain.set_post_cell copy cell location astate, copy)
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
[pulse] move [PulseTrace] inside [PulseDomain] Summary: Just moving code around. This is needed later to make some types in `PulseTrace` depend on a new that I'll have to define in `PulseDomain`. Also, this gives better names all around I think Reviewed By: mbouaziz Differential Revision: D15881281 fbshipit-source-id: e86c1472e
6 years ago
let check_address_escape escape_location proc_desc address history astate =
[pulse] C++ temporaries bound to globals do not "escape" Summary: Fixes a false positive where the address of a C++ temporary is bound to a static const reference variable then returned. The fix doesn't try to establish that the variable is a const reference so could lead to false negatives but that can be addressed later. Reviewed By: ezgicicek Differential Revision: D16004538 fbshipit-source-id: e403dbefe
6 years ago
let is_assigned_to_global address astate =
let points_to_address pointer address astate =
Memory.find_edge_opt pointer Dereference astate
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
|> Option.exists ~f:(fun (pointee, _) -> AbstractValue.equal pointee address)
[pulse] C++ temporaries bound to globals do not "escape" Summary: Fixes a false positive where the address of a C++ temporary is bound to a static const reference variable then returned. The fix doesn't try to establish that the variable is a const reference so could lead to false negatives but that can be addressed later. Reviewed By: ezgicicek Differential Revision: D16004538 fbshipit-source-id: e403dbefe
6 years ago
in
Stack.exists
(fun var (pointer, _) -> Var.is_global var && points_to_address pointer address astate)
astate
in
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
let check_address_of_cpp_temporary () =
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
AddressAttributes.find_opt address astate
|> Option.fold_result ~init:() ~f:(fun () attrs ->
[pulse] more efficient representation of attributes Summary: This ensures that each attribute type can only be present once per address. Makes ~80x time improvement on pathological cases such as Duff's device. This introduces a new kind of Set in `PrettyPrintable`. Reviewed By: mbouaziz Differential Revision: D14645091 fbshipit-source-id: c7f9b760c
6 years ago
IContainer.iter_result ~fold:Attributes.fold attrs ~f:(fun attr ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
match attr with
[pulse] C++ temporaries bound to globals do not "escape" Summary: Fixes a false positive where the address of a C++ temporary is bound to a static const reference variable then returned. The fix doesn't try to establish that the variable is a const reference so could lead to false negatives but that can be addressed later. Reviewed By: ezgicicek Differential Revision: D16004538 fbshipit-source-id: e403dbefe
6 years ago
| Attribute.AddressOfCppTemporary (variable, _)
when not (is_assigned_to_global address astate) ->
(* The returned address corresponds to a C++ temporary. It will have gone out of
scope by now except if it was bound to a global. *)
[pulse] improve error messages and traces Summary: Feedback from peterogithub: - mention which access path is being invalidated and accessed in the message - mention the line at which it was invalidated (the line at which it's accessed is already the line at which we report) - traces for stack variable/C++ temporary address escapes - delete double implementation of the same functionality in `PulseTrace`: `location_of_action_start` is the same as `outer_location_of_action`... Reviewed By: jberdine Differential Revision: D14800294 fbshipit-source-id: 3d9ab9b3d
6 years ago
Error
[pulse] Distinguish error state at top level Summary: As soon as pulse detects an error, it completely stops the analysis and loses the state where the error occurred. This makes it difficult to debug and understand the state the program failed. Moreover, other analyses that might build on pulse (e.g. impurity), cannot access the error state. This diff aims to restore and display the state at the time of the error in `PulseExecutionState` along with the diagnostic by extending it as follows: ``` type exec_state = | represents the state at the program point that caused an error *) ``` As a result, since we don't immediately stop the analysis as soon as we find an error, we detect both errors in conditional branches simultaneously (see test result changes for examples). NOTE: We need to extend `PulseOperations.access_result` to keep track of the failed state as follows: ``` type 'a access_result = ('a, Diagnostic.t * t [denoting the exit state] ) result ``` Reviewed By: jvillard Differential Revision: D20918920 fbshipit-source-id: 432ac68d6
5 years ago
( Diagnostic.StackVariableAddressEscape
{variable; location= escape_location; history}
, astate )
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
| _ ->
Ok () ) )
in
let check_address_of_stack_variable () =
[pulse] improve error messages and traces Summary: Feedback from peterogithub: - mention which access path is being invalidated and accessed in the message - mention the line at which it was invalidated (the line at which it's accessed is already the line at which we report) - traces for stack variable/C++ temporary address escapes - delete double implementation of the same functionality in `PulseTrace`: `location_of_action_start` is the same as `outer_location_of_action`... Reviewed By: jberdine Differential Revision: D14800294 fbshipit-source-id: 3d9ab9b3d
6 years ago
let proc_name = Procdesc.get_proc_name proc_desc in
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
IContainer.iter_result ~fold:(IContainer.fold_of_pervasives_map_fold ~fold:Stack.fold) astate
[pulse] improve error messages and traces Summary: Feedback from peterogithub: - mention which access path is being invalidated and accessed in the message - mention the line at which it was invalidated (the line at which it's accessed is already the line at which we report) - traces for stack variable/C++ temporary address escapes - delete double implementation of the same functionality in `PulseTrace`: `location_of_action_start` is the same as `outer_location_of_action`... Reviewed By: jberdine Differential Revision: D14800294 fbshipit-source-id: 3d9ab9b3d
6 years ago
~f:(fun (variable, (var_address, _)) ->
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
if
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
AbstractValue.equal var_address address
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
&& ( Var.is_cpp_temporary variable
|| Var.is_local_to_procedure proc_name variable
&& not (Procdesc.is_captured_var proc_desc variable) )
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
then (
[pulse] improve error messages and traces Summary: Feedback from peterogithub: - mention which access path is being invalidated and accessed in the message - mention the line at which it was invalidated (the line at which it's accessed is already the line at which we report) - traces for stack variable/C++ temporary address escapes - delete double implementation of the same functionality in `PulseTrace`: `location_of_action_start` is the same as `outer_location_of_action`... Reviewed By: jberdine Differential Revision: D14800294 fbshipit-source-id: 3d9ab9b3d
6 years ago
L.d_printfln_escaped "Stack variable address &%a detected at address %a" Var.pp variable
[pulse][6/9] add PulseAbstractValue to PulseBasicInterface Summary: See explanations in D17955104. This renames `AbstractAddress` to `AbstractValue` since they are not necessarily addresses. Reviewed By: ezgicicek Differential Revision: D17955290 fbshipit-source-id: 8bb4c61f2
5 years ago
AbstractValue.pp address ;
[pulse] improve error messages and traces Summary: Feedback from peterogithub: - mention which access path is being invalidated and accessed in the message - mention the line at which it was invalidated (the line at which it's accessed is already the line at which we report) - traces for stack variable/C++ temporary address escapes - delete double implementation of the same functionality in `PulseTrace`: `location_of_action_start` is the same as `outer_location_of_action`... Reviewed By: jberdine Differential Revision: D14800294 fbshipit-source-id: 3d9ab9b3d
6 years ago
Error
[pulse] Distinguish error state at top level Summary: As soon as pulse detects an error, it completely stops the analysis and loses the state where the error occurred. This makes it difficult to debug and understand the state the program failed. Moreover, other analyses that might build on pulse (e.g. impurity), cannot access the error state. This diff aims to restore and display the state at the time of the error in `PulseExecutionState` along with the diagnostic by extending it as follows: ``` type exec_state = | represents the state at the program point that caused an error *) ``` As a result, since we don't immediately stop the analysis as soon as we find an error, we detect both errors in conditional branches simultaneously (see test result changes for examples). NOTE: We need to extend `PulseOperations.access_result` to keep track of the failed state as follows: ``` type 'a access_result = ('a, Diagnostic.t * t [denoting the exit state] ) result ``` Reviewed By: jvillard Differential Revision: D20918920 fbshipit-source-id: 432ac68d6
5 years ago
( Diagnostic.StackVariableAddressEscape {variable; location= escape_location; history}
, astate ) )
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
else Ok () )
in
[pulse] monad, monads everywhere Summary: Add let*/+ syntax to `result` types to simplify all the applications of `>>=`, `>>|` that are followed by a binding (eg `>>= fun x -> ...`) in pulse. Reviewed By: skcho Differential Revision: D19940728 fbshipit-source-id: 4df159029
5 years ago
let+ () = check_address_of_cpp_temporary () >>= check_address_of_stack_variable in
astate
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let mark_address_of_cpp_temporary history variable address astate =
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
AddressAttributes.add_one address (AddressOfCppTemporary (variable, history)) astate
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
let mark_address_of_stack_variable history variable location address astate =
[pulse] Refactor attributes into domain Summary: Let's move attributes into Pulse's domain. Reviewed By: jvillard Differential Revision: D19533915 fbshipit-source-id: 995fd12da
5 years ago
AddressAttributes.add_one address (AddressOfStackVariable (variable, location, history)) astate
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
[pulse] Distinguish error state at top level Summary: As soon as pulse detects an error, it completely stops the analysis and loses the state where the error occurred. This makes it difficult to debug and understand the state the program failed. Moreover, other analyses that might build on pulse (e.g. impurity), cannot access the error state. This diff aims to restore and display the state at the time of the error in `PulseExecutionState` along with the diagnostic by extending it as follows: ``` type exec_state = | represents the state at the program point that caused an error *) ``` As a result, since we don't immediately stop the analysis as soon as we find an error, we detect both errors in conditional branches simultaneously (see test result changes for examples). NOTE: We need to extend `PulseOperations.access_result` to keep track of the failed state as follows: ``` type 'a access_result = ('a, Diagnostic.t * t [denoting the exit state] ) result ``` Reviewed By: jvillard Differential Revision: D20918920 fbshipit-source-id: 432ac68d6
5 years ago
let check_memory_leak_unreachable unreachable_attrs location astate =
[pulse] Memory leak check Summary: First version of a new memory leak check based on Pulse. The idea is to examine unreachable cells in the heap and check that the "Allocated" attribute is available but the "Invalid CFree" isn't. This is done when we remove variables from the state. Currently it only works for malloc, we can extend it to other allocation functions later. Reviewed By: jvillard Differential Revision: D20444097 fbshipit-source-id: 33b6b25a2
5 years ago
let check_memory_leak _ attributes result =
let allocated_not_freed_opt =
Attributes.fold attributes ~init:(None (* allocation trace *), false (* freed *))
~f:(fun acc attr ->
match (attr : Attribute.t) with
[pulse] Model Core Graphics create and copy functions Summary: This models all the Create and Copy functions from CoreGraphics, examples in the tests. These functions all allocate memory that needs to be manually released. The modelling of the release functions will happen in a following diff. Until then, we have some false positives in the tests. This check is currently in biabduction, and we aim to move it to Pulse. Reviewed By: jvillard Differential Revision: D20626395 fbshipit-source-id: b39eae2d9
5 years ago
| Allocated (procname, trace) ->
(Some (procname, trace), snd acc)
[pulse] Memory leak check Summary: First version of a new memory leak check based on Pulse. The idea is to examine unreachable cells in the heap and check that the "Allocated" attribute is available but the "Invalid CFree" isn't. This is done when we remove variables from the state. Currently it only works for malloc, we can extend it to other allocation functions later. Reviewed By: jvillard Differential Revision: D20444097 fbshipit-source-id: 33b6b25a2
5 years ago
| Invalid (CFree, _) ->
(fst acc, true)
| _ ->
acc )
in
match allocated_not_freed_opt with
[pulse] Model Core Graphics create and copy functions Summary: This models all the Create and Copy functions from CoreGraphics, examples in the tests. These functions all allocate memory that needs to be manually released. The modelling of the release functions will happen in a following diff. Until then, we have some false positives in the tests. This check is currently in biabduction, and we aim to move it to Pulse. Reviewed By: jvillard Differential Revision: D20626395 fbshipit-source-id: b39eae2d9
5 years ago
| Some (procname, trace), false ->
[pulse] Memory leak check Summary: First version of a new memory leak check based on Pulse. The idea is to examine unreachable cells in the heap and check that the "Allocated" attribute is available but the "Invalid CFree" isn't. This is done when we remove variables from the state. Currently it only works for malloc, we can extend it to other allocation functions later. Reviewed By: jvillard Differential Revision: D20444097 fbshipit-source-id: 33b6b25a2
5 years ago
(* allocated but not freed *)
[pulse] Distinguish error state at top level Summary: As soon as pulse detects an error, it completely stops the analysis and loses the state where the error occurred. This makes it difficult to debug and understand the state the program failed. Moreover, other analyses that might build on pulse (e.g. impurity), cannot access the error state. This diff aims to restore and display the state at the time of the error in `PulseExecutionState` along with the diagnostic by extending it as follows: ``` type exec_state = | represents the state at the program point that caused an error *) ``` As a result, since we don't immediately stop the analysis as soon as we find an error, we detect both errors in conditional branches simultaneously (see test result changes for examples). NOTE: We need to extend `PulseOperations.access_result` to keep track of the failed state as follows: ``` type 'a access_result = ('a, Diagnostic.t * t [denoting the exit state] ) result ``` Reviewed By: jvillard Differential Revision: D20918920 fbshipit-source-id: 432ac68d6
5 years ago
Error (Diagnostic.MemoryLeak {procname; location; allocation_trace= trace}, astate)
[pulse] Memory leak check Summary: First version of a new memory leak check based on Pulse. The idea is to examine unreachable cells in the heap and check that the "Allocated" attribute is available but the "Invalid CFree" isn't. This is done when we remove variables from the state. Currently it only works for malloc, we can extend it to other allocation functions later. Reviewed By: jvillard Differential Revision: D20444097 fbshipit-source-id: 33b6b25a2
5 years ago
| _ ->
result
in
[pulse] enforce short forms for PulseDomainInterface Summary: See previous diff. Reviewed By: ezgicicek Differential Revision: D21022923 fbshipit-source-id: b1cab2fdc
5 years ago
BaseAddressAttributes.fold check_memory_leak unreachable_attrs (Ok ())
[pulse] Memory leak check Summary: First version of a new memory leak check based on Pulse. The idea is to examine unreachable cells in the heap and check that the "Allocated" attribute is available but the "Invalid CFree" isn't. This is done when we remove variables from the state. Currently it only works for malloc, we can extend it to other allocation functions later. Reviewed By: jvillard Differential Revision: D20444097 fbshipit-source-id: 33b6b25a2
5 years ago
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
let remove_vars vars location astate =
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let astate =
[pulse] Fix marking of AddressOfCppTemporary in the loop Reviewed By: jvillard Differential Revision: D16457665 fbshipit-source-id: cd52c1309
6 years ago
List.fold vars ~init:astate ~f:(fun astate var ->
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
match Stack.find_opt var astate with
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
| Some (address, history) ->
let astate =
[pulse][8/9] Domain interface Summary: Another poorman's library, this time about Pulse Domains. Also renames `PulseDomain` to `PulseBaseDomain`. Reviewed By: ezgicicek Differential Revision: D17955287 fbshipit-source-id: 9c947cf98
5 years ago
if Var.appears_in_source_code var && AbductiveDomain.is_local var astate then
[pulse] Handle stack refs escaping their scope via pointer Summary: Pulse didn't treat local variables going out of scope as invalidating the corresponding address in memory. This diff fixes that by - marking all local variables that exits the scope with the attribute `AddressOfStackVariable` - before we write the summary for the proc, we make sure to invalidate all such addresses local to the procedure as `Invalid.` If such an address is read, then we would raise a use-after-lifetime issue. Reviewed By: jvillard Differential Revision: D16458355 fbshipit-source-id: 3686524cb
6 years ago
mark_address_of_stack_variable history var location address astate
else astate
in
if Var.is_cpp_temporary var then
mark_address_of_cpp_temporary history var address astate
else astate
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
| _ ->
[pulse] Fix marking of AddressOfCppTemporary in the loop Reviewed By: jvillard Differential Revision: D16457665 fbshipit-source-id: cd52c1309
6 years ago
astate )
[pulse] split PulseDomain.ml Summary: Split into: - `PulseDiagnostic`, formerly `PulseDomain.Diagnostic` - `PulseOperations`, formerly `PulseDomain.Operations` This breaks down the now quite large and complex PulseDomain.ml into more manageable pieces. More importantly, it will allow us to build a bigger pulse domain later, where elements of the domain are pairs of the base domain that include a biabductive "footprint". What's not as nice is that more of the interface of `PulseDomain` is exposed, in particular `PulseDomain.Memory` and `PulseDomain.Stack`. We'll have to be careful not to break abstraction barriers and prefer `PulseOperations` to `PulseDomain` outside of the domain implementation. OCaml forces us to do that because of the multi-file approach. It could be solved by introducing pulse domains as a library but who has time for that... Sending early because rebasing that diff is painful. Reviewed By: ngorogiannis Differential Revision: D13537602 fbshipit-source-id: d211d6e84
6 years ago
in
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
let astate' = Stack.remove_vars vars astate in
[pulse] Memory leak check Summary: First version of a new memory leak check based on Pulse. The idea is to examine unreachable cells in the heap and check that the "Allocated" attribute is available but the "Invalid CFree" isn't. This is done when we remove variables from the state. Currently it only works for malloc, we can extend it to other allocation functions later. Reviewed By: jvillard Differential Revision: D20444097 fbshipit-source-id: 33b6b25a2
5 years ago
if phys_equal astate' astate then Ok astate
else
[pudge] it's alive! Summary: Add a path condition to each symbolic state, represented in sledge's arithmetic domain. This gives a precise account of arithmetic constraints. In particular, it is relation and thus is more robust in the face of inter-procedural analysis. This is gated behind a flag for now as there are performance issues with the new arithmetic. Reviewed By: jberdine Differential Revision: D20393947 fbshipit-source-id: b780de22a
5 years ago
let astate, _, unreachable_attrs = AbductiveDomain.discard_unreachable astate' in
[pulse] Distinguish error state at top level Summary: As soon as pulse detects an error, it completely stops the analysis and loses the state where the error occurred. This makes it difficult to debug and understand the state the program failed. Moreover, other analyses that might build on pulse (e.g. impurity), cannot access the error state. This diff aims to restore and display the state at the time of the error in `PulseExecutionState` along with the diagnostic by extending it as follows: ``` type exec_state = | represents the state at the program point that caused an error *) ``` As a result, since we don't immediately stop the analysis as soon as we find an error, we detect both errors in conditional branches simultaneously (see test result changes for examples). NOTE: We need to extend `PulseOperations.access_result` to keep track of the failed state as follows: ``` type 'a access_result = ('a, Diagnostic.t * t [denoting the exit state] ) result ``` Reviewed By: jvillard Differential Revision: D20918920 fbshipit-source-id: 432ac68d6
5 years ago
let+ () = check_memory_leak_unreachable unreachable_attrs location astate in
[pulse] Memory leak check Summary: First version of a new memory leak check based on Pulse. The idea is to examine unreachable cells in the heap and check that the "Allocated" attribute is available but the "Invalid CFree" isn't. This is done when we remove variables from the state. Currently it only works for malloc, we can extend it to other allocation functions later. Reviewed By: jvillard Differential Revision: D20444097 fbshipit-source-id: 33b6b25a2
5 years ago
astate
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
[pulse] Do not havoc arguments of unknown functions that are pointers to const Reviewed By: skcho Differential Revision: D19331312 fbshipit-source-id: b450a819b
5 years ago
let is_ptr_to_const formal_typ_opt =
Option.value_map formal_typ_opt ~default:false ~f:(fun (formal_typ : Typ.t) ->
match formal_typ.desc with Typ.Tptr (t, _) -> Typ.is_const t.quals | _ -> false )
let unknown_call call_loc reason ~ret ~actuals ~formals_opt astate =
[pulse] havoc formals passed by reference to unknown procedures Summary: This gets rid of false positives when something invalid (eg null) is passed by reference to an initialisation function. Havoc'ing what the contents of the pointer to results in being optimistic about said contents in the future. Also surprisingly gets rid of some FNs (which means it can also introduce FPs) in the `std::atomic` tests because a path condition becomes feasible with havoc'ing. There's a slight refinement possible where we don't havoc pointers to const but that's more involved and left as future work. Reviewed By: skcho Differential Revision: D18726203 fbshipit-source-id: 264b5daeb
5 years ago
let event = ValueHistory.Call {f= reason; location= call_loc; in_call= []} in
let havoc_ret (ret, _) astate = havoc_id ret [event] astate in
[pulse] Do not havoc arguments of unknown functions that are pointers to const Reviewed By: skcho Differential Revision: D19331312 fbshipit-source-id: b450a819b
5 years ago
let havoc_actual_if_ptr (actual, actual_typ) formal_typ_opt astate =
(* We should not havoc when the corresponding formal is a
pointer to const *)
[pulse] Don't write through pointer arguments in Java Summary: Pulse has an extra invalidation mechanism (introduced in D18726203) to prevent something invalid (e.g. `null`) to be passed by reference to an initialisation function. Therefore, it havocs formals passed by reference to skipped functions. However, I don't think this makes sense in Java. So, let's turn it off. A nice consequence of this is that in impurity analysis, we do not consider functions that call skipped library calls with object arguments as writing to their formals. Reviewed By: skcho Differential Revision: D19697110 fbshipit-source-id: 6e3a71f2a
5 years ago
if
(not (Language.curr_language_is Java))
&& Typ.is_pointer actual_typ
&& not (is_ptr_to_const formal_typ_opt)
then
(* HACK: write through the pointer even if it is invalid (except in Java). This is to avoid raising issues when
[pulse] havoc formals passed by reference to unknown procedures Summary: This gets rid of false positives when something invalid (eg null) is passed by reference to an initialisation function. Havoc'ing what the contents of the pointer to results in being optimistic about said contents in the future. Also surprisingly gets rid of some FNs (which means it can also introduce FPs) in the `std::atomic` tests because a path condition becomes feasible with havoc'ing. There's a slight refinement possible where we don't havoc pointers to const but that's more involved and left as future work. Reviewed By: skcho Differential Revision: D18726203 fbshipit-source-id: 264b5daeb
5 years ago
havoc'ing pointer parameters (which normally causes a [check_valid] call. *)
let fresh_value = AbstractValue.mk_fresh () in
Memory.add_edge actual Dereference (fresh_value, [event]) call_loc astate
else astate
in
[pulse] Track skipped functions Summary: Let's collect the list of all skipped functions with a `proc_name` but no summary in Pulse's memory. This will be useful for the impurity analysis later (next diff). Concretely, we extend Pulse's domain with a map from skipped calls to their respective traces. For efficiency, we only keep a single trace per skipped call. For impurity analysis, tracking skipped calls in Pulse allows us to rely on Pulse's strong memory model to get rid of infeasible paths as opposed to creating an independent checker which wouldn't be able to do that. Reviewed By: jvillard Differential Revision: D19428426 fbshipit-source-id: 3c5e482c5
5 years ago
let add_skipped_proc astate =
match reason with
[pulse] enforce short forms for PulseBasicInterface Summary: The "interface" modules define short forms for the internals of pulse and also serve as a guide of which modules you are supposed to use at which "level" in the pulse domains (base domain vs abductive domain vs higher-level PulseOperations.ml). Make sure they are used. Reviewed By: skcho Differential Revision: D21022927 fbshipit-source-id: f890df245
5 years ago
| CallEvent.SkippedKnownCall proc_name ->
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
AbductiveDomain.add_skipped_call proc_name
[pulse] Track skipped functions Summary: Let's collect the list of all skipped functions with a `proc_name` but no summary in Pulse's memory. This will be useful for the impurity analysis later (next diff). Concretely, we extend Pulse's domain with a map from skipped calls to their respective traces. For efficiency, we only keep a single trace per skipped call. For impurity analysis, tracking skipped calls in Pulse allows us to rely on Pulse's strong memory model to get rid of infeasible paths as opposed to creating an independent checker which wouldn't be able to do that. Reviewed By: jvillard Differential Revision: D19428426 fbshipit-source-id: 3c5e482c5
5 years ago
(Trace.Immediate {location= call_loc; history= []})
astate
| _ ->
astate
in
[pulse] havoc formals passed by reference to unknown procedures Summary: This gets rid of false positives when something invalid (eg null) is passed by reference to an initialisation function. Havoc'ing what the contents of the pointer to results in being optimistic about said contents in the future. Also surprisingly gets rid of some FNs (which means it can also introduce FPs) in the `std::atomic` tests because a path condition becomes feasible with havoc'ing. There's a slight refinement possible where we don't havoc pointers to const but that's more involved and left as future work. Reviewed By: skcho Differential Revision: D18726203 fbshipit-source-id: 264b5daeb
5 years ago
L.d_printfln "skipping unknown procedure@." ;
[pulse] Do not havoc arguments of unknown functions that are pointers to const Reviewed By: skcho Differential Revision: D19331312 fbshipit-source-id: b450a819b
5 years ago
( match formals_opt with
| None ->
List.fold actuals
~f:(fun astate actual_typ -> havoc_actual_if_ptr actual_typ None astate)
~init:astate
[pulse] Fix unequal length Reviewed By: jvillard Differential Revision: D19371310 fbshipit-source-id: 8de1338be
5 years ago
| Some formals -> (
match
List.fold2 actuals formals
[pulse] Do not havoc arguments of unknown functions that are pointers to const Reviewed By: skcho Differential Revision: D19331312 fbshipit-source-id: b450a819b
5 years ago
~f:(fun astate actual_typ (_, formal_typ) ->
havoc_actual_if_ptr actual_typ (Some formal_typ) astate )
[pulse] Fix unequal length Reviewed By: jvillard Differential Revision: D19371310 fbshipit-source-id: 8de1338be
5 years ago
~init:astate
with
| Unequal_lengths ->
L.d_printfln "ERROR: formals have length %d but actuals have length %d"
(List.length formals) (List.length actuals) ;
astate
| Ok result ->
result ) )
[pulse] Track skipped functions Summary: Let's collect the list of all skipped functions with a `proc_name` but no summary in Pulse's memory. This will be useful for the impurity analysis later (next diff). Concretely, we extend Pulse's domain with a map from skipped calls to their respective traces. For efficiency, we only keep a single trace per skipped call. For impurity analysis, tracking skipped calls in Pulse allows us to rely on Pulse's strong memory model to get rid of infeasible paths as opposed to creating an independent checker which wouldn't be able to do that. Reviewed By: jvillard Differential Revision: D19428426 fbshipit-source-id: 3c5e482c5
5 years ago
|> havoc_ret ret |> add_skipped_proc
[pulse] havoc formals passed by reference to unknown procedures Summary: This gets rid of false positives when something invalid (eg null) is passed by reference to an initialisation function. Havoc'ing what the contents of the pointer to results in being optimistic about said contents in the future. Also surprisingly gets rid of some FNs (which means it can also introduce FPs) in the `std::atomic` tests because a path condition becomes feasible with havoc'ing. There's a slight refinement possible where we don't havoc pointers to const but that's more involved and left as future work. Reviewed By: skcho Differential Revision: D18726203 fbshipit-source-id: 264b5daeb
5 years ago
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
let apply_callee callee_pname call_loc callee_exec_state ~ret ~formals ~actuals astate =
let apply callee_prepost ~f =
[pulse] move interproc call to its own file Summary: PulseAbductiveDomain.ml can be split into two distinct parts: 1. The definition of the "abductive domain" itself. This remains in that file. 2. How to apply a given pre/post pair to the current state (during a function call). This is about the same size as 1. in terms of lines of code(!) and is now in PulseInterproc.ml. Reviewed By: ezgicicek Differential Revision: D21022921 fbshipit-source-id: 431fe061e
5 years ago
PulseInterproc.apply_prepost callee_pname call_loc ~callee_prepost ~formals ~actuals astate
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
>>| function
| None ->
(* couldn't apply pre/post pair *) None
| Some (post, return_val_opt) ->
let event = ValueHistory.Call {f= Call callee_pname; location= call_loc; in_call= []} in
let post =
match return_val_opt with
| Some (return_val, return_hist) ->
write_id (fst ret) (return_val, event :: return_hist) post
| None ->
havoc_id (fst ret) [event] post
in
Some (f post)
in
[pulse] enforce short forms for PulseDomainInterface Summary: See previous diff. Reviewed By: ezgicicek Differential Revision: D21022923 fbshipit-source-id: b1cab2fdc
5 years ago
let open ExecutionDomain in
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
match callee_exec_state with
[pulse] Distinguish error state at top level Summary: As soon as pulse detects an error, it completely stops the analysis and loses the state where the error occurred. This makes it difficult to debug and understand the state the program failed. Moreover, other analyses that might build on pulse (e.g. impurity), cannot access the error state. This diff aims to restore and display the state at the time of the error in `PulseExecutionState` along with the diagnostic by extending it as follows: ``` type exec_state = | represents the state at the program point that caused an error *) ``` As a result, since we don't immediately stop the analysis as soon as we find an error, we detect both errors in conditional branches simultaneously (see test result changes for examples). NOTE: We need to extend `PulseOperations.access_result` to keep track of the failed state as follows: ``` type 'a access_result = ('a, Diagnostic.t * t [denoting the exit state] ) result ``` Reviewed By: jvillard Differential Revision: D20918920 fbshipit-source-id: 432ac68d6
5 years ago
| AbortProgram _ ->
(* Callee has failed; don't propagate the failure *)
Ok (Some callee_exec_state)
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
| ContinueProgram astate ->
apply astate ~f:(fun astate -> ContinueProgram astate)
| ExitProgram astate ->
apply astate ~f:(fun astate -> ExitProgram astate)
let call ~caller_summary call_loc callee_pname ~ret ~actuals ~formals_opt
[pulse] enforce short forms for PulseDomainInterface Summary: See previous diff. Reviewed By: ezgicicek Differential Revision: D21022923 fbshipit-source-id: b1cab2fdc
5 years ago
(astate : AbductiveDomain.t) : (ExecutionDomain.t list, Diagnostic.t * t) result =
Introduce method SummaryPayload.read_toplevel_procedure Summary: Cluster checkers call `SummaryPayload.read` but set the `caller_summary` to correspond to the same summary as gives the `callee_pname` This change introduces a new method `read_toplevel_procedure` that does not require a `caller_summary`, to be used by the cluster checkers Reviewed By: ngorogiannis Differential Revision: D16131660 fbshipit-source-id: 12caa1000
6 years ago
match PulsePayload.read_full ~caller_summary ~callee_pname with
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
| Some (callee_proc_desc, exec_states) ->
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
let formals =
Procdesc.get_formals callee_proc_desc
|> List.map ~f:(fun (mangled, _) -> Pvar.mk mangled callee_pname |> Var.of_pvar)
in
[pulse][8/9] Domain interface Summary: Another poorman's library, this time about Pulse Domains. Also renames `PulseDomain` to `PulseBaseDomain`. Reviewed By: ezgicicek Differential Revision: D17955287 fbshipit-source-id: 9c947cf98
5 years ago
(* call {!AbductiveDomain.PrePost.apply} on each pre/post pair in the summary. *)
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
List.fold_result exec_states ~init:[] ~f:(fun posts callee_exec_state ->
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
(* apply all pre/post specs *)
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
apply_callee callee_pname call_loc callee_exec_state ~formals ~actuals ~ret astate
[pulse] stop the analysis when precondition cannot be applied for reasons others than errors Summary: If a precondition cannot be applied, it means that this program path somehow doesn't make sense for the caller and so should be pruned. Right now we just treat this as skipping over the call instead. This will become more important when specs start mentioning arithmetic facts that must be satisfied at the call site. As it is we will only stop if we discover aliasing in the pre not present at the call site or vice versa. Reviewed By: dulmarod Differential Revision: D18115230 fbshipit-source-id: 4f1c7a583
5 years ago
>>| function
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
| None -> (* couldn't apply pre/post pair *) posts | Some post -> post :: posts )
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
| None ->
(* no spec found for some reason (unknown function, ...) *)
[typ] extract Procname from Typ Summary: No reason for this to be in Typ Reviewed By: skcho Differential Revision: D19162727 fbshipit-source-id: d6940637a
5 years ago
L.d_printfln "No spec found for %a@\n" Procname.pp callee_pname ;
[pulse] Distinguish exit state at top level Summary: This diff lifts the `PulseAbductiveDomain.t` in `PulseExecutionState` by tracking whether the program continues the analysis normally or exits unusually (e.g. by calling `exit` or `throw`): ``` type exec_state = | ContinueProgram of PulseAbductiveDomain.t (** represents the state at the program point *) | ExitProgram of PulseAbductiveDomain.t (** represents the state originating at exit/divergence. *) ``` Now, Pulse's actual domain is tracked by `PulseExecutionState` and as soon as we try to analyze an instruction at `ExitProgram`, we simply return its state. The aim is to recover the state at the time of the exit, rather than simply ignoring them (i.e. returning empty disjuncts). This allows us to get rid of some FNs that we were not able to detect before. Moreover, it also allows the impurity analysis to be more precise since we will know how the state changed up to exit. TODO: - Impurity analysis needs to be improved to consider functions that simply exit as impure. - The next goal is to handle error state similarly so that when pulse finds an error, we recover the state at the error location (and potentially continue to analyze?). Disclaimer: currently, we handle throw statements like exit (as was the case before). However, this is not correct. Ideally, control flow from throw nodes follows catch nodes rather than exiting the program entirely. Reviewed By: jvillard Differential Revision: D20791747 fbshipit-source-id: df9e5445a
5 years ago
unknown_call call_loc (SkippedKnownCall callee_pname) ~ret ~actuals ~formals_opt astate
|> ok_continue