pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'da849cc320'
${ noResults }
infer_clone/infer/src/pulse/PulseModels.ml

250 lines
11 KiB
Raw Normal View History Unescape

[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
(*
[copyright] Remove years Reviewed By: jvillard Differential Revision: D15771884 fbshipit-source-id: e2997e3a3
6 years ago
* Copyright (c) Facebook, Inc. and its affiliates.
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
open! IStd
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
open Result.Monad_infix
[pulse][1/9] create PulseBasicInterface, with CallEvent Summary: Problem: PulseDomain.ml is pretty big, and contains lots of small modules. The Infer build being a bit monolithic at the moment, it is hard to split all these small modules off without creating some confusion about which abstraction barries lay where. For instance, it's fine to use `PulseDomain.ValueHistory` anywhere, but using `PulseDomain` itself is sometimes bad when one should use `PulseAbductiveDomain` instead. Proposal: a poorman's library mechanism based on module aliasing. This stack of diffs creates new Pulse* modules for all these small, safe to use modules, together with `PulseBasicInterface.ml`, which aliases these modules to remove the `Pulse` prefix. At the end of the stack, it will contain: ``` module AbstractValue = PulseAbstractValue module Attribute = PulseAttribute module Attributes = PulseAttribute.Attributes module CallEvent = PulseCallEvent module Diagnostic = PulseDiagnostic module Invalidation = PulseInvalidation module Trace = PulseTrace module ValueHistory = PulseValueHistory ``` This "interface" module can be opened in other pulse modules freely. Reviewed By: ezgicicek Differential Revision: D17955104 fbshipit-source-id: 13d3aa2b5
5 years ago
open PulseBasicInterface
[pulse] model std::integral_constant Summary: cpp_initialization Reviewed By: skcho Differential Revision: D18528537 fbshipit-source-id: ab5f8038a
5 years ago
open PulseDomainInterface
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
type arg_payload = AbstractValue.t * ValueHistory.t
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
type exec_fun =
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
caller_summary:Summary.t
-> Location.t
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
-> ret:Ident.t * Typ.t
[pulse][interproc 2/3] abductive domain Summary: For each operation on the domain, try to record what it requires of the precondition of the function. This is akin to what happens in the biabduction backend, hence the terminology used. Reviewed By: jberdine Differential Revision: D14387148 fbshipit-source-id: a61fe30c8
6 years ago
-> PulseAbductiveDomain.t
[pulse] allow models to return disjuncts Summary: This is useful for the model of `exit` that returns 0 disjuncts. All other models return 1 disjunct for now, but in the future things like `malloc()` will need to return 2 possible states for instance. Reviewed By: ngorogiannis Differential Revision: D14753491 fbshipit-source-id: 3e7387d6d
6 years ago
-> PulseAbductiveDomain.t list PulseOperations.access_result
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
type model = exec_fun
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
module Misc = struct
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let shallow_copy model_desc dest_pointer_hist src_pointer_hist : model =
fun ~caller_summary:_ location ~ret:(ret_id, _) astate ->
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
let event = ValueHistory.Call {f= Model model_desc; location; in_call= []} in
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
PulseOperations.eval_access location src_pointer_hist Dereference astate
>>= fun (astate, obj) ->
PulseOperations.shallow_copy location obj astate
>>= fun (astate, obj_copy) ->
PulseOperations.write_deref location ~ref:dest_pointer_hist
~obj:(fst obj_copy, event :: snd obj_copy)
astate
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
>>| fun astate -> [PulseOperations.havoc_id ret_id [event] astate]
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let early_exit : model = fun ~caller_summary:_ _ ~ret:_ _ -> Ok []
[pulse] skip `folly::SocketAddress::~SocketAddress` Summary: The constructor of `folly::SocketAddress` conditionally deletes some object and then makes that condition false. The destructor then does the same. Pulse ignores conditionals so will see a double delete. Just skip that function for now, but it should be easy for pulse to be more correct here if it knew how to compare constant values. Reviewed By: mbouaziz Differential Revision: D16005395 fbshipit-source-id: 036f5091b
6 years ago
[pulse] model std::integral_constant Summary: cpp_initialization Reviewed By: skcho Differential Revision: D18528537 fbshipit-source-id: ab5f8038a
5 years ago
let return_int : Int64.t -> model =
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
fun i64 ~caller_summary:_ location ~ret:(ret_id, _) astate ->
[pulse] model std::integral_constant Summary: cpp_initialization Reviewed By: skcho Differential Revision: D18528537 fbshipit-source-id: ab5f8038a
5 years ago
let ret_addr = AbstractValue.mk_fresh () in
let astate =
Memory.add_attribute ret_addr
(Arithmetic (Arithmetic.equal_to (IntLit.of_int64 i64), Immediate {location; history= []}))
astate
in
Ok [PulseOperations.write_id ret_id (ret_addr, []) astate]
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let skip : model = fun ~caller_summary:_ _ ~ret:_ astate -> Ok [astate]
[pulse][impurity] Add Pulse Java models for get and cast Summary: We consider Java collections to be like c++ std::vectors and add models for - `Collections.get(..)` - `__cast` Reviewed By: skcho Differential Revision: D18449607 fbshipit-source-id: 448206c84
5 years ago
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let id_first_arg arg_access_hist : model =
fun ~caller_summary:_ _ ~ret astate ->
Ok [PulseOperations.write_id (fst ret) arg_access_hist astate]
[pulse] model some early exit functions Summary: Copied on the ownership checker logic: return the initial value of the domain as return. This can probably be improved. Reviewed By: mbouaziz Differential Revision: D12888102 fbshipit-source-id: 9e2dac7fc
6 years ago
end
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
module C = struct
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let free deleted_access : model =
fun ~caller_summary:_ location ~ret:_ astate ->
PulseOperations.invalidate location Invalidation.CFree deleted_access astate >>| List.return
[pulse] use after free Summary: Model `free` like `delete`. Reviewed By: mbouaziz, skcho Differential Revision: D10509332 fbshipit-source-id: fe4249601
6 years ago
end
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
module Cplusplus = struct
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let delete deleted_access : model =
fun ~caller_summary:_ location ~ret:_ astate ->
PulseOperations.invalidate location Invalidation.CppDelete deleted_access astate >>| List.return
[pulse] Model placement new Summary: Modeling `placement new` Reviewed By: jvillard Differential Revision: D10451539 fbshipit-source-id: 43be005e4
6 years ago
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let placement_new actuals : model =
fun ~caller_summary:_ location ~ret:(ret_id, _) astate ->
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
let event = ValueHistory.Call {f= Model "<placement new>()"; location; in_call= []} in
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
match List.rev actuals with
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
| ProcnameDispatcher.Call.FuncArg.{arg_payload= address, hist} :: _ ->
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
Ok [PulseOperations.write_id ret_id (address, event :: hist) astate]
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
| _ ->
Ok [PulseOperations.havoc_id ret_id [event] astate]
end
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
module StdBasicString = struct
let internal_string =
Typ.Fieldname.Clang.from_class_name
(Typ.CStruct (QualifiedCppName.of_list ["std"; "basic_string"]))
"__infer_model_backing_string"
let internal_string_access = HilExp.Access.FieldAccess internal_string
let to_internal_string location bstring astate =
PulseOperations.eval_access location bstring internal_string_access astate
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let data this_hist : model =
fun ~caller_summary:_ location ~ret:(ret_id, _) astate ->
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
let event = ValueHistory.Call {f= Model "std::basic_string::data()"; location; in_call= []} in
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
to_internal_string location this_hist astate
>>= fun (astate, string_addr_hist) ->
PulseOperations.eval_access location string_addr_hist Dereference astate
>>| fun (astate, (string, hist)) ->
[PulseOperations.write_id ret_id (string, event :: hist) astate]
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let destructor this_hist : model =
fun ~caller_summary:_ location ~ret:_ astate ->
[pulse][1/9] create PulseBasicInterface, with CallEvent Summary: Problem: PulseDomain.ml is pretty big, and contains lots of small modules. The Infer build being a bit monolithic at the moment, it is hard to split all these small modules off without creating some confusion about which abstraction barries lay where. For instance, it's fine to use `PulseDomain.ValueHistory` anywhere, but using `PulseDomain` itself is sometimes bad when one should use `PulseAbductiveDomain` instead. Proposal: a poorman's library mechanism based on module aliasing. This stack of diffs creates new Pulse* modules for all these small, safe to use modules, together with `PulseBasicInterface.ml`, which aliases these modules to remove the `Pulse` prefix. At the end of the stack, it will contain: ``` module AbstractValue = PulseAbstractValue module Attribute = PulseAttribute module Attributes = PulseAttribute.Attributes module CallEvent = PulseCallEvent module Diagnostic = PulseDiagnostic module Invalidation = PulseInvalidation module Trace = PulseTrace module ValueHistory = PulseValueHistory ``` This "interface" module can be opened in other pulse modules freely. Reviewed By: ezgicicek Differential Revision: D17955104 fbshipit-source-id: 13d3aa2b5
5 years ago
let model = CallEvent.Model "std::basic_string::~basic_string()" in
[pulse][3/9] add PulseValueHistory to PulseBasicInterface Summary: See explanations in D17955104 Reviewed By: ezgicicek Differential Revision: D17955285 fbshipit-source-id: 4e93a86df
5 years ago
let call_event = ValueHistory.Call {f= model; location; in_call= []} in
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
to_internal_string location this_hist astate
>>= fun (astate, (string_addr, string_hist)) ->
let string_addr_hist = (string_addr, call_event :: string_hist) in
PulseOperations.invalidate_deref location CppDelete string_addr_hist astate
>>= fun astate ->
PulseOperations.invalidate location CppDelete string_addr_hist astate >>| fun astate -> [astate]
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
end
[pulse] model `std::function::operator=` Summary: `function::operator=` is called whenever we assign a literal lambda to a variable, so it's pretty useful to be able to report anything on lambdas. Reviewed By: mbouaziz Differential Revision: D16008163 fbshipit-source-id: a9d07668d
6 years ago
module StdFunction = struct
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let operator_call lambda_ptr_hist actuals : model =
fun ~caller_summary location ~ret astate ->
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
let havoc_ret (ret_id, _) astate =
[ocamlformat] Upgrade ocamlformat version Reviewed By: jvillard Differential Revision: D18162727 fbshipit-source-id: ffb9f7541
5 years ago
let event = ValueHistory.Call {f= Model "std::function::operator()"; location; in_call= []} in
[pulse] calling known lambdas calls the corresponding proc name Summary: We know how to do interprocedural calls so let's use that! Reviewed By: mbouaziz Differential Revision: D16008164 fbshipit-source-id: 4c34bf704
6 years ago
[PulseOperations.havoc_id ret_id [event] astate]
in
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
PulseOperations.eval_access location lambda_ptr_hist Dereference astate
>>= fun (astate, (lambda, _)) ->
PulseOperations.Closures.check_captured_addresses location lambda astate
>>= fun astate ->
match PulseAbductiveDomain.Memory.get_closure_proc_name lambda astate with
| None ->
(* we don't know what proc name this lambda resolves to *) Ok (havoc_ret ret astate)
| Some callee_proc_name ->
let actuals =
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
List.map actuals ~f:(fun ProcnameDispatcher.Call.FuncArg.{arg_payload; typ} ->
(arg_payload, typ) )
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
in
PulseOperations.call ~caller_summary location callee_proc_name ~ret ~actuals astate
[pulse] pulse models Summary: Some mild refactoring to isolate the modelling part. Reviewed By: mbouaziz Differential Revision: D10406804 fbshipit-source-id: 3be76a5e9
6 years ago
end
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
module StdVector = struct
let internal_array =
Typ.Fieldname.Clang.from_class_name
(Typ.CStruct (QualifiedCppName.of_list ["std"; "vector"]))
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
"__infer_model_backing_array"
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
let internal_array_access = HilExp.Access.FieldAccess internal_array
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let to_internal_array location vector astate =
[pulse] model some of `std::basic_string` Summary: A common gotcha is the new test. Model the minimum amount of `std::basic_string` to catch it. Reviewed By: mbouaziz, ngorogiannis Differential Revision: D16121090 fbshipit-source-id: 66f06cb43
6 years ago
PulseOperations.eval_access location vector internal_array_access astate
[pulse] take array indices into account Summary: This will be useful to make the analysis more precise. In particular, it allows a disjunctive version of pulse to deal will deleting vector elements in a loop: without this, deleting an array element in one iteration will make the analysis think that the next array element is invalid too since they are all the same. By keep track of the index, we can detect when we are sure that two elements are the same and only report in that case. Reviewed By: ngorogiannis Differential Revision: D13431374 fbshipit-source-id: dae82deeb
6 years ago
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
let element_of_internal_array location vector index astate =
to_internal_array location vector astate
>>= fun (astate, vector_internal_array) ->
PulseOperations.eval_access location vector_internal_array
(ArrayAccess (Typ.void, index))
astate
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
[pulse] add traces to the domain Summary: Record per-location traces. Actually, that doesn't quite make sense as a location can be accessed in many ways, so associate a trace to each *edge* in the memory graph. For instance, when doing `x->f = *y`, we want to take the history of the `<val of y> --*--> ..` edge, add "assigned at location blah" to it and store this extended history to the edge `<val of x> --f--> ..`. Use this machinery to print nicer traces in `infer explore` and better error messages too (include the last assignment, like biabduction messages). Reviewed By: da319 Differential Revision: D13518668 fbshipit-source-id: 0a62fb55f
6 years ago
let reallocate_internal_array trace vector vector_f location astate =
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
to_internal_array location vector astate
>>= fun (astate, array_address) ->
[pulse] interprocedural histories and traces Summary: bigmacro_bender There are 3 ways pulse tracks history. This is at least one too many. So far, we have: 1. "histories": a humble list of "events" like "assigned here", "returned from call", ... 2. "interproc actions": a structured nesting of calls with a final "action", eg "f calls g calls h which does blah" 3. "traces", which combine one history with one interproc action This diff gets rid of interproc actions and makes histories include "nested" callee histories too. This allows pulse to track and display how a value got assigned across function calls. Traces are now more powerful and interleave histories and interproc actions. This allows pulse to track how a value is fed into an action, for instance performed in callee, which itself creates some more (potentially now interprocedural) history before going to the next step of the action (either another call or the action itself). This gives much better traces, and some examples are added to showcase this. There are a lot of changes when applying summaries to keep track of histories more accurately than was done before, but also a few simplifications that give additional evidence that this is the right concept. Reviewed By: skcho Differential Revision: D17908942 fbshipit-source-id: 3b62eaf78
5 years ago
PulseOperations.invalidate_array_elements location (StdVector vector_f) array_address astate
>>= PulseOperations.invalidate_deref location (StdVector vector_f) array_address
[pulse] move to SIL proper Summary: [apologies for the unreviewable diff...] Get rid of HIL expressions in pulse. This finishes the HIL -> SIL migration. The first step made pulse start from SIL instructions but would translate most accesses to HIL to re-use most of the existing pulse code. This diff gets rid of the intermediate translation of SIL expressions to HIL expressions. Big changes: 1. `PulseOperations` mostly rewritten, driven by using `Exp.t` instead of `HilExp.AccessExpression.t` for everything. 2. Stop trying to reverse-engineer what addresses mean in terms of access paths from program variables. Rely on the trace pointing at the right places in the code to be enough. This is because it wasn't that useful (and could even be misleading when wrong) but could be prohibitively expensive in degenerate cases (eg nodes with tens of thousands of successive array accesses...) 3. `PulseAbductiveDomain.apply_post` now returns the computed return value instead of recording it itself. 4. Change of vocabulary: `materialize` -> `eval`, `crumb` -> `event` 5. Function calls arguments are now evaluated prior to doing anything else, which saves everything else from having to (remember to) do that. In particular, this changes how models look quite a bit. Reviewed By: mbouaziz Differential Revision: D15986373 fbshipit-source-id: 1d79935de
6 years ago
>>= PulseOperations.havoc_field location vector internal_array trace
[pulse] Model std::vector::reserve to invalidate references to elements Summary: Similarly as `std::vector::push_back`, `std::vector::reserve` can invalidate the references to elements if the new size is bigger than the existing one. More info on `std::vector::reserve`: https://en.cppreference.com/w/cpp/container/vector/reserve Reviewed By: jvillard Differential Revision: D13340324 fbshipit-source-id: bf99b6923
6 years ago
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let invalidate_references vector_f vector : model =
fun ~caller_summary:_ location ~ret:_ astate ->
let crumb =
ValueHistory.Call
{ f= Model (Format.asprintf "%a()" Invalidation.pp_std_vector_function vector_f)
; location
; in_call= [] }
in
reallocate_internal_array [crumb] vector vector_f location astate >>| List.return
[pulse] Model more std::vector functions that can invalid references to elements Summary: Model more `std::vector` functions that can potentially invalidate references to vector's elements (https://en.cppreference.com/w/cpp/container/vector). Reviewed By: mbouaziz Differential Revision: D13399161 fbshipit-source-id: 95cf2cae6
6 years ago
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let at ~desc vector index : model =
fun ~caller_summary:_ location ~ret astate ->
[pulse][impurity] Add Pulse Java models for get and cast Summary: We consider Java collections to be like c++ std::vectors and add models for - `Collections.get(..)` - `__cast` Reviewed By: skcho Differential Revision: D18449607 fbshipit-source-id: 448206c84
5 years ago
let event = ValueHistory.Call {f= Model desc; location; in_call= []} in
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
element_of_internal_array location vector (fst index) astate
>>| fun (astate, (addr, hist)) ->
[PulseOperations.write_id (fst ret) (addr, event :: hist) astate]
let reserve vector : model =
fun ~caller_summary:_ location ~ret:_ astate ->
let crumb = ValueHistory.Call {f= Model "std::vector::reserve()"; location; in_call= []} in
reallocate_internal_array [crumb] vector Reserve location astate
>>| PulseAbductiveDomain.Memory.std_vector_reserve (fst vector)
>>| List.return
let push_back vector : model =
fun ~caller_summary:_ location ~ret:_ astate ->
let crumb = ValueHistory.Call {f= Model "std::vector::push_back()"; location; in_call= []} in
if PulseAbductiveDomain.Memory.is_std_vector_reserved (fst vector) astate then
(* assume that any call to [push_back] is ok after one called [reserve] on the same vector
(a perfect analysis would also make sure we don't exceed the reserved size) *)
Ok [astate]
else
(* simulate a re-allocation of the underlying array every time an element is added *)
reallocate_internal_array [crumb] vector PushBack location astate >>| List.return
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
end
module ProcNameDispatcher = struct
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let dispatch : (Tenv.t, model, arg_payload) ProcnameDispatcher.Call.dispatcher =
let open ProcnameDispatcher.Call in
let match_builtin builtin _ s = String.equal s (Typ.Procname.get_method builtin) in
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
make_dispatcher
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
[ +match_builtin BuiltinDecl.free <>$ capt_arg_payload $--> C.free
; +match_builtin BuiltinDecl.__delete <>$ capt_arg_payload $--> Cplusplus.delete
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
; +match_builtin BuiltinDecl.__placement_new &++> Cplusplus.placement_new
; +match_builtin BuiltinDecl.objc_cpp_throw <>--> Misc.early_exit
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
; +match_builtin BuiltinDecl.__cast <>$ capt_arg_payload $+...$--> Misc.id_first_arg
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
; +match_builtin BuiltinDecl.abort <>--> Misc.early_exit
; +match_builtin BuiltinDecl.exit <>--> Misc.early_exit
; -"folly" &:: "DelayedDestruction" &:: "destroy" &--> Misc.skip
[pulse] skip `folly::Optional::reset()` Summary: Similar to D16005395: `folly::Optional` has a boolean field to know if it needs to destroy the wrapped object and pulse ignores that completely, causing false positives each time an `Optional` is created around something with a non-trivial destructor. Reviewed By: mbouaziz Differential Revision: D16030149 fbshipit-source-id: aeed4a0b3
6 years ago
; -"folly" &:: "Optional" &:: "reset" &--> Misc.skip
[pulse] skip `folly::SocketAddress::~SocketAddress` Summary: The constructor of `folly::SocketAddress` conditionally deletes some object and then makes that condition false. The destructor then does the same. Pulse ignores conditionals so will see a double delete. Just skip that function for now, but it should be easy for pulse to be more correct here if it knew how to compare constant values. Reviewed By: mbouaziz Differential Revision: D16005395 fbshipit-source-id: 036f5091b
6 years ago
; -"folly" &:: "SocketAddress" &:: "~SocketAddress" &--> Misc.skip
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
; -"std" &:: "basic_string" &:: "data" <>$ capt_arg_payload $--> StdBasicString.data
; -"std" &:: "basic_string" &:: "~basic_string" <>$ capt_arg_payload
$--> StdBasicString.destructor
; -"std" &:: "function" &:: "operator()" $ capt_arg_payload $++$--> StdFunction.operator_call
; -"std" &:: "function" &:: "operator=" $ capt_arg_payload $+ capt_arg_payload
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
$--> Misc.shallow_copy "std::function::operator="
[pulse] model std::integral_constant Summary: cpp_initialization Reviewed By: skcho Differential Revision: D18528537 fbshipit-source-id: ab5f8038a
5 years ago
; -"std" &:: "integral_constant" < any_typ &+ capt_int
>::+ (fun _ name -> String.is_prefix ~prefix:"operator_" name)
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
<>--> Misc.return_int
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
; -"std" &:: "vector" &:: "assign" <>$ capt_arg_payload
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
$+...$--> StdVector.invalidate_references Assign
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
; -"std" &:: "vector" &:: "clear" <>$ capt_arg_payload
$--> StdVector.invalidate_references Clear
; -"std" &:: "vector" &:: "emplace" $ capt_arg_payload
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
$+...$--> StdVector.invalidate_references Emplace
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
; -"std" &:: "vector" &:: "emplace_back" $ capt_arg_payload
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
$+...$--> StdVector.invalidate_references EmplaceBack
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
; -"std" &:: "vector" &:: "insert" <>$ capt_arg_payload
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
$+...$--> StdVector.invalidate_references Insert
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
; -"std" &:: "vector" &:: "operator[]" <>$ capt_arg_payload $+ capt_arg_payload
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
$--> StdVector.at ~desc:"std::vector::at()"
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
; -"std" &:: "vector" &:: "shrink_to_fit" <>$ capt_arg_payload
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
$--> StdVector.invalidate_references ShrinkToFit
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
; -"std" &:: "vector" &:: "push_back" <>$ capt_arg_payload $+...$--> StdVector.push_back
; -"std" &:: "vector" &:: "reserve" <>$ capt_arg_payload $+...$--> StdVector.reserve
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
; +PatternMatch.implements_collection
[infer] Rename value to arg_payload in ProcnameDispatcher.Call.FuncArg Reviewed By: jvillard Differential Revision: D18707511 fbshipit-source-id: 160a02e07
5 years ago
&:: "get" <>$ capt_arg_payload $+ capt_arg_payload
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
$--> StdVector.at ~desc:"Collection.get()" ]
[pulse] vector models Summary: Model `x[y]` and `x.push_back(i)` to catch the classic bug of "take reference inside vector, invalidate, then use again". Reviewed By: da319 Differential Revision: D10445824 fbshipit-source-id: 21ffd9677
6 years ago
end
[pulse] Move models to ProcnameDispatcher style Summary: Rather than repeatedly matching actuals, let's use `ProcnameDispatcher.ModeledCall` to pick up the actual arguments with their corresponding values. This simplifies the models. Reviewed By: jvillard Differential Revision: D18685855 fbshipit-source-id: 7788bd8bb
5 years ago
let dispatch tenv proc_name args = ProcNameDispatcher.dispatch tenv proc_name args