pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fbcee3198e'
${ noResults }
infer_clone/sledge/cli/domain_itv.ml

299 lines
11 KiB
Raw Normal View History Unescape

[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
(*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
(** Interval abstract domain *)
open Apron
[sledge] Handle more LLAIR expressions in APRON interval analysis Summary: Extend the APRON-backed interval analysis to handle a wider range of LLAIR expressions. Reviewed By: jvillard Differential Revision: D17858072 fbshipit-source-id: c50f5bf20
5 years ago
[sledge] Remove dependency on ppx_import Summary: It seems to be effectively unmaintained, as it still doesn't support 4.08. Reviewed By: jvillard Differential Revision: D18708467 fbshipit-source-id: dcb3361fc
5 years ago
let equal_apron_typ =
(* Apron.Texpr1.typ is a sum of nullary constructors *)
Poly.equal
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
(** Apron-managed map from variables to intervals *)
type t = Box.t Abstract1.t
[sledge] Revise Control flow exploration algorithm Summary: Revise the control-flow exploration scheduling algorithm to fix several issues. The main difference is to change the priority queue to keep the control edges on the frontier of exploration in sync with the states that are waiting to be propagated. This fixes several sorts of issue where the decision of which control and state joins to perform was unexpected / wrong. Part of keeping the frontier edges and waiting states in sync is that the waiting states are associated not only with a destination block, but the stack of that block. This fixes several issues. Combined, these changes lead to the algorithm only attempting joins for which the pointwise max join on depth maps is correct (with the caveat of no mathematical proof yet). Reviewed By: jvillard Differential Revision: D25196733 fbshipit-source-id: db007fe1f
4 years ago
let equal : t -> t -> bool = Poly.equal
let compare : t -> t -> int = Poly.compare
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let man = lazy (Box.manager_alloc ())
[sledge] Revise type of Domain join operation, it is not partial Summary: The only domain with a partial join is the lifting of a predicate domain to a relation one, where the entry states are required to be equal. This situation now indicates a programming error in the analysis, rather than something that the domain should be responsible for. Therefore this diff changes that check to an assertion and simplifies the remaining join operations which are all total. Reviewed By: jvillard Differential Revision: D27828763 fbshipit-source-id: ec52ff741
4 years ago
let join l r = Abstract1.join (Lazy.force man) l r
[sledge] Add n-ary join to Domain and use in analysis Summary: The width of joins in the concurrency analysis is much wider, making it worthwhile to use an n-ary version of join in order to avoid repeated formula simplifiaction. Differential Revision: D29441154 fbshipit-source-id: ae17de37b
3 years ago
let joinN = function
| [] -> Abstract1.bottom (Lazy.force man) (Environment.make [||] [||])
| x :: xs -> List.fold ~f:join xs x
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let is_false x = Abstract1.is_bottom (Lazy.force man) x
let bindings (itv : t) =
let itv = Abstract1.minimize_environment (Lazy.force man) itv in
let box = Abstract1.to_box (Lazy.force man) itv in
let vars =
Environment.vars box.box1_env |> fun (i, r) -> Array.append i r
in
[sledge] Switch from Base.Array to Containers.Array Reviewed By: jvillard Differential Revision: D24306084 fbshipit-source-id: 93a8e0d74
4 years ago
Array.combine_exn vars box.interval_array
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let sexp_of_t (itv : t) =
let sexps =
[sledge] Resolve match-on-mutable-state-prevent-uncurry warnings Summary: This warning (68) triggers when a function argument pattern depends on mutable state, which prevents the remaining arguments from being uncurried, causing additional closure allocations. Reviewed By: jvillard Differential Revision: D27188311 fbshipit-source-id: a43354e15
4 years ago
Array.fold_right (bindings itv) [] ~f:(fun (v, i) acc ->
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
Sexp.List
[sledge] Style: Change to less compact ocamlformat style Reviewed By: ngorogiannis Differential Revision: D21720967 fbshipit-source-id: b5794938c
5 years ago
[ Sexp.Atom (Var.to_string v)
[sledge] Resolve match-on-mutable-state-prevent-uncurry warnings Summary: This warning (68) triggers when a function argument pattern depends on mutable state, which prevents the remaining arguments from being uncurried, causing additional closure allocations. Reviewed By: jvillard Differential Revision: D27188311 fbshipit-source-id: a43354e15
4 years ago
; Sexp.Atom (Scalar.to_string i.inf)
; Sexp.Atom (Scalar.to_string i.sup) ]
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
:: acc )
in
Sexp.List sexps
let pp fs =
let pp_pair a_pp b_pp fs (a, b) =
Format.fprintf fs "@[(%a@,%a)@]" a_pp a b_pp b
in
bindings >> Array.pp "@," (pp_pair Var.print Interval.print) fs
let init _gs = Abstract1.top (Lazy.force man) (Environment.make [||] [||])
let apron_var_of_name = (fun nm -> "%" ^ nm) >> Apron.Var.of_string
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
let apron_var_of_reg = Llair.Reg.name >> apron_var_of_name
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
let rec apron_typ_of_llair_typ : Llair.Typ.t -> Texpr1.typ option = function
| Pointer {elt= _} -> apron_typ_of_llair_typ Llair.Typ.siz
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
| Integer {bits= _} -> Some Texpr1.Int
| Float {bits= 32; enc= `IEEE} -> Some Texpr1.Single
| Float {bits= 64; enc= `IEEE} -> Some Texpr1.Double
| Float {bits= 80; enc= `Extended} -> Some Texpr1.Extended
| Float {bits= 128; enc= `IEEE} -> Some Texpr1.Quad
| t ->
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
warn "No corresponding apron type for llair type %a " Llair.Typ.pp t
() ;
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
None
[sledge] Implement Domain_itv over Llair.Exp instead of Term Summary: Code is expressed using Llair.Exp, which is potentially higher fidelity than Term. So define the interval analysis directly in terms of the Llair form. Reviewed By: jvillard Differential Revision: D24306085 fbshipit-source-id: f9d876eec
4 years ago
let rec apron_texpr_of_llair_exp exp q =
match (exp : Llair.Exp.t) with
[sledge] Add LLAIR expression form for globals Summary: Distinguish expressions that name globals from registers. This leads to clearer code, and globals are semantically distinct from general registers. In particular, they are constant, so any machinery for handling assignment does not need to consider them. This diff only adds the distinction to LLAIR, it is not pushed through to FOL, which will come later. Reviewed By: jvillard Differential Revision: D24846676 fbshipit-source-id: 3aca025bf
4 years ago
| Reg {name} | Global {name} | Function {name} ->
[sledge] Add LLAIR expression form for function names Summary: Distinguish expressions that name functions from registers. This leads to clearer code, and function names are semantically distinct from general registers. In particular, they are constant, so any machinery for handling assignment does not need to consider them. Unlike general globals, they never have initializer expressions, and in particular not recursive initializers. This diff only adds the distinction to LLAIR, it is not pushed through to FOL, which will come later. Reviewed By: jvillard Differential Revision: D24846672 fbshipit-source-id: 2101f353f
4 years ago
Some (Texpr1.Var (apron_var_of_name name))
[sledge] Handle more LLAIR expressions in APRON interval analysis Summary: Extend the APRON-backed interval analysis to handle a wider range of LLAIR expressions. Reviewed By: jvillard Differential Revision: D17858072 fbshipit-source-id: c50f5bf20
5 years ago
| Integer {data} -> Some (Texpr1.Cst (Coeff.s_of_int (Z.to_int data)))
[sledge] Implement Domain_itv over Llair.Exp instead of Term Summary: Code is expressed using Llair.Exp, which is potentially higher fidelity than Term. So define the interval analysis directly in terms of the Llair form. Reviewed By: jvillard Differential Revision: D24306085 fbshipit-source-id: f9d876eec
4 years ago
| Float {data} -> (
[sledge] Refactor nonstdlib to avoid opening Core Summary: The treatment of comparison and exceptions in Core/Core_kernel/Base makes them questionable as the default. This diff changes nonstdlib so that Core is no longer opened in the global namespace, and makes a few changes to handle the resulting minor API changes. This leads to a lighter-touch nonstdlib, which makes a few definitions of its own, and selects and extends modules from several libraries, including base, core_kernel, containers, iter. Reviewed By: jvillard Differential Revision: D24306090 fbshipit-source-id: 42c91bd1b
4 years ago
match Float.of_string_exn data with
[sledge] Implement Domain_itv over Llair.Exp instead of Term Summary: Code is expressed using Llair.Exp, which is potentially higher fidelity than Term. So define the interval analysis directly in terms of the Llair form. Reviewed By: jvillard Differential Revision: D24306085 fbshipit-source-id: f9d876eec
4 years ago
| f -> Some (Texpr1.Cst (Coeff.s_of_float f))
| exception Invalid_argument _ -> None )
| Ap1 (Signed {bits}, _, _) ->
let n = Int.shift_left 1 (bits - 1) in
Some (Texpr1.Cst (Coeff.i_of_int (-n) (n - 1)))
| Ap1 (Unsigned {bits}, _, _) ->
let n = Int.shift_left 1 (bits - 1) in
Some (Texpr1.Cst (Coeff.i_of_int 0 n))
| Ap1 (Convert {src}, dst, x) ->
let* src' = apron_typ_of_llair_typ src in
let* dst' = apron_typ_of_llair_typ dst in
let subtm = apron_texpr_of_llair_exp x q in
if equal_apron_typ src' dst' then subtm
else
let+ t = subtm in
Texpr1.Unop (Texpr1.Cast, t, dst', Texpr0.Rnd)
| Ap2 (op, typ, x, y) -> (
let* typ' = apron_typ_of_llair_typ typ in
let* x' = apron_texpr_of_llair_exp x q in
let* y' = apron_texpr_of_llair_exp y q in
(* abstract evaluation of boolean binary operation [te1 op te2] at [q]
by translation to [te1 - te2 op 0] and intersection with [q] *)
let bool_binop q op x' y' =
let env = Abstract1.env q in
let lhs = Texpr1.Binop (Texpr1.Sub, x', y', typ', Texpr0.Rnd) in
let tcons = Tcons1.make (Texpr1.of_expr env lhs) op in
let ea =
Tcons1.array_make env 1 $> fun ea -> Tcons1.array_set ea 0 tcons
in
(* if meet of q with tree constraint encoding of binop is: (bottom
-> binop definitely false); (unchanged from q -> binop definitely
true); (else -> binop may be true or false) *)
let meet = Abstract1.meet_tcons_array (Lazy.force man) q ea in
if is_false meet then Some (Texpr1.Cst (Coeff.s_of_int 0))
else if equal meet q then Some (Texpr1.Cst (Coeff.s_of_int (-1)))
else Some (Texpr1.Cst (Coeff.i_of_int (-1) 0))
[sledge] Handle more LLAIR expressions in APRON interval analysis Summary: Extend the APRON-backed interval analysis to handle a wider range of LLAIR expressions. Reviewed By: jvillard Differential Revision: D17858072 fbshipit-source-id: c50f5bf20
5 years ago
in
[sledge] Implement Domain_itv over Llair.Exp instead of Term Summary: Code is expressed using Llair.Exp, which is potentially higher fidelity than Term. So define the interval analysis directly in terms of the Llair form. Reviewed By: jvillard Differential Revision: D24306085 fbshipit-source-id: f9d876eec
4 years ago
let arith_bop op x' y' =
Some (Texpr1.Binop (op, x', y', typ', Texpr0.Rnd))
[sledge] Handle more LLAIR expressions in APRON interval analysis Summary: Extend the APRON-backed interval analysis to handle a wider range of LLAIR expressions. Reviewed By: jvillard Differential Revision: D17858072 fbshipit-source-id: c50f5bf20
5 years ago
in
[sledge] Implement Domain_itv over Llair.Exp instead of Term Summary: Code is expressed using Llair.Exp, which is potentially higher fidelity than Term. So define the interval analysis directly in terms of the Llair form. Reviewed By: jvillard Differential Revision: D24306085 fbshipit-source-id: f9d876eec
4 years ago
match op with
| Eq -> bool_binop q Tcons0.EQ x' y'
| Dq -> bool_binop q Tcons0.DISEQ x' y'
| Gt -> bool_binop q Tcons0.SUP x' y'
| Ge -> bool_binop q Tcons0.SUPEQ x' y'
| Lt -> bool_binop q Tcons0.SUP y' x'
| Le -> bool_binop q Tcons0.SUPEQ y' x'
| Ugt | Uge | Ult | Ule | Ord | Uno -> None
| Add -> arith_bop Texpr1.Add x' y'
| Sub -> arith_bop Texpr1.Sub x' y'
| Mul -> arith_bop Texpr1.Mul x' y'
| Div -> arith_bop Texpr1.Div x' y'
| Rem -> arith_bop Texpr1.Mod x' y'
| Udiv | Urem -> None
| And | Or | Xor | Shl | Lshr | Ashr | Update _ -> None )
| Label _
|Ap1 ((Splat | Select _), _, _)
|Ap3 (Conditional, _, _, _, _)
[sledge] Eliminate recursive records Summary: The support for recursive references to globals from within their initializers is enough to handle all the cases of recursive structs that have been encountered so far. Therefore this diff removes the complication of recursive records entirely. Reviewed By: jvillard Differential Revision: D24772955 fbshipit-source-id: f59f06257
4 years ago
|ApN (Record, _, _) ->
[sledge] Handle more LLAIR expressions in APRON interval analysis Summary: Extend the APRON-backed interval analysis to handle a wider range of LLAIR expressions. Reviewed By: jvillard Differential Revision: D17858072 fbshipit-source-id: c50f5bf20
5 years ago
None
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let assign reg exp q =
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
[%Trace.call fun {pf} ->
[sledge] Allow more flexibility in Trace.trace breaking Reviewed By: jvillard Differential Revision: D25756584 fbshipit-source-id: b555b1d77
4 years ago
pf "@ {%a}@\n%a := %a" pp q Llair.Reg.pp reg Llair.Exp.pp exp]
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
;
let lval = apron_var_of_reg reg in
[sledge] Implement Domain_itv over Llair.Exp instead of Term Summary: Code is expressed using Llair.Exp, which is potentially higher fidelity than Term. So define the interval analysis directly in terms of the Llair form. Reviewed By: jvillard Differential Revision: D24306085 fbshipit-source-id: f9d876eec
4 years ago
( match apron_texpr_of_llair_exp exp q with
[sledge] Handle more LLAIR expressions in APRON interval analysis Summary: Extend the APRON-backed interval analysis to handle a wider range of LLAIR expressions. Reviewed By: jvillard Differential Revision: D17858072 fbshipit-source-id: c50f5bf20
5 years ago
| Some e ->
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let env = Abstract1.env q in
let new_env =
match
( Environment.mem_var env lval
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
, apron_typ_of_llair_typ (Llair.Reg.typ reg) )
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
with
| true, _ -> env
| false, Some Texpr1.Int -> Environment.add env [|lval|] [||]
| false, _ -> Environment.add env [||] [|lval|]
in
let man = Lazy.force man in
let q = Abstract1.change_environment man q new_env true in
Abstract1.assign_texpr man q lval (Texpr1.of_expr new_env e) None
| _ -> q )
|>
[%Trace.retn fun {pf} r -> pf "{%a}" pp r]
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let resolve_int _ _ _ = []
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
(** block if [e] is known to be false; skip otherwise *)
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let exec_assume _ q e =
[sledge] Implement Domain_itv over Llair.Exp instead of Term Summary: Code is expressed using Llair.Exp, which is potentially higher fidelity than Term. So define the interval analysis directly in terms of the Llair form. Reviewed By: jvillard Differential Revision: D24306085 fbshipit-source-id: f9d876eec
4 years ago
match apron_texpr_of_llair_exp e q with
[sledge] Handle more LLAIR expressions in APRON interval analysis Summary: Extend the APRON-backed interval analysis to handle a wider range of LLAIR expressions. Reviewed By: jvillard Differential Revision: D17858072 fbshipit-source-id: c50f5bf20
5 years ago
| Some e ->
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let cond =
[sledge] Handle more LLAIR expressions in APRON interval analysis Summary: Extend the APRON-backed interval analysis to handle a wider range of LLAIR expressions. Reviewed By: jvillard Differential Revision: D17858072 fbshipit-source-id: c50f5bf20
5 years ago
Abstract1.bound_texpr (Lazy.force man) q (Texpr1.of_expr q.env e)
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
in
if Interval.is_zero cond then None else Some q
| _ -> Some q
(** existentially quantify killed register [r] out of state [q] *)
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let exec_kill _ r q =
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let apron_v = apron_var_of_reg r in
if Environment.mem_var (Abstract1.env q) apron_v then
Abstract1.forget_array (Lazy.force man) q [|apron_v|] false
else q
(** perform a series [move_vec] of reg:=exp moves at state [q] *)
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let exec_move _ move_vec q =
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let defs, uses =
[sledge] Change type of fold functions for improved composition Summary: Change the type of `fold` functions to enable them to compose better. The guiding reasoning behind using types such as: ``` val fold : 'a t -> 's -> f:('a -> 's -> 's) -> 's ``` is: 1. The function argument should be labeled. This is so that it can be reordered relative to the others, since it is often a multi-line `fun` expression. 2. The function argument should come last. This enables its arguments (which are often polymorphic) to benefit from type-based disambiguation information determined by the types of the other arguments at the call sites. 3. The function argument's type should produce an accumulator-transformer when partially-applied. That is, `f x : 's -> 's`. This composes well with other functions designed to produce transformers/endofunctions when partially applied, and in particular improves the common case of composing folds into "state-passing style" code. 4. The fold function itself should produce an accumulator-transformer when partially applied. So `'a t -> 's -> f:_ -> 's` rather than `'s -> 'a t -> f:_ -> 's` or `'a t -> init:'s -> f:_ -> 's` etc. Reviewed By: jvillard Differential Revision: D24306063 fbshipit-source-id: 13bd8bbee
4 years ago
IArray.fold move_vec (Llair.Reg.Set.empty, Llair.Reg.Set.empty)
~f:(fun (r, e) (defs, uses) ->
[sledge] Shift to a more standard Set API Summary: The changes in set_intf.ml dictate the rest. The previous API minimized changes when changing the backing implementation. But that API is hostile toward composition, partial application, and state-passing style code. Reviewed By: jvillard Differential Revision: D24306089 fbshipit-source-id: 00a09f486
4 years ago
( Llair.Reg.Set.add r defs
[sledge] Change type of fold functions for improved composition Summary: Change the type of `fold` functions to enable them to compose better. The guiding reasoning behind using types such as: ``` val fold : 'a t -> 's -> f:('a -> 's -> 's) -> 's ``` is: 1. The function argument should be labeled. This is so that it can be reordered relative to the others, since it is often a multi-line `fun` expression. 2. The function argument should come last. This enables its arguments (which are often polymorphic) to benefit from type-based disambiguation information determined by the types of the other arguments at the call sites. 3. The function argument's type should produce an accumulator-transformer when partially-applied. That is, `f x : 's -> 's`. This composes well with other functions designed to produce transformers/endofunctions when partially applied, and in particular improves the common case of composing folds into "state-passing style" code. 4. The fold function itself should produce an accumulator-transformer when partially applied. So `'a t -> 's -> f:_ -> 's` rather than `'s -> 'a t -> f:_ -> 's` or `'a t -> init:'s -> f:_ -> 's` etc. Reviewed By: jvillard Differential Revision: D24306063 fbshipit-source-id: 13bd8bbee
4 years ago
, Llair.Exp.fold_regs ~f:Llair.Reg.Set.add e uses ) )
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
in
[sledge] Fix form of failure in interval analysis Summary: Overwritten variables in move instructions are not impossible. Since Domain_itv does not handle them, the check should be a `todo` rather than an `assert false`. Reviewed By: jvillard Differential Revision: D25146168 fbshipit-source-id: 13d8587c7
4 years ago
if not (Llair.Reg.Set.disjoint defs uses) then
todo "overwritten variables in Domain_itv" () ;
[sledge] Change type of fold functions for improved composition Summary: Change the type of `fold` functions to enable them to compose better. The guiding reasoning behind using types such as: ``` val fold : 'a t -> 's -> f:('a -> 's -> 's) -> 's ``` is: 1. The function argument should be labeled. This is so that it can be reordered relative to the others, since it is often a multi-line `fun` expression. 2. The function argument should come last. This enables its arguments (which are often polymorphic) to benefit from type-based disambiguation information determined by the types of the other arguments at the call sites. 3. The function argument's type should produce an accumulator-transformer when partially-applied. That is, `f x : 's -> 's`. This composes well with other functions designed to produce transformers/endofunctions when partially applied, and in particular improves the common case of composing folds into "state-passing style" code. 4. The fold function itself should produce an accumulator-transformer when partially applied. So `'a t -> 's -> f:_ -> 's` rather than `'s -> 'a t -> f:_ -> 's` or `'a t -> init:'s -> f:_ -> 's` etc. Reviewed By: jvillard Differential Revision: D24306063 fbshipit-source-id: 13bd8bbee
4 years ago
IArray.fold ~f:(fun (r, e) q -> assign r e q) move_vec q
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let exec_inst tid i q =
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
match (i : Llair.inst) with
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
| Move {reg_exps; loc= _} -> Ok (exec_move tid reg_exps q)
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
| Store {ptr; exp; len= _; loc= _} -> (
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
match Llair.Reg.of_exp ptr with
[sledge] Add explicit type for Alarms Summary: Currently all alarms are reported as "Invalid memory access", which is not accurate for `abort` and hence assertion violations. This diff adds an explicit type for alarms which distinguishes these two cases. Further refinement is left for later. Reviewed By: jvillard Differential Revision: D27828754 fbshipit-source-id: 9c33f3c86
4 years ago
| Some reg -> Ok (assign reg exp q)
| None -> Ok q )
| Load {reg; ptr; len= _; loc= _} -> Ok (assign reg ptr q)
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
| Nondet {reg= Some reg; msg= _; loc= _} -> Ok (exec_kill tid reg q)
[sledge] Add explicit type for Alarms Summary: Currently all alarms are reported as "Invalid memory access", which is not accurate for `abort` and hence assertion violations. This diff adds an explicit type for alarms which distinguishes these two cases. Further refinement is left for later. Reviewed By: jvillard Differential Revision: D27828754 fbshipit-source-id: 9c33f3c86
4 years ago
| Nondet {reg= None; msg= _; loc= _} | Alloc _ | Free _ -> Ok q
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
| Intrinsic {reg= Some reg; _} -> Ok (exec_kill tid reg q)
[sledge] Add explicit type for Alarms Summary: Currently all alarms are reported as "Invalid memory access", which is not accurate for `abort` and hence assertion violations. This diff adds an explicit type for alarms which distinguishes these two cases. Further refinement is left for later. Reviewed By: jvillard Differential Revision: D27828754 fbshipit-source-id: 9c33f3c86
4 years ago
| Intrinsic {reg= None; _} -> Ok q
| Abort {loc} ->
Error
{ Alarm.kind= Abort
; loc
; pp_action= Fun.flip Llair.Inst.pp i
; pp_state= Fun.flip pp q }
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let enter_scope _ _ q = q
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
type from_call = {areturn: Llair.Reg.t option; caller_q: t}
[@@deriving sexp_of]
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let recursion_beyond_bound = `prune
(** existentially quantify locals *)
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let post _ locals _ (q : t) =
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let locals =
[sledge] Change type of fold functions for improved composition Summary: Change the type of `fold` functions to enable them to compose better. The guiding reasoning behind using types such as: ``` val fold : 'a t -> 's -> f:('a -> 's -> 's) -> 's ``` is: 1. The function argument should be labeled. This is so that it can be reordered relative to the others, since it is often a multi-line `fun` expression. 2. The function argument should come last. This enables its arguments (which are often polymorphic) to benefit from type-based disambiguation information determined by the types of the other arguments at the call sites. 3. The function argument's type should produce an accumulator-transformer when partially-applied. That is, `f x : 's -> 's`. This composes well with other functions designed to produce transformers/endofunctions when partially applied, and in particular improves the common case of composing folds into "state-passing style" code. 4. The fold function itself should produce an accumulator-transformer when partially applied. So `'a t -> 's -> f:_ -> 's` rather than `'s -> 'a t -> f:_ -> 's` or `'a t -> init:'s -> f:_ -> 's` etc. Reviewed By: jvillard Differential Revision: D24306063 fbshipit-source-id: 13bd8bbee
4 years ago
Llair.Reg.Set.fold locals [] ~f:(fun r a ->
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let v = apron_var_of_reg r in
if Environment.mem_var q.env v then v :: a else a )
|> Array.of_list
in
Abstract1.forget_array (Lazy.force man) q locals false
(** drop caller-local variables, add returned value to caller state *)
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let retn tid _ freturn {areturn; caller_q} callee_q =
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
match (areturn, freturn) with
| Some aret, Some fret ->
let env_fret_only =
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
match apron_typ_of_llair_typ (Llair.Reg.typ fret) with
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
| None -> Environment.make [||] [||]
| Some Texpr1.Int -> Environment.make [|apron_var_of_reg fret|] [||]
| _ -> Environment.make [||] [|apron_var_of_reg fret|]
in
let env = Environment.lce env_fret_only (Abstract1.env caller_q) in
let man = Lazy.force man in
let callee_fret =
(* drop all callee vars, scope to (caller + freturn) env *)
Abstract1.change_environment man callee_q env_fret_only false
|> fun q -> Abstract1.change_environment man q env false
in
let caller_q = Abstract1.change_environment man caller_q env false in
let result = Abstract1.meet man callee_fret caller_q in
Abstract1.rename_array man result
[|apron_var_of_reg fret|]
[|apron_var_of_reg aret|]
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
| Some aret, None -> exec_kill tid aret caller_q
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
| None, _ -> caller_q
(** map actuals to formals (via temporary registers), stash constraints on
[sledge] Handle more LLAIR expressions in APRON interval analysis Summary: Extend the APRON-backed interval analysis to handle a wider range of LLAIR expressions. Reviewed By: jvillard Differential Revision: D17858072 fbshipit-source-id: c50f5bf20
5 years ago
caller-local variables. Note that this exploits the non-relational-ness
of Box to ignore all variables other than the formal/actual params/
returns; this will not be possible if extended to a relational domain *)
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let call ~summaries _ ~globals:_ ~actuals ~areturn ~formals ~freturn:_
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
~locals:_ q =
if summaries then
todo "Summaries not yet implemented for interval analysis" ()
else
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
let mangle r =
[sledge] Add unique int ids to Llair registers Summary: While translating LLVM to LLAIR, compute unique integer ids for registers. Reviewed By: jvillard Differential Revision: D26250534 fbshipit-source-id: 6253f38c7
4 years ago
Llair.Reg.mk (Llair.Reg.typ r) 0 ("__tmp__" ^ Llair.Reg.name r)
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
in
[sledge] Represent function formal parameters and actual arguments in order Summary: Previously, when LLAIR was in SSA form, blocks took parameters just like functions, and it was sometimes necessary to partially apply a block to some of the parameters. For example, blocks to which function calls return would need to accept the return value as an argument, and sometimes immediately jump to another block passing the rest of the arguments as well. These "trampoline" blocks were partial applications of the eventual block to all but the final, return value, argument. This partial application mechanism meant that function parameters and arguments were represented as a stack, with the first argument at the bottom, that is, in reverse order. Now that LLAIR is free of SSA, this confusion is no longer needed, and this diff changes the representation of function formal parameters and actual arguments to be in the natural order. This also brings Call instructions in line with Intrinsic instructions, which will make changing the handling of intrinsics from Calls to Intrinsic less error-prone. Reviewed By: jvillard Differential Revision: D25146163 fbshipit-source-id: d3ed07a45
4 years ago
let args = IArray.combine_exn formals actuals in
let q' =
IArray.fold ~f:(fun (f, a) q -> assign (mangle f) a q) args q
in
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
let callee_env =
[sledge] Represent function formal parameters and actual arguments in order Summary: Previously, when LLAIR was in SSA form, blocks took parameters just like functions, and it was sometimes necessary to partially apply a block to some of the parameters. For example, blocks to which function calls return would need to accept the return value as an argument, and sometimes immediately jump to another block passing the rest of the arguments as well. These "trampoline" blocks were partial applications of the eventual block to all but the final, return value, argument. This partial application mechanism meant that function parameters and arguments were represented as a stack, with the first argument at the bottom, that is, in reverse order. Now that LLAIR is free of SSA, this confusion is no longer needed, and this diff changes the representation of function formal parameters and actual arguments to be in the natural order. This also brings Call instructions in line with Intrinsic instructions, which will make changing the handling of intrinsics from Calls to Intrinsic less error-prone. Reviewed By: jvillard Differential Revision: D25146163 fbshipit-source-id: d3ed07a45
4 years ago
IArray.fold formals ([], []) ~f:(fun f (is, fs) ->
[sledge] Build: Wrap Llair library Summary: Refer to Llair modules using `Llair.` qualifier, except for in `Frontend`, which makes so much use of `Llair` that it is now opened (`Llair` only contains types and modules, so `open` is safe). Reviewed By: jvillard Differential Revision: D21720979 fbshipit-source-id: dd42075d9
5 years ago
match apron_typ_of_llair_typ (Llair.Reg.typ f) with
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
| None -> (is, fs)
| Some Texpr1.Int -> (apron_var_of_reg (mangle f) :: is, fs)
| _ -> (is, apron_var_of_reg (mangle f) :: fs) )
|> fun (is, fs) ->
Environment.make (Array.of_list is) (Array.of_list fs)
in
let man = Lazy.force man in
let q'' = Abstract1.change_environment man q' callee_env false in
let q''' =
Abstract1.rename_array man q''
[sledge] Represent function formal parameters and actual arguments in order Summary: Previously, when LLAIR was in SSA form, blocks took parameters just like functions, and it was sometimes necessary to partially apply a block to some of the parameters. For example, blocks to which function calls return would need to accept the return value as an argument, and sometimes immediately jump to another block passing the rest of the arguments as well. These "trampoline" blocks were partial applications of the eventual block to all but the final, return value, argument. This partial application mechanism meant that function parameters and arguments were represented as a stack, with the first argument at the bottom, that is, in reverse order. Now that LLAIR is free of SSA, this confusion is no longer needed, and this diff changes the representation of function formal parameters and actual arguments to be in the natural order. This also brings Call instructions in line with Intrinsic instructions, which will make changing the handling of intrinsics from Calls to Intrinsic less error-prone. Reviewed By: jvillard Differential Revision: D25146163 fbshipit-source-id: d3ed07a45
4 years ago
(Array.map
~f:(mangle >> apron_var_of_reg)
(IArray.to_array formals))
(Array.map ~f:apron_var_of_reg (IArray.to_array formals))
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
in
(q''', {areturn; caller_q= q})
let dnf q = [q]
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let resolve_callee _ _ _ _ = []
[sledge] Add APRON-backed Interval abstract domain Summary: Add a new interval abstract domain. This domain uses the APRON numerical analysis library to keep track of the range of values held by llair variables where possible. This works by translating LLAIR expressions into APRON tree expressions, so only handles the subset of the LLAIR expression language that can be embedded. Note also that function summarization is not yet implemented. Future commits will add summarization and improve coverage of LLAIR's expression language. Reviewed By: jberdine Differential Revision: D17763517 fbshipit-source-id: 826ce4cc5
5 years ago
type summary = t
let pp_summary = pp
let apply_summary _ _ = None
[sledge] Add concurrency analysis Summary: This diff changes the analysis exploration algorithm from considering only sequential executions to considering executions of the interleaving semantics. As part of this, symbolic states are changed so that each thread has its own registers, while all memory is shared between them. Currently only a simple threads interface is supported: they can be created with `thread_create(&thread_routine)`, they can exit by returning from `thread_routine`, and they can be joined with `thread_join`. Current simplifications include that newly created threads are already runnable, thread routines accept no arguments and return no result, and no failures are possible. The concurrent exploration algorithm gives preference to executions which have fewer context switches, thereby performing an incremental form of context-bounded analysis. A form of partial-order reduction is performed, where the symbolic states are joined across (prefixes of) executions with the same number of context switches which reach a point where the instruction pointers and call stacks of all threads are the same. This has the effect of "dagifying" the concurrent execution tree by merging points after e.g. threads perform actions that commute with each other. This is unlike traditional partial-order reduction in that it relies on the symbolic join to combine the results of commuting operations in a way that the following symbolic execution can take advantage of, rather than performing some up-front analysis to identify commuting operations and quotienting the space of executions. The current state of the symbolic join and execution is significantly suboptimal in this regard. Differential Revision: D29441149 fbshipit-source-id: cf801a6b1
3 years ago
let create_summary _ ~locals:_ ~formals:_ q = (q, q)