* Copyright (c) 2016-present, Programming Research Laboratory (ROPAS)
* Seoul National University, Korea
* Copyright (c) 2017-present, Facebook, Inc.
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
open! IStd
open AbsLoc
open! AbstractDomain.Types
module BoUtils = BufferOverrunUtils
module Dom = BufferOverrunDomain
module L = Logging
module Models = BufferOverrunModels
module Sem = BufferOverrunSemantics
module Payload = SummaryPayload.Make (struct
type t = BufferOverrunSummary.t
let update_payloads astate (payloads : Payloads.t) = {payloads with buffer_overrun= Some astate}
let of_payloads (payloads : Payloads.t) = payloads.buffer_overrun
type extras = {oenv: Dom.OndemandEnv.t}
module CFG = ProcCfg.NormalOneInstrPerNode
module Init = struct
let initial_state {ProcData.pdesc; tenv; extras= {oenv}} start_node =
let try_decl_local =
let pname = Procdesc.get_proc_name pdesc in
let model_env =
let node_hash = CFG.Node.hash start_node in
let location = CFG.Node.loc start_node in
let integer_type_widths = oenv.Dom.OndemandEnv.integer_type_widths in
BoUtils.ModelEnv.mk_model_env pname ~node_hash location tenv integer_type_widths
fun (mem, inst_num) {ProcAttributes.name; typ} ->
let loc = Loc.of_pvar (Pvar.mk name pname) in
BoUtils.Exec.decl_local model_env (mem, inst_num) (loc, typ)
let mem = Dom.Mem.init oenv in
let mem, _ = List.fold ~f:try_decl_local ~init:(mem, 1) (Procdesc.get_locals pdesc) in
module TransferFunctions = struct
module CFG = CFG
module Domain = Dom.Mem
type nonrec extras = extras
let instantiate_mem_reachable (ret_id, _) callee_pdesc callee_pname ~callee_exit_mem
({Dom.eval_locpath} as eval_sym_trace) mem location =
let formals = Procdesc.get_pvar_formals callee_pdesc in
let copy_reachable_locs_from locs mem =
let copy loc acc =
Option.value_map (Dom.Mem.find_opt loc callee_exit_mem) ~default:acc ~f:(fun v ->
let locs = PowLoc.subst_loc loc eval_locpath in
let v = Dom.Val.subst v eval_sym_trace location in
PowLoc.fold (fun loc acc -> Dom.Mem.add_heap loc v acc) locs acc )
let reachable_locs = Dom.Mem.get_reachable_locs_from formals locs callee_exit_mem in
PowLoc.fold copy reachable_locs mem
let instantiate_ret_alias mem =
let subst_loc l =
Option.find_map (Loc.get_path l) ~f:(fun partial ->
let locs = eval_locpath partial in
match PowLoc.is_singleton_or_more locs with
| IContainer.Singleton loc ->
Some loc
| _ ->
with Caml.Not_found -> None )
let ret_alias =
Option.find_map (Dom.Mem.find_ret_alias callee_exit_mem) ~f:(fun alias_target ->
Dom.AliasTarget.loc_map alias_target ~f:subst_loc )
Option.value_map ret_alias ~default:mem ~f:(fun l -> Dom.Mem.load_alias ret_id l mem)
let ret_var = Loc.of_var (Var.of_id ret_id) in
let ret_val = Dom.Mem.find (Loc.of_pvar (Pvar.get_ret_pvar callee_pname)) callee_exit_mem in
let formal_locs =
List.fold formals ~init:PowLoc.bot ~f:(fun acc (formal, _) ->
let v = Dom.Mem.find (Loc.of_pvar formal) callee_exit_mem in
PowLoc.join acc (Dom.Val.get_all_locs v) )
Dom.Mem.add_stack ret_var (Dom.Val.subst ret_val eval_sym_trace location) mem
|> instantiate_ret_alias
|> copy_reachable_locs_from (PowLoc.join formal_locs (Dom.Val.get_all_locs ret_val))
let forget_ret_relation ret callee_pname mem =
let ret_loc = Loc.of_pvar (Pvar.get_ret_pvar callee_pname) in
let ret_var = Loc.of_var (Var.of_id (fst ret)) in
Dom.Mem.forget_locs (PowLoc.add ret_loc (PowLoc.singleton ret_var)) mem
let is_external pname =
match pname with
| Typ.Procname.Java java_pname ->
Typ.Procname.Java.is_external java_pname
| _ ->
let instantiate_mem :
-> Typ.IntegerWidths.t
-> Ident.t * Typ.t
-> Procdesc.t
-> Typ.Procname.t
-> (Exp.t * Typ.t) list
-> Dom.Mem.t
-> BufferOverrunSummary.memory
-> Location.t
-> Dom.Mem.t =
fun tenv integer_type_widths ret callee_pdesc callee_pname params caller_mem callee_exit_mem
location ->
let rel_subst_map =
Sem.get_subst_map tenv integer_type_widths callee_pdesc params caller_mem callee_exit_mem
let eval_sym_trace =
Sem.mk_eval_sym_trace integer_type_widths callee_pdesc params caller_mem ~strict:false
let caller_mem =
instantiate_mem_reachable ret callee_pdesc callee_pname ~callee_exit_mem eval_sym_trace
caller_mem location
|> forget_ret_relation ret callee_pname
Dom.Mem.instantiate_relation rel_subst_map ~caller:caller_mem ~callee:callee_exit_mem
let exec_instr : Dom.Mem.t -> extras ProcData.t -> CFG.Node.t -> Sil.instr -> Dom.Mem.t =
fun mem {pdesc; tenv; extras= {oenv= {integer_type_widths}}} node instr ->
match instr with
| Load (id, _, _, _) when Ident.is_none id ->
| Load (id, Exp.Lvar pvar, _, location) when Pvar.is_compile_constant pvar || Pvar.is_ice pvar
-> (
match Pvar.get_initializer_pname pvar with
| Some callee_pname -> (
Ondemand.analyze_proc_name ~caller_pdesc:pdesc callee_pname
|> Option.bind ~f:Payload.of_summary
|> Option.map ~f:BufferOverrunSummary.get_output
| Some callee_mem ->
let v = Dom.Mem.find (Loc.of_pvar pvar) callee_mem in
Dom.Mem.add_stack (Loc.of_id id) v mem
| None ->
L.d_printfln_escaped "/!\\ Unknown initializer of global constant %a" (Pvar.pp Pp.text)
pvar ;
Dom.Mem.add_unknown_from id ~callee_pname ~location mem )
| None ->
L.d_printfln_escaped "/!\\ Failed to get initializer name of global constant %a"
(Pvar.pp Pp.text) pvar ;
Dom.Mem.add_unknown id ~location mem )
| Load (id, exp, _, _) ->
BoUtils.Exec.load_locs id (Sem.eval_locs exp mem) mem
| Store (exp1, _, Const (Const.Cstr s), location) ->
let locs = Sem.eval_locs exp1 mem in
let model_env =
let pname = Procdesc.get_proc_name pdesc in
let node_hash = CFG.Node.hash node in
BoUtils.ModelEnv.mk_model_env pname ~node_hash location tenv integer_type_widths
let do_alloc = not (Sem.is_stack_exp exp1 mem) in
BoUtils.Exec.decl_string model_env ~do_alloc locs s mem
| Store (exp1, typ, exp2, location) ->
let locs = Sem.eval_locs exp1 mem in
let v =
Sem.eval integer_type_widths exp2 mem |> Dom.Val.add_assign_trace_elem location locs
let mem =
let sym_exps =
~get_int_sym_f:(Sem.get_sym_f integer_type_widths mem)
~get_offset_sym_f:(Sem.get_offset_sym_f integer_type_widths mem)
~get_size_sym_f:(Sem.get_size_sym_f integer_type_widths mem)
Dom.Mem.store_relation locs sym_exps mem
let mem = Dom.Mem.update_mem locs v mem in
let mem =
if Language.curr_language_is Clang && Typ.is_char typ then
BoUtils.Exec.set_c_strlen ~tgt:(Sem.eval integer_type_widths exp1 mem) ~src:v mem
else mem
let mem =
if not v.represents_multiple_values then
match PowLoc.is_singleton_or_more locs with
| IContainer.Singleton loc_v -> (
let pname = Procdesc.get_proc_name pdesc in
match Typ.Procname.get_method pname with
| "__inferbo_empty" when Loc.is_return loc_v -> (
match Procdesc.get_pvar_formals pdesc with
| [(formal, _)] ->
let formal_v = Dom.Mem.find (Loc.of_pvar formal) mem in
Dom.Mem.store_empty_alias formal_v loc_v mem
| _ ->
assert false )
| _ ->
Dom.Mem.store_simple_alias loc_v exp2 mem )
| _ ->
else mem
let mem = Dom.Mem.update_latest_prune ~updated_locs:locs exp1 exp2 mem in
| Prune (exp, _, _, _) ->
Sem.Prune.prune integer_type_widths exp mem
| Call (((id, ret_typ) as ret), Const (Cfun callee_pname), params, location, _) -> (
let mem = Dom.Mem.add_stack_loc (Loc.of_id id) mem in
match Models.Call.dispatch tenv callee_pname params with
| Some {Models.exec} ->
let model_env =
let node_hash = CFG.Node.hash node in
BoUtils.ModelEnv.mk_model_env callee_pname ~node_hash location tenv
exec model_env ~ret mem
| None -> (
Ondemand.analyze_proc_name ~caller_pdesc:pdesc callee_pname
|> Option.bind ~f:(fun callee_summary ->
Payload.of_summary callee_summary
|> Option.map ~f:(fun payload ->
( BufferOverrunSummary.get_output payload
, Summary.get_proc_desc callee_summary ) ) )
| Some (callee_exit_mem, callee_pdesc) ->
instantiate_mem tenv integer_type_widths ret callee_pdesc callee_pname params mem
callee_exit_mem location
| None ->
(* This may happen for procedures with a biabduction model too. *)
L.d_printfln_escaped "/!\\ Unknown call to %a" Typ.Procname.pp callee_pname ;
if is_external callee_pname then (
L.(debug BufferOverrun Verbose)
"/!\\ External call to unknown %a \n\n" Typ.Procname.pp callee_pname ;
let callsite = CallSite.make callee_pname location in
let path = Symb.SymbolPath.of_callsite ~ret_typ callsite in
let loc = Loc.of_allocsite (Allocsite.make_symbol path) in
let v = Dom.Mem.find loc mem in
Dom.Mem.add_stack (Loc.of_id id) v mem )
else Dom.Mem.add_unknown_from id ~callee_pname ~location mem ) )
| Call ((id, _), fun_exp, _, location, _) ->
let mem = Dom.Mem.add_stack_loc (Loc.of_id id) mem in
L.d_printfln_escaped "/!\\ Call to non-const function %a" Exp.pp fun_exp ;
Dom.Mem.add_unknown id ~location mem
| ExitScope (dead_vars, _) ->
Dom.Mem.remove_temps (List.filter_map dead_vars ~f:Var.get_ident) mem
| Abstract _ | Nullify _ ->
let pp_session_name node fmt = F.fprintf fmt "bufferoverrun %a" CFG.Node.pp_id (CFG.Node.id node)
module Analyzer = AbstractInterpreter.MakeWTO (TransferFunctions)
type invariant_map = Analyzer.invariant_map
type local_decls = PowLoc.t
type memory_summary = BufferOverrunSummary.memory
let extract_pre = Analyzer.extract_pre
let extract_post = Analyzer.extract_post
let extract_state = Analyzer.extract_state
let get_local_decls : Procdesc.t -> local_decls =
fun proc_desc ->
let proc_name = Procdesc.get_proc_name proc_desc in
let accum_local_decls acc {ProcAttributes.name} =
let pvar = Pvar.mk name proc_name in
let loc = Loc.of_pvar pvar in
PowLoc.add loc acc
Procdesc.get_locals proc_desc |> List.fold ~init:PowLoc.empty ~f:accum_local_decls
let cached_compute_invariant_map =
let compute_invariant_map : Procdesc.t -> Tenv.t -> Typ.IntegerWidths.t -> invariant_map =
fun pdesc tenv integer_type_widths ->
Preanal.do_preanalysis pdesc tenv ;
let cfg = CFG.from_pdesc pdesc in
let pdata =
let oenv = Dom.OndemandEnv.mk pdesc tenv integer_type_widths in
ProcData.make pdesc tenv {oenv}
let initial = Init.initial_state pdata (CFG.start_node cfg) in
Analyzer.exec_pdesc ~do_narrowing:true ~initial pdata
(* Use a weak Hashtbl to prevent memory leaks (GC unnecessarily keeps invariant maps around) *)
let module WeakInvMapHashTbl = Caml.Weak.Make (struct
type t = Typ.Procname.t * invariant_map option
let equal (pname1, _) (pname2, _) = Typ.Procname.equal pname1 pname2
let hash (pname, _) = Hashtbl.hash pname
end) in
let inv_map_cache = WeakInvMapHashTbl.create 100 in
fun pdesc tenv integer_type_widths ->
let pname = Procdesc.get_proc_name pdesc in
match WeakInvMapHashTbl.find_opt inv_map_cache (pname, None) with
| Some (_, Some inv_map) ->
| Some (_, None) ->
(* this should never happen *)
assert false
| None ->
let inv_map = compute_invariant_map pdesc tenv integer_type_widths in
WeakInvMapHashTbl.add inv_map_cache (pname, Some inv_map) ;
let compute_summary : local_decls -> CFG.t -> invariant_map -> memory_summary =
fun locals cfg inv_map ->
let exit_node_id = CFG.exit_node cfg |> CFG.Node.id in
match extract_post exit_node_id inv_map with
| Some exit_mem ->
exit_mem |> Dom.Mem.forget_locs locals |> Dom.Mem.unset_oenv
| None ->

* Copyright (c) 2017-present, Facebook, Inc.
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
open! IStd
module CFG = ProcCfg.NormalOneInstrPerNode
module Payload : SummaryPayload.S with type t = BufferOverrunSummary.t
type invariant_map
type local_decls = AbsLoc.PowLoc.t
val cached_compute_invariant_map : Procdesc.t -> Tenv.t -> Typ.IntegerWidths.t -> invariant_map
val compute_summary : local_decls -> CFG.t -> invariant_map -> BufferOverrunSummary.memory
val extract_pre : CFG.Node.id -> invariant_map -> BufferOverrunDomain.Mem.t option
val extract_post : CFG.Node.id -> invariant_map -> BufferOverrunDomain.Mem.t option
val extract_state :
CFG.Node.id -> invariant_map -> BufferOverrunDomain.Mem.t AbstractInterpreter.State.t option
val get_local_decls : Procdesc.t -> local_decls

open AbsLoc open AbsLoc
open! AbstractDomain.Types open! AbstractDomain.Types
module BoUtils = BufferOverrunUtils module BoUtils = BufferOverrunUtils
module CFG = BufferOverrunAnalysis.CFG
module Dom = BufferOverrunDomain module Dom = BufferOverrunDomain
module Relation = BufferOverrunDomainRelation
module L = Logging module L = Logging
module Models = BufferOverrunModels module Models = BufferOverrunModels
module PO = BufferOverrunProofObligations
module Relation = BufferOverrunDomainRelation
module Sem = BufferOverrunSemantics module Sem = BufferOverrunSemantics
module Trace = BufferOverrunTrace module Trace = BufferOverrunTrace
module Payload = SummaryPayload.Make (struct module UnusedBranch = struct
type t = BufferOverrunSummary.t
let update_payloads astate (payloads : Payloads.t) = {payloads with buffer_overrun= Some astate}
let of_payloads (payloads : Payloads.t) = payloads.buffer_overrun
type extras = Dom.OndemandEnv.t
module CFG = ProcCfg.NormalOneInstrPerNode
module Init = struct
let initial_state {ProcData.pdesc; tenv; extras= oenv} start_node =
let try_decl_local =
let pname = Procdesc.get_proc_name pdesc in
let model_env =
let node_hash = CFG.Node.hash start_node in
let location = CFG.Node.loc start_node in
let integer_type_widths = oenv.Dom.OndemandEnv.integer_type_widths in
BoUtils.ModelEnv.mk_model_env pname ~node_hash location tenv integer_type_widths
fun (mem, inst_num) {ProcAttributes.name; typ} ->
let loc = Loc.of_pvar (Pvar.mk name pname) in
BoUtils.Exec.decl_local model_env (mem, inst_num) (loc, typ)
let mem = Dom.Mem.init oenv in
let mem, _ = List.fold ~f:try_decl_local ~init:(mem, 1) (Procdesc.get_locals pdesc) in
module TransferFunctions = struct
module CFG = CFG
module Domain = Dom.Mem
type nonrec extras = extras
let instantiate_mem_reachable (ret_id, _) callee_pdesc callee_pname ~callee_exit_mem
({Dom.eval_locpath} as eval_sym_trace) mem location =
let formals = Procdesc.get_pvar_formals callee_pdesc in
let copy_reachable_locs_from locs mem =
let copy loc acc =
Option.value_map (Dom.Mem.find_opt loc callee_exit_mem) ~default:acc ~f:(fun v ->
let locs = PowLoc.subst_loc loc eval_locpath in
let v = Dom.Val.subst v eval_sym_trace location in
PowLoc.fold (fun loc acc -> Dom.Mem.add_heap loc v acc) locs acc )
let reachable_locs = Dom.Mem.get_reachable_locs_from formals locs callee_exit_mem in
PowLoc.fold copy reachable_locs mem
let instantiate_ret_alias mem =
let subst_loc l =
Option.find_map (Loc.get_path l) ~f:(fun partial ->
let locs = eval_locpath partial in
match PowLoc.is_singleton_or_more locs with
| IContainer.Singleton loc ->
Some loc
| _ ->
with Caml.Not_found -> None )
let ret_alias =
Option.find_map (Dom.Mem.find_ret_alias callee_exit_mem) ~f:(fun alias_target ->
Dom.AliasTarget.loc_map alias_target ~f:subst_loc )
Option.value_map ret_alias ~default:mem ~f:(fun l -> Dom.Mem.load_alias ret_id l mem)
let ret_var = Loc.of_var (Var.of_id ret_id) in
let ret_val = Dom.Mem.find (Loc.of_pvar (Pvar.get_ret_pvar callee_pname)) callee_exit_mem in
let formal_locs =
List.fold formals ~init:PowLoc.bot ~f:(fun acc (formal, _) ->
let v = Dom.Mem.find (Loc.of_pvar formal) callee_exit_mem in
PowLoc.join acc (Dom.Val.get_all_locs v) )
Dom.Mem.add_stack ret_var (Dom.Val.subst ret_val eval_sym_trace location) mem
|> instantiate_ret_alias
|> copy_reachable_locs_from (PowLoc.join formal_locs (Dom.Val.get_all_locs ret_val))
let forget_ret_relation ret callee_pname mem =
let ret_loc = Loc.of_pvar (Pvar.get_ret_pvar callee_pname) in
let ret_var = Loc.of_var (Var.of_id (fst ret)) in
Dom.Mem.forget_locs (PowLoc.add ret_loc (PowLoc.singleton ret_var)) mem
let is_external pname =
match pname with
| Typ.Procname.Java java_pname ->
Typ.Procname.Java.is_external java_pname
| _ ->
let instantiate_mem :
-> Typ.IntegerWidths.t
-> Ident.t * Typ.t
-> Procdesc.t
-> Typ.Procname.t
-> (Exp.t * Typ.t) list
-> Dom.Mem.t
-> BufferOverrunSummary.t
-> Location.t
-> Dom.Mem.t =
fun tenv integer_type_widths ret callee_pdesc callee_pname params caller_mem summary location ->
let callee_exit_mem = BufferOverrunSummary.get_output summary in
let rel_subst_map =
Sem.get_subst_map tenv integer_type_widths callee_pdesc params caller_mem callee_exit_mem
let eval_sym_trace =
Sem.mk_eval_sym_trace integer_type_widths callee_pdesc params caller_mem ~strict:false
let caller_mem =
instantiate_mem_reachable ret callee_pdesc callee_pname ~callee_exit_mem eval_sym_trace
caller_mem location
|> forget_ret_relation ret callee_pname
Dom.Mem.instantiate_relation rel_subst_map ~caller:caller_mem ~callee:callee_exit_mem
let exec_instr : Dom.Mem.t -> extras ProcData.t -> CFG.Node.t -> Sil.instr -> Dom.Mem.t =
fun mem {pdesc; tenv; extras= {integer_type_widths}} node instr ->
match instr with
| Load (id, _, _, _) when Ident.is_none id ->
| Load (id, Exp.Lvar pvar, _, location) when Pvar.is_compile_constant pvar || Pvar.is_ice pvar
-> (
match Pvar.get_initializer_pname pvar with
| Some callee_pname -> (
match Ondemand.analyze_proc_name ~caller_pdesc:pdesc callee_pname with
| Some callee_summary -> (
match Payload.of_summary callee_summary with
| Some payload ->
let callee_mem = BufferOverrunSummary.get_output payload in
let v = Dom.Mem.find (Loc.of_pvar pvar) callee_mem in
Dom.Mem.add_stack (Loc.of_id id) v mem
| None ->
L.d_printfln_escaped "/!\\ Initializer of global constant %a has no inferbo payload"
(Pvar.pp Pp.text) pvar ;
Dom.Mem.add_unknown_from id ~callee_pname ~location mem )
| None ->
L.d_printfln_escaped "/!\\ Unknown initializer of global constant %a" (Pvar.pp Pp.text)
pvar ;
Dom.Mem.add_unknown_from id ~callee_pname ~location mem )
| None ->
L.d_printfln_escaped "/!\\ Failed to get initializer name of global constant %a"
(Pvar.pp Pp.text) pvar ;
Dom.Mem.add_unknown id ~location mem )
| Load (id, exp, _, _) ->
BoUtils.Exec.load_locs id (Sem.eval_locs exp mem) mem
| Store (exp1, _, Const (Const.Cstr s), location) ->
let locs = Sem.eval_locs exp1 mem in
let model_env =
let pname = Procdesc.get_proc_name pdesc in
let node_hash = CFG.Node.hash node in
BoUtils.ModelEnv.mk_model_env pname ~node_hash location tenv integer_type_widths
let do_alloc = not (Sem.is_stack_exp exp1 mem) in
BoUtils.Exec.decl_string model_env ~do_alloc locs s mem
| Store (exp1, typ, exp2, location) ->
let locs = Sem.eval_locs exp1 mem in
let v =
Sem.eval integer_type_widths exp2 mem |> Dom.Val.add_assign_trace_elem location locs
let mem =
let sym_exps =
~get_int_sym_f:(Sem.get_sym_f integer_type_widths mem)
~get_offset_sym_f:(Sem.get_offset_sym_f integer_type_widths mem)
~get_size_sym_f:(Sem.get_size_sym_f integer_type_widths mem)
Dom.Mem.store_relation locs sym_exps mem
let mem = Dom.Mem.update_mem locs v mem in
let mem =
if Language.curr_language_is Clang && Typ.is_char typ then
BoUtils.Exec.set_c_strlen ~tgt:(Sem.eval integer_type_widths exp1 mem) ~src:v mem
else mem
let mem =
if not v.represents_multiple_values then
match PowLoc.is_singleton_or_more locs with
| IContainer.Singleton loc_v -> (
let pname = Procdesc.get_proc_name pdesc in
match Typ.Procname.get_method pname with
| "__inferbo_empty" when Loc.is_return loc_v -> (
match Procdesc.get_pvar_formals pdesc with
| [(formal, _)] ->
let formal_v = Dom.Mem.find (Loc.of_pvar formal) mem in
Dom.Mem.store_empty_alias formal_v loc_v mem
| _ ->
assert false )
| _ ->
Dom.Mem.store_simple_alias loc_v exp2 mem )
| _ ->
else mem
let mem = Dom.Mem.update_latest_prune ~updated_locs:locs exp1 exp2 mem in
| Prune (exp, _, _, _) ->
Sem.Prune.prune integer_type_widths exp mem
| Call (((id, ret_typ) as ret), Const (Cfun callee_pname), params, location, _) -> (
let mem = Dom.Mem.add_stack_loc (Loc.of_id id) mem in
match Models.Call.dispatch tenv callee_pname params with
| Some {Models.exec} ->
let model_env =
let node_hash = CFG.Node.hash node in
BoUtils.ModelEnv.mk_model_env callee_pname ~node_hash location tenv
exec model_env ~ret mem
| None -> (
match Ondemand.analyze_proc_name ~caller_pdesc:pdesc callee_pname with
| Some callee_summary -> (
match Payload.of_summary callee_summary with
| Some payload ->
let callee_pdesc = Summary.get_proc_desc callee_summary in
instantiate_mem tenv integer_type_widths ret callee_pdesc callee_pname params mem
payload location
| None ->
(* This may happen for procedures with a biabduction model. *)
L.d_printfln_escaped "/!\\ Call to %a has no inferbo payload" Typ.Procname.pp
callee_pname ;
Dom.Mem.add_unknown_from id ~callee_pname ~location mem )
| None ->
L.d_printfln_escaped "/!\\ Unknown call to %a" Typ.Procname.pp callee_pname ;
if is_external callee_pname then (
L.(debug BufferOverrun Verbose)
"/!\\ External call to unknown %a \n\n" Typ.Procname.pp callee_pname ;
let callsite = CallSite.make callee_pname location in
let path = Symb.SymbolPath.of_callsite ~ret_typ callsite in
let loc = Loc.of_allocsite (Allocsite.make_symbol path) in
let v = Dom.Mem.find loc mem in
Dom.Mem.add_stack (Loc.of_id id) v mem )
else Dom.Mem.add_unknown_from id ~callee_pname ~location mem ) )
| Call ((id, _), fun_exp, _, location, _) ->
let mem = Dom.Mem.add_stack_loc (Loc.of_id id) mem in
L.d_printfln_escaped "/!\\ Call to non-const function %a" Exp.pp fun_exp ;
Dom.Mem.add_unknown id ~location mem
| ExitScope (dead_vars, _) ->
Dom.Mem.remove_temps (List.filter_map dead_vars ~f:Var.get_ident) mem
| Abstract _ | Nullify _ ->
let pp_session_name node fmt = F.fprintf fmt "bufferoverrun %a" CFG.Node.pp_id (CFG.Node.id node)
module Analyzer = AbstractInterpreter.MakeWTO (TransferFunctions)
type invariant_map = Analyzer.invariant_map
module Report = struct
module UnusedBranch = struct
type t = {node: CFG.Node.t; location: Location.t; condition: Exp.t; true_branch: bool} type t = {node: CFG.Node.t; location: Location.t; condition: Exp.t; true_branch: bool}
let report tenv summary {node; location; condition; true_branch} = let report tenv summary {node; location; condition; true_branch} =
in in
let ltr = [Errlog.make_trace_element 0 location "Here" []] in let ltr = [Errlog.make_trace_element 0 location "Here" []] in
Reporting.log_warning summary ~loc:location ~ltr issue_type desc Reporting.log_warning summary ~loc:location ~ltr issue_type desc
end end
module UnusedBranches = struct module UnusedBranches = struct
type t = UnusedBranch.t list type t = UnusedBranch.t list
let empty = [] let empty = []
let report tenv summary unused_branches = let report tenv summary unused_branches =
List.iter unused_branches ~f:(UnusedBranch.report tenv summary) List.iter unused_branches ~f:(UnusedBranch.report tenv summary)
end end
module UnreachableStatement = struct module UnreachableStatement = struct
type t = {location: Location.t} type t = {location: Location.t}
let report summary {location} = let report summary {location} =
let ltr = [Errlog.make_trace_element 0 location "Here" []] in let ltr = [Errlog.make_trace_element 0 location "Here" []] in
Reporting.log_error summary ~loc:location ~ltr IssueType.unreachable_code_after Reporting.log_error summary ~loc:location ~ltr IssueType.unreachable_code_after
"Unreachable code after statement" "Unreachable code after statement"
end end
module UnreachableStatements = struct module UnreachableStatements = struct
type t = UnreachableStatement.t list type t = UnreachableStatement.t list
let empty = [] let empty = []
let report summary unreachable_statements = let report summary unreachable_statements =
List.iter unreachable_statements ~f:(UnreachableStatement.report summary) List.iter unreachable_statements ~f:(UnreachableStatement.report summary)
end end
module PO = BufferOverrunProofObligations
module Checks = struct module Checks = struct
type t = type t =
{ cond_set: PO.ConditionSet.checked_t { cond_set: PO.ConditionSet.checked_t
; unused_branches: UnusedBranches.t ; unused_branches: UnusedBranches.t
@ -332,9 +76,9 @@ module Report = struct
{ cond_set= PO.ConditionSet.empty { cond_set= PO.ConditionSet.empty
; unused_branches= UnusedBranches.empty ; unused_branches= UnusedBranches.empty
; unreachable_statements= UnreachableStatements.empty } ; unreachable_statements= UnreachableStatements.empty }
end end
module ExitStatement = struct module ExitStatement = struct
(* check that we are the last significant instruction (* check that we are the last significant instruction
* of a procedure (no more significant instruction) * of a procedure (no more significant instruction)
* or of a block (goes directly to a node with multiple predecessors) * or of a block (goes directly to a node with multiple predecessors)
@ -351,9 +95,9 @@ module Report = struct
|| is_end_of_block_or_procedure cfg succ (CFG.instrs succ) || is_end_of_block_or_procedure cfg succ (CFG.instrs succ)
| More -> | More ->
false false
end end
let add_unreachable_code (cfg : CFG.t) (node : CFG.Node.t) instr rem_instrs (checks : Checks.t) = let add_unreachable_code (cfg : CFG.t) (node : CFG.Node.t) instr rem_instrs (checks : Checks.t) =
match instr with match instr with
| Sil.Prune (_, _, _, (Ik_land_lor | Ik_bexp)) -> | Sil.Prune (_, _, _, (Ik_land_lor | Ik_bexp)) ->
checks checks
@ -371,7 +115,7 @@ module Report = struct
{checks with unreachable_statements= unreachable_statement :: checks.unreachable_statements} {checks with unreachable_statements= unreachable_statement :: checks.unreachable_statements}
let check_binop_array_access : let check_binop_array_access :
Typ.IntegerWidths.t Typ.IntegerWidths.t
-> is_plus:bool -> is_plus:bool
-> e1:Exp.t -> e1:Exp.t
@ -383,16 +127,14 @@ module Report = struct
fun integer_type_widths ~is_plus ~e1 ~e2 location mem cond_set -> fun integer_type_widths ~is_plus ~e1 ~e2 location mem cond_set ->
let arr = Sem.eval integer_type_widths e1 mem in let arr = Sem.eval integer_type_widths e1 mem in
let idx = Sem.eval integer_type_widths e2 mem in let idx = Sem.eval integer_type_widths e2 mem in
let idx_sym_exp = let idx_sym_exp = Relation.SymExp.of_exp ~get_sym_f:(Sem.get_sym_f integer_type_widths mem) e2 in
Relation.SymExp.of_exp ~get_sym_f:(Sem.get_sym_f integer_type_widths mem) e2
let relation = Dom.Mem.get_relation mem in let relation = Dom.Mem.get_relation mem in
let latest_prune = Dom.Mem.get_latest_prune mem in let latest_prune = Dom.Mem.get_latest_prune mem in
BoUtils.Check.array_access ~arr ~idx ~idx_sym_exp ~relation ~is_plus ~last_included:false BoUtils.Check.array_access ~arr ~idx ~idx_sym_exp ~relation ~is_plus ~last_included:false
~latest_prune location cond_set ~latest_prune location cond_set
let check_binop : let check_binop :
Typ.IntegerWidths.t Typ.IntegerWidths.t
-> bop:Binop.t -> bop:Binop.t
-> e1:Exp.t -> e1:Exp.t
@ -411,7 +153,7 @@ module Report = struct
cond_set cond_set
let check_expr_for_array_access : let check_expr_for_array_access :
Typ.IntegerWidths.t Typ.IntegerWidths.t
-> Exp.t -> Exp.t
-> Location.t -> Location.t
@ -423,8 +165,8 @@ module Report = struct
match exp with match exp with
| Exp.Lindex (array_exp, index_exp) -> | Exp.Lindex (array_exp, index_exp) ->
cond_set |> check_sub_expr array_exp |> check_sub_expr index_exp cond_set |> check_sub_expr array_exp |> check_sub_expr index_exp
|> BoUtils.Check.lindex integer_type_widths ~array_exp ~index_exp ~last_included:false |> BoUtils.Check.lindex integer_type_widths ~array_exp ~index_exp ~last_included:false mem
mem location location
| Exp.BinOp (_, e1, e2) -> | Exp.BinOp (_, e1, e2) ->
cond_set |> check_sub_expr e1 |> check_sub_expr e2 cond_set |> check_sub_expr e1 |> check_sub_expr e2
| Exp.Lfield (e, _, _) | Exp.UnOp (_, e, _) | Exp.Exn e -> | Exp.Lfield (e, _, _) | Exp.UnOp (_, e, _) | Exp.Exn e ->
@ -452,7 +194,7 @@ module Report = struct
cond_set cond_set
let check_binop_for_integer_overflow integer_type_widths bop ~lhs ~rhs location mem cond_set = let check_binop_for_integer_overflow integer_type_widths bop ~lhs ~rhs location mem cond_set =
match bop with match bop with
| Binop.PlusA (Some _) | Binop.MinusA (Some _) | Binop.Mult (Some _) -> | Binop.PlusA (Some _) | Binop.MinusA (Some _) | Binop.Mult (Some _) ->
let lhs_v = Sem.eval integer_type_widths lhs mem in let lhs_v = Sem.eval integer_type_widths lhs mem in
@ -464,7 +206,7 @@ module Report = struct
cond_set cond_set
let rec check_expr_for_integer_overflow integer_type_widths exp location mem cond_set = let rec check_expr_for_integer_overflow integer_type_widths exp location mem cond_set =
match exp with match exp with
| Exp.UnOp (_, e, _) | Exp.UnOp (_, e, _)
| Exp.Exn e | Exp.Exn e
@ -488,13 +230,13 @@ module Report = struct
cond_set cond_set
let instantiate_cond : let instantiate_cond :
Tenv.t Tenv.t
-> Typ.IntegerWidths.t -> Typ.IntegerWidths.t
-> Procdesc.t -> Procdesc.t
-> (Exp.t * Typ.t) list -> (Exp.t * Typ.t) list
-> Dom.Mem.t -> Dom.Mem.t
-> Payload.t -> BufferOverrunAnalysis.Payload.t
-> Location.t -> Location.t
-> PO.ConditionSet.checked_t = -> PO.ConditionSet.checked_t =
fun tenv integer_type_widths callee_pdesc params caller_mem summary location -> fun tenv integer_type_widths callee_pdesc params caller_mem summary location ->
@ -505,13 +247,11 @@ module Report = struct
in in
let pname = Procdesc.get_proc_name callee_pdesc in let pname = Procdesc.get_proc_name callee_pdesc in
let caller_rel = Dom.Mem.get_relation caller_mem in let caller_rel = Dom.Mem.get_relation caller_mem in
let eval_sym_trace = let eval_sym_trace = Sem.mk_eval_sym_trace integer_type_widths callee_pdesc params caller_mem in
Sem.mk_eval_sym_trace integer_type_widths callee_pdesc params caller_mem
PO.ConditionSet.subst callee_cond eval_sym_trace rel_subst_map caller_rel pname location PO.ConditionSet.subst callee_cond eval_sym_trace rel_subst_map caller_rel pname location
let check_instr : let check_instr :
Procdesc.t Procdesc.t
-> Tenv.t -> Tenv.t
-> Typ.IntegerWidths.t -> Typ.IntegerWidths.t
@ -545,25 +285,26 @@ module Report = struct
in in
check model_env mem cond_set check model_env mem cond_set
| None -> ( | None -> (
match Ondemand.analyze_proc_name ~caller_pdesc:pdesc callee_pname with match
| Some callee_summary -> ( Ondemand.analyze_proc_name ~caller_pdesc:pdesc callee_pname
match Payload.of_summary callee_summary with |> Option.bind ~f:(fun callee_summary ->
| Some callee_payload -> BufferOverrunAnalysis.Payload.of_summary callee_summary
let callee_pdesc = Summary.get_proc_desc callee_summary in |> Option.map ~f:(fun payload -> (payload, Summary.get_proc_desc callee_summary))
| Some (callee_payload, callee_pdesc) ->
instantiate_cond tenv integer_type_widths callee_pdesc params mem callee_payload instantiate_cond tenv integer_type_widths callee_pdesc params mem callee_payload
location location
|> PO.ConditionSet.join cond_set |> PO.ConditionSet.join cond_set
| None -> | None ->
(* no inferbo payload *) cond_set ) (* unknown call / no inferbo payload *) cond_set ) )
| None ->
(* unknown call *) cond_set ) )
| Sil.Prune (exp, location, _, _) -> | Sil.Prune (exp, location, _, _) ->
check_expr_for_integer_overflow integer_type_widths exp location mem cond_set check_expr_for_integer_overflow integer_type_widths exp location mem cond_set
| _ -> | _ ->
cond_set cond_set
let print_debug_info : Sil.instr -> Dom.Mem.t -> PO.ConditionSet.checked_t -> unit = let print_debug_info : Sil.instr -> Dom.Mem.t -> PO.ConditionSet.checked_t -> unit =
fun instr pre cond_set -> fun instr pre cond_set ->
L.(debug BufferOverrun Verbose) "@\n@\n================================@\n" ; L.(debug BufferOverrun Verbose) "@\n@\n================================@\n" ;
L.(debug BufferOverrun Verbose) "@[<v 2>Pre-state : @,%a" Dom.Mem.pp pre ; L.(debug BufferOverrun Verbose) "@[<v 2>Pre-state : @,%a" Dom.Mem.pp pre ;
@ -573,7 +314,7 @@ module Report = struct
L.(debug BufferOverrun Verbose) "================================@\n@." L.(debug BufferOverrun Verbose) "================================@\n@."
let check_instrs : let check_instrs :
Procdesc.t Procdesc.t
-> Tenv.t -> Tenv.t
-> Typ.IntegerWidths.t -> Typ.IntegerWidths.t
@ -605,17 +346,17 @@ module Report = struct
{checks with cond_set} {checks with cond_set}
let check_node : let check_node :
Procdesc.t Procdesc.t
-> Tenv.t -> Tenv.t
-> Typ.IntegerWidths.t -> Typ.IntegerWidths.t
-> CFG.t -> CFG.t
-> invariant_map -> BufferOverrunAnalysis.invariant_map
-> Checks.t -> Checks.t
-> CFG.Node.t -> CFG.Node.t
-> Checks.t = -> Checks.t =
fun pdesc tenv integer_type_widths cfg inv_map checks node -> fun pdesc tenv integer_type_widths cfg inv_map checks node ->
match Analyzer.extract_state (CFG.Node.id node) inv_map with match BufferOverrunAnalysis.extract_state (CFG.Node.id node) inv_map with
| Some state -> | Some state ->
let instrs = CFG.instrs node in let instrs = CFG.instrs node in
check_instrs pdesc tenv integer_type_widths cfg node instrs state checks check_instrs pdesc tenv integer_type_widths cfg node instrs state checks
@ -623,15 +364,22 @@ module Report = struct
checks checks
let check_proc : type checks = Checks.t
Procdesc.t -> Tenv.t -> Typ.IntegerWidths.t -> CFG.t -> invariant_map -> Checks.t =
let compute_checks :
-> Tenv.t
-> Typ.IntegerWidths.t
-> CFG.t
-> BufferOverrunAnalysis.invariant_map
-> checks =
fun pdesc tenv integer_type_widths cfg inv_map -> fun pdesc tenv integer_type_widths cfg inv_map ->
CFG.fold_nodes cfg CFG.fold_nodes cfg ~f:(check_node pdesc tenv integer_type_widths cfg inv_map) ~init:Checks.empty
~f:(check_node pdesc tenv integer_type_widths cfg inv_map)
let report_errors : Tenv.t -> Summary.t -> Checks.t -> unit = type checks_summary = PO.ConditionSet.summary_t
let report_errors : Tenv.t -> Summary.t -> checks -> unit =
fun tenv summary {cond_set; unused_branches; unreachable_statements} -> fun tenv summary {cond_set; unused_branches; unreachable_statements} ->
UnusedBranches.report tenv summary unused_branches ; UnusedBranches.report tenv summary unused_branches ;
UnreachableStatements.report summary unreachable_statements ; UnreachableStatements.report summary unreachable_statements ;
@ -648,105 +396,31 @@ module Report = struct
PO.ConditionSet.report_errors ~report cond_set PO.ConditionSet.report_errors ~report cond_set
let for_summary ~forget_locs let checks_summary : BufferOverrunAnalysis.local_decls -> checks -> checks_summary =
fun locals
Checks.({ cond_set Checks.({ cond_set
; unused_branches= _ (* intra-procedural *) ; unused_branches= _ (* intra-procedural *)
; unreachable_statements= _ (* intra-procedural *) }) = ; unreachable_statements= _ (* intra-procedural *) }) ->
PO.ConditionSet.for_summary ~forget_locs cond_set PO.ConditionSet.for_summary ~forget_locs:locals cond_set
type checks = Report.Checks.t
type checks_summary = Report.PO.ConditionSet.summary_t
type local_decls = PowLoc.t
type memory_summary = BufferOverrunSummary.memory
let extract_pre = Analyzer.extract_pre
let extract_post = Analyzer.extract_post
let get_local_decls : Procdesc.t -> local_decls =
fun proc_desc ->
let proc_name = Procdesc.get_proc_name proc_desc in
let accum_local_decls acc {ProcAttributes.name} =
let pvar = Pvar.mk name proc_name in
let loc = Loc.of_pvar pvar in
PowLoc.add loc acc
Procdesc.get_locals proc_desc |> List.fold ~init:PowLoc.empty ~f:accum_local_decls
let cached_compute_invariant_map =
let compute_invariant_map : Procdesc.t -> Tenv.t -> Typ.IntegerWidths.t -> invariant_map =
fun pdesc tenv integer_type_widths ->
Preanal.do_preanalysis pdesc tenv ;
let cfg = CFG.from_pdesc pdesc in
let pdata =
let oenv = Dom.OndemandEnv.mk pdesc tenv integer_type_widths in
ProcData.make pdesc tenv oenv
let initial = Init.initial_state pdata (CFG.start_node cfg) in
Analyzer.exec_pdesc ~do_narrowing:true ~initial pdata
(* Use a weak Hashtbl to prevent memory leaks (GC unnecessarily keeps invariant maps around) *)
let module WeakInvMapHashTbl = Caml.Weak.Make (struct
type t = Typ.Procname.t * invariant_map option
let equal (pname1, _) (pname2, _) = Typ.Procname.equal pname1 pname2
let hash (pname, _) = Hashtbl.hash pname
end) in
let inv_map_cache = WeakInvMapHashTbl.create 100 in
fun pdesc tenv integer_type_widths ->
let pname = Procdesc.get_proc_name pdesc in
match WeakInvMapHashTbl.find_opt inv_map_cache (pname, None) with
| Some (_, Some inv_map) ->
| Some (_, None) ->
(* this should never happen *)
assert false
| None ->
let inv_map = compute_invariant_map pdesc tenv integer_type_widths in
WeakInvMapHashTbl.add inv_map_cache (pname, Some inv_map) ;
let memory_summary : local_decls -> CFG.t -> invariant_map -> memory_summary =
fun locals cfg inv_map ->
let exit_node_id = CFG.exit_node cfg |> CFG.Node.id in
match extract_post exit_node_id inv_map with
| Some exit_mem ->
exit_mem |> Dom.Mem.forget_locs locals |> Dom.Mem.unset_oenv
| None ->
let compute_checks :
Procdesc.t -> Tenv.t -> Typ.IntegerWidths.t -> CFG.t -> invariant_map -> checks =
let checks_summary : local_decls -> checks -> checks_summary =
fun locals checks -> Report.for_summary ~forget_locs:locals checks
let checker : Callbacks.proc_callback_args -> Summary.t = let checker : Callbacks.proc_callback_args -> Summary.t =
fun {proc_desc; tenv; integer_type_widths; summary} -> fun {proc_desc; tenv; integer_type_widths; summary} ->
let inv_map = cached_compute_invariant_map proc_desc tenv integer_type_widths in let inv_map =
BufferOverrunAnalysis.cached_compute_invariant_map proc_desc tenv integer_type_widths
let underlying_exit_node = Procdesc.get_exit_node proc_desc in let underlying_exit_node = Procdesc.get_exit_node proc_desc in
let pp_name f = F.pp_print_string f "bufferoverrun check" in let pp_name f = F.pp_print_string f "bufferoverrun check" in
NodePrinter.start_session ~pp_name underlying_exit_node ; NodePrinter.start_session ~pp_name underlying_exit_node ;
let summary = let summary =
let cfg = CFG.from_pdesc proc_desc in let cfg = CFG.from_pdesc proc_desc in
let checks = compute_checks proc_desc tenv integer_type_widths cfg inv_map in let checks = compute_checks proc_desc tenv integer_type_widths cfg inv_map in
Report.report_errors tenv summary checks ; report_errors tenv summary checks ;
let locals = get_local_decls proc_desc in let locals = BufferOverrunAnalysis.get_local_decls proc_desc in
let cond_set = checks_summary locals checks in let cond_set = checks_summary locals checks in
let exit_mem = memory_summary locals cfg inv_map in let exit_mem = BufferOverrunAnalysis.compute_summary locals cfg inv_map in
let payload = (exit_mem, cond_set) in let payload = (exit_mem, cond_set) in
Payload.update_summary payload summary BufferOverrunAnalysis.Payload.update_summary payload summary
in in
NodePrinter.finish_session underlying_exit_node ; NodePrinter.finish_session underlying_exit_node ;
summary summary

@ -8,13 +8,3 @@
open! IStd open! IStd
val checker : Callbacks.proc_callback_t val checker : Callbacks.proc_callback_t
module CFG = ProcCfg.NormalOneInstrPerNode
type invariant_map
val cached_compute_invariant_map : Procdesc.t -> Tenv.t -> Typ.IntegerWidths.t -> invariant_map
val extract_pre : CFG.Node.id -> invariant_map -> BufferOverrunDomain.Mem.t option
val extract_post : CFG.Node.id -> invariant_map -> BufferOverrunDomain.Mem.t option

@ -53,7 +53,7 @@ module TransferFunctionsNodesBasicCost = struct
module Domain = NodesBasicCostDomain module Domain = NodesBasicCostDomain
type extras = type extras =
{ inferbo_invariant_map: BufferOverrunChecker.invariant_map { inferbo_invariant_map: BufferOverrunAnalysis.invariant_map
; integer_type_widths: Typ.IntegerWidths.t } ; integer_type_widths: Typ.IntegerWidths.t }
let cost_atomic_instruction = BasicCost.one let cost_atomic_instruction = BasicCost.one
@ -101,7 +101,7 @@ module TransferFunctionsNodesBasicCost = struct
let exec_instr costmap ({ProcData.extras= {inferbo_invariant_map; integer_type_widths}} as pdata) let exec_instr costmap ({ProcData.extras= {inferbo_invariant_map; integer_type_widths}} as pdata)
node instr = node instr =
let inferbo_mem = let inferbo_mem =
Option.value_exn (BufferOverrunChecker.extract_pre (CFG.Node.id node) inferbo_invariant_map) Option.value_exn (BufferOverrunAnalysis.extract_pre (CFG.Node.id node) inferbo_invariant_map)
in in
let costmap = exec_instr_cost integer_type_widths inferbo_mem costmap pdata node instr in let costmap = exec_instr_cost integer_type_widths inferbo_mem costmap pdata node instr in
costmap costmap
@ -151,7 +151,7 @@ module BoundMap = struct
| _ -> ( | _ -> (
let exit_state_opt = let exit_state_opt =
let instr_node_id = InstrCFG.last_of_underlying_node node |> InstrCFG.Node.id in let instr_node_id = InstrCFG.last_of_underlying_node node |> InstrCFG.Node.id in
BufferOverrunChecker.extract_post instr_node_id inferbo_invariant_map BufferOverrunAnalysis.extract_post instr_node_id inferbo_invariant_map
in in
match exit_state_opt with match exit_state_opt with
| Some entry_mem -> | Some entry_mem ->
@ -740,7 +740,7 @@ let check_and_report_top_and_bottom cost proc_desc summary =
let checker {Callbacks.tenv; proc_desc; integer_type_widths; summary} : Summary.t = let checker {Callbacks.tenv; proc_desc; integer_type_widths; summary} : Summary.t =
let inferbo_invariant_map = let inferbo_invariant_map =
BufferOverrunChecker.cached_compute_invariant_map proc_desc tenv integer_type_widths BufferOverrunAnalysis.cached_compute_invariant_map proc_desc tenv integer_type_widths
in in
let node_cfg = NodeCFG.from_pdesc proc_desc in let node_cfg = NodeCFG.from_pdesc proc_desc in
let proc_data = ProcData.make_default proc_desc tenv in let proc_data = ProcData.make_default proc_desc tenv in

@ -94,7 +94,7 @@ let get_issue_to_report tenv Call.({pname; node; params}) integer_type_widths in
let instr_node_id = InstrCFG.last_of_underlying_node node |> InstrCFG.Node.id in let instr_node_id = InstrCFG.last_of_underlying_node node |> InstrCFG.Node.id in
let inferbo_invariant_map = Lazy.force inferbo_invariant_map in let inferbo_invariant_map = Lazy.force inferbo_invariant_map in
let inferbo_mem = let inferbo_mem =
Option.value_exn (BufferOverrunChecker.extract_pre instr_node_id inferbo_invariant_map) Option.value_exn (BufferOverrunAnalysis.extract_pre instr_node_id inferbo_invariant_map)
in in
(* get the cost of the function call *) (* get the cost of the function call *)
Cost.instantiate_cost integer_type_widths ~inferbo_caller_mem:inferbo_mem Cost.instantiate_cost integer_type_widths ~inferbo_caller_mem:inferbo_mem
@ -119,7 +119,7 @@ let checker Callbacks.({tenv; summary; proc_desc; integer_type_widths}) : Summar
~initial:(ReachingDefs.init_reaching_defs_with_formals proc_desc) ~initial:(ReachingDefs.init_reaching_defs_with_formals proc_desc)
in in
let inferbo_invariant_map = let inferbo_invariant_map =
lazy (BufferOverrunChecker.cached_compute_invariant_map proc_desc tenv integer_type_widths) lazy (BufferOverrunAnalysis.cached_compute_invariant_map proc_desc tenv integer_type_widths)
in in
(* get dominators *) (* get dominators *)
let idom = Dominators.get_idoms proc_desc in let idom = Dominators.get_idoms proc_desc in

@ -23,7 +23,7 @@ module Payload = SummaryPayload.Make (struct
end) end)
type purity_extras = type purity_extras =
{inferbo_invariant_map: BufferOverrunChecker.invariant_map; formals: Var.t list} {inferbo_invariant_map: BufferOverrunAnalysis.invariant_map; formals: Var.t list}
module TransferFunctions = struct module TransferFunctions = struct
module CFG = ProcCfg.Normal module CFG = ProcCfg.Normal
@ -139,7 +139,7 @@ module TransferFunctions = struct
CFG.Node.underlying_node node |> InstrCFG.last_of_underlying_node |> InstrCFG.Node.id CFG.Node.underlying_node node |> InstrCFG.last_of_underlying_node |> InstrCFG.Node.id
in in
let inferbo_mem = let inferbo_mem =
Option.value_exn (BufferOverrunChecker.extract_post node_id inferbo_invariant_map) Option.value_exn (BufferOverrunAnalysis.extract_post node_id inferbo_invariant_map)
in in
match instr with match instr with
| Assign (ae, _, _) when is_heap_access ae -> | Assign (ae, _, _) when is_heap_access ae ->
@ -185,7 +185,7 @@ let should_report pdesc =
let checker {Callbacks.tenv; summary; proc_desc; integer_type_widths} : Summary.t = let checker {Callbacks.tenv; summary; proc_desc; integer_type_widths} : Summary.t =
let proc_name = Procdesc.get_proc_name proc_desc in let proc_name = Procdesc.get_proc_name proc_desc in
let inferbo_invariant_map = let inferbo_invariant_map =
BufferOverrunChecker.cached_compute_invariant_map proc_desc tenv integer_type_widths BufferOverrunAnalysis.cached_compute_invariant_map proc_desc tenv integer_type_widths
in in
let formals = let formals =
Procdesc.get_formals proc_desc Procdesc.get_formals proc_desc
