From 5f6280bd1d1330cad9e2355f9bb5aab527ba3845 Mon Sep 17 00:00:00 2001
From: Jules Villard
Date: Mon, 15 Jun 2020 02:20:54 -0700
Subject: [PATCH] document pulse issue types
Summary: As per title
Reviewed By: ngorogiannis
Differential Revision: D22019569
fbshipit-source-id: c9b7dbeac
---
 .../issues/CONSTANT_ADDRESS_DEREFERENCE.md | 6 +++++
 .../issues/NULLPTR_DEREFERENCE.md | 1 +
 .../issues/STACK_VARIABLE_ADDRESS_ESCAPE.md | 13 +++++++++++
 .../documentation/issues/USE_AFTER_DELETE.md | 1 +
 infer/documentation/issues/USE_AFTER_FREE.md | 1 +
 .../issues/USE_AFTER_LIFETIME.md | 14 ++++++++++++
 .../issues/VECTOR_INVALIDATION.md | 18 +++++++++++++++
 infer/src/base/IssueType.ml | 22 +++++++++++++++----
 8 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 infer/documentation/issues/CONSTANT_ADDRESS_DEREFERENCE.md
 create mode 100644 infer/documentation/issues/NULLPTR_DEREFERENCE.md
 create mode 100644 infer/documentation/issues/STACK_VARIABLE_ADDRESS_ESCAPE.md
 create mode 100644 infer/documentation/issues/USE_AFTER_DELETE.md
 create mode 100644 infer/documentation/issues/USE_AFTER_FREE.md
 create mode 100644 infer/documentation/issues/USE_AFTER_LIFETIME.md
 create mode 100644 infer/documentation/issues/VECTOR_INVALIDATION.md
diff --git a/infer/documentation/issues/CONSTANT_ADDRESS_DEREFERENCE.md b/infer/documentation/issues/CONSTANT_ADDRESS_DEREFERENCE.md
new file mode 100644
index 000000000..394ffdaa6
--- /dev/null
+++ b/infer/documentation/issues/CONSTANT_ADDRESS_DEREFERENCE.md
@@ -0,0 +1,6 @@
+This is reported when an address obtained via a non-zero constant is
+dereferenced. If the address is zero then
+[`NULLPTR_DEREFERENCE`](#nullptr_dereference) is reported instead.
+
+For example, `int *p = (int *) 123; *p = 42;` generates this issue
+type.
diff --git a/infer/documentation/issues/NULLPTR_DEREFERENCE.md b/infer/documentation/issues/NULLPTR_DEREFERENCE.md
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/infer/documentation/issues/NULLPTR_DEREFERENCE.md
@@ -0,0 +1 @@
+
diff --git a/infer/documentation/issues/STACK_VARIABLE_ADDRESS_ESCAPE.md b/infer/documentation/issues/STACK_VARIABLE_ADDRESS_ESCAPE.md
new file mode 100644
index 000000000..373fb45cf
--- /dev/null
+++ b/infer/documentation/issues/STACK_VARIABLE_ADDRESS_ESCAPE.md
@@ -0,0 +1,13 @@
+Reported when an address pointing into the stack of the current
+function will escape to its calling context. Such addresses will
+become invalid by the time the function actually returns so are
+potentially dangerous.
+
+For example, directly returning a pointer to a local variable:
+
+```C
+int* foo() {
+ int x = 42;
+ return &x; // <-- warn here that "&x" will escape
+}
+```
diff --git a/infer/documentation/issues/USE_AFTER_DELETE.md b/infer/documentation/issues/USE_AFTER_DELETE.md
new file mode 100644
index 000000000..334a7e9d8
--- /dev/null
+++ b/infer/documentation/issues/USE_AFTER_DELETE.md
@@ -0,0 +1 @@
+An address that was invalidated by a call to `delete` in C++ is dereferenced.
diff --git a/infer/documentation/issues/USE_AFTER_FREE.md b/infer/documentation/issues/USE_AFTER_FREE.md
new file mode 100644
index 000000000..9c7d28eac
--- /dev/null
+++ b/infer/documentation/issues/USE_AFTER_FREE.md
@@ -0,0 +1 @@
+An address that was invalidated by a call to `free` in C is dereferenced.
diff --git a/infer/documentation/issues/USE_AFTER_LIFETIME.md b/infer/documentation/issues/USE_AFTER_LIFETIME.md
new file mode 100644
index 000000000..6a6139eca
--- /dev/null
+++ b/infer/documentation/issues/USE_AFTER_LIFETIME.md
@@ -0,0 +1,14 @@
+The lifetime of an object has ended but that object is being
+accessed. For example, the address of a variable holding a C++ object
+is accessed after the variable has gone out of scope:
+
+```C++
+void foo() {
+ X* p;
+ { // new scope
+ X x = X();
+ p = &x;
+ } // x has gone out of scope
+ p->method(); // ERROR: you should not access *p after x has gone out of scope
+}
+```
diff --git a/infer/documentation/issues/VECTOR_INVALIDATION.md b/infer/documentation/issues/VECTOR_INVALIDATION.md
new file mode 100644
index 000000000..e4d429429
--- /dev/null
+++ b/infer/documentation/issues/VECTOR_INVALIDATION.md
@@ -0,0 +1,18 @@
+An address pointing into a C++ `std::vector` might have become
+invalid. This can happen when an address is taken into a vector, then
+the vector is mutated in a way that might invalidate the address, for
+example by adding elements to the vector, which might trigger a
+re-allocation of the entire vector contents (thereby invalidating the
+pointers into the previous location of the contents).
+
+For example:
+
+```C++
+void deref_vector_element_after_push_back_bad(std::vector& vec) {
+ int* elt = &vec[1];
+ vec.push_back(42); // if the array backing the vector was full already, this
+ // will re-allocate it and copy the previous contents
+ // into the new array, then delete the previous array
+ std::cout << *y << "\n"; // bad: elt might be invalid
+}
+```
diff --git a/infer/src/base/IssueType.ml b/infer/src/base/IssueType.ml
index afd5fe203..9d4e62fb6 100644
--- a/infer/src/base/IssueType.ml
+++ b/infer/src/base/IssueType.ml
@@ -370,6 +370,7 @@ let condition_always_true =
 let constant_address_dereference =
  register_from_string ~enabled:false ~id:"CONSTANT_ADDRESS_DEREFERENCE" Warning Pulse
+ ~user_documentation:[%blob "../../documentation/issues/CONSTANT_ADDRESS_DEREFERENCE.md"]
 let create_intent_from_uri = register_from_string ~id:"CREATE_INTENT_FROM_URI" Error Quandary
@@ -709,7 +710,10 @@ let null_test_after_dereference =
  register_from_string ~enabled:false ~id:"NULL_TEST_AFTER_DEREFERENCE" Warning Biabduction
-let nullptr_dereference = register_from_string ~enabled:false ~id:"NULLPTR_DEREFERENCE" Error Pulse
+let nullptr_dereference =
+ register_from_string ~enabled:false ~id:"NULLPTR_DEREFERENCE" Error Pulse
+ ~user_documentation:"See [NULL_DEREFERENCE](#null_dereference)."
+
 let parameter_not_null_checked = register_from_string ~id:"PARAMETER_NOT_NULL_CHECKED" Warning Biabduction
@@ -781,6 +785,7 @@ let sql_injection_risk = register_from_string ~id:"SQL_INJECTION_RISK" Error Qua
 let stack_variable_address_escape =
  register_from_string ~id:"STACK_VARIABLE_ADDRESS_ESCAPE" Error Pulse
+ ~user_documentation:[%blob "../../documentation/issues/STACK_VARIABLE_ADDRESS_ESCAPE.md"]
 let starvation =
@@ -838,11 +843,20 @@ let uninitialized_value = register_from_string ~id:"UNINITIALIZED_VALUE" Error U
 let unreachable_code_after = register_from_string ~id:"UNREACHABLE_CODE" Error BufferOverrunChecker
-let use_after_delete = register_from_string ~id:"USE_AFTER_DELETE" Error Pulse
+let use_after_delete =
+ register_from_string ~id:"USE_AFTER_DELETE" Error Pulse
+ ~user_documentation:[%blob "../../documentation/issues/USE_AFTER_DELETE.md"]
+
+
+let use_after_free =
+ register_from_string ~id:"USE_AFTER_FREE" Error Pulse
+ ~user_documentation:[%blob "../../documentation/issues/USE_AFTER_FREE.md"]
+
-let use_after_free = register_from_string ~id:"USE_AFTER_FREE" Error Pulse
+let use_after_lifetime =
+ register_from_string ~id:"USE_AFTER_LIFETIME" Error Pulse
+ ~user_documentation:[%blob "../../documentation/issues/USE_AFTER_LIFETIME.md"]
-let use_after_lifetime = register_from_string ~id:"USE_AFTER_LIFETIME" Error Pulse
 let user_controlled_sql_risk = register_from_string ~id:"USER_CONTROLLED_SQL_RISK" Error Quandary
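Review bot: In the `nullptr_dereference` hunk the new `~user_documentation:"See [NULL_DEREFERENCE](#null_dereference)."` is the only Pulse issue in this commit documented with an inline string rather than `[%blob ...]`, while the same commit creates `infer/documentation/issues/NULLPTR_DEREFERENCE.md` as a single empty line that nothing references. Either drop that file or fill it in and load it like the other six, `~user_documentation:[%blob "../../documentation/issues/NULLPTR_DEREFERENCE.md"]`, so the text lives in one place and stays in step with the markdown the other issue types use. `CONSTANT_ADDRESS_DEREFERENCE.md` links to `#nullptr_dereference`, so that anchor presumably needs a rendered entry for this issue type; worth confirming the doc generator emits one from a one-line pointer string. As a side note on the embedded docs, the `VECTOR_INVALIDATION.md` example added here dereferences `*y` although the pointer it declares is `elt`, so the snippet does not compile as written and should read `std::cout << *elt << "\n";`.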