Adding a test in symbolic execution when a dangling uninitialized pointer is dereferenced

Summary: The symbolic execution was not stopping in case an unitialized dangling pointer was passed to a function and then dereferenced inside the callee. What would happen is that a wrong footprint would be added to the unititialized pointer at the end of the function call in the caller proposition. This checks that if we do: frame * new_footprint checks that we do not add heap predicates to the frame into uninitialized local variables. If we can identify the variable then we raise a danglind pointer dereference. If instead we cannot give a good explanation we give an internal error. The latter case should be temporary. We should find a general way to raise dangling pointer deref instead of the internal error. I also fixed the model of getc that was the way I found the problem.
9 years ago · 7002d0d24c
parent 795742a3a2
commit 7002d0d24c
11 changed files with 165 additions and 0 deletions
--- a/infer/src/backend/errdesc.ml
+++ b/infer/src/backend/errdesc.ml
@ -929,6 +929,9 @@ let explain_dereference_as_caller_expression
        let position = find_formal_param_number pv_name in
        if !verbose then L.d_strln ("parameter number: " ^ string_of_int position);
        explain_nth_function_parameter use_buckets deref_str actual_pre position pvar_off
      else
      if Prop.has_dangling_uninit_attribute spec_pre exp then
        Localise.desc_uninitialized_dangling_pointer_deref deref_str (pvar_to_string pv) loc
      else Localise.no_desc
  | None ->
      if !verbose then (L.d_str "explain_dereference_as_caller_expression "; Sil.d_exp exp; L.d_str ": cannot explain None "; L.d_ln ());
--- a/infer/src/backend/localise.ml
+++ b/infer/src/backend/localise.ml
@ -702,3 +702,18 @@ let desc_tainted_value_reaching_sensitive_function expr_str loc =
      expr_str
      (at_line tags loc) in
  [description], None, !tags
 let desc_uninitialized_dangling_pointer_deref deref expr_str loc =
  let tags = Tags.create () in
  Tags.add tags Tags.value expr_str;
  let prefix = match deref.value_pre with
    | Some s -> s
    | _ -> "" in
  let description =
    Format.sprintf
      "%s %s %s %s"
      prefix
      expr_str
      deref.problem_str
      (at_line tags loc) in
  [description], None, !tags
--- a/infer/src/backend/localise.mli
+++ b/infer/src/backend/localise.mli
@ -219,3 +219,5 @@ val desc_inherently_dangerous_function : Procname.t -> error_desc
 val desc_unary_minus_applied_to_unsigned_expression : string option -> string -> Sil.location -> error_desc
 val desc_tainted_value_reaching_sensitive_function : string -> Sil.location -> error_desc
 val desc_uninitialized_dangling_pointer_deref : deref_str -> string -> Sil.location -> error_desc
--- a/infer/src/backend/prop.ml
+++ b/infer/src/backend/prop.ml
@ -1773,6 +1773,10 @@ let get_objc_null_attribute prop exp =
 let get_div0_attribute prop exp =
  get_attribute prop exp Sil.ACdiv0
 let has_dangling_uninit_attribute prop exp =
  let la = get_exp_attributes prop exp in
  list_exists (fun a -> Sil.attribute_equal a (Sil.Adangling (Sil.DAuninit))) la
 (** Get all the attributes of the prop *)
 let get_all_attributes prop =
  let res = ref [] in
--- a/infer/src/backend/prop.mli
+++ b/infer/src/backend/prop.mli
@ -289,6 +289,8 @@ val get_objc_null_attribute : 'a t -> exp -> attribute option
 (** Get all the attributes of the prop *)
 val get_all_attributes : 'a t -> (exp * attribute) list
 val has_dangling_uninit_attribute : 'a t -> exp -> bool
 (** Replace an attribute associated to the expression *)
 val add_or_replace_exp_attribute : (Sil.attribute -> Sil.attribute -> unit) -> normal t -> exp -> attribute -> normal t
--- a/infer/src/backend/tabulation.ml
+++ b/infer/src/backend/tabulation.ml
@ -30,6 +30,7 @@ type deref_error =
  | Deref_minusone (** dereference -1 *)
  | Deref_null of Sil.path_pos (** dereference null *)
  | Deref_undef of Procname.t * Sil.location * Sil.path_pos (** dereference a value coming from the given undefined function *)
  | Deref_undef_exp (** dereference an undefined expression *)
 type invalid_res =
  | Dereference_error of deref_error * Localise.error_desc * Paths.Path.t option (** dereference error and description *)
@ -256,6 +257,11 @@ let check_dereferences callee_pname actual_pre sub spec_pre formal_params =
      match deref_no_null_check_pos with
      | Some pos -> Some (Deref_null pos, desc true (Localise.deref_str_null (Some callee_pname)))
      | None -> assert false
    else
      (* Check if the dereferenced expr has the dangling uninitialized attribute. *)
      (* In that case it raise a dangling pointer dereferece *)
    if Prop.has_dangling_uninit_attribute spec_pre e then
      Some (Deref_undef_exp, desc false (Localise.deref_str_dangling (Some Sil.DAuninit)) )
    else if Sil.exp_equal e_sub Sil.exp_minus_one then Some (Deref_minusone, desc true (Localise.deref_str_dangling None))
    else match Prop.get_resource_undef_attribute actual_pre e_sub with
      | Some (Sil.Aundef (s, loc, pos)) ->
@ -809,6 +815,13 @@ let get_check_exn check callee_pname loc ml_location = match check with
  | Prover.Class_cast_check (texp1, texp2, exp) ->
      class_cast_exn (Some callee_pname) texp1 texp2 exp ml_location
 let check_uninitialize_dangling_deref callee_pname actual_pre sub formal_params props =
  list_iter (fun (p, _ ) ->
      match check_dereferences callee_pname actual_pre sub p formal_params with
      | Some (Deref_undef_exp, desc) ->
          raise (Exceptions.Dangling_pointer_dereference (Some Sil.DAuninit, desc, try assert false with Assert_failure x -> x))
      | _ -> ()) props
 (** Perform symbolic execution for a single spec *)
 let exe_spec
    tenv cfg ret_ids (n, nspecs) caller_pdesc callee_pname loc prop path_pre
@ -867,6 +880,8 @@ let exe_spec
                caller_pdesc callee_pname loc with
        | None -> Invalid_res Cannot_combine
        | Some results ->
            (* After combining we check that we have not added a points-to of initialized variables.*)
            check_uninitialize_dangling_deref callee_pname actual_pre split.sub formal_params results;
            let inconsistent_results, consistent_results =
              list_partition (fun (p, _) -> Prover.check_inconsistency p) results in
            let incons_pre_missing = inconsistent_actualpre_missing actual_pre (Some split) in
@ -989,6 +1004,10 @@ let exe_call_postprocess tenv ret_ids trace_call callee_pname loc initial_prop r
                  trace_call Specs.CallStats.CR_not_met;
                  extend_path path_opt None;
                  raise (Exceptions.Dangling_pointer_dereference (Some Sil.DAminusone, desc, try assert false with Assert_failure x -> x))
              | Dereference_error (Deref_undef_exp, desc, path_opt) ->
                  trace_call Specs.CallStats.CR_not_met;
                  extend_path path_opt None;
                  raise (Exceptions.Dangling_pointer_dereference (Some Sil.DAuninit, desc, try assert false with Assert_failure x -> x))
              | Dereference_error (Deref_null pos, desc, path_opt) ->
                  trace_call Specs.CallStats.CR_not_met;
                  extend_path path_opt (Some pos);
--- a/infer/tests/codetoanalyze/c/errors/Makefile
+++ b/infer/tests/codetoanalyze/c/errors/Makefile
@ -9,6 +9,7 @@ all:
 	make -C resource_leaks
 	make -C memory_leaks
 	make -C lists
 	make -C dangling_deref
 clean:
 	make -C arithmetic clean
@ -20,4 +21,5 @@ clean:
 	make -C resource_leaks clean
 	make -C memory_leaks
 	make -C lists
 	make -C dangling_deref
--- a/infer/tests/codetoanalyze/c/errors/dangling_deref/Makefile
+++ b/infer/tests/codetoanalyze/c/errors/dangling_deref/Makefile
@ -0,0 +1,12 @@
 SOURCES = $(shell ls *.c)
 OBJECTS = $(SOURCES:.c=.o)
 all: clean $(OBJECTS)
 	echo $(OBJECTS)
 .c.o:
 	${CC} -c $<
 clean:
 	rm -rf $(OBJECTS)
--- a/infer/tests/codetoanalyze/c/errors/dangling_deref/dpd.c
+++ b/infer/tests/codetoanalyze/c/errors/dangling_deref/dpd.c
@ -0,0 +1,43 @@
 #include <stdio.h>
 #include <stdlib.h>
 int *set42(int* x) {
    *x=42;
    return x;
 }
 void nodpd () {
    int w,z;
    z=set42(&w);
 }
 void nodpd1 () {
    int *y =  malloc(sizeof(int));
    int *z;
    z=set42(y);
    free(y);
 }
 void dpd () {
    int *y;
    int *z;
    z=set42(y);
 }
 void intraprocdpd () {
    int *y;
    int *z;
    *y=42;
    z=y;
 }
--- a/infer/tests/endtoend/c/DanglingDereferenceTest.java
+++ b/infer/tests/endtoend/c/DanglingDereferenceTest.java
@ -0,0 +1,62 @@
 /*
 * Copyright (c) 2013- Facebook.
 * All rights reserved.
 */
 package endtoend.c;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static utils.matchers.ResultContainsExactly.containsExactly;
 import static utils.matchers.ResultContainsLineNumbers.containsLines;
 import static utils.matchers.ResultContainsErrorInMethod.contains;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import java.io.IOException;
 import utils.InferException;
 import utils.InferResults;
 import utils.InferRunner;
 public class DanglingDereferenceTest {
    public static final String SOURCE_FILE =
    "dangling_deref/dpd.c";
    public static final String DANGLING_POINTER_DEREFERENCE = "DANGLING_POINTER_DEREFERENCE";
    private static InferResults inferResults;
    @BeforeClass
    public static void runInfer() throws InterruptedException, IOException {
        inferResults = InferResults.loadCInferResults(
                                                      DanglingDereferenceTest.class,
                                                      SOURCE_FILE);
    }
    @Test
    public void DanglingDereferenceTest1() throws InterruptedException, IOException, InferException {
        assertThat(
                   "Results should contain dangling pointer dereference error",
                   inferResults,
                   contains(
                            DANGLING_POINTER_DEREFERENCE,
                            SOURCE_FILE,
                            "dpd"));
    }
    @Test
    public void DanglingDereferenceTest2() throws InterruptedException, IOException, InferException {
        assertThat(
                   "Results should contain dangling pointer dereference error",
                   inferResults,
                   contains(
                            DANGLING_POINTER_DEREFERENCE,
                            SOURCE_FILE,
                            "intraprocdpd"));
    }
 }
--- a/infer/tests/utils/InferResults.java
+++ b/infer/tests/utils/InferResults.java
@ -60,6 +60,7 @@ public class InferResults {
          errorType.equals("RETURN_VALUE_IGNORED") ||
          errorType.equals("IMMUTABLE_CAST") ||
          errorType.equals("PARAMETER_NOT_NULL_CHECKED") ||
          errorType.equals("DANGLING_POINTER_DEREFERENCE") ||
          errorType.equals("IVAR_NOT_NULL_CHECKED") ||
          errorType.startsWith("ERADICATE")) {
        Integer errorLine = Integer.parseInt(items[5].trim());