pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[inferbo] Top for unanalyzed variables (e.g., global variables)

Browse Source 
Summary:
This commit fixes a problem that the buffer overrun checker incorrectly
stops when a global variable (bottom) is involved in control flow.
In the new version, abstract memories return Top for unanalyzed abstract
variables.

Reviewed By: mbouaziz

Differential Revision: D5016447

fbshipit-source-id: 5132448
master
Kihong Heo 8 years ago committed by Facebook Github Bot
parent d446f0f800
commit 984a81413a
7 changed files with 504 additions and 469 deletions
Show Stats Download Patch File Download Diff File

8
infer/src/bufferoverrun/absLoc.ml
Unescape View File

@ -25,8 +25,10 @@ struct
| Var of Var.t | Var of Var.t
| Allocsite of Allocsite.t | Allocsite of Allocsite.t
| Field of t * Fieldname.t | Field of t * Fieldname.t
| Unknown
[@@deriving compare] [@@deriving compare]
let unknown = Unknown
let rec pp fmt = function let rec pp fmt = function
| Var v -> | Var v ->
Var.pp F.str_formatter v; Var.pp F.str_formatter v;
@ -36,6 +38,7 @@ struct
else F.fprintf fmt "%s" s else F.fprintf fmt "%s" s
| Allocsite a -> Allocsite.pp fmt a | Allocsite a -> Allocsite.pp fmt a
| Field (l, f) -> F.fprintf fmt "%a.%a" pp l Fieldname.pp f | Field (l, f) -> F.fprintf fmt "%a.%a" pp l Fieldname.pp f
| Unknown -> F.fprintf fmt "Unknown"
let is_var = function Var _ -> true | _ -> false let is_var = function Var _ -> true | _ -> false
let is_logical_var = function let is_logical_var = function
| Var (Var.LogicalVar _) -> true | Var (Var.LogicalVar _) -> true
@ -59,7 +62,10 @@ struct
let bot = empty let bot = empty
let is_bot = is_empty let is_bot = is_empty
let unknown = singleton Loc.unknown
let of_pvar pvar = singleton (Loc.of_pvar pvar) let of_pvar pvar = singleton (Loc.of_pvar pvar)
let of_id id = singleton (Loc.of_id id) let of_id id = singleton (Loc.of_id id)
let append_field ploc fn = fold (fun l -> add (Loc.append_field l fn)) ploc empty let append_field ploc fn =
if is_bot ploc then singleton Loc.unknown
else fold (fun l -> add (Loc.append_field l fn)) ploc empty
end end

14
infer/src/bufferoverrun/bufferOverrunChecker.ml
Unescape View File

@ -70,6 +70,14 @@ struct
= fun pname ret params node mem -> = fun pname ret params node mem ->
model_malloc pname ret (List.tl_exn params) node mem model_malloc pname ret (List.tl_exn params) node mem
let model_fgetc : (Ident.t * Typ.t) option -> Dom.Mem.astate -> Dom.Mem.astate
= fun ret mem ->
match ret with
| Some (id, _) ->
let itv = Itv.make (Itv.Bound.of_int (-1)) Itv.Bound.PInf in
Dom.Mem.add_stack (Loc.of_id id) (Dom.Val.of_itv itv) mem
| _ -> mem
let model_natual_itv : (Ident.t * Typ.t) option -> Dom.Mem.astate -> Dom.Mem.astate let model_natual_itv : (Ident.t * Typ.t) option -> Dom.Mem.astate -> Dom.Mem.astate
= fun ret mem -> = fun ret mem ->
match ret with match ret with
@ -103,8 +111,8 @@ struct
| "malloc" | "malloc"
| "__new_array" -> model_malloc pname ret params node mem | "__new_array" -> model_malloc pname ret params node mem
| "realloc" -> model_realloc pname ret params node mem | "realloc" -> model_realloc pname ret params node mem
| "strlen" | "strlen" -> model_natual_itv ret mem
| "fgetc" -> model_natual_itv ret mem | "fgetc" -> model_fgetc ret mem
| "infer_print" -> model_infer_print params mem loc | "infer_print" -> model_infer_print params mem loc
| _ -> model_unknown_itv ret mem | _ -> model_unknown_itv ret mem
@ -148,7 +156,7 @@ struct
in in
let decl_fld (mem, sym_num) (fn, typ, _) = let decl_fld (mem, sym_num) (fn, typ, _) =
let loc = let loc =
mem |> Dom.Mem.find_heap loc |> Dom.Val.get_all_locs |> PowLoc.choose mem |> Dom.Mem.find_heap loc |> Dom.Val.get_array_locs |> PowLoc.choose
in in
let field = Loc.append_field loc fn in let field = Loc.append_field loc fn in
match typ.Typ.desc with match typ.Typ.desc with

10
infer/src/bufferoverrun/bufferOverrunDomain.ml
Unescape View File

@ -87,8 +87,9 @@ let filter1 : t -> bool
let filter2 : t -> bool let filter2 : t -> bool
= fun c -> = fun c ->
(not (Itv.is_finite c.idx) || not (Itv.is_finite c.size)) (* basically, alarms involving infinity are filtered *) (* basically, alarms involving infinity are filtered *)
&& (* except the following cases: *) (not (Itv.is_finite c.idx) || not (Itv.is_finite c.size))
&& (* except the following cases *)
not ((Itv.Bound.is_not_infty (Itv.lb c.idx) && (* idx non-infty lb < 0 *) not ((Itv.Bound.is_not_infty (Itv.lb c.idx) && (* idx non-infty lb < 0 *)
Itv.Bound.lt (Itv.lb c.idx) Itv.Bound.zero) Itv.Bound.lt (Itv.lb c.idx) Itv.Bound.zero)
|| ||
@ -277,6 +278,9 @@ struct
let of_int : int -> t let of_int : int -> t
= fun n -> { bot with itv = Itv.of_int n } = fun n -> { bot with itv = Itv.of_int n }
let of_itv : Itv.t -> t
= fun itv -> { bot with itv }
let of_pow_loc : PowLoc.t -> t let of_pow_loc : PowLoc.t -> t
= fun x -> { bot with powloc = x } = fun x -> { bot with powloc = x }
@ -496,7 +500,7 @@ struct
let find : Loc.t -> astate -> Val.t let find : Loc.t -> astate -> Val.t
= fun l m -> = fun l m ->
try find l m with try find l m with
| Not_found -> Val.bot | Not_found -> Val.top_itv
let find_set : PowLoc.t -> astate -> Val.t let find_set : PowLoc.t -> astate -> Val.t
= fun locs mem -> = fun locs mem ->

14
infer/src/bufferoverrun/bufferOverrunSemantics.ml
Unescape View File

@ -157,13 +157,13 @@ struct
| Exp.Cast (_, e) -> eval e mem loc | Exp.Cast (_, e) -> eval e mem loc
| Exp.Lfield (e, fn, _) -> | Exp.Lfield (e, fn, _) ->
eval e mem loc eval e mem loc
|> Val.get_all_locs |> Val.get_array_locs
|> Fn.flip PowLoc.append_field fn |> Fn.flip PowLoc.append_field fn
|> Val.of_pow_loc |> Val.of_pow_loc
| Exp.Lindex (e1, _) -> | Exp.Lindex (e1, _) ->
let arr = eval e1 mem loc in (* must have array blk *) let arr = eval e1 mem loc |> Val.get_array_blk in (* must have array blk *)
(* let idx = eval e2 mem loc in *) (* let idx = eval e2 mem loc in *)
let ploc = arr |> Val.get_array_blk |> ArrayBlk.get_pow_loc in let ploc = if ArrayBlk.is_bot arr then PowLoc.unknown else ArrayBlk.get_pow_loc arr in
(* if nested array, add the array blk *) (* if nested array, add the array blk *)
let arr = Mem.find_heap_set ploc mem in let arr = Mem.find_heap_set ploc mem in
Val.join (Val.of_pow_loc ploc) arr Val.join (Val.of_pow_loc ploc) arr
@ -356,14 +356,14 @@ struct
let get_size v = v |> Val.get_array_blk |> ArrayBlk.sizeof in let get_size v = v |> Val.get_array_blk |> ArrayBlk.sizeof in
let get_field_name (fn, _, _) = fn in let get_field_name (fn, _, _) = fn in
let deref_field v fn mem = let deref_field v fn mem =
Mem.find_heap_set (PowLoc.append_field (Val.get_all_locs v) fn) mem Mem.find_heap_set (PowLoc.append_field (Val.get_array_locs v) fn) mem
in in
let deref_ptr v mem = Mem.find_heap_set (Val.get_all_locs v) mem in let deref_ptr v mem = Mem.find_heap_set (Val.get_array_locs v) mem in
let add_pair_itv itv1 itv2 l = let add_pair_itv itv1 itv2 l =
let open Itv in let open Itv in
if itv1 <> bot && itv2 <> bot then if itv1 <> bot && itv1 <> top && itv2 <> bot then
(lb itv1, lb itv2) :: (ub itv1, ub itv2) :: l (lb itv1, lb itv2) :: (ub itv1, ub itv2) :: l
else if itv1 <> bot && Itv.eq itv2 bot then else if itv1 <> bot && itv1 <> top && Itv.eq itv2 bot then
(lb itv1, Bound.Bot) :: (ub itv1, Bound.Bot) :: l (lb itv1, Bound.Bot) :: (ub itv1, Bound.Bot) :: l
else else
l l

15
infer/tests/codetoanalyze/c/bufferoverrun/global.c
Unescape View File

@ -0,0 +1,15 @@
/*
* Copyright (c) 2017 - present Facebook, Inc.
* All rights reserved.
*
* This source code is licensed under the BSD style license found in the
* LICENSE file in the root directory of this source tree. An additional grant
* of patent rights can be found in the PATENTS file in the same directory.
*/
int global;
void compare_global_variable_bad() {
char arr[10];
if (global < 10)
arr[10] = 1;
}

1
infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
Unescape View File

@ -4,6 +4,7 @@ codetoanalyze/c/bufferoverrun/do_while.c, do_while, 3, BUFFER_OVERRUN, [Offset:
codetoanalyze/c/bufferoverrun/for_loop.c, for_loop, 10, BUFFER_OVERRUN, [Offset: [0, 9] Size: [5, 10] @ codetoanalyze/c/bufferoverrun/for_loop.c:38:5] codetoanalyze/c/bufferoverrun/for_loop.c, for_loop, 10, BUFFER_OVERRUN, [Offset: [0, 9] Size: [5, 10] @ codetoanalyze/c/bufferoverrun/for_loop.c:38:5]
codetoanalyze/c/bufferoverrun/function_call.c, function_call, 4, BUFFER_OVERRUN, [Offset: [20, 20] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/function_call.c:18:3 by call `arr_access()` ] codetoanalyze/c/bufferoverrun/function_call.c, function_call, 4, BUFFER_OVERRUN, [Offset: [20, 20] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/function_call.c:18:3 by call `arr_access()` ]
codetoanalyze/c/bufferoverrun/function_call.c, function_call, 4, BUFFER_OVERRUN, [Offset: [100, 100] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/function_call.c:17:3 by call `arr_access()` ] codetoanalyze/c/bufferoverrun/function_call.c, function_call, 4, BUFFER_OVERRUN, [Offset: [100, 100] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/function_call.c:17:3 by call `arr_access()` ]
codetoanalyze/c/bufferoverrun/global.c, compare_global_variable_bad, 3, BUFFER_OVERRUN, [Offset: [10, 10] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/global.c:14:5]
codetoanalyze/c/bufferoverrun/goto_loop.c, goto_loop, 11, BUFFER_OVERRUN, [Offset: [10, +oo] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/goto_loop.c:24:3] codetoanalyze/c/bufferoverrun/goto_loop.c, goto_loop, 11, BUFFER_OVERRUN, [Offset: [10, +oo] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/goto_loop.c:24:3]
codetoanalyze/c/bufferoverrun/nested_loop.c, nested_loop, 7, BUFFER_OVERRUN, [Offset: [0, 10] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/nested_loop.c:20:7] codetoanalyze/c/bufferoverrun/nested_loop.c, nested_loop, 7, BUFFER_OVERRUN, [Offset: [0, 10] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/nested_loop.c:20:7]
codetoanalyze/c/bufferoverrun/nested_loop_with_label.c, nested_loop_with_label, 6, BUFFER_OVERRUN, [Offset: [0, +oo] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/nested_loop_with_label.c:19:5] codetoanalyze/c/bufferoverrun/nested_loop_with_label.c, nested_loop_with_label, 6, BUFFER_OVERRUN, [Offset: [0, +oo] Size: [10, 10] @ codetoanalyze/c/bufferoverrun/nested_loop_with_label.c:19:5]

1
infer/tests/codetoanalyze/cpp/bufferoverrun/issues.exp
Unescape View File

@ -1,3 +1,4 @@
codetoanalyze/cpp/bufferoverrun/simple_vector.cpp, instantiate_my_vector_oob_Ok, 3, BUFFER_OVERRUN, [Offset: [-oo, +oo] Size: [0, +oo] @ codetoanalyze/cpp/bufferoverrun/simple_vector.cpp:21:23 by call `my_vector_oob_Bad()` ]
codetoanalyze/cpp/bufferoverrun/simple_vector.cpp, my_vector_oob_Bad, 2, BUFFER_OVERRUN, [Offset: [s$6, s$7] Size: [s$6, s$7] @ codetoanalyze/cpp/bufferoverrun/simple_vector.cpp:21:23 by call `int_vector_access_at()` ] codetoanalyze/cpp/bufferoverrun/simple_vector.cpp, my_vector_oob_Bad, 2, BUFFER_OVERRUN, [Offset: [s$6, s$7] Size: [s$6, s$7] @ codetoanalyze/cpp/bufferoverrun/simple_vector.cpp:21:23 by call `int_vector_access_at()` ]
codetoanalyze/cpp/bufferoverrun/trivial.cpp, trivial, 2, BUFFER_OVERRUN, [Offset: [10, 10] Size: [10, 10] @ codetoanalyze/cpp/bufferoverrun/trivial.cpp:15:3] codetoanalyze/cpp/bufferoverrun/trivial.cpp, trivial, 2, BUFFER_OVERRUN, [Offset: [10, 10] Size: [10, 10] @ codetoanalyze/cpp/bufferoverrun/trivial.cpp:15:3]
codetoanalyze/cpp/bufferoverrun/vector.cpp, out_of_bound_Bad, 2, BUFFER_OVERRUN, [Offset: [s$14, s$15] Size: [s$14, s$15] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:91:24 by call `std::vector<int,std::allocator<int>>_operator[]()` ] codetoanalyze/cpp/bufferoverrun/vector.cpp, out_of_bound_Bad, 2, BUFFER_OVERRUN, [Offset: [s$14, s$15] Size: [s$14, s$15] @ INFER_MODEL/cpp/include/infer_model/vector_bufferoverrun.h:91:24 by call `std::vector<int,std::allocator<int>>_operator[]()` ]

Write Preview
Loading…
Cancel
Save