pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[annotreach] support for new `"symbol_regexps"` matcher

Browse Source 
Summary:
This is more powerful than `"symbols"` for more advanced use-cases. Keep
`"symbols"` unchanged to make migrating easier.

Differential Revision: D16985756

fbshipit-source-id: dfbb09393
master
Jules Villard 5 years ago committed by Facebook Github Bot
parent ed4aac4f66
commit 9e5115a9e0
9 changed files with 71 additions and 39 deletions
Show Stats Download Patch File Download Diff File

15
infer/man/man1/infer-analyze.txt
Unescape View File

@ -337,26 +337,27 @@ CLANG OPTIONS
Specify annotation reachability analyses to be performed on
C/C++/ObjC code. Each entry is a JSON object whose key is the
issue name. "sources" and "sinks" can be specified either by
symbol or path prefix. "sinks" optionally can specify "overrides"
(by symbol or path prefix) that block the reachability analysis
when hit. Example: {
symbol (including regexps) or path prefix. "sinks" optionally can
specify "overrides" (by symbol or path prefix) that block the
reachability analysis when hit. Example: {
"ISOLATED_REACHING_CONNECT": {
"doc_url": "http:://optional/issue/doc/link.html",
"doc_url":
"http:://example.com/issue/doc/optional_link.html",
"sources": {
"desc": "Code that should not call connect [optional]",
"paths": [ "isolated/" ]
},
"sinks": {
"symbols": [ "connect" ],
"overrides": { "symbols": [ "Trusted::" ] }
"overrides": { "symbol_regexps": [ ".*::Trusted::.*" ] }
}
}
}
This will cause us to create a new ISOLATED_REACHING_CONNECT
issue for every function whose source path starts with "isolated/"
that may reach the function named "connect", ignoring paths that
go through a symbol starting with "Trusted::".
go through a symbol matching the OCaml regexp ".*::Trusted::.*".
--annotation-reachability-cxx-sources json
Override sources in all cxx annotation reachability specs with the

15
infer/man/man1/infer-full.txt
Unescape View File

@ -73,26 +73,27 @@ OPTIONS
Specify annotation reachability analyses to be performed on
C/C++/ObjC code. Each entry is a JSON object whose key is the
issue name. "sources" and "sinks" can be specified either by
symbol or path prefix. "sinks" optionally can specify "overrides"
(by symbol or path prefix) that block the reachability analysis
when hit. Example: {
symbol (including regexps) or path prefix. "sinks" optionally can
specify "overrides" (by symbol or path prefix) that block the
reachability analysis when hit. Example: {
"ISOLATED_REACHING_CONNECT": {
"doc_url": "http:://optional/issue/doc/link.html",
"doc_url":
"http:://example.com/issue/doc/optional_link.html",
"sources": {
"desc": "Code that should not call connect [optional]",
"paths": [ "isolated/" ]
},
"sinks": {
"symbols": [ "connect" ],
"overrides": { "symbols": [ "Trusted::" ] }
"overrides": { "symbol_regexps": [ ".*::Trusted::.*" ] }
}
}
}
This will cause us to create a new ISOLATED_REACHING_CONNECT
issue for every function whose source path starts with "isolated/"
that may reach the function named "connect", ignoring paths that
go through a symbol starting with "Trusted::".
go through a symbol matching the OCaml regexp ".*::Trusted::.*".
See also infer-analyze(1).
--annotation-reachability-cxx-sources json

15
infer/man/man1/infer.txt
Unescape View File

@ -73,26 +73,27 @@ OPTIONS
Specify annotation reachability analyses to be performed on
C/C++/ObjC code. Each entry is a JSON object whose key is the
issue name. "sources" and "sinks" can be specified either by
symbol or path prefix. "sinks" optionally can specify "overrides"
(by symbol or path prefix) that block the reachability analysis
when hit. Example: {
symbol (including regexps) or path prefix. "sinks" optionally can
specify "overrides" (by symbol or path prefix) that block the
reachability analysis when hit. Example: {
"ISOLATED_REACHING_CONNECT": {
"doc_url": "http:://optional/issue/doc/link.html",
"doc_url":
"http:://example.com/issue/doc/optional_link.html",
"sources": {
"desc": "Code that should not call connect [optional]",
"paths": [ "isolated/" ]
},
"sinks": {
"symbols": [ "connect" ],
"overrides": { "symbols": [ "Trusted::" ] }
"overrides": { "symbol_regexps": [ ".*::Trusted::.*" ] }
}
}
}
This will cause us to create a new ISOLATED_REACHING_CONNECT
issue for every function whose source path starts with "isolated/"
that may reach the function named "connect", ignoring paths that
go through a symbol starting with "Trusted::".
go through a symbol matching the OCaml regexp ".*::Trusted::.*".
See also infer-analyze(1).
--annotation-reachability-cxx-sources json

17
infer/src/base/Config.ml
Unescape View File

@ -814,22 +814,29 @@ and { annotation_reachability
and annotation_reachability_cxx =
CLOpt.mk_json ~long:"annotation-reachability-cxx"
~in_help:InferCommand.[(Analyze, manual_clang)]
{|Specify annotation reachability analyses to be performed on C/C++/ObjC code. Each entry is a JSON object whose key is the issue name. "sources" and "sinks" can be specified either by symbol or path prefix. "sinks" optionally can specify "overrides" (by symbol or path prefix) that block the reachability analysis when hit. Example:
{
( "Specify annotation reachability analyses to be performed on C/C++/ObjC code. Each entry is \
a JSON object whose key is the issue name. \"sources\" and \"sinks\" can be specified \
either by symbol (including regexps) or path prefix. \"sinks\" optionally can specify \
\"overrides\" (by symbol or path prefix) that block the reachability analysis when hit. \
Example:\n"
^ {|{
"ISOLATED_REACHING_CONNECT": {
"doc_url": "http:://optional/issue/doc/link.html",
"doc_url": "http:://example.com/issue/doc/optional_link.html",
"sources": {
"desc": "Code that should not call connect [optional]",
"paths": [ "isolated/" ]
},
"sinks": {
"symbols": [ "connect" ],
"overrides": { "symbols": [ "Trusted::" ] }
"overrides": { "symbol_regexps": [ ".*::Trusted::.*" ] }
}
}
}
This will cause us to create a new ISOLATED_REACHING_CONNECT issue for every function whose source path starts with "isolated/" that may reach the function named "connect", ignoring paths that go through a symbol starting with "Trusted::".
|}
^ "\n\
This will cause us to create a new ISOLATED_REACHING_CONNECT issue for every function \
whose source path starts with \"isolated/\" that may reach the function named \"connect\", \
ignoring paths that go through a symbol matching the OCaml regexp \".*::Trusted::.*\"." )
and annotation_reachability_cxx_sources =

33
infer/src/checkers/annotationReachability.ml
Unescape View File

@ -263,22 +263,35 @@ module CxxAnnotationSpecs = struct
L.d_printf "%b %s.@." r desc ; r
let at_least_one_nonempty ~src symbols symbol_regexps paths =
if List.is_empty symbols && Option.is_none symbol_regexps && List.is_empty paths then
L.die UserError "Must specify at least one of `paths`, `symbols`, or `symbols_regexps` in %s"
src
let spec_from_config spec_name spec_cfg source_overrides =
let src = option_name ^ " -> " ^ spec_name in
let make_pname_pred entry ~src : Typ.Procname.t -> bool =
let symbols = U.yojson_lookup entry "symbols" ~src ~f:U.string_list_of_yojson ~default:[] in
let symbol_regexps =
U.yojson_lookup entry "symbol_regexps" ~src ~default:None ~f:(fun json ~src ->
U.string_list_of_yojson json ~src |> String.concat ~sep:"\\|" |> Str.regexp
|> Option.some )
in
let paths = U.yojson_lookup entry "paths" ~src ~f:U.string_list_of_yojson ~default:[] in
let sym_pred pname = List.exists ~f:(symbol_match (Typ.Procname.to_string pname)) symbols in
at_least_one_nonempty ~src symbols symbol_regexps paths ;
let sym_pred pname_string = List.exists ~f:(symbol_match pname_string) symbols in
let sym_regexp_pred pname_string =
match symbol_regexps with
| None ->
false
| Some regexp ->
Str.string_match regexp pname_string 0
in
let path_pred pname = List.exists ~f:(path_match (src_path_of pname)) paths in
match (symbols, paths) with
| [], [] ->
L.die UserError "Must specify either `paths` or `symbols` in %s" src
| _, [] ->
sym_pred
| [], _ ->
path_pred
| _, _ ->
fun pname -> sym_pred pname || path_pred pname
fun pname ->
let pname_string = Typ.Procname.to_string pname in
sym_pred pname_string || sym_regexp_pred pname_string || path_pred pname
in
let sources, sources_src =
if List.length source_overrides > 0 then (source_overrides, src_option_name)

7
infer/tests/codetoanalyze/cpp/annotation-reachability/Makefile
Unescape View File

@ -28,11 +28,12 @@ INFER_OPTIONS = --annotation-reachability-only --debug-exceptions --project-root
"sinks": { \
"desc": "a disallowed API", \
"overrides": { \
"symbols": [ \
"safewrapper::" \
"symbol_regexps": [ \
".*::safewrapper::wrapper$$", \
".*::safewrapper::Wrapper::" \
] \
}, \
"symbols" : [ "details::" ], \
"symbols" : [ "library::details::" ], \
"paths": [ "codetoanalyze/cpp/annotation-reachability/forbidden/" ] \
} \
} \

3
infer/tests/codetoanalyze/cpp/annotation-reachability/forbidden/library.cpp
Unescape View File

@ -5,6 +5,8 @@
* LICENSE file in the root directory of this source tree.
*/
namespace library {
// low-level implementation, clients shouldn't use directly
namespace details {
@ -29,3 +31,4 @@ struct Wrapper {
void wrapper() { details::low_level(); }
} // namespace safewrapper
} // namespace library

3
infer/tests/codetoanalyze/cpp/annotation-reachability/forbidden/library.h
Unescape View File

@ -4,6 +4,8 @@
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
namespace library {
namespace safewrapper {
struct Wrapper {
@ -22,3 +24,4 @@ struct LowLevel {
~LowLevel();
};
} // namespace details
} // namespace library

2
infer/tests/codetoanalyze/cpp/annotation-reachability/sources/client.cpp
Unescape View File

@ -8,6 +8,8 @@
namespace client {
using namespace library;
void call_protected_api_bad() { details::low_level(); }
void call_wrapper_ok() { safewrapper::wrapper(); }

Write Preview
Loading…
Cancel
Save