[annotreach] support for new `"symbol_regexps"` matcher

Summary:
This is more powerful than `"symbols"` for more advanced use-cases. Keep
`"symbols"` unchanged to make migrating easier.

Differential Revision: D16985756

fbshipit-source-id: dfbb09393
master
Jules Villard 5 years ago committed by Facebook Github Bot
parent ed4aac4f66
commit 9e5115a9e0

@ -337,26 +337,27 @@ CLANG OPTIONS
Specify annotation reachability analyses to be performed on Specify annotation reachability analyses to be performed on
C/C++/ObjC code. Each entry is a JSON object whose key is the C/C++/ObjC code. Each entry is a JSON object whose key is the
issue name. "sources" and "sinks" can be specified either by issue name. "sources" and "sinks" can be specified either by
symbol or path prefix. "sinks" optionally can specify "overrides" symbol (including regexps) or path prefix. "sinks" optionally can
(by symbol or path prefix) that block the reachability analysis specify "overrides" (by symbol or path prefix) that block the
when hit. Example: { reachability analysis when hit. Example: {
"ISOLATED_REACHING_CONNECT": { "ISOLATED_REACHING_CONNECT": {
"doc_url": "http:://optional/issue/doc/link.html", "doc_url":
"http:://example.com/issue/doc/optional_link.html",
"sources": { "sources": {
"desc": "Code that should not call connect [optional]", "desc": "Code that should not call connect [optional]",
"paths": [ "isolated/" ] "paths": [ "isolated/" ]
}, },
"sinks": { "sinks": {
"symbols": [ "connect" ], "symbols": [ "connect" ],
"overrides": { "symbols": [ "Trusted::" ] } "overrides": { "symbol_regexps": [ ".*::Trusted::.*" ] }
} }
} }
} }
This will cause us to create a new ISOLATED_REACHING_CONNECT This will cause us to create a new ISOLATED_REACHING_CONNECT
issue for every function whose source path starts with "isolated/" issue for every function whose source path starts with "isolated/"
that may reach the function named "connect", ignoring paths that that may reach the function named "connect", ignoring paths that
go through a symbol starting with "Trusted::". go through a symbol matching the OCaml regexp ".*::Trusted::.*".
--annotation-reachability-cxx-sources json --annotation-reachability-cxx-sources json
Override sources in all cxx annotation reachability specs with the Override sources in all cxx annotation reachability specs with the

@ -73,26 +73,27 @@ OPTIONS
Specify annotation reachability analyses to be performed on Specify annotation reachability analyses to be performed on
C/C++/ObjC code. Each entry is a JSON object whose key is the C/C++/ObjC code. Each entry is a JSON object whose key is the
issue name. "sources" and "sinks" can be specified either by issue name. "sources" and "sinks" can be specified either by
symbol or path prefix. "sinks" optionally can specify "overrides" symbol (including regexps) or path prefix. "sinks" optionally can
(by symbol or path prefix) that block the reachability analysis specify "overrides" (by symbol or path prefix) that block the
when hit. Example: { reachability analysis when hit. Example: {
"ISOLATED_REACHING_CONNECT": { "ISOLATED_REACHING_CONNECT": {
"doc_url": "http:://optional/issue/doc/link.html", "doc_url":
"http:://example.com/issue/doc/optional_link.html",
"sources": { "sources": {
"desc": "Code that should not call connect [optional]", "desc": "Code that should not call connect [optional]",
"paths": [ "isolated/" ] "paths": [ "isolated/" ]
}, },
"sinks": { "sinks": {
"symbols": [ "connect" ], "symbols": [ "connect" ],
"overrides": { "symbols": [ "Trusted::" ] } "overrides": { "symbol_regexps": [ ".*::Trusted::.*" ] }
} }
} }
} }
This will cause us to create a new ISOLATED_REACHING_CONNECT This will cause us to create a new ISOLATED_REACHING_CONNECT
issue for every function whose source path starts with "isolated/" issue for every function whose source path starts with "isolated/"
that may reach the function named "connect", ignoring paths that that may reach the function named "connect", ignoring paths that
go through a symbol starting with "Trusted::". go through a symbol matching the OCaml regexp ".*::Trusted::.*".
See also infer-analyze(1). See also infer-analyze(1).
--annotation-reachability-cxx-sources json --annotation-reachability-cxx-sources json

@ -73,26 +73,27 @@ OPTIONS
Specify annotation reachability analyses to be performed on Specify annotation reachability analyses to be performed on
C/C++/ObjC code. Each entry is a JSON object whose key is the C/C++/ObjC code. Each entry is a JSON object whose key is the
issue name. "sources" and "sinks" can be specified either by issue name. "sources" and "sinks" can be specified either by
symbol or path prefix. "sinks" optionally can specify "overrides" symbol (including regexps) or path prefix. "sinks" optionally can
(by symbol or path prefix) that block the reachability analysis specify "overrides" (by symbol or path prefix) that block the
when hit. Example: { reachability analysis when hit. Example: {
"ISOLATED_REACHING_CONNECT": { "ISOLATED_REACHING_CONNECT": {
"doc_url": "http:://optional/issue/doc/link.html", "doc_url":
"http:://example.com/issue/doc/optional_link.html",
"sources": { "sources": {
"desc": "Code that should not call connect [optional]", "desc": "Code that should not call connect [optional]",
"paths": [ "isolated/" ] "paths": [ "isolated/" ]
}, },
"sinks": { "sinks": {
"symbols": [ "connect" ], "symbols": [ "connect" ],
"overrides": { "symbols": [ "Trusted::" ] } "overrides": { "symbol_regexps": [ ".*::Trusted::.*" ] }
} }
} }
} }
This will cause us to create a new ISOLATED_REACHING_CONNECT This will cause us to create a new ISOLATED_REACHING_CONNECT
issue for every function whose source path starts with "isolated/" issue for every function whose source path starts with "isolated/"
that may reach the function named "connect", ignoring paths that that may reach the function named "connect", ignoring paths that
go through a symbol starting with "Trusted::". go through a symbol matching the OCaml regexp ".*::Trusted::.*".
See also infer-analyze(1). See also infer-analyze(1).
--annotation-reachability-cxx-sources json --annotation-reachability-cxx-sources json

@ -814,22 +814,29 @@ and { annotation_reachability
and annotation_reachability_cxx = and annotation_reachability_cxx =
CLOpt.mk_json ~long:"annotation-reachability-cxx" CLOpt.mk_json ~long:"annotation-reachability-cxx"
~in_help:InferCommand.[(Analyze, manual_clang)] ~in_help:InferCommand.[(Analyze, manual_clang)]
{|Specify annotation reachability analyses to be performed on C/C++/ObjC code. Each entry is a JSON object whose key is the issue name. "sources" and "sinks" can be specified either by symbol or path prefix. "sinks" optionally can specify "overrides" (by symbol or path prefix) that block the reachability analysis when hit. Example: ( "Specify annotation reachability analyses to be performed on C/C++/ObjC code. Each entry is \
{ a JSON object whose key is the issue name. \"sources\" and \"sinks\" can be specified \
either by symbol (including regexps) or path prefix. \"sinks\" optionally can specify \
\"overrides\" (by symbol or path prefix) that block the reachability analysis when hit. \
Example:\n"
^ {|{
"ISOLATED_REACHING_CONNECT": { "ISOLATED_REACHING_CONNECT": {
"doc_url": "http:://optional/issue/doc/link.html", "doc_url": "http:://example.com/issue/doc/optional_link.html",
"sources": { "sources": {
"desc": "Code that should not call connect [optional]", "desc": "Code that should not call connect [optional]",
"paths": [ "isolated/" ] "paths": [ "isolated/" ]
}, },
"sinks": { "sinks": {
"symbols": [ "connect" ], "symbols": [ "connect" ],
"overrides": { "symbols": [ "Trusted::" ] } "overrides": { "symbol_regexps": [ ".*::Trusted::.*" ] }
} }
} }
} }
This will cause us to create a new ISOLATED_REACHING_CONNECT issue for every function whose source path starts with "isolated/" that may reach the function named "connect", ignoring paths that go through a symbol starting with "Trusted::".
|} |}
^ "\n\
This will cause us to create a new ISOLATED_REACHING_CONNECT issue for every function \
whose source path starts with \"isolated/\" that may reach the function named \"connect\", \
ignoring paths that go through a symbol matching the OCaml regexp \".*::Trusted::.*\"." )
and annotation_reachability_cxx_sources = and annotation_reachability_cxx_sources =

@ -263,22 +263,35 @@ module CxxAnnotationSpecs = struct
L.d_printf "%b %s.@." r desc ; r L.d_printf "%b %s.@." r desc ; r
let at_least_one_nonempty ~src symbols symbol_regexps paths =
if List.is_empty symbols && Option.is_none symbol_regexps && List.is_empty paths then
L.die UserError "Must specify at least one of `paths`, `symbols`, or `symbols_regexps` in %s"
src
let spec_from_config spec_name spec_cfg source_overrides = let spec_from_config spec_name spec_cfg source_overrides =
let src = option_name ^ " -> " ^ spec_name in let src = option_name ^ " -> " ^ spec_name in
let make_pname_pred entry ~src : Typ.Procname.t -> bool = let make_pname_pred entry ~src : Typ.Procname.t -> bool =
let symbols = U.yojson_lookup entry "symbols" ~src ~f:U.string_list_of_yojson ~default:[] in let symbols = U.yojson_lookup entry "symbols" ~src ~f:U.string_list_of_yojson ~default:[] in
let symbol_regexps =
U.yojson_lookup entry "symbol_regexps" ~src ~default:None ~f:(fun json ~src ->
U.string_list_of_yojson json ~src |> String.concat ~sep:"\\|" |> Str.regexp
|> Option.some )
in
let paths = U.yojson_lookup entry "paths" ~src ~f:U.string_list_of_yojson ~default:[] in let paths = U.yojson_lookup entry "paths" ~src ~f:U.string_list_of_yojson ~default:[] in
let sym_pred pname = List.exists ~f:(symbol_match (Typ.Procname.to_string pname)) symbols in at_least_one_nonempty ~src symbols symbol_regexps paths ;
let sym_pred pname_string = List.exists ~f:(symbol_match pname_string) symbols in
let sym_regexp_pred pname_string =
match symbol_regexps with
| None ->
false
| Some regexp ->
Str.string_match regexp pname_string 0
in
let path_pred pname = List.exists ~f:(path_match (src_path_of pname)) paths in let path_pred pname = List.exists ~f:(path_match (src_path_of pname)) paths in
match (symbols, paths) with fun pname ->
| [], [] -> let pname_string = Typ.Procname.to_string pname in
L.die UserError "Must specify either `paths` or `symbols` in %s" src sym_pred pname_string || sym_regexp_pred pname_string || path_pred pname
| _, [] ->
sym_pred
| [], _ ->
path_pred
| _, _ ->
fun pname -> sym_pred pname || path_pred pname
in in
let sources, sources_src = let sources, sources_src =
if List.length source_overrides > 0 then (source_overrides, src_option_name) if List.length source_overrides > 0 then (source_overrides, src_option_name)

@ -28,11 +28,12 @@ INFER_OPTIONS = --annotation-reachability-only --debug-exceptions --project-root
"sinks": { \ "sinks": { \
"desc": "a disallowed API", \ "desc": "a disallowed API", \
"overrides": { \ "overrides": { \
"symbols": [ \ "symbol_regexps": [ \
"safewrapper::" \ ".*::safewrapper::wrapper$$", \
".*::safewrapper::Wrapper::" \
] \ ] \
}, \ }, \
"symbols" : [ "details::" ], \ "symbols" : [ "library::details::" ], \
"paths": [ "codetoanalyze/cpp/annotation-reachability/forbidden/" ] \ "paths": [ "codetoanalyze/cpp/annotation-reachability/forbidden/" ] \
} \ } \
} \ } \

@ -5,6 +5,8 @@
* LICENSE file in the root directory of this source tree. * LICENSE file in the root directory of this source tree.
*/ */
namespace library {
// low-level implementation, clients shouldn't use directly // low-level implementation, clients shouldn't use directly
namespace details { namespace details {
@ -29,3 +31,4 @@ struct Wrapper {
void wrapper() { details::low_level(); } void wrapper() { details::low_level(); }
} // namespace safewrapper } // namespace safewrapper
} // namespace library

@ -4,6 +4,8 @@
* This source code is licensed under the MIT license found in the * This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree. * LICENSE file in the root directory of this source tree.
*/ */
namespace library {
namespace safewrapper { namespace safewrapper {
struct Wrapper { struct Wrapper {
@ -22,3 +24,4 @@ struct LowLevel {
~LowLevel(); ~LowLevel();
}; };
} // namespace details } // namespace details
} // namespace library

@ -8,6 +8,8 @@
namespace client { namespace client {
using namespace library;
void call_protected_api_bad() { details::low_level(); } void call_protected_api_bad() { details::low_level(); }
void call_wrapper_ok() { safewrapper::wrapper(); } void call_wrapper_ok() { safewrapper::wrapper(); }

Loading…
Cancel
Save