From e5b50d7d46cf06d84460ffb2095572e943d450de Mon Sep 17 00:00:00 2001 From: Jules Villard Date: Wed, 11 Mar 2020 04:52:47 -0700 Subject: [PATCH] [quandaryBO] delete :( Summary: This was never quite finished and inferbo has a new way to do sort of the same thing. Reviewed By: skcho, ngorogiannis Differential Revision: D20362619 fbshipit-source-id: 7c7935d47 --- Makefile | 2 +- infer/man/man1/infer-analyze.txt | 8 -- infer/man/man1/infer-full.txt | 10 -- infer/man/man1/infer-report.txt | 2 - infer/man/man1/infer.txt | 10 -- infer/src/IR/Errlog.ml | 24 ---- infer/src/IR/Errlog.mli | 15 --- infer/src/base/Checker.ml | 8 -- infer/src/base/Checker.mli | 1 - infer/src/base/Config.ml | 14 -- infer/src/base/Config.mli | 3 - infer/src/base/IssueType.ml | 4 - infer/src/base/IssueType.mli | 4 - infer/src/checkers/registerCheckers.ml | 7 +- infer/src/integration/JsonReports.ml | 1 - infer/src/quandary/quandaryBO.ml | 127 ------------------ infer/src/quandary/quandaryBO.mli | 10 -- .../codetoanalyze/cpp/quandaryBO/.inferconfig | 8 -- .../codetoanalyze/cpp/quandaryBO/Makefile | 57 -------- .../codetoanalyze/cpp/quandaryBO/codec.cpp | 64 --------- .../cpp/quandaryBO/issues.exp-t1 | 5 - .../cpp/quandaryBO/issues.exp-t2 | 10 -- .../cpp/quandaryBO/issues.exp-t3 | 8 -- .../cpp/quandaryBO/issues.exp-t4 | 15 --- .../cpp/quandaryBO/multitest.make | 15 --- .../cpp/quandaryBO/tainted_index.cpp | 73 ---------- 26 files changed, 4 insertions(+), 501 deletions(-) delete mode 100644 infer/src/quandary/quandaryBO.ml delete mode 100644 infer/src/quandary/quandaryBO.mli delete mode 100644 infer/tests/codetoanalyze/cpp/quandaryBO/.inferconfig delete mode 100644 infer/tests/codetoanalyze/cpp/quandaryBO/Makefile delete mode 100644 infer/tests/codetoanalyze/cpp/quandaryBO/codec.cpp delete mode 100644 infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t1 delete mode 100644 infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t2 delete mode 100644 infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t3 delete mode 100644 infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t4 delete mode 100644 infer/tests/codetoanalyze/cpp/quandaryBO/multitest.make delete mode 100644 infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp diff --git a/Makefile b/Makefile index ee74af76d..b6f13f886 100644 --- a/Makefile +++ b/Makefile @@ -68,7 +68,7 @@ DIRECT_TESTS += \ cpp_linters-for-test-only \ cpp_liveness \ cpp_pulse \ - cpp_quandary cpp_quandaryBO \ + cpp_quandary \ cpp_racerd \ cpp_siof \ cpp_starvation \ diff --git a/infer/man/man1/infer-analyze.txt b/infer/man/man1/infer-analyze.txt index 08a724a85..3099ca267 100644 --- a/infer/man/man1/infer-analyze.txt +++ b/infer/man/man1/infer-analyze.txt @@ -251,14 +251,6 @@ OPTIONS Activates: Enable --quandary and disable all other checkers (Conversely: --no-quandary-only) - --quandaryBO - Activates: [EXPERIMENTAL] The quandaryBO tainted buffer access - analysis (Conversely: --no-quandaryBO) - - --quandaryBO-only - Activates: Enable --quandaryBO and disable all other checkers - (Conversely: --no-quandaryBO-only) - --quiet,-q Activates: Do not print specs on standard output (default: only print for the report command) (Conversely: --no-quiet | -Q) diff --git a/infer/man/man1/infer-full.txt b/infer/man/man1/infer-full.txt index e3104cfc0..be016da1e 100644 --- a/infer/man/man1/infer-full.txt +++ b/infer/man/man1/infer-full.txt @@ -488,8 +488,6 @@ OPTIONS STRICT_MODE_VIOLATION (enabled by default), STRONG_SELF_NOT_CHECKED (enabled by default), Symexec_memory_error (enabled by default), - TAINTED_BUFFER_ACCESS (enabled by default), - TAINTED_MEMORY_ALLOCATION (enabled by default), THREAD_SAFETY_VIOLATION (enabled by default), TOPL_ERROR (enabled by default), UNARY_MINUS_APPLIED_TO_UNSIGNED_EXPRESSION (disabled by @@ -891,14 +889,6 @@ OPTIONS --quandary-sources json Specify custom sources for Quandary See also infer-analyze(1). - --quandaryBO - Activates: [EXPERIMENTAL] The quandaryBO tainted buffer access - analysis (Conversely: --no-quandaryBO) See also infer-analyze(1). - - --quandaryBO-only - Activates: Enable --quandaryBO and disable all other checkers - (Conversely: --no-quandaryBO-only) See also infer-analyze(1). - --quiet,-q Activates: Do not print specs on standard output (default: only print for the report command) (Conversely: --no-quiet | -Q) diff --git a/infer/man/man1/infer-report.txt b/infer/man/man1/infer-report.txt index 926de8ea2..ce8040447 100644 --- a/infer/man/man1/infer-report.txt +++ b/infer/man/man1/infer-report.txt @@ -219,8 +219,6 @@ OPTIONS STRICT_MODE_VIOLATION (enabled by default), STRONG_SELF_NOT_CHECKED (enabled by default), Symexec_memory_error (enabled by default), - TAINTED_BUFFER_ACCESS (enabled by default), - TAINTED_MEMORY_ALLOCATION (enabled by default), THREAD_SAFETY_VIOLATION (enabled by default), TOPL_ERROR (enabled by default), UNARY_MINUS_APPLIED_TO_UNSIGNED_EXPRESSION (disabled by diff --git a/infer/man/man1/infer.txt b/infer/man/man1/infer.txt index b10cb5207..77ac88d0d 100644 --- a/infer/man/man1/infer.txt +++ b/infer/man/man1/infer.txt @@ -488,8 +488,6 @@ OPTIONS STRICT_MODE_VIOLATION (enabled by default), STRONG_SELF_NOT_CHECKED (enabled by default), Symexec_memory_error (enabled by default), - TAINTED_BUFFER_ACCESS (enabled by default), - TAINTED_MEMORY_ALLOCATION (enabled by default), THREAD_SAFETY_VIOLATION (enabled by default), TOPL_ERROR (enabled by default), UNARY_MINUS_APPLIED_TO_UNSIGNED_EXPRESSION (disabled by @@ -891,14 +889,6 @@ OPTIONS --quandary-sources json Specify custom sources for Quandary See also infer-analyze(1). - --quandaryBO - Activates: [EXPERIMENTAL] The quandaryBO tainted buffer access - analysis (Conversely: --no-quandaryBO) See also infer-analyze(1). - - --quandaryBO-only - Activates: Enable --quandaryBO and disable all other checkers - (Conversely: --no-quandaryBO-only) See also infer-analyze(1). - --quiet,-q Activates: Do not print specs on standard output (default: only print for the report command) (Conversely: --no-quiet | -Q) diff --git a/infer/src/IR/Errlog.ml b/infer/src/IR/Errlog.ml index 7264dee37..1eb1088b5 100644 --- a/infer/src/IR/Errlog.ml +++ b/infer/src/IR/Errlog.ml @@ -75,15 +75,6 @@ type node = type err_key = {severity: Exceptions.severity; err_name: IssueType.t; err_desc: Localise.error_desc} [@@deriving compare] -let merge_err_key err_key1 err_key2 ~merge_issues ~merge_descriptions = - let max_sev sev1 sev2 = if Exceptions.compare_severity sev1 sev2 >= 0 then sev1 else sev2 in - { severity= max_sev err_key1.severity err_key2.severity - ; err_name= merge_issues err_key1.err_name err_key2.err_name - ; err_desc= - Localise.verbatim_desc - (merge_descriptions err_key1.err_desc.descriptions err_key2.err_desc.descriptions) } - - (** Data associated to a specific error *) type err_data = { node_id: int @@ -102,21 +93,6 @@ type err_data = let compare_err_data err_data1 err_data2 = Location.compare err_data1.loc err_data2.loc -let merge_err_data err_data1 err_data2 = - { node_id= 0 - ; node_key= None - ; session= 0 - ; loc= {err_data1.loc with col= -1} - ; loc_in_ml_source= None - ; loc_trace= concat_traces [("", err_data1.loc_trace); ("-----------", err_data2.loc_trace)] - ; err_class= Exceptions.Checker - ; visibility= Exceptions.Exn_user - ; linters_def_file= None - ; doc_url= None - ; access= None - ; extras= None } - - module ErrDataSet = (* set err_data with no repeated loc *) Caml.Set.Make (struct type t = err_data diff --git a/infer/src/IR/Errlog.mli b/infer/src/IR/Errlog.mli index 94bfea7d5..1c49d61a8 100644 --- a/infer/src/IR/Errlog.mli +++ b/infer/src/IR/Errlog.mli @@ -44,16 +44,6 @@ type err_key = private {severity: Exceptions.severity; err_name: IssueType.t; err_desc: Localise.error_desc} [@@deriving compare] -val merge_err_key : - err_key - -> err_key - -> merge_issues:(IssueType.t -> IssueType.t -> IssueType.t) - -> merge_descriptions:(string list -> string list -> string) - -> err_key -(** Merges two error keys, setting the result's severity to the maximum of that of the two arguments - and giving the user the opportunity to pass a function to merge the IssueTypes and descriptions - of the two. *) - (** Data associated to a specific error *) type err_data = private { node_id: int @@ -70,11 +60,6 @@ type err_data = private ; extras: Jsonbug_t.extra option } [@@deriving compare] -val merge_err_data : err_data -> err_data -> err_data -(** Merges two err_datas, throwing out most information and setting the trace of the result to the - concatenation of the traces of the two arguments with a separator in between. Used specifically - for QuandaryBO. *) - (** Type of the error log *) type t diff --git a/infer/src/base/Checker.ml b/infer/src/base/Checker.ml index ce74b6b93..f36ab0f33 100644 --- a/infer/src/base/Checker.ml +++ b/infer/src/base/Checker.ml @@ -27,7 +27,6 @@ type t = | Pulse | Purity | Quandary - | QuandaryBO | RacerD | ResourceLeak | SIOF @@ -207,13 +206,6 @@ let config checker = ; cli_flag= "quandary" ; enabled_by_default= false ; cli_deprecated_flags= [] } - | QuandaryBO -> - { support= supports_clang_and_java_experimental - ; short_documentation= "[EXPERIMENTAL] The quandaryBO tainted buffer access analysis" - ; show_in_help= true - ; cli_flag= "quandaryBO" - ; enabled_by_default= false - ; cli_deprecated_flags= [] } | RacerD -> { support= supports_clang_and_java ; short_documentation= "the RacerD thread safety analysis" diff --git a/infer/src/base/Checker.mli b/infer/src/base/Checker.mli index f972f9543..e4b0178ad 100644 --- a/infer/src/base/Checker.mli +++ b/infer/src/base/Checker.mli @@ -27,7 +27,6 @@ type t = | Pulse | Purity | Quandary - | QuandaryBO | RacerD | ResourceLeak | SIOF diff --git a/infer/src/base/Config.ml b/infer/src/base/Config.ml index e7dcb0c19..6098cb53c 100644 --- a/infer/src/base/Config.ml +++ b/infer/src/base/Config.ml @@ -3117,20 +3117,6 @@ let procnames_locks_dir = results_dir ^/ procnames_locks_dir_name information found in the abstract state *) let dynamic_dispatch = is_checker_enabled Biabduction -let quandaryBO_filtered_issues = - if is_checker_enabled QuandaryBO then - IssueType. - [ buffer_overrun_u5 - ; buffer_overrun_l5 - ; buffer_overrun_l4 - ; untrusted_buffer_access - ; untrusted_heap_allocation ] - |> List.filter ~f:(fun issue -> - let enabled = issue.IssueType.enabled || not filtering in - IssueType.set_enabled issue true ; not enabled ) - else [] - - (** Check if a Java package is external to the repository *) let java_package_is_external package = match external_java_packages with diff --git a/infer/src/base/Config.mli b/infer/src/base/Config.mli index 6d5fa811e..ddd0e2147 100644 --- a/infer/src/base/Config.mli +++ b/infer/src/base/Config.mli @@ -679,7 +679,4 @@ val is_in_custom_symbols : string -> string -> bool val java_package_is_external : string -> bool (** Check if a Java package is external to the repository *) -val quandaryBO_filtered_issues : IssueType.t list -(** List of issues that are enabled by QuandaryBO but should not be in the final report.json *) - val execution_id : Int64.t diff --git a/infer/src/base/IssueType.ml b/infer/src/base/IssueType.ml index e31cb318d..f9323cfe9 100644 --- a/infer/src/base/IssueType.ml +++ b/infer/src/base/IssueType.ml @@ -438,10 +438,6 @@ let symexec_memory_error = register_from_string "Symexec_memory_error" ~hum:"Symbolic Execution Memory Error" -let tainted_buffer_access = register_from_string "TAINTED_BUFFER_ACCESS" - -let tainted_memory_allocation = register_from_string "TAINTED_MEMORY_ALLOCATION" - let thread_safety_violation = register_from_string "THREAD_SAFETY_VIOLATION" let complexity_increase ~kind ~is_on_cold_start ~is_on_ui_thread = diff --git a/infer/src/base/IssueType.mli b/infer/src/base/IssueType.mli index 7d001ae6c..9fafd756c 100644 --- a/infer/src/base/IssueType.mli +++ b/infer/src/base/IssueType.mli @@ -300,10 +300,6 @@ val strong_self_not_checked : t val symexec_memory_error : t -val tainted_buffer_access : t - -val tainted_memory_allocation : t - val thread_safety_violation : t val topl_error : t diff --git a/infer/src/checkers/registerCheckers.ml b/infer/src/checkers/registerCheckers.ml index 90471206d..b14e649bb 100644 --- a/infer/src/checkers/registerCheckers.ml +++ b/infer/src/checkers/registerCheckers.ml @@ -44,13 +44,12 @@ let all_checkers = ; active= Config.( is_checker_enabled BufferOverrun || is_checker_enabled Cost - || is_checker_enabled LoopHoisting || is_checker_enabled Purity - || is_checker_enabled QuandaryBO) + || is_checker_enabled LoopHoisting || is_checker_enabled Purity) ; callbacks= [ (Procedure BufferOverrunAnalysis.do_analysis, Language.Clang) ; (Procedure BufferOverrunAnalysis.do_analysis, Language.Java) ] } ; { name= "buffer overrun checker" - ; active= Config.(is_checker_enabled BufferOverrun || is_checker_enabled QuandaryBO) + ; active= Config.(is_checker_enabled BufferOverrun) ; callbacks= [ (Procedure BufferOverrunChecker.checker, Language.Clang) ; (Procedure BufferOverrunChecker.checker, Language.Java) ] } @@ -86,7 +85,7 @@ let all_checkers = ( if Config.is_checker_enabled Impurity then [(Procedure Pulse.checker, Language.Java)] else [] ) } ; { name= "quandary" - ; active= Config.(is_checker_enabled Quandary || is_checker_enabled QuandaryBO) + ; active= Config.(is_checker_enabled Quandary) ; callbacks= [ (Procedure JavaTaintAnalysis.checker, Language.Java) ; (Procedure ClangTaintAnalysis.checker, Language.Clang) ] } diff --git a/infer/src/integration/JsonReports.ml b/infer/src/integration/JsonReports.ml index 1dd9eca7b..e12c6612b 100644 --- a/infer/src/integration/JsonReports.ml +++ b/infer/src/integration/JsonReports.ml @@ -318,7 +318,6 @@ let process_all_summaries_and_issues ~issues_outf ~costs_outf = SpecsFiles.iter_from_config ~f:(fun summary -> all_issues := process_summary ~costs_outf summary !all_issues ) ; all_issues := Issue.sort_filter_issues !all_issues ; - if Config.is_checker_enabled QuandaryBO then all_issues := QuandaryBO.update_issues !all_issues ; List.iter ~f:(fun {Issue.proc_name; proc_location; err_key; err_data} -> let error_filter = mk_error_filter filters proc_name in diff --git a/infer/src/quandary/quandaryBO.ml b/infer/src/quandary/quandaryBO.ml deleted file mode 100644 index e6da20445..000000000 --- a/infer/src/quandary/quandaryBO.ml +++ /dev/null @@ -1,127 +0,0 @@ -(* - * Copyright (c) Facebook, Inc. and its affiliates. - * - * This source code is licensed under the MIT license found in the - * LICENSE file in the root directory of this source tree. - *) - -open! IStd - -let update_issues all_issues = - let quandary_access_issues = [IssueType.untrusted_buffer_access] in - let quandary_alloc_issues = - IssueType.[untrusted_heap_allocation; untrusted_variable_length_array] - in - let inferbo_access_issues = - IssueType. - [ buffer_overrun_l1 - ; buffer_overrun_l2 - ; buffer_overrun_l3 - ; buffer_overrun_l4 - ; buffer_overrun_l5 - ; buffer_overrun_s2 - ; buffer_overrun_u5 ] - in - let inferbo_alloc_issues = - IssueType. - [ inferbo_alloc_is_big - ; inferbo_alloc_is_zero - ; inferbo_alloc_is_negative - ; inferbo_alloc_may_be_big - ; inferbo_alloc_may_be_negative ] - in - let is_quandary_access_issue issue = - List.mem quandary_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal - in - let is_quandary_alloc_issue issue = - List.mem quandary_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal - in - let is_relevant_quandary_issue issue = - is_quandary_access_issue issue || is_quandary_alloc_issue issue - in - let is_inferbo_access_issue issue = - List.mem inferbo_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal - in - let is_inferbo_alloc_issue issue = - List.mem inferbo_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal - in - let is_relevant_inferbo_issue issue = - is_inferbo_access_issue issue || is_inferbo_alloc_issue issue - in - let quandary_issues, inferBO_issues = - List.fold all_issues ~init:([], []) ~f:(fun (q_issues, iBO_issues) issue -> - if is_relevant_quandary_issue issue then (issue :: q_issues, iBO_issues) - else if is_relevant_inferbo_issue issue then (q_issues, issue :: iBO_issues) - else (q_issues, iBO_issues) ) - in - let matching_issues quandary_issue inferbo_issue = - let trace_end_match () = - let quandary_trace_end = List.last quandary_issue.Issue.err_data.loc_trace in - let inferbo_trace_end = List.last inferbo_issue.Issue.err_data.loc_trace in - match (quandary_trace_end, inferbo_trace_end) with - | Some quandary_trace_elem, Some inferbo_trace_elem -> - let q_loc = quandary_trace_elem.lt_loc in - let i_loc = inferbo_trace_elem.lt_loc in - SourceFile.equal q_loc.file i_loc.file && Int.equal q_loc.line i_loc.line - | _ -> - false - in - SourceFile.equal quandary_issue.Issue.proc_location.file inferbo_issue.Issue.proc_location.file - && Int.equal quandary_issue.Issue.proc_location.line inferbo_issue.Issue.proc_location.line - && trace_end_match () - && ( (is_quandary_alloc_issue quandary_issue && is_inferbo_alloc_issue inferbo_issue) - || (is_quandary_access_issue quandary_issue && is_inferbo_access_issue inferbo_issue) ) - in - let paired_issues = - (* Can be computed more efficiently (in n*log(n)) by using a Map mapping - file name + line number to quandary_issues to match with inferbo_issues *) - List.concat_map quandary_issues ~f:(fun quandary_issue -> - List.filter_map inferBO_issues ~f:(fun inferbo_issue -> - if matching_issues quandary_issue inferbo_issue then Some (quandary_issue, inferbo_issue) - else None ) ) - in - let merge_issues (issue1, issue2) = - { Issue.proc_name= issue1.Issue.proc_name - ; proc_location= {issue1.Issue.proc_location with col= -1} - ; err_key= - Errlog.merge_err_key issue1.Issue.err_key issue2.Issue.err_key - ~merge_issues:(fun issue1 _ -> - if IssueType.equal issue1 IssueType.untrusted_buffer_access then - IssueType.tainted_buffer_access - else IssueType.tainted_memory_allocation ) - ~merge_descriptions:(fun descs1 descs2 -> - String.concat - ( "QuandaryBO error. Quandary error(s): \"" - :: (descs1 @ ("\". InferBO error(s):\"" :: (descs2 @ ["\"."]))) ) ) - ; err_data= Errlog.merge_err_data issue1.Issue.err_data issue2.Issue.err_data } - in - (* Can merge List.map, List.concat_map and List.filter_map into a single fold. *) - let quandaryBO_issues = List.map ~f:merge_issues paired_issues in - let quandary_issues = - IssueType. - [ quandary_taint_error - ; shell_injection - ; shell_injection_risk - ; sql_injection - ; sql_injection_risk - ; untrusted_buffer_access - ; untrusted_file_risk - ; untrusted_heap_allocation - ; untrusted_url_risk - ; untrusted_variable_length_array - ; user_controlled_sql_risk ] - in - let inferbo_issues = - inferbo_alloc_issues @ inferbo_access_issues @ [IssueType.unreachable_code_after] - in - let filtered_issues = Config.quandaryBO_filtered_issues in - let all_issues_filtered = - List.filter - ~f:(fun issue -> - let issue_in ls = List.mem ls issue.Issue.err_key.err_name ~equal:IssueType.equal in - (Config.is_checker_enabled Quandary || not (issue_in quandary_issues)) - && (Config.is_checker_enabled BufferOverrun || not (issue_in inferbo_issues)) - && not (issue_in filtered_issues) ) - all_issues - in - List.rev_append all_issues_filtered quandaryBO_issues diff --git a/infer/src/quandary/quandaryBO.mli b/infer/src/quandary/quandaryBO.mli deleted file mode 100644 index 1db0726d2..000000000 --- a/infer/src/quandary/quandaryBO.mli +++ /dev/null @@ -1,10 +0,0 @@ -(* - * Copyright (c) Facebook, Inc. and its affiliates. - * - * This source code is licensed under the MIT license found in the - * LICENSE file in the root directory of this source tree. - *) - -open! IStd - -val update_issues : Issue.t list -> Issue.t list diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/.inferconfig b/infer/tests/codetoanalyze/cpp/quandaryBO/.inferconfig deleted file mode 100644 index e6e9ac25e..000000000 --- a/infer/tests/codetoanalyze/cpp/quandaryBO/.inferconfig +++ /dev/null @@ -1,8 +0,0 @@ -{ - "quandary-sources": [ - { - "procedure": "__infer_taint_source", - "kind": "Other" - } - ] -} diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/Makefile b/infer/tests/codetoanalyze/cpp/quandaryBO/Makefile deleted file mode 100644 index 92816d881..000000000 --- a/infer/tests/codetoanalyze/cpp/quandaryBO/Makefile +++ /dev/null @@ -1,57 +0,0 @@ -# Copyright (c) Facebook, Inc. and its affiliates. -# -# This source code is licensed under the MIT license found in the -# LICENSE file in the root directory of this source tree. -TESTS_DIR = ../../.. - -OPTIONS_1 = \ - --quandaryBO-only --passthroughs --debug-exceptions --filtering \ - --project-root $(TESTS_DIR) \ - -OPTIONS_2 = \ - --quandaryBO-only --quandary --enable-issue-type UNTRUSTED_BUFFER_ACCESS \ - --passthroughs --debug-exceptions --filtering \ - --project-root $(TESTS_DIR) \ - -OPTIONS_3 = \ - --quandaryBO-only --bufferoverrun --enable-issue-type BUFFER_OVERRUN_U5 \ - --passthroughs --debug-exceptions --filtering \ - --project-root $(TESTS_DIR) \ - -OPTIONS_4 = \ - --quandaryBO-only --bufferoverrun --debug-exceptions --no-filtering \ - --project-root $(TESTS_DIR) \ - -test: test1 test2 test3 test4 - -test1: - $(MAKE) -f multitest.make test TEST_SUFFIX=-t1 TEST_RESULT_SUFFIX=-t1 INFER_OPTIONS="$(OPTIONS_1)" - -test2: - $(MAKE) -f multitest.make test TEST_SUFFIX=-t2 TEST_RESULT_SUFFIX=-t2 INFER_OPTIONS="$(OPTIONS_2)" - -test3: - $(MAKE) -f multitest.make test TEST_SUFFIX=-t3 TEST_RESULT_SUFFIX=-t3 INFER_OPTIONS="$(OPTIONS_3)" - -test4: - $(MAKE) -f multitest.make test TEST_SUFFIX=-t4 TEST_RESULT_SUFFIX=-t4 INFER_OPTIONS="$(OPTIONS_4)" - -replace: replace1 replace2 replace3 replace4 - -replace1: - $(MAKE) -f multitest.make replace TEST_SUFFIX=-t1 TEST_RESULT_SUFFIX=-t1 INFER_OPTIONS="$(OPTIONS_1)" - -replace2: - $(MAKE) -f multitest.make replace TEST_SUFFIX=-t2 TEST_RESULT_SUFFIX=-t2 INFER_OPTIONS="$(OPTIONS_2)" - -replace3: - $(MAKE) -f multitest.make replace TEST_SUFFIX=-t3 TEST_RESULT_SUFFIX=-t3 INFER_OPTIONS="$(OPTIONS_3)" - -replace4: - $(MAKE) -f multitest.make replace TEST_SUFFIX=-t4 TEST_RESULT_SUFFIX=-t4 INFER_OPTIONS="$(OPTIONS_4)" - -clean: - $(MAKE) -f multitest.make clean TEST_SUFFIX=-t1 - $(MAKE) -f multitest.make clean TEST_SUFFIX=-t2 - $(MAKE) -f multitest.make clean TEST_SUFFIX=-t3 - $(MAKE) -f multitest.make clean TEST_SUFFIX=-t4 diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/codec.cpp b/infer/tests/codetoanalyze/cpp/quandaryBO/codec.cpp deleted file mode 100644 index 73a724ff1..000000000 --- a/infer/tests/codetoanalyze/cpp/quandaryBO/codec.cpp +++ /dev/null @@ -1,64 +0,0 @@ -/* - * Copyright (c) Facebook, Inc. and its affiliates. - * - * This source code is licensed under the MIT license found in the - * LICENSE file in the root directory of this source tree. - */ - -#include -#include -#include - -extern int __infer_taint_source(); - -namespace std { -template -unique_ptr make_unique(size_t n) { - typedef typename remove_extent::type U; - return unique_ptr(new U[n]()); -} -} // namespace std - -namespace Codec_Bad { -uint32_t getP_Bad(uint32_t w) { - auto w4 = w * 4; // BUG: can overflow - auto w4m1 = w4 - 1; // BUG: can underflow (if w = 0) - auto w4m1o15 = w4m1 | 15; // ALWAYS OK - auto w4m1o15p1 = w4m1o15 + 1; // BUG: can overflow - return w4m1o15p1; -} -void foo_Bad_FN() { - int w = __infer_taint_source(); - int h = __infer_taint_source(); - auto p = - getP_Bad(w); // MISSED BUG: downcasting signed int64 -> unsigned int32 - auto s = h * p; // BUG: multiplication can overflow - auto d = std::make_unique(s); // MISSED BUG: casting signed int64 - // -> unsigned int64, -} -} // namespace Codec_Bad - -namespace Codec_Bad2 { -uint64_t getP_Bad(uint64_t w) { - auto w4 = w * 4; // BUG: can overflow - auto w4m1 = w4 - 1; // BUG: can underflow (if w = 0) - auto w4m1o15 = w4m1 | 15; // ALWAYS OK - auto w4m1o15p1 = w4m1o15 + 1; // BUG: can overflow - return w4m1o15p1; -} -uint64_t checkedMultiply_Good(uint64_t a, uint64_t b) { - __uint128_t mul = ((__uint128_t)a) * b; // OK: no overflow - if ((mul >> 64) != 0) { - throw std::runtime_error("Detected overflow in checked multiplcation"); - } - auto result = (uint64_t)mul; // OK: within the bounds - return result; -} -void foo_Bad_FN_FP() { - int w = __infer_taint_source(); - int h = __infer_taint_source(); - auto p = getP_Bad(w); // MISSED BUG: casting signed int64 -> unsigned int64 - auto s = checkedMultiply_Good(h, p); // OK, FP - auto d = std::make_unique(s); // OK -} -} // namespace Codec_Bad2 diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t1 b/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t1 deleted file mode 100644 index 11ddfe395..000000000 --- a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t1 +++ /dev/null @@ -1,5 +0,0 @@ -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ] -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,,Unknown value from: __infer_taint_source,Assignment,,Array declaration,Array access: Offset: [-oo, +oo] Size: 10] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,,Parameter `i`,,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t2 b/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t2 deleted file mode 100644 index 6f73e0e92..000000000 --- a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t2 +++ /dev/null @@ -1,10 +0,0 @@ -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ] -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,,Unknown value from: __infer_taint_source,Assignment,,Array declaration,Array access: Offset: [-oo, +oo] Size: 10] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad1_FN, 0, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,,Parameter `i`,,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, overlapping_issues_good, 1, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source with tainted data @val$0.size*,Return from overlapping_issues_source_good,Call to overlapping_issues_sink_good with tainted index 0,Call to __set_array_length with tainted index 1] diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t3 b/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t3 deleted file mode 100644 index e52b61787..000000000 --- a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t3 +++ /dev/null @@ -1,8 +0,0 @@ -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ] -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, BUFFER_OVERRUN_U5, no_bucket, ERROR, [,Unknown value from: __infer_taint_source,Assignment,,Array declaration,Array access: Offset: [-oo, +oo] Size: 10] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,,Unknown value from: __infer_taint_source,Assignment,,Array declaration,Array access: Offset: [-oo, +oo] Size: 10] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, INFERBO_ALLOC_MAY_BE_BIG, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, BUFFER_OVERRUN_U5, no_bucket, ERROR, [Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,,Parameter `i`,,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,,Parameter `i`,,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t4 b/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t4 deleted file mode 100644 index 2a6cb5e10..000000000 --- a/infer/tests/codetoanalyze/cpp/quandaryBO/issues.exp-t4 +++ /dev/null @@ -1,15 +0,0 @@ -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::checkedMultiply_Good, 2, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, [Here] -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ] -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_U5, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,,Parameter `w`,Binary operation: ([0, +oo] × 4):unsigned64 by call to `Codec_Bad2::getP_Bad` ] -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 4, INTEGER_OVERFLOW_U5, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,,Parameter `a`,,Parameter `b`,Binary operation: ([0, +oo] × [0, +oo]):unsigned32 by call to `Codec_Bad2::checkedMultiply_Good` ] -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::getP_Bad, 4, INTEGER_OVERFLOW_L5, no_bucket, ERROR, [,Parameter `w`,Assignment,Assignment,Assignment,Binary operation: ([-oo, +oo] + 1):unsigned64] -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ] -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 5, INTEGER_OVERFLOW_U5, no_bucket, ERROR, [,Unknown value from: __infer_taint_source,Assignment,,Call,Parameter `w`,Assignment,Assignment,Assignment,Assignment,Assignment,Assignment,Binary operation: ([-oo, +oo] × [-oo, +oo]):unsigned32] -codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::getP_Bad, 4, INTEGER_OVERFLOW_L5, no_bucket, ERROR, [,Parameter `w`,Assignment,Assignment,Assignment,Binary operation: ([-oo, +oo] + 1):unsigned32] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, BUFFER_OVERRUN_U5, no_bucket, ERROR, [,Unknown value from: __infer_taint_source,Assignment,,Array declaration,Array access: Offset: [-oo, +oo] Size: 10] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,,Unknown value from: __infer_taint_source,Assignment,,Array declaration,Array access: Offset: [-oo, +oo] Size: 10] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, INFERBO_ALLOC_MAY_BE_BIG, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, BUFFER_OVERRUN_U5, no_bucket, ERROR, [Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,,Parameter `i`,,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,,Parameter `i`,,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] -codetoanalyze/cpp/quandaryBO/tainted_index.cpp, overlapping_issues_good, 1, BUFFER_OVERRUN_L5, no_bucket, ERROR, [Call,Assignment,Call,Parameter `__param_0->ind`,Assignment,Call,,Parameter `info->ind`,,Parameter `info->size`,Array declaration,Array access: Offset: 10 Size: [0, +oo] by call to `overlapping_issues_sink_good` ] diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/multitest.make b/infer/tests/codetoanalyze/cpp/quandaryBO/multitest.make deleted file mode 100644 index 8b3bdd24c..000000000 --- a/infer/tests/codetoanalyze/cpp/quandaryBO/multitest.make +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright (c) Facebook, Inc. and its affiliates. -# -# This source code is licensed under the MIT license found in the -# LICENSE file in the root directory of this source tree. - -TESTS_DIR = ../../.. - -# see explanations in cpp/errors/Makefile for the custom isystem -CLANG_OPTIONS = -x c++ -std=c++11 -nostdinc++ -isystem$(ROOT_DIR) -isystem$(CLANG_INCLUDES)/c++/v1/ -c - -INFERPRINT_OPTIONS = --issues-tests - -SOURCES = $(wildcard *.cpp) - -include $(TESTS_DIR)/clang.make diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp b/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp deleted file mode 100644 index ef887f030..000000000 --- a/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp +++ /dev/null @@ -1,73 +0,0 @@ -/* - * Copyright (c) Facebook, Inc. and its affiliates. - * - * This source code is licensed under the MIT license found in the - * LICENSE file in the root directory of this source tree. - */ -#include - -extern int __infer_taint_source(); -extern void __infer_taint_sink(int i); - -void basic_bad() { - int arr[10]; - int source = __infer_taint_source(); - arr[source] = 2; -} - -int multi_level_source_bad() { return __infer_taint_source(); } - -void multi_level_sink_bad(int i) { - int arr[10]; - if (i > 0) - arr[i] = 2; -} - -struct arg { - int taint; - int bo; -}; - -arg multi_level_source_ok() { - return {.taint = __infer_taint_source(), .bo = 12}; -} - -void multi_level_sink_ok(int taint, int bo) { - __infer_taint_sink(taint); - int arr[10]; - arr[bo] = 0; -} - -void multi_level_bad() { - int i = multi_level_source_bad(); - multi_level_sink_bad(i); -} - -void multi_level_good() { int i = multi_level_source_bad(); } - -void memory_alloc_bad1_FN() { int arr[__infer_taint_source()]; } - -void memory_alloc_bad2() { - int s = __infer_taint_source(); - if (s <= 2147483647) { - int arr[s]; - } -} - -struct st { - int size; - int ind; -}; - -st overlapping_issues_source_good() { - return {.size = __infer_taint_source(), .ind = 10}; -} - -void overlapping_issues_sink_good(st info) { - int arr[info.size]; - arr[info.ind] = 0; -} - -void overlapping_issues_good() { - overlapping_issues_sink_good(overlapping_issues_source_good()); -}