|
|
@ -17,7 +17,6 @@ module L = Logging
|
|
|
|
module Models = BufferOverrunModels
|
|
|
|
module Models = BufferOverrunModels
|
|
|
|
module Sem = BufferOverrunSemantics
|
|
|
|
module Sem = BufferOverrunSemantics
|
|
|
|
module Trace = BufferOverrunTrace
|
|
|
|
module Trace = BufferOverrunTrace
|
|
|
|
module TypModels = BufferOverrunTypModels
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
module Payload = SummaryPayload.Make (struct
|
|
|
|
module Payload = SummaryPayload.Make (struct
|
|
|
|
type t = BufferOverrunSummary.t
|
|
|
|
type t = BufferOverrunSummary.t
|
|
|
@ -33,31 +32,17 @@ module CFG = ProcCfg.NormalOneInstrPerNode
|
|
|
|
|
|
|
|
|
|
|
|
module Init = struct
|
|
|
|
module Init = struct
|
|
|
|
let initial_state {ProcData.pdesc; tenv; extras= oenv} start_node =
|
|
|
|
let initial_state {ProcData.pdesc; tenv; extras= oenv} start_node =
|
|
|
|
let node_hash = CFG.Node.hash start_node in
|
|
|
|
let try_decl_local =
|
|
|
|
let location = CFG.Node.loc start_node in
|
|
|
|
let pname = Procdesc.get_proc_name pdesc in
|
|
|
|
let pname = Procdesc.get_proc_name pdesc in
|
|
|
|
let model_env =
|
|
|
|
let rec decl_local pname ~node_hash location loc typ ~inst_num ~represents_multiple_values
|
|
|
|
let node_hash = CFG.Node.hash start_node in
|
|
|
|
~dimension mem =
|
|
|
|
let location = CFG.Node.loc start_node in
|
|
|
|
match typ.Typ.desc with
|
|
|
|
let integer_type_widths = oenv.Dom.OndemandEnv.integer_type_widths in
|
|
|
|
| Typ.Tarray {elt= typ; length; stride} ->
|
|
|
|
BoUtils.ModelEnv.mk_model_env pname ~node_hash location tenv integer_type_widths
|
|
|
|
let stride = Option.map ~f:IntLit.to_int_exn stride in
|
|
|
|
in
|
|
|
|
BoUtils.Exec.decl_local_array ~decl_local pname ~node_hash location loc typ ~length
|
|
|
|
fun (mem, inst_num) {ProcAttributes.name; typ} ->
|
|
|
|
?stride ~inst_num ~represents_multiple_values ~dimension mem
|
|
|
|
let loc = Loc.of_pvar (Pvar.mk name pname) in
|
|
|
|
| Typ.Tstruct typname -> (
|
|
|
|
BoUtils.Exec.decl_local model_env (mem, inst_num) (loc, typ)
|
|
|
|
match TypModels.dispatch tenv typname with
|
|
|
|
|
|
|
|
| Some (CArray {element_typ; length}) ->
|
|
|
|
|
|
|
|
BoUtils.Exec.decl_local_array ~decl_local pname ~node_hash location loc element_typ
|
|
|
|
|
|
|
|
~length:(Some length) ~inst_num ~represents_multiple_values ~dimension mem
|
|
|
|
|
|
|
|
| Some JavaCollection | None ->
|
|
|
|
|
|
|
|
(mem, inst_num) )
|
|
|
|
|
|
|
|
| _ ->
|
|
|
|
|
|
|
|
(mem, inst_num)
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
let try_decl_local (mem, inst_num) {ProcAttributes.name; typ} =
|
|
|
|
|
|
|
|
let pvar = Pvar.mk name pname in
|
|
|
|
|
|
|
|
let loc = Loc.of_pvar pvar in
|
|
|
|
|
|
|
|
decl_local pname ~node_hash location loc typ ~inst_num ~represents_multiple_values:false
|
|
|
|
|
|
|
|
~dimension:1 mem
|
|
|
|
|
|
|
|
in
|
|
|
|
in
|
|
|
|
let mem = Dom.Mem.init oenv in
|
|
|
|
let mem = Dom.Mem.init oenv in
|
|
|
|
let mem, _ = List.fold ~f:try_decl_local ~init:(mem, 1) (Procdesc.get_locals pdesc) in
|
|
|
|
let mem, _ = List.fold ~f:try_decl_local ~init:(mem, 1) (Procdesc.get_locals pdesc) in
|
|
|
@ -185,10 +170,13 @@ module TransferFunctions = struct
|
|
|
|
| Load (id, exp, _, _) ->
|
|
|
|
| Load (id, exp, _, _) ->
|
|
|
|
BoUtils.Exec.load_locs id (Sem.eval_locs exp mem) mem
|
|
|
|
BoUtils.Exec.load_locs id (Sem.eval_locs exp mem) mem
|
|
|
|
| Store (exp1, _, Const (Const.Cstr s), location) ->
|
|
|
|
| Store (exp1, _, Const (Const.Cstr s), location) ->
|
|
|
|
let pname = Procdesc.get_proc_name pdesc in
|
|
|
|
|
|
|
|
let node_hash = CFG.Node.hash node in
|
|
|
|
|
|
|
|
let locs = Sem.eval_locs exp1 mem in
|
|
|
|
let locs = Sem.eval_locs exp1 mem in
|
|
|
|
BoUtils.Exec.decl_string pname ~node_hash integer_type_widths location locs s mem
|
|
|
|
let model_env =
|
|
|
|
|
|
|
|
let pname = Procdesc.get_proc_name pdesc in
|
|
|
|
|
|
|
|
let node_hash = CFG.Node.hash node in
|
|
|
|
|
|
|
|
BoUtils.ModelEnv.mk_model_env pname ~node_hash location tenv integer_type_widths
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
BoUtils.Exec.decl_string model_env locs s mem
|
|
|
|
| Store (exp1, _, exp2, location) ->
|
|
|
|
| Store (exp1, _, exp2, location) ->
|
|
|
|
let locs = Sem.eval_locs exp1 mem in
|
|
|
|
let locs = Sem.eval_locs exp1 mem in
|
|
|
|
let v =
|
|
|
|
let v =
|
|
|
@ -232,9 +220,10 @@ module TransferFunctions = struct
|
|
|
|
let mem = Dom.Mem.add_stack_loc (Loc.of_id id) mem in
|
|
|
|
let mem = Dom.Mem.add_stack_loc (Loc.of_id id) mem in
|
|
|
|
match Models.Call.dispatch tenv callee_pname params with
|
|
|
|
match Models.Call.dispatch tenv callee_pname params with
|
|
|
|
| Some {Models.exec} ->
|
|
|
|
| Some {Models.exec} ->
|
|
|
|
let node_hash = CFG.Node.hash node in
|
|
|
|
|
|
|
|
let model_env =
|
|
|
|
let model_env =
|
|
|
|
Models.mk_model_env callee_pname node_hash location tenv integer_type_widths
|
|
|
|
let node_hash = CFG.Node.hash node in
|
|
|
|
|
|
|
|
BoUtils.ModelEnv.mk_model_env callee_pname ~node_hash location tenv
|
|
|
|
|
|
|
|
integer_type_widths
|
|
|
|
in
|
|
|
|
in
|
|
|
|
exec model_env ~ret mem
|
|
|
|
exec model_env ~ret mem
|
|
|
|
| None -> (
|
|
|
|
| None -> (
|
|
|
@ -509,11 +498,12 @@ module Report = struct
|
|
|
|
in
|
|
|
|
in
|
|
|
|
match Models.Call.dispatch tenv callee_pname params with
|
|
|
|
match Models.Call.dispatch tenv callee_pname params with
|
|
|
|
| Some {Models.check} ->
|
|
|
|
| Some {Models.check} ->
|
|
|
|
let node_hash = CFG.Node.hash node in
|
|
|
|
let model_env =
|
|
|
|
let pname = Procdesc.get_proc_name pdesc in
|
|
|
|
let node_hash = CFG.Node.hash node in
|
|
|
|
check
|
|
|
|
let pname = Procdesc.get_proc_name pdesc in
|
|
|
|
(Models.mk_model_env pname node_hash location tenv integer_type_widths)
|
|
|
|
BoUtils.ModelEnv.mk_model_env pname ~node_hash location tenv integer_type_widths
|
|
|
|
mem cond_set
|
|
|
|
in
|
|
|
|
|
|
|
|
check model_env mem cond_set
|
|
|
|
| None -> (
|
|
|
|
| None -> (
|
|
|
|
match Ondemand.analyze_proc_name ~caller_pdesc:pdesc callee_pname with
|
|
|
|
match Ondemand.analyze_proc_name ~caller_pdesc:pdesc callee_pname with
|
|
|
|
| Some callee_summary -> (
|
|
|
|
| Some callee_summary -> (
|
|
|
|