Summary: public
`this` can't be null in C++ methods, make backend aware of it.
Behavior for other languages remains the same
Reviewed By: dulmarod
Differential Revision: D2668945
fb-gh-sync-id: c85acbf
Summary: public
Infer gets confused with this cast. It happens when objects try
to access superclass field/method, but we shouldn't change type in
this case (for the sake of backend)
Reviewed By: dulmarod
Differential Revision: D2663905
fb-gh-sync-id: bbf1cb2
Summary: public
I realized that this code was returning false for `android.content.Context <: android.content.Context`.
Reviewed By: cristianoc
Differential Revision: D2699112
fb-gh-sync-id: 4c01c42
Summary: public
This allows to run the checker and get feedback about potential expensive call stacks without having to annotate first all the methods that are overriding PerofrmanceCritical-annotated methods
Reviewed By: cristianoc
Differential Revision: D2693556
fb-gh-sync-id: cb60278
Summary: public Translate template instantiations exported by clang.
There is no need to deal with templated code - clang creates one class
for each implementation.
Reviewed By: dulmarod
Differential Revision: D2686269
fb-gh-sync-id: 9249a00
Summary: public
Support MaterializeTemporaryExpr which happens often in real life C++.
For example, it will happen in this code:
std::vector<int> v;
v.push_back(1);
// it's because std::vector<int>::push_back(const int &)
Strategy is to create variable that will store value of init expression (to provide storage)
and then return variable as a result of an expression
Reviewed By: ddino
Differential Revision: D2674340
fb-gh-sync-id: 077ed6a
Summary: public
Translate C++ overloaded operator calls. AST of their children looks slightly differently
which means that we have to be more permissive in params_trans.exps.
Difference:
CXXMemberCallExpr:
MemberExpr:
'ThisExpr' (it's part of method decl ref evaluation)
MethodDeclRef
Param1
Param2
...
CXXOperatorCallExpr
MethodDeclRef/FunctionDeclRef
'ThisExpr' (it's part of parameters list evaluation)
Param1
Param2
...
Reviewed By: dulmarod
Differential Revision: D2679503
fb-gh-sync-id: 1437f73
Summary: public
Add support for translation and calling c++ static methods.
They can be called in two ways:
ClassName::method()
classInstance.method()
Both of them have the same meaning, but AST produced is different
Reviewed By: dulmarod
Differential Revision: D2636489
fb-gh-sync-id: 9294a3f
Summary: public
Some more examples to explain the behaviour of the type checker with inheritance
Reviewed By: cristianoc
Differential Revision: D2639908
fb-gh-sync-id: d038061
Summary: public
The static and global variables used in blocks don't appear in the ast as captured.
We need them however to try and find retain cycles involving those variables.
This diff adds a way of collecting the static variables used in blocks and treat them
like we treat other captured variables to find retain cycles.
Reviewed By: ddino
Differential Revision: D2663727
fb-gh-sync-id: d5b44ec
Summary: public
The classes `java.util.zip.{Inflater/Deflater}` where not modelled as resources. In practice, bad memory leak can happen using these classes and forcing the call to `end()` can help to avoid waisting native memory.
Reviewed By: sblackshear
Differential Revision: D2661249
fb-gh-sync-id: 1e33316
Summary: Add possibility of throwing IOException to model of
java.nio.channels.FileChannel.tryLock, and add test case.
public
Reviewed By: cristianoc
Differential Revision: D2658203
fb-gh-sync-id: 9ca9c02
Summary: public Fix oversight where fields of base classes were
not exported.
Reviewed By: dulmarod
Differential Revision: D2652218
fb-gh-sync-id: 75b93ed
Summary: Add models of the java.nio.channels.FileChannel.tryLock methods which can
return null according to the java docs.
public
Reviewed By: sblackshear, cristianoc
Differential Revision: D2650050
fb-gh-sync-id: ae6c8ce
Summary: public This diff changes the way we treat enums in Infer.
1. The semantics of the translation is now correct, it was a bit incorrect before.
2. We don't add the enum types to the tenv anymore, which saves a lot of disk space
and avoids errors in the backend dealing with the enum type.
Reviewed By: akotulski
Differential Revision: D2641903
fb-gh-sync-id: 6295e5f
Summary: public
This adds the following subtyping rules:
- methods that are not annotated with Expensive cannot be overwritten by a method annotated with Expensive
- methods annotated with PerformanceCritical must be overwitten by method annotated with PerformanceCritical
Reviewed By: cristianoc
Differential Revision: D2636076
fb-gh-sync-id: eb616c9
Summary: public
Just works by running the analysis bottom-up and promoting any method as virtually annotated with `Expensive` whenever one of its callee is annotated with `Expensive`
Reviewed By: cristianoc
Differential Revision: D2635242
fb-gh-sync-id: 4401be6
Summary: public
C++ allows to have one variable declared+initialized as a condition statement.
Handle these cases properly for `if` and `while` statements.
Reviewed By: dulmarod
Differential Revision: D2625774
fb-gh-sync-id: bac95b8
Summary: public
This is an initial version of the Expensive checker which only report violations on direct calls. The main objective is to setup all the files for this new checker.
The next steps are:
1) run the checker in interprocedural mode
2) Save in the summary of a method foo() the annotation attribute Expensive if a direct callee of foo is annotated with Expensive
3) Check that Expensive is enforced by subtyping, i.e. check that non-expensive method cannot be overwritten by a method annotated with Expensive
Reviewed By: cristianoc
Differential Revision: D2629947
fb-gh-sync-id: 0e06f85
Summary: public
Translate CXXConstructExpr that are parts of variable initialization.
Reviewed By: dulmarod
Differential Revision: D2570750
fb-gh-sync-id: 708a457
Summary: public
The context leaks were reported multiple times. If a leaks was found on method `f()` and `g()` calls `f()`, then the same leak was report both in `f()` and in `g()`.
Reviewed By: sblackshear
Differential Revision: D2598110
fb-gh-sync-id: ca90b57
Summary: public
Extends the current activity leak checker to all sort of context leaks.
Reviewed By: sblackshear
Differential Revision: D2572548
fb-gh-sync-id: 9da18e4
Summary: public This diff fixes incorrect mangling of captured variables in blocks. Because they are formals,
they shouldn't be mangled, but this case was not taken into account. This caused an assert false in the
example infer/tests/codetoanalyze/objc/frontend/block/block.m which wasn't caught before because there
wasn't an endtoend test for it.
Reviewed By: akotulski
Differential Revision: D2560379
fb-gh-sync-id: db500b6
Summary: public
C++ assignment operation result is lvalue, while in C it was rvalue.
This leads to different AST produced by clang for then same code!
Use language information from clang (`-x` flag) to distinguish these cases.
More specifically, let's look at following code:
int r;
int f = (r = 3);
// type of (r = 3) expression:
// C/objC -> int rvalue
// C++/objC++ -> int lvalue
Existing code did extra dereference because it was rvalue in C and there was no cast afterwards
in C++ there will be extra LValueToRvalue cast when neccesary so we don't have to do extra dereference manually
Reference:
http://en.cppreference.com/w/c/language/value_category (search for 'assignment and compound assignment operators')
NOTE: AST output doesn't change when something is hidden behind `extern "C"`, so we should use global language information
Reviewed By: ddino
Differential Revision: D2549866
fb-gh-sync-id: b193b11
Summary: public
Dictionary literals are normally implemented using
`+dictionaryWithObjects:forKeys:count:` but were modeled as
`+dictionaryWithObjectsAndKeys:`
In particular, `@{@"aaa": nil}` would trigger a sentinel error instead of an NPE.
This models dictionary literals as a special infer builtin that the backend
interprets so as to give NPEs when passed nil objects or keys.
Reviewed By: dulmarod
Differential Revision: D2550039
fb-gh-sync-id: 1a10656
Summary: @public
This diff changes following things:
1. expression_info.type_ptr has type than decl_ref_info.type_ptr for reference types. Use type from decl_ref_info as a source of truth
2. reference types need to have one extra dereference that is not in AST. Add handling for this.
3. [small refactor] create function that creates temporary variable from res_trans expression and returns new res_trans.
Some caveats:
1. types are not quite right yet (see .dot files).
2. decl_ref_info might not be set for DeclRefExpr, make frontend crash in that case to catch when this happens
This is high risk change since it changes behavior of every translation on very widely used expr.
Reviewed By: @dulmarod
Differential Revision: D2540632
fb-gh-sync-id: aa28936
Summary: @public Add some basic tests to make sure that there is no
regression afterwards
Reviewed By: @dulmarod
Differential Revision: D2521887
fb-gh-sync-id: 1b8a15c
Summary: @public Infer previously did not work correctly when a function returns the result of a skip function:
```
retUndef() {
x = undefined();
return x;
}
derefUndef() {
y = retUndef();
y.doSomething(); // Symexec_memory_error here, prevents spec inference
}
```
The problem is that angelic mode did not know to add the return value of `retUndef()` to the footprint.
This diff fixes the problem by adding return values marked with the `Aundef` attribute to the footprint.
This is done lazily (e.g., a value only gets added to the footprint when you try to deref it).
Reviewed By: @jvillard
Differential Revision: D2444929
Summary:
In the new clang the parameters to these functions have notnull annotations, because of that infer tests fail. More concretely, the tests say there would be a memory leak. In the symbolic execution of those functions though, an inconsistency is created, because the parameter was nil, and the constraint argument should not be nil was also there, which leads to an error in the execution and no object is created, hence, no memory leak.
Summary:
Added two annotations @TrueOnNull and @FalseOnNull to be used for boolean functions to specify what value is returned when the argument is null.
Added model for TextUtils.isEmpty, which corresponds to the annotation
@TrueOnNull
static boolean isEmpty(@Nullable java.lang.CharSequence s)
Summary:
System.getProperty can return null when the property is not found, and expects a non-null argument.
Add models for Infer and Eradicate to reflect that.
Summary:
Errors arising from overriding methods defined in other files were not reported, because during parallel analysis the clusters did not have access to overridden methods, so could not load their annotation.
Changed cluster generation to add location information for the methods overridden by the procedures defined in the current cluster.
Summary:
When someone runs --changed-only mode, there is a risk of corrupting the results
for future analyses. The problem is that changed-only mode does not analyze the callers of changed
procedures. If a subsequent analysis relies on the specs of one of these callers, they will be stale
and may give the wrong results. To be concrete, let's say we know `Parent.foo()` calls `Child.bar()` and we do the following rounds of analysis:
Analysis round 1: Analyze all files, including `Parent` and `Child`
Analysis round 2: Analyze `Child.bar()` only with `--changed-only flag`. `Parent.foo()` is now stale.
Analysis round 3: Add procedure `Parent.baz()` that calls `Parent.foo()`, analyze in (any) incremental mode.
The analysis will only analyze `Parent.baz()`. However, the specs for `Parent.foo()` are stale and may give us bad results for `Parent.baz()`. We want the analysis to re-analyze `Parent.baz()`, but before this diff it will not.
This diff fixes this problem by adding a `STALE` status bit to procedure summaries. In `--changed-only` mode,
the callers of a changed procedures are not re-analyzed, but their summaries are marked as stale. For both
`--changed-only` and regular incremental mode, callees of changed procedures that are marked as stale are
re-analyzed even if they have not changed. This is better than a more obvious solution like deleting stale
procedure summaries, since that would force the next analysis to re-analyze all stale procedures even if it
does not need the results for whatever analysis it is doing. This scheme implemented in this diff ensures
that each analysis only does the work that it needs to compute reliable results for its changed procedures.
Summary: Handler.postDelayed keeps a persistent reference to its Runnable argument that may cause a memory leak if an Activity is reachable from the Runnable.
Summary: The Nullable checker reported FP's when a Nullable field/param was reassigned to a non-Nullable value in the footprint. This diff fixes the problem.
Summary:
This test was actually testing: "at least one Field not initialized error is found" where we actualy want to test "exactly one Field not initialized error is found". The case of @Inject was also missing from the tests.
Summary:
When detecting a resource leak, Infer used to raise an Leak exception and then prevent the specs to be computed for the paths containing a leak. This diff prevents resource leak to stop the analysis.
Summary:
Creating a persistent reference to an Activity leads to a nasty form of memory leaks (see http://android-developers.blogspot.com/2009/01/avoiding-memory-leaks.html, https://corner.squareup.com/2015/05/leak-canary.html). There are many ways to create a bad persistent reference to an Activity, but the most obvious one is via a static field.
This diff implements a very simple form of Activity leak checking by inspecting postconditions to see if a subtype of Activity is reachable from a static field (and it reports an error if so). This is a very simple and limited form of leak checking that does not understand the Android lifecycle at all. In particular, if one creates a persistent reference to an Activity and then nulls it out in `onDestroy` (a reasonably common pattern), this approach will wrongly report a bug.
Summary:
The methods in objc can have the same name in the same class, but one be instance and the other class,
so that we need to take the instance flag into account when defining unique names for ObjC methods.
Summary:
The symbolic execution was not stopping in case an unitialized dangling pointer was
passed to a function and then dereferenced inside the callee.
What would happen is that a wrong footprint would be added to the unititialized pointer
at the end of the function call in the caller proposition.
This checks that if we do:
frame * new_footprint
checks that we do not add heap predicates to the frame into uninitialized local variables.
If we can identify the variable then we raise a danglind pointer dereference. If instead
we cannot give a good explanation we give an internal error.
The latter case should be temporary. We should find a general way to raise dangling pointer
deref instead of the internal error.
I also fixed the model of getc that was the way I found the problem.
Summary:
This adds a sentinel check every time a function carrying a sentinel attribute
is called, regardless of whether we have a definition for that function or not.
Summary:
Treat `arrayWithObjects` as a special case of a sentinel attribute check. This
will make it easier to extend to other variadic functions that use a sentinel
attribute.
This also removes the need for the `Sil.Avariadic_function_argument` attribute,
which will be removed in a subsequent diff.
Summary:
This reverts commit 306f5b71c24042c89f71848898402cbc9269c543.
Turns out that developers think that this bugs should be fixed. So leaving it in for now until I gather more information.
Summary:
@public
There are many FPs of the form init method that contains
if ((self = [super initWithFrame:frame])) {
...
}
return self;
then an object being initialised with that constructor and added to an array or dictionary.
There we flag NPE and very likely that won't be a bug. So I'm removing the option for self
to be nil in the constructor, which should solve the problem.
Test Plan: Changed the relevant test.
Summary:
@public
Using InferBuiltins.assume previously caused an assertion failure in the analyzer. Fixed this, and fixed the implementation of the assume builtin to block when the assumed condition cannot hold.
Test Plan: Added several new tests.
Summary:
@public
Sorting the fields in structs and classes. Was needed in the backend and forgotten.
Fixes the github issue https://github.com/facebook/infer/issues/90.
Test Plan: Added a new test that shows that we now get a spec for the example from the github issue.
Summary:
@public
The models for Java no longer require to keep the original fields since we now make the union of the fields from the models and the fields from the code to analyze.
Test Plan: Infer CI. No functional change intended.