Summary:public
In tracing mode, we translate the runtime checks done by the JVM, so the checks for null happen independently from the what happens before the dereference.
Reviewed By: cristianoc
Differential Revision: D2981515
fb-gh-sync-id: 695de07
shipit-source-id: 695de07
Summary:public
I have seen enough comments in this space by people during code review to switch on the analyses the compiler can already do. This diff is an automated renaming of unused identifiers to _, with a few additional changes made when reading the diff of the results for things that stood out as particularly strange. This base-lines all of the existing warnings. I'm not sure this is a good idea, since it might be better for those familiar with each part of the code to look at these warnings and use them as pointers to suspicious code.
Reviewed By: jeremydubreil
Differential Revision: D2938376
fb-gh-sync-id: 6e67817
shipit-source-id: 6e67817
Summary:
public
Remove the need to create a record with two elements to create a procedure description
Reviewed By: cristianoc
Differential Revision: D2872744
fb-gh-sync-id: d26bbdc
Summary:
public
Fist resolve the method name based on the dynamic types found during the symbolic execution, then run the analysis on-demand with the resolved method name.
Reviewed By: cristianoc
Differential Revision: D2815744
fb-gh-sync-id: c55accd
Summary:
public
In the case of Java, the name of the method is enough to lookup the summary of the callees and run the symbolic execution. This revision separates the case of method call in Java and in C, C++ and Objective C. Most of the code for executing method calls was Clang specific and this is an intermediate step to be able to run the capture and analysis on demand.
Reviewed By: sblackshear
Differential Revision: D2809171
fb-gh-sync-id: da62dce
Summary:
public
When reading from static fields, the translation was overwriting the list of class members with the list of static ones. The backend was only looking up fields from the list of non static fields.
Reviewed By: sblackshear
Differential Revision: D2801759
fb-gh-sync-id: fe8ed80
Summary:
public
Using Typename.t in the list of superclasses to match the type for the key of the type environment. This avoids to make back and forth convertions from typename to type (csu, mangled name).
Depends on D2786574
Reviewed By: jberdine
Differential Revision: D2792116
fb-gh-sync-id: 6100f1a
Summary:
public
This diff cleans up the detection of assertion failures in C, C++ and Objective C which was previously hacked on top of the tracing mode for Java. The code is also generalized to detect any custom errors which can be defined using the `__infer_fail` builtin, and the case of assertion failure is now just the specific case of translating `assert` using `__infer_fail` directly in the clang frontend.
Reviewed By: jberdine
Differential Revision: D2786574
fb-gh-sync-id: dd1e1cf
Summary:
public
Move the naming of types to it own module, so that it can be used by modules `Sil` depends from like `Procname`
Reviewed By: jberdine
Differential Revision: D2773148
fb-gh-sync-id: a89f595
Summary:
public
Move the representation of data-structure into it own module, so that it can be used by modules `Sil` depends from like `Procname`.
Reviewed By: jberdine
Differential Revision: D2772791
fb-gh-sync-id: cda4e3a
Summary: public Crashes during the analysis are classified as timeouts in the .specs file. In addition, when there is a timeout, it does not say *why* the timeout occurred (hard time, symops, or recursion). This diff adds this information to the .specs file and adds a "fail hard" mode where crashes and timeouts will actually stop the analysis in developer mode (but will still be hidden in the normal production mode).
Reviewed By: jeremydubreil
Differential Revision: D2725382
fb-gh-sync-id: b0b4e5e
Summary: public Did this by adding an option to rearrange that turns of error reporting.
Reviewed By: dulmarod
Differential Revision: D2768396
fb-gh-sync-id: 4898d2d
Summary:
public To deal with ObjC nullability and give meaningful error
messages, we introduced the ObjC_NULL attribute in the symbolic execution to
mean that the object carrying the attribute is null because it was the result
of a method call from a null object. However, one cannot add attributes to null,
so we had to delay nullifying the object in order to have the attribute until we
can assign it to a program variable. However, if the temp variable was used in a condition,
we were not taking into account that its meaning is null. This diff addresses that and fixes
many FPs that we have encounter.
Reviewed By: ddino
Differential Revision: D2765167
fb-gh-sync-id: c0878dd
Summary: public First in a series of diffs fixing the __nullable checker for obj-c, which currently reports false positives on property accesses via getters and setters. To fix this problem, we need a special implementation of letderef and set for property accesses that don't report NPE errors. Factoring out the execution of these instructions from the main symbolic executor will make this easier.
Reviewed By: jeremydubreil
Differential Revision: D2763923
fb-gh-sync-id: 883a184
Summary:
public This continues the work on adding builtins for getters and setters
and removing the generated code from the frontend. This is extending it to setters and
removing the preanalysis that is no longer needed.
Reviewed By: akotulski
Differential Revision: D2734499
fb-gh-sync-id: 7cf5749
Summary:
public The ivar corresponding to the property is only available in the ast when the
implementation of the peroperty is available. Otherwise we add an ivar with the correct type
and the default name to the tenv and use it in the getter (and later in the setter).
This was not causing crashes because the generated code was swallowing the Missing_fld exception.
Now it flags it.
Reviewed By: akotulski
Differential Revision: D2734217
fb-gh-sync-id: 21c62af
Summary: public
We were generating getters and setters in the frontend, and then removing them if they were not needed
in the preanalysis. This diff adds a builtin getter that gets called if we are going to skip the function. That
means, if there was a getter written by the developers we still use that one rather than the builtin.
Code for setter and cleanup of preanalysis will come in a next diff.
Reviewed By: jvillard
Differential Revision: D2702890
fb-gh-sync-id: d65f25e
Summary: public
Refactor how propositions are created from prune nodes, especially for
inequalities.
Reviewed By: cristianoc
Differential Revision: D2700119
fb-gh-sync-id: 86a70a3
Summary: public Refactoring Printfargs checker a bit to
make it callable from symbolic executor, then calling it.
Reviewed By: jeremydubreil
Differential Revision: D2361286
fb-gh-sync-id: 4b73855
Summary: public
modules are better for namespacing.
How I made this diff:
1. moved list_* functions from utils.ml{,i} to iList.ml{,i}
2. shell commands:
grep '^val ' infer/src/backend/iList.mli | cut -f 2 -d ' ' | tr '\n' ' '
# gives a list of former list_ functions that IList implements, fed into the loops below:
LISTNAMES=" compare equal append combine exists filter flatten flatten_options find fold_left fold_left2 for_all for_all2 hd iter iter2 length fold_right map mem nth partition rev rev_append rev_map sort split stable_sort tl drop_first drop_last rev_with_acc remove_duplicates remove_irrelevant_duplicates merge_sorted_nodup intersect mem_assoc assoc map2 to_string"
# replace " list_*" function calls with IList.* ones
for i in $LISTNAMES; do find . -name '*.ml' -exec sed -i -e "s/ list_$i\b/ IList.$i/g" \{\} \; ; done
# replace (list_* functions with (IList.* ones
for i in $LISTNAMES; do find . -name '*.ml' -exec sed -i -e "s/(list_$i\b/(IList.$i/g" \{\} \; ; done
# ditto with [
for i in $LISTNAMES; do find . -name '*.ml' -exec sed -i -e "s/\[list_$i\b/[IList.$i/g" \{\} \; ; done
3. Then fix up the rest by hand. In particular, stuff that called Utils.list_*
explicitely, and stuff that used the "Fail" exception that has moved to
IList. (may revisit this in the future)
Reviewed By: jeremydubreil, cristianoc
Differential Revision: D2550241
fb-gh-sync-id: cd64b10
Summary: public
Dictionary literals are normally implemented using
`+dictionaryWithObjects:forKeys:count:` but were modeled as
`+dictionaryWithObjectsAndKeys:`
In particular, `@{@"aaa": nil}` would trigger a sentinel error instead of an NPE.
This models dictionary literals as a special infer builtin that the backend
interprets so as to give NPEs when passed nil objects or keys.
Reviewed By: dulmarod
Differential Revision: D2550039
fb-gh-sync-id: 1a10656
Summary: @public Infer previously did not work correctly when a function returns the result of a skip function:
```
retUndef() {
x = undefined();
return x;
}
derefUndef() {
y = retUndef();
y.doSomething(); // Symexec_memory_error here, prevents spec inference
}
```
The problem is that angelic mode did not know to add the return value of `retUndef()` to the footprint.
This diff fixes the problem by adding return values marked with the `Aundef` attribute to the footprint.
This is done lazily (e.g., a value only gets added to the footprint when you try to deref it).
Reviewed By: @jvillard
Differential Revision: D2444929
Summary:
`get_resource_or_undef` attribute is weird and was causing problems for me in another diff.
This diff refactors the attribute categories to make resource and undef separate.
Summary:
Move proc_attributes to a separate module.
Field err_log, in common between proc desc and summary, can now be moved to ProcAttributes without creating cycles of dependencies.
Summary:
There's a lot of overlap between the representation of a proc desc and a spec summary. This diff moves all the data in common to the single record proc_attributes defined in Sil.
This gives a unified way of accessing most of the data carried by a procedure, whether it is contained in a proc desc or a spec. Also, it ensures that there is a single flow of information from proc desc to spec in the back-end, making sure that the information represented stays consistent.
Summary:
The methods in objc can have the same name in the same class, but one be instance and the other class,
so that we need to take the instance flag into account when defining unique names for ObjC methods.
Summary:
This commit is the result of
`find infer/src -name '*.ml' -or -name '*.mli' -exec ocp-indent -i \{\} \;`
and
`INFER_CHECK_COPYRIGHT=1 InferPrint`
Summary:
In preparation for C++ methods, we need to have type with
class, method, mangled (for overloading?)
1. Change objc method to support it
2. Do some renames to be less confusing
Summary:
This adds a sentinel check every time a function carrying a sentinel attribute
is called, regardless of whether we have a definition for that function or not.
Summary:
Treat `arrayWithObjects` as a special case of a sentinel attribute check. This
will make it easier to extend to other variadic functions that use a sentinel
attribute.
This also removes the need for the `Sil.Avariadic_function_argument` attribute,
which will be removed in a subsequent diff.
Summary:
the name of the return variable of a procedure only depends on the name of that procedure. This simplifies the need for the procedure description in a couple of places
Summary:
This is a refactoring diff with no functional changes in order to move the code using the procedure description of the callees in a single place, in order to replace the approach to use a summary instead in a subsequent step.
Summary:
This reverts commit 306f5b71c24042c89f71848898402cbc9269c543.
Turns out that developers think that this bugs should be fixed. So leaving it in for now until I gather more information.
Summary:
@public
There are many FPs of the form init method that contains
if ((self = [super initWithFrame:frame])) {
...
}
return self;
then an object being initialised with that constructor and added to an array or dictionary.
There we flag NPE and very likely that won't be a bug. So I'm removing the option for self
to be nil in the constructor, which should solve the problem.
Test Plan: Changed the relevant test.
Summary:
@public
Previously, if the close() method was throwing an exception, then code overriding the file attribute with a mem attribute would be skipped, resulting in reporting a wrong resource leak. This diff fixes this.
Test Plan: Added new end-to-end tests which would previously have been failing
Summary:
@public
This is a non-functional refactoring to remove the need for having the procedure description of the callee when execution function calls.
Test Plan: Infer CI. Expecting no change in the results.
Summary: @publicThe first argument of builtin calls in C gets translated twice, which is bad if the argument is a side-effecting expression like a function call.
Test Plan: Attached test previously reported a memory leak because the translation introduces an extra call to malloc(), now reports nothing.
Summary:
@public
Using InferBuiltins.assume previously caused an assertion failure in the analyzer. Fixed this, and fixed the implementation of the assume builtin to block when the assumed condition cannot hold.
Test Plan: Added several new tests.