Summary:
This is a needed step in the direction of making prenalysis functional: it will return a view of the CFG rather than mutating the CFG.
ProcCfg already works by providing a view on the underyling CFG, but the bi-abduction can't leverage this because it uses the "raw" CFG.
This diff does a partial swap of the raw CFG for an exceptional ProcCfg. The goal is to make sure the bi-abduction never calls `Procdesc.get_instrs`; it should use the `ProcCfg` wrapper instead.
That way, preanalyses that add instructions (like the liveness prenalysis) will work.
There's still some calls to `Procdesc.get_succs` etc., but we can remove those in a future diff.
They're not on the critical path because the current preanalyses only add instructions, not nodes or edges.
Reviewed By: jeremydubreil
Differential Revision: D5556387
fbshipit-source-id: 4ffda00
Summary:
Previous version was hard to understand because it was doing many things within same code. New version has different code for Arrays, Structs and others.
There is some copy-paste, but it's easier to follow code (open to suggestions though)
Reviewed By: dulmarod
Differential Revision: D5547999
fbshipit-source-id: 77ecb24
Summary: It wasn't using code from `std::vector::empty` which recently was improved. Instead of inlining `std::vector::empty`, call it to know whether vector is empty or not.
Reviewed By: jvillard
Differential Revision: D5573379
fbshipit-source-id: e024a42
Summary: Useful for identifying user-controlled array accesses that could lead to buffer overflows
Reviewed By: mbouaziz
Differential Revision: D5520985
fbshipit-source-id: 92984f6
Summary:
When a sink name is specified in `.inferconfig` or in OCaml, it might conflict with a function of the same name that has a different number of args.
We shouldn't try to create a sink in this case, and we definitely shouldn't crash.
Reviewed By: jeremydubreil
Differential Revision: D5561216
fbshipit-source-id: fa1859b
Summary: This is unused, as far as I can tell. If we want to revive it, we can do it in AL or as a simple checker; it certainly doesn't require the full might of bi-abduction.
Reviewed By: jeremydubreil
Differential Revision: D5556325
fbshipit-source-id: e3895c2
Summary:
Replace `inferTraceBugs` with `infer-explore` with a similar CLI. Some options changed:
- --max-level -> --max-nesting, and "max" is the default value instead of a possible value
- --no-source -> --no-source-preview
Reviewed By: mbouaziz
Differential Revision: D5526651
fbshipit-source-id: 8383f37
Summary:
In some cases we normalize expressions to check some facts about them. In these
cases, trying to keep as much information as possible in the expression, such
as the fact it comes from a `sizeof()` expression, is not needed. Doing
destructive normalization allows us to replace `sizeof()` by its
statically-known value.
closes#706
Reviewed By: mbouaziz
Differential Revision: D5536685
fbshipit-source-id: cc3d731
Summary: A temporary workaround until we can understand why this happens and fix it.
Reviewed By: jeremydubreil
Differential Revision: D5559838
fbshipit-source-id: dc86eb9
Summary: That was too noisy. Propagate `--quiet` to the Python reporting hook so as to still emit bugs.txt and so on.
Reviewed By: martinoluca
Differential Revision: D5501106
fbshipit-source-id: 63b6451
Summary:
This allows the user to specify a different command to build the current version of the project vs to build the previous version of the project. Here's an example:
```
infer diff --gen-previous-build-command-script "echo clang -c hello.c" ... -- clang -c hello2.c
```
By default the two build commands are the same. If the script is to be used for both the current and the previous versions, then it's on the user to run it once first, eg:
```
infer diff --gen-previous-build-command-script "./myscript.sh previous" ... -- $(./myscript.sh current)
```
Reviewed By: martinoluca
Differential Revision: D5500989
fbshipit-source-id: 7374b44
Summary: Working on making CFG immutable by killing refs to functions that mutate them. This is an easy one because it doesn't do anything :).
Reviewed By: jeremydubreil, mbouaziz
Differential Revision: D5551521
fbshipit-source-id: bec76a9
Summary:
Record the list of access paths (if any) used in the index expression for each array access.
This will make it possible to use array accesses as sinks in Quandary
Reviewed By: jeremydubreil
Differential Revision: D5531356
fbshipit-source-id: 8204909
Summary:
Do not use the deprecated (and slower) `#infer` flavor. Instead, `infer-run`
runs capture with the `#infer-capture-all` flavor, followed by merging targets,
followed by the analysis.
Move the call to `MergeCapture` around to make this change easier.
Reviewed By: mbouaziz
Differential Revision: D5547199
fbshipit-source-id: 53c9996
Summary:
With current model, there are issues with cxx range loop. It looks like
it comes from std::vector::size model.
example of such FP:
```
int t = vec.size();
for(auto& elem : vec) {
auto x = elem
}
```
Reviewed By: jvillard
Differential Revision: D5545914
fbshipit-source-id: fbe55b3
Summary: Those are not particularly relevant for the biabduction analysis. It would be easy to have a dedicated checker for this if we happen to need one day.
Reviewed By: sblackshear
Differential Revision: D5530834
fbshipit-source-id: 316e60f
Summary:
The Eradicate `Nullable` checker should now be run using:
infer -a checkers --eradicate ...
Reviewed By: mbouaziz
Differential Revision: D5529226
fbshipit-source-id: 0de2956
Summary:
It's nice to have "raw" as the default kind of access path, since it's used much more often than the abstraction.
This is also a prereq for supporting index expressions in access paths, since we'll need mutual recursion between accesses and access paths.
Reviewed By: jeremydubreil
Differential Revision: D5529807
fbshipit-source-id: cb3f521
Summary:
This is unsound but will help the analysis to report less false alarms with the common pattern:
if (a.get() != null) {
a.get().foo();
}
Reviewed By: sblackshear
Differential Revision: D5528227
fbshipit-source-id: 750db4a
Summary:
Previously, only the bug type + file name (up to renaming) were taken into
account, which was too coarse. The key is file-independent and provides
additional signal.
Reviewed By: martinoluca
Differential Revision: D5536858
fbshipit-source-id: 70b732b
Summary: This was reusing the side effects of the `add_constraints_on_retval` for the final purpose of being angelic and just assigning a fresh value to the lhs of the load.
Reviewed By: sblackshear
Differential Revision: D5507037
fbshipit-source-id: ec1c89c
Summary: D5526683 assumed that this was the case, and broke the report hook.
Reviewed By: martinoluca
Differential Revision: D5527353
fbshipit-source-id: 2e169b9
Summary:
Bumps facebook-clang-plugins to a version that outputs sizeof() info in bytes and not bits.
update-submodule: facebook-clang-plugins
Reviewed By: akotulski
Differential Revision: D5526747
fbshipit-source-id: 6019542
Summary:
Cosmetic changes to the output of `make clean` and `make test-replace`.
Run the inferTraceBugs tests from tests/build_systems/ like other such e2e
tests, so that they can run in parallel with other tests instead of
sequentially at the end.
Reviewed By: dulmarod
Differential Revision: D5526599
fbshipit-source-id: 57231bd
Summary:
Works the same way as read/write races on fields, except that are more relaxed (er, unsound) in deciding whether two containers may alias.
This is needed to avoid reporting a ton of FP's; full explanation in comments.
Reviewed By: da319
Differential Revision: D5493404
fbshipit-source-id: 0a5d8b1
Summary:
This was hardcoded but it's passed as an option to the script. It can be useful to generate text reports from arbitrary json reports, eg:
./infer/lib/python/report.py --issues-json infer-out/report.json --project-root . --results-dir infer-out --issues-txt foo.txt
Reviewed By: martinoluca
Differential Revision: D5526683
fbshipit-source-id: 3f9c3ee
Summary: This seems more in line with the expectations of the JSON format.
Reviewed By: mbouaziz
Differential Revision: D5500939
fbshipit-source-id: 76dcc47
Summary: This used to be in a different module but now that `driver_mode` is in `Driver` it should really be called `Driver.mode`.
Reviewed By: mbouaziz
Differential Revision: D5499575
fbshipit-source-id: ab96473
Summary: Automatically set --reactive because the diff analysis will be faster that way.
Reviewed By: jeremydubreil
Differential Revision: D5499443
fbshipit-source-id: 1a35cee
Summary:
This was an oversight. The prologue has to be run before capture and analysis
(see eg Infer.run). This sets up a bunch of things that are useful for the
diff analysis as well.
Reviewed By: jeremydubreil
Differential Revision: D5499405
fbshipit-source-id: 8f339cf
Summary:
If -fembed-bitcode is passed, it leads to multiple cc1 commands, which
try to read .bc files that don't get generated, and fail. So pass
-fembed-bitcode=off to disable.
Reviewed By: martinoluca
Differential Revision: D5516879
fbshipit-source-id: 478057a
Summary:
If you run `infer report --issues-txt ilovecats.txt ...` then bugs may mysteriously miss from `ilovecats.txt`, unless you flush. (See rules of thumb for `Format` module.)
Closes https://github.com/facebook/infer/pull/694
Reviewed By: mbouaziz
Differential Revision: D5442335
Pulled By: jvillard
fbshipit-source-id: 73272a0
Summary:
The python scripts support this option but don't do anything with it. Note:
This doesn't remove support for android harnesses.
Reviewed By: sblackshear
Differential Revision: D5501019
fbshipit-source-id: 14c4e3f
Summary: The `--failures-allowed` was doing for the Clang frontend what `--keep-doing` was doing for the backend. This revision merges the two options to simplify the Infer CLI and our tests.
Reviewed By: jvillard
Differential Revision: D5474347
fbshipit-source-id: 09bcea4
Summary:
update-submodule: facebook-clang-plugins
Moving to a newer version of clang, see ffb5dd0114
Reviewed By: jvillard
Differential Revision: D5452529
fbshipit-source-id: 28bc215
Summary:
Better to bail early than have mysterious failures. These used to have the wrong error messages:
```
$ cd examples/android_hello/
$ infer -- ./gradlew rubbish
Capturing in gradle mode...
Running and capturing gradle compilation...
10:46:56.730 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]
10:46:56.730 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] FAILURE: Build failed with an exception.
10:46:56.730 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]
10:46:56.730 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] * What went wrong:
10:46:56.730 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] Task 'rubbish' not found in root project 'android_hello'.
10:46:56.730 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]
10:46:56.730 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] * Try:
10:46:56.730 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] Run gradlew tasks to get a list of available tasks. Run with --stacktrace option to get the stack trace.
Nothing to compile. Try running `./gradlew clean` first.
ERROR: (Unix.Exit_or_signal (Exit_non_zero 66))
$ cd -
$ infer --flavors --Xbuck --keep-going -- buck build //toto:toto
Capturing in buck mode...
moving files in buck-out to buck-out/.trash/buck-outwiiL6N
Not using buckd because watchman isn't installed.
BUILD FAILED: No build file at toto/BUCK when resolving target //toto:toto#infer.
Buck failed, but continuing the analysis because --keep-going was passed
Not using buckd because watchman isn't installed.
No build file at toto/BUCK when resolving target //toto:toto#infer.
Traceback (most recent call last):
File "/home/jul/infer/infer/bin/../lib/python/infer.py", line 186, in <module>
main()
File "/home/jul/infer/infer/bin/../lib/python/infer.py", line 168, in main
capture_exitcode = imported_module.gen_instance(args, cmd).capture()
File "/home/jul/infer/infer/lib/python/inferlib/capture/buck.py", line 89, in capture
return self.capture_with_flavors()
File "/home/jul/infer/infer/lib/python/inferlib/capture/buck.py", line 242, in capture_with_flavors
result_paths = self._get_analysis_result_paths()
File "/home/jul/infer/infer/lib/python/inferlib/capture/buck.py", line 148, in _get_analysis_result_paths
out = [x.split(None, 1)[1] for x in buck_output.strip().split('\n')]
IndexError: list index out of range
ERROR: (Unix.Exit_or_signal (Exit_non_zero 1))
$ cd infer/build_systems/ant/ && infer -- ant rubbish
Capturing in ant mode...
BUILD FAILED
Target "rubbish" does not exist in the project "null".
at org.apache.tools.ant.Project.tsort(Project.java:1929)
at org.apache.tools.ant.Project.topoSort(Project.java:1837)
at org.apache.tools.ant.Project.topoSort(Project.java:1800)
at org.apache.tools.ant.Project.executeTarget(Project.java:1376)
at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
at org.apache.tools.ant.Project.executeTargets(Project.java:1260)
at org.apache.tools.ant.Main.runBuild(Main.java:857)
at org.apache.tools.ant.Main.startAnt(Main.java:236)
at org.apache.tools.ant.launch.Launcher.run(Launcher.java:287)
at org.apache.tools.ant.launch.Launcher.main(Launcher.java:113)
Total time: 0 seconds
Nothing to compile. Try running `ant clean` first.
ERROR: (Unix.Exit_or_signal (Exit_non_zero 66))
```
Now we fail better, for instance:
```
$ infer --flavors --Xbuck --keep-going -- buck build //toto:toto
Capturing in buck mode...
moving files in buck-out to buck-out/.trash/buck-outHag8Ji
Not using buckd because watchman isn't installed.
BUILD FAILED: No build file at toto/BUCK when resolving target //toto:toto#infer.
Buck failed, but continuing the analysis because --keep-going was passed
Not using buckd because watchman isn't installed.
No build file at toto/BUCK when resolving target //toto:toto#infer.
ERROR: (Unix.Exit_or_signal (Exit_non_zero 70))
$ cd infer/build_systems/ant/ && infer -- ant rubbish
Capturing in ant mode...
BUILD FAILED
Target "rubbish" does not exist in the project "null".
at org.apache.tools.ant.Project.tsort(Project.java:1929)
at org.apache.tools.ant.Project.topoSort(Project.java:1837)
at org.apache.tools.ant.Project.topoSort(Project.java:1800)
at org.apache.tools.ant.Project.executeTarget(Project.java:1376)
at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
at org.apache.tools.ant.Project.executeTargets(Project.java:1260)
at org.apache.tools.ant.Main.runBuild(Main.java:857)
at org.apache.tools.ant.Main.startAnt(Main.java:236)
at org.apache.tools.ant.launch.Launcher.run(Launcher.java:287)
at org.apache.tools.ant.launch.Launcher.main(Launcher.java:113)
Total time: 0 seconds
ERROR: couldn't run compilation command `['ant', '-verbose', u'rubbish']`
ERROR: (Unix.Exit_or_signal (Exit_non_zero 1))
```
Reviewed By: jeremydubreil
Differential Revision: D5469607
fbshipit-source-id: a3eb05c
Summary:
The way we represented container writes before was pretty hacky: just use a dummy field for the name of the method that performs the container write.
This diff introduces a new access kind for container writes that is much more structured.
This will make it easier to soundly handle aliasing between containers and support container reads in the near future.
Reviewed By: da319
Differential Revision: D5465747
fbshipit-source-id: e021ec2
Summary: Using a dedicated abstract domain, like Quandary does, is more suitable for taint analysis.
Reviewed By: sblackshear
Differential Revision: D5473794
fbshipit-source-id: c917417
Summary: Because making a diff which breaks the tests because it silently fails to create the right posts for the models is notoriously hard to debug
Reviewed By: sblackshear
Differential Revision: D5471611
fbshipit-source-id: ef04539
Summary:
Both `stringWithUTF8String` and `stringWithString` implements copy semantics that copies the content of their parameter into a newly allocated buffer. We modeled this as pointer assignment in the past, which means that once we write
```
NSString* foo() {
char buf[...];
...
return [NSString stringWithUTF8String:buf];
}
```
We are going to get a spurious stack variable address escape report because local pointer `buf` is assigned to the newly created string and the string gets returned.
This diff tries to address the issue by heap-allocating a buffer and `memcpy` the contents in `stringWithUTF8String` and `stringWithString`. But this change will create another problem: the allocated buffer will be reported as leaked by the backend, while in reality those buffers won't actually be leaked as they are allocated in a region that will be periodically autoreleased. To suppress spurious memory leak FPs, I added another attribute `Awont_leak` that will suppress the leakage report on any expressions that get tagged with it.
Reviewed By: jeremydubreil
Differential Revision: D5403084
fbshipit-source-id: df6de7f
Summary: This gives us more expressive power when defining sources--we can use heuristics like "`foo(o)` only returns a source when `o` is not a constant".
Reviewed By: jvillard
Differential Revision: D5467935
fbshipit-source-id: f3d581d
Summary: This should make it faster to use embarassingly big regexps in AL.
Reviewed By: mbouaziz
Differential Revision: D5462938
fbshipit-source-id: 0431730
Summary:
Pretty basic: warn when we see an assignment instruction `x = ...` and `x` is not live in the post of the instruction.
Only enabled for Clang at the moment because linters already warn on this for Java. But we can enable it later if we want to (should be fully generic).
Reviewed By: jeremydubreil
Differential Revision: D5450439
fbshipit-source-id: 693514c
Summary:
oops_house
This was introduced when upgrading Core, as `Unix.readdir` became deprecated in
favour of `Unix.readdir_opt` but the exception-based logic was left unchanged.
Reviewed By: mbouaziz
Differential Revision: D5461353
fbshipit-source-id: c0994c3
Summary:
Phony dependencies are not good for incrementality. Retain the nice
factorization of code introduced by D5415318 but depend directly on the
relevant files instead of the phony target.
Reviewed By: mbouaziz
Differential Revision: D5461188
fbshipit-source-id: 069519b
Summary: Making it simple to add a new access type for "un-annotated interface call" in an upcoming diff.
Reviewed By: da319
Differential Revision: D5445914
fbshipit-source-id: f29e342
Sam Blackshear
Andrzej Kotulski
Dulma Churchill
Jules Villard
Jeremy Dubreil
Jia Chen
Daiva Naudziuniene
Mehdi Bouaziz
Josh Berdine
Radu Grigore
Dino Distefano
Martino Luca