Summary:
public
Fist resolve the method name based on the dynamic types found during the symbolic execution, then run the analysis on-demand with the resolved method name.
Reviewed By: cristianoc
Differential Revision: D2815744
fb-gh-sync-id: c55accd
Summary:
public
In the case of Java, the name of the method is enough to lookup the summary of the callees and run the symbolic execution. This revision separates the case of method call in Java and in C, C++ and Objective C. Most of the code for executing method calls was Clang specific and this is an intermediate step to be able to run the capture and analysis on demand.
Reviewed By: sblackshear
Differential Revision: D2809171
fb-gh-sync-id: da62dce
Summary:
public
Title - instead of just creating dot file in some location, include this information as part of bug description.
Reviewed By: ddino
Differential Revision: D2779941
fb-gh-sync-id: 6bfb02b
Summary:
public
Add extra field that will be used to store extra bug description
in dotty format. This will allow to create better bug reports for
bugs that require images to understand what is going on (such as
retain cycles or activity leaks)
Reviewed By: jeremydubreil
Differential Revision: D2779935
fb-gh-sync-id: d2ecc0d
Summary:
public
When reading from static fields, the translation was overwriting the list of class members with the list of static ones. The backend was only looking up fields from the list of non static fields.
Reviewed By: sblackshear
Differential Revision: D2801759
fb-gh-sync-id: fe8ed80
Summary:
public
4feb93e91c disabled join of tuple values, but also of any two values of the same
type. However, we do know how to join integer values, so re-enable those.
Reviewed By: cristianoc
Differential Revision: D2803286
fb-gh-sync-id: 5bcc725
Summary:
public
Using Typename.t in the list of superclasses to match the type for the key of the type environment. This avoids to make back and forth convertions from typename to type (csu, mangled name).
Depends on D2786574
Reviewed By: jberdine
Differential Revision: D2792116
fb-gh-sync-id: 6100f1a
Summary:
public
This diff cleans up the detection of assertion failures in C, C++ and Objective C which was previously hacked on top of the tracing mode for Java. The code is also generalized to detect any custom errors which can be defined using the `__infer_fail` builtin, and the case of assertion failure is now just the specific case of translating `assert` using `__infer_fail` directly in the clang frontend.
Reviewed By: jberdine
Differential Revision: D2786574
fb-gh-sync-id: dd1e1cf
Summary:
public
It seems that restricting printing to stdout and stderr to developer
mode has broken InferPrint. So unconditionally turn developer mode on
in InferPrint.
Reviewed By: sblackshear
Differential Revision: D2786897
fb-gh-sync-id: 44b5772
Summary:
public
The function Sil.get_typ was actually always call with the optional parameter being `Csu.Class`
Reviewed By: sblackshear
Differential Revision: D2786055
fb-gh-sync-id: 4337258
Summary:
public
The paramtere where defined as simple strings in the procedure description. This diff force the use of the Mangled module to avoid possible conflict when converting variable back and forth from string to pvar. The code is now more consistent as the local variable were already named using mangled names.
Reviewed By: jberdine
Differential Revision: D2782863
fb-gh-sync-id: 1867574
Summary:
public
Move the naming of types to it own module, so that it can be used by modules `Sil` depends from like `Procname`
Reviewed By: jberdine
Differential Revision: D2773148
fb-gh-sync-id: a89f595
Summary:
public
Move the representation of data-structure into it own module, so that it can be used by modules `Sil` depends from like `Procname`.
Reviewed By: jberdine
Differential Revision: D2772791
fb-gh-sync-id: cda4e3a
Summary: public Crashes during the analysis are classified as timeouts in the .specs file. In addition, when there is a timeout, it does not say *why* the timeout occurred (hard time, symops, or recursion). This diff adds this information to the .specs file and adds a "fail hard" mode where crashes and timeouts will actually stop the analysis in developer mode (but will still be hidden in the normal production mode).
Reviewed By: jeremydubreil
Differential Revision: D2725382
fb-gh-sync-id: b0b4e5e
Summary: public Did this by adding an option to rearrange that turns of error reporting.
Reviewed By: dulmarod
Differential Revision: D2768396
fb-gh-sync-id: 4898d2d
Summary:
public To deal with ObjC nullability and give meaningful error
messages, we introduced the ObjC_NULL attribute in the symbolic execution to
mean that the object carrying the attribute is null because it was the result
of a method call from a null object. However, one cannot add attributes to null,
so we had to delay nullifying the object in order to have the attribute until we
can assign it to a program variable. However, if the temp variable was used in a condition,
we were not taking into account that its meaning is null. This diff addresses that and fixes
many FPs that we have encounter.
Reviewed By: ddino
Differential Revision: D2765167
fb-gh-sync-id: c0878dd
Summary: public First in a series of diffs fixing the __nullable checker for obj-c, which currently reports false positives on property accesses via getters and setters. To fix this problem, we need a special implementation of letderef and set for property accesses that don't report NPE errors. Factoring out the execution of these instructions from the main symbolic executor will make this easier.
Reviewed By: jeremydubreil
Differential Revision: D2763923
fb-gh-sync-id: 883a184
Summary:
public
This moves the hardcoded version numbers in one place and simplifies the logic
to compute the version a bit.
Reviewed By: jberdine
Differential Revision: D2759779
fb-gh-sync-id: 0e4d3c1
Summary:
public
The function `Procname.to_simplified_string ~withclass:true` used to print `MyClass.MyClass()` when printing the name of a Java constructor. It now prints `MyClass()`.
I made a separate diff for this changes as it affects the bug hash, especially for resource leaks.
Reviewed By: sblackshear
Differential Revision: D2748661
fb-gh-sync-id: 9f51871
Summary:
public there was a problem with
templated method names that had '/' in its names.
This happened for names like this: `method_name<(anonymous lambda in path/to/src:1:1)>`
Plus random fix to backend logging
Reviewed By: dulmarod
Differential Revision: D2749359
fb-gh-sync-id: b9a0fcd
Summary:
public
version.ml changes at each commit, which triggers the recompilation of all .ml
files that depend on it. Adding version.mli should prevent that.
Reviewed By: jberdine
Differential Revision: D2748986
fb-gh-sync-id: 5a59a14
Summary:
public
Added special modelling for m.put(k,v) as assigning value v to map m at key k.
The modelling is analogous to the one for containsKey: the variable used to represent m.get(k) is generated, and assigned the value v.
Reviewed By: jberdine
Differential Revision: D2743844
fb-gh-sync-id: 56d3581
Summary:
public
Change the contructor names to a more standard capitalisation style + remove some dead code
Reviewed By: sblackshear
Differential Revision: D2738157
fb-gh-sync-id: 6d9734b
Summary:
public The concept of generated method is not used anymore, so it is removed.
In general, I think we have noticed that generating code in the frontend is not the best
idea because it decreases performance, it's better to do it in the backend like with the
getters/setters.
Reviewed By: akotulski
Differential Revision: D2739142
fb-gh-sync-id: 0cf9535
Summary:
public This continues the work on adding builtins for getters and setters
and removing the generated code from the frontend. This is extending it to setters and
removing the preanalysis that is no longer needed.
Reviewed By: akotulski
Differential Revision: D2734499
fb-gh-sync-id: 7cf5749
Summary:
public The ivar corresponding to the property is only available in the ast when the
implementation of the peroperty is available. Otherwise we add an ivar with the correct type
and the default name to the tenv and use it in the getter (and later in the setter).
This was not causing crashes because the generated code was swallowing the Missing_fld exception.
Now it flags it.
Reviewed By: akotulski
Differential Revision: D2734217
fb-gh-sync-id: 21c62af
Summary:
public
The resource leak warning messages can sometimes be confusing especially when several type of resources are involved in the code where the warning is reported. This diff adds the class name of the resource being leaked to the error message.
Reviewed By: sblackshear
Differential Revision: D2706538
fb-gh-sync-id: ccf364e
Summary: public so that we don't introduce more string mutations in the future.
Reviewed By: jberdine
Differential Revision: D2729167
fb-gh-sync-id: 746319a
Summary:
public
Add the backwards-compatibility Bytes module if we detect OCaml version <
4.02.0.
Reviewed By: jberdine
Differential Revision: D2728924
fb-gh-sync-id: 39cf76b
Summary: public This only supports parameters for now, but should be easy to extend to return values and fields. The work of this diff is all in the translation--the task of finding annotations and doing the actual checking is handled by existing code.
Reviewed By: akotulski
Differential Revision: D2706791
fb-gh-sync-id: 0d706a8
Summary: public
We were generating getters and setters in the frontend, and then removing them if they were not needed
in the preanalysis. This diff adds a builtin getter that gets called if we are going to skip the function. That
means, if there was a getter written by the developers we still use that one rather than the builtin.
Code for setter and cleanup of preanalysis will come in a next diff.
Reviewed By: jvillard
Differential Revision: D2702890
fb-gh-sync-id: d65f25e
Summary: public
The method `android.view.View.findViewById` and should not be run performance critical parts of the code like scrolling.
Reviewed By: sblackshear
Differential Revision: D2698196
fb-gh-sync-id: 2716ad7
Summary: public
Refactor how propositions are created from prune nodes, especially for
inequalities.
Reviewed By: cristianoc
Differential Revision: D2700119
fb-gh-sync-id: 86a70a3
Summary: public
`this` can't be null in C++ methods, make backend aware of it.
Behavior for other languages remains the same
Reviewed By: dulmarod
Differential Revision: D2668945
fb-gh-sync-id: c85acbf
Summary: public
This allows to run the checker and get feedback about potential expensive call stacks without having to annotate first all the methods that are overriding PerofrmanceCritical-annotated methods
Reviewed By: cristianoc
Differential Revision: D2693556
fb-gh-sync-id: cb60278
Summary: public
Currently payloads for different analyses are stored in a disjoint union.
After this diff, a record is used to enable running different analyses using the same spec files.
Reviewed By: jvillard
Differential Revision: D2695566
fb-gh-sync-id: 3d2886d
Summary: public
Use the analysis summary to store call stacks from PerformanceCritical-annotated methods to Expensive-annotated methods.
This use the on demand scheduling in order to make sure that the summary of the callee is always analyzed before the callers.
Reviewed By: cristianoc
Differential Revision: D2685347
fb-gh-sync-id: ab403d9
Summary: public
With this change, it will be possible to pass to InferAnalyze a list of folders to be
searched for spec files, through a file containing those paths, separated by the newline
character.
For example, if there's a `PathList.txt` file containing
/path/to/specs/folder1
/path/to/specs/folder2
/path/to/specs/folder3
Then invoking `infer --specs-dir-list-file PathList.txt [--other_args, ...] -- <build_cmd>`
will instruct the analyzer to lookup to those three folders whenever it searches for specs.
It's important to note that since the analyzer runs in parallel from different locations, it's necessary to pass **absolute** paths, or the analyzer will fail with an error.
Reviewed By: jvillard
Differential Revision: D2668700
fb-gh-sync-id: b407a57
Summary: public so that we don't get thousands of memory leaks in debug mode.
We will still get them if we pass ml_bucket internal.
Reviewed By: jvillard
Differential Revision: D2648200
fb-gh-sync-id: 8dce66f
Summary: public
When analysing projects we would not always display the numbers of procs and
files analysed. This fixes it, and also prints the stats before the reports for
readability. This way we also don't need to print "Analysis done" anymore.
Before:
$ infer -- gcc -c hello.c
Starting analysis (Infer version git-436690cf022a16313dda8447121a5934529e6e5c)
Analysis done
hello.c:5: error: NULL_DEREFERENCE
pointer s last assigned on line 4 could be null and is dereferenced at line 5, column 3
3. void test() {
4. int *s = NULL;
5. > *s = 42;
6. }
After:
$ infer -- gcc -c hello.c
Starting analysis (Infer version git-5b7ff3ac10d58e7ffd17c44574ab330ed07cb188)
Computing dependencies... 100%
Analyzing 1 cluster. 100%
Analyzed 1 procedure in 1 file
Found 1 issue
hello.c:5: error: NULL_DEREFERENCE
pointer s last assigned on line 4 could be null and is dereferenced at line 5, column 3
3. void test() {
4. int *s = NULL;
5. > *s = 42;
6. }
Also looked at the results on buck and gradle
Reviewed By: cristianoc
Differential Revision: D2636991
fb-gh-sync-id: 32b9a7c
Summary: public
This cleans up the output of infer. Before:
$ touch empty.c
$ infer -- gcc -c empty.c
Starting analysis (Infer version git-436690cf022a16313dda8447121a5934529e6e5c)
Analysis done
No issues found
$ infer -- javac Hello.java
Starting analysis (Infer version git-436690cf022a16313dda8447121a5934529e6e5c)
Analysis done
Hello.java:4: error: NULL_DEREFERENCE
object s last assigned on line 3 could be null and is dereferenced at line 4
2. int test() {
3. String s = null;
4. > return s.length();
5. }
6. }
Analyzed 2 procedures in 1 file
$
After:
$ infer -- gcc -c empty.c
Starting analysis (Infer version git-434faa7f70f6b9498615d3ead8c12bcfec6fc553)
Analyzing 0 clusters
Analysis done
No issues found
$ infer -- javac Hello.java
Starting analysis (Infer version git-434faa7f70f6b9498615d3ead8c12bcfec6fc553)
Computing dependencies... 100%
Analyzing 1 cluster. 100%
Analysis done
Found 1 issue
Hello.java:4: error: NULL_DEREFERENCE
object s last assigned on line 3 could be null and is dereferenced at line 4
2. int test() {
3. String s = null;
4. > return s.length();
5. }
6. }
Analyzed 2 procedures in 1 file
$
Also tested with buck, gradle.
Reviewed By: cristianoc
Differential Revision: D2636969
fb-gh-sync-id: 52f06f0
Summary: public
This is an initial version of the Expensive checker which only report violations on direct calls. The main objective is to setup all the files for this new checker.
The next steps are:
1) run the checker in interprocedural mode
2) Save in the summary of a method foo() the annotation attribute Expensive if a direct callee of foo is annotated with Expensive
3) Check that Expensive is enforced by subtyping, i.e. check that non-expensive method cannot be overwritten by a method annotated with Expensive
Reviewed By: cristianoc
Differential Revision: D2629947
fb-gh-sync-id: 0e06f85
Summary: public
Adding a progress bar to the analysis phase to check progress.
The progress bar for the analysing procedures part is just printing dots at the moment and will be
improved soon when we do all the multithreading inside Ocaml.
There is also a no_progress_bar option in the scripts to hide it, for instance in CI.
Reviewed By: cristianoc
Differential Revision: D2625763
fb-gh-sync-id: daf6f96
Summary: public
The context leaks were reported multiple times. If a leaks was found on method `f()` and `g()` calls `f()`, then the same leak was report both in `f()` and in `g()`.
Reviewed By: sblackshear
Differential Revision: D2598110
fb-gh-sync-id: ca90b57
Summary: public
Extends the current activity leak checker to all sort of context leaks.
Reviewed By: sblackshear
Differential Revision: D2572548
fb-gh-sync-id: 9da18e4
Summary: public
This allow to tell Infer to skip the translation of some files. This is especially useful to skip the translation of some generated files following the syntax:
> cat .inferconfig
{
"skip_translation": [
{
"language": "Java",
"source_contains": "_SHOULD_BE_SKIPPED_"
}
]
}
Reviewed By: cristianoc
Differential Revision: D2588095
fb-gh-sync-id: 3fda816
Summary: public Refactoring Printfargs checker a bit to
make it callable from symbolic executor, then calling it.
Reviewed By: jeremydubreil
Differential Revision: D2361286
fb-gh-sync-id: 4b73855
Summary: public
modules are better for namespacing.
How I made this diff:
1. moved list_* functions from utils.ml{,i} to iList.ml{,i}
2. shell commands:
grep '^val ' infer/src/backend/iList.mli | cut -f 2 -d ' ' | tr '\n' ' '
# gives a list of former list_ functions that IList implements, fed into the loops below:
LISTNAMES=" compare equal append combine exists filter flatten flatten_options find fold_left fold_left2 for_all for_all2 hd iter iter2 length fold_right map mem nth partition rev rev_append rev_map sort split stable_sort tl drop_first drop_last rev_with_acc remove_duplicates remove_irrelevant_duplicates merge_sorted_nodup intersect mem_assoc assoc map2 to_string"
# replace " list_*" function calls with IList.* ones
for i in $LISTNAMES; do find . -name '*.ml' -exec sed -i -e "s/ list_$i\b/ IList.$i/g" \{\} \; ; done
# replace (list_* functions with (IList.* ones
for i in $LISTNAMES; do find . -name '*.ml' -exec sed -i -e "s/(list_$i\b/(IList.$i/g" \{\} \; ; done
# ditto with [
for i in $LISTNAMES; do find . -name '*.ml' -exec sed -i -e "s/\[list_$i\b/[IList.$i/g" \{\} \; ; done
3. Then fix up the rest by hand. In particular, stuff that called Utils.list_*
explicitely, and stuff that used the "Fail" exception that has moved to
IList. (may revisit this in the future)
Reviewed By: jeremydubreil, cristianoc
Differential Revision: D2550241
fb-gh-sync-id: cd64b10
Summary: public
Dictionary literals are normally implemented using
`+dictionaryWithObjects:forKeys:count:` but were modeled as
`+dictionaryWithObjectsAndKeys:`
In particular, `@{@"aaa": nil}` would trigger a sentinel error instead of an NPE.
This models dictionary literals as a special infer builtin that the backend
interprets so as to give NPEs when passed nil objects or keys.
Reviewed By: dulmarod
Differential Revision: D2550039
fb-gh-sync-id: 1a10656
Summary: @public
There was an inconsistency with the type of `stats.json` created by `inferlib.py` and InferAnalyze. This diff cleans up the thing and uses two different files to saves the statistics to clarify what gets created by the analysis, i.e. `proc_stats.json` and what gets created all the time `stats.json`.
Reviewed By: @sblackshear
Differential Revision: D2500517
Summary: @public Infer previously did not work correctly when a function returns the result of a skip function:
```
retUndef() {
x = undefined();
return x;
}
derefUndef() {
y = retUndef();
y.doSomething(); // Symexec_memory_error here, prevents spec inference
}
```
The problem is that angelic mode did not know to add the return value of `retUndef()` to the footprint.
This diff fixes the problem by adding return values marked with the `Aundef` attribute to the footprint.
This is done lazily (e.g., a value only gets added to the footprint when you try to deref it).
Reviewed By: @jvillard
Differential Revision: D2444929
Summary:
`get_resource_or_undef` attribute is weird and was causing problems for me in another diff.
This diff refactors the attribute categories to make resource and undef separate.
Summary:
Some build systems compile files both under the project root and under temporary
directories (e.g., /tmp), so there need not be a single project root. Just use absolute paths
in the case that we can't resolve a relative path from the project root.
Summary:
Move proc_attributes to a separate module.
Field err_log, in common between proc desc and summary, can now be moved to ProcAttributes without creating cycles of dependencies.
Summary:
There's a lot of overlap between the representation of a proc desc and a spec summary. This diff moves all the data in common to the single record proc_attributes defined in Sil.
This gives a unified way of accessing most of the data carried by a procedure, whether it is contained in a proc desc or a spec. Also, it ensures that there is a single flow of information from proc desc to spec in the back-end, making sure that the information represented stays consistent.
Summary:
Errors arising from overriding methods defined in other files were not reported, because during parallel analysis the clusters did not have access to overridden methods, so could not load their annotation.
Changed cluster generation to add location information for the methods overridden by the procedures defined in the current cluster.
Summary:
When someone runs --changed-only mode, there is a risk of corrupting the results
for future analyses. The problem is that changed-only mode does not analyze the callers of changed
procedures. If a subsequent analysis relies on the specs of one of these callers, they will be stale
and may give the wrong results. To be concrete, let's say we know `Parent.foo()` calls `Child.bar()` and we do the following rounds of analysis:
Analysis round 1: Analyze all files, including `Parent` and `Child`
Analysis round 2: Analyze `Child.bar()` only with `--changed-only flag`. `Parent.foo()` is now stale.
Analysis round 3: Add procedure `Parent.baz()` that calls `Parent.foo()`, analyze in (any) incremental mode.
The analysis will only analyze `Parent.baz()`. However, the specs for `Parent.foo()` are stale and may give us bad results for `Parent.baz()`. We want the analysis to re-analyze `Parent.baz()`, but before this diff it will not.
This diff fixes this problem by adding a `STALE` status bit to procedure summaries. In `--changed-only` mode,
the callers of a changed procedures are not re-analyzed, but their summaries are marked as stale. For both
`--changed-only` and regular incremental mode, callees of changed procedures that are marked as stale are
re-analyzed even if they have not changed. This is better than a more obvious solution like deleting stale
procedure summaries, since that would force the next analysis to re-analyze all stale procedures even if it
does not need the results for whatever analysis it is doing. This scheme implemented in this diff ensures
that each analysis only does the work that it needs to compute reliable results for its changed procedures.
Summary:
Passing the list of SuppressWarnings annotations detected during the compilation to InferPrint. The next step will be to add support for error filtering in .inferconfig and use the same mechanism. The annotation processor will generate an .inferconfig like config file and use it to suppress the reports.
Summary:
Procdesc comparison can be fragile because internal variable names
and source positions in a procedure can vary even if the procedure stays exactly the
same. This diff makes pdesc comparisons less fragile by defining structural comparsions
over instructions, nodes and expressions. These structural comparsions work by lazily
creating a mapping between names in the two procdesc's that and checking that the mapped
names are used consistently.
Summary: Another step toward getting procedure-level incrementality for Infer. Here, we just assume that *all* procs in a file have changed when the file changes, but we will filter this list using the pd_changed field of the procdesc for each procedure in the future.
Summary: Handler.postDelayed keeps a persistent reference to its Runnable argument that may cause a memory leak if an Activity is reachable from the Runnable.
Summary: The Nullable checker reported FP's when a Nullable field/param was reassigned to a non-Nullable value in the footprint. This diff fixes the problem.
Summary:
This diff allows to use to make Infer failing when using the function `failwith`. This is especially useful to use while applying complex refactoring.
Summary: Infer cannot tell if a procdesc has changed across procedure runs. If we want procedure-level incrementality, it has to know how to compute this information. This diff implements this capability by comparing a procdesc to an existing one before it is saved to disk, and marking the new one as unchanged if applicable.
Summary:
When detecting a resource leak, Infer used to raise an Leak exception and then prevent the specs to be computed for the paths containing a leak. This diff prevents resource leak to stop the analysis.
Summary:
Creating a persistent reference to an Activity leads to a nasty form of memory leaks (see http://android-developers.blogspot.com/2009/01/avoiding-memory-leaks.html, https://corner.squareup.com/2015/05/leak-canary.html). There are many ways to create a bad persistent reference to an Activity, but the most obvious one is via a static field.
This diff implements a very simple form of Activity leak checking by inspecting postconditions to see if a subtype of Activity is reachable from a static field (and it reports an error if so). This is a very simple and limited form of leak checking that does not understand the Android lifecycle at all. In particular, if one creates a persistent reference to an Activity and then nulls it out in `onDestroy` (a reasonably common pattern), this approach will wrongly report a bug.
Summary:
The methods in objc can have the same name in the same class, but one be instance and the other class,
so that we need to take the instance flag into account when defining unique names for ObjC methods.
Summary:
While `-results_dir` is still the main place to look for specs files and to write reports,
it's necessary to load specs from multiple folders because some build tools that run Infer with a target-level granularity may need to move specs files around in order to get complete reports, whereas with this change they just need to keep track of the `specs` folders generated for each target, and pass them through `-lib dir1 -lib dir2 ... -lib dirN`
Summary:
The symbolic execution was not stopping in case an unitialized dangling pointer was
passed to a function and then dereferenced inside the callee.
What would happen is that a wrong footprint would be added to the unititialized pointer
at the end of the function call in the caller proposition.
This checks that if we do:
frame * new_footprint
checks that we do not add heap predicates to the frame into uninitialized local variables.
If we can identify the variable then we raise a danglind pointer dereference. If instead
we cannot give a good explanation we give an internal error.
The latter case should be temporary. We should find a general way to raise dangling pointer
deref instead of the internal error.
I also fixed the model of getc that was the way I found the problem.
Summary:
This is small code cleanup of the code to report leaks. No functional changes, just removing code that is longer used and reorganising the control flow.
Summary:
This commit is the result of
`find infer/src -name '*.ml' -or -name '*.mli' -exec ocp-indent -i \{\} \;`
and
`INFER_CHECK_COPYRIGHT=1 InferPrint`
Summary:
The old scheme for pruning away garbage from abducted retvars/abducted params passed by ref failed to eliminate garbage in the pure constraints (pi). This occasionally caused PRECONDITION_NOT_FOUND errors that stop the analysis.
Summary:
In preparation for C++ methods, we need to have type with
class, method, mangled (for overloading?)
1. Change objc method to support it
2. Do some renames to be less confusing
Summary:
This adds a sentinel check every time a function carrying a sentinel attribute
is called, regardless of whether we have a definition for that function or not.
Summary:
This attribute was used to tag arguments to variadic functions, as a way to
detect premature sentinels. The approach to detect premature sentinels has
changed making it obsolete.
Summary:
Treat `arrayWithObjects` as a special case of a sentinel attribute check. This
will make it easier to extend to other variadic functions that use a sentinel
attribute.
This also removes the need for the `Sil.Avariadic_function_argument` attribute,
which will be removed in a subsequent diff.
Summary:
the name of the return variable of a procedure only depends on the name of that procedure. This simplifies the need for the procedure description in a couple of places
Summary:
This is a refactoring diff with no functional changes in order to move the code using the procedure description of the callees in a single place, in order to replace the approach to use a summary instead in a subsequent step.
Summary:
This reverts commit 306f5b71c24042c89f71848898402cbc9269c543.
Turns out that developers think that this bugs should be fixed. So leaving it in for now until I gather more information.
Summary:
@public
There are many FPs of the form init method that contains
if ((self = [super initWithFrame:frame])) {
...
}
return self;
then an object being initialised with that constructor and added to an array or dictionary.
There we flag NPE and very likely that won't be a bug. So I'm removing the option for self
to be nil in the constructor, which should solve the problem.
Test Plan: Changed the relevant test.
Summary:
@public
Previously, if the close() method was throwing an exception, then code overriding the file attribute with a mem attribute would be skipped, resulting in reporting a wrong resource leak. This diff fixes this.
Test Plan: Added new end-to-end tests which would previously have been failing
Summary:
@public
This is a non-functional refactoring to remove the need for having the procedure description of the callee when execution function calls.
Test Plan: Infer CI. Expecting no change in the results.
Summary: @publicThe first argument of builtin calls in C gets translated twice, which is bad if the argument is a side-effecting expression like a function call.
Test Plan: Attached test previously reported a memory leak because the translation introduces an extra call to malloc(), now reports nothing.
Summary:
@public
Currently InferAnalyze always adds bucket to the message. Later, python code
strips it, but not everywhere. Changes:
1. Since it's easy to not write bucket in ocaml, stop writing them by default.
2. Add option to print them to InferAnalyze and pass it if infer is in debug mode.
Test Plan:
1. Run on openssl, confirm that no bucket info is written to stdout and csv
2. Run on small example in debug mode and see buckets on stdout
Summary:
@public
Using InferBuiltins.assume previously caused an assertion failure in the analyzer. Fixed this, and fixed the implementation of the assume builtin to block when the assumed condition cannot hold.
Test Plan: Added several new tests.
Summary:
@public
This adds basic support for function attributes in Sil, and for translating
attributes from the clang frontend to these new Sil attributes. For now only
the sentinel attribute is translated.
Note that attributes normally have parameters, but they are currently missing
from the clang plugin.
Test Plan:
Add
(match Sil.get_sentinel_func_attribute_value (Cfg.Procdesc.get_attributes callee_pdesc).Sil.func_attributes with
| Some _ -> L.out "found sentinel attribute!\n"
| _ -> ());
between lines 947 and 948 of symbExec.ml, then analyze a file containing:
int add_all_ints(int a, ...) __attribute__ ((sentinel));
int foo(void) { return add_all_ints(1, 2, 3, (void *)0); }
then `grep 'found sentinel' infer-out/log/analyzer_out`
-> the sentinel attribute is correctly passed from the frontend to the backend.
Summary:
@public
This changes "Starting analysis" into
"Starting analysis (Infer version XXX)".
Test Plan:
infer -- clang -c hello.c
shows "Starting analysis (Infer version git-6b9fb8838bcabd2af881554d296963a849b14f50)"