(* * Copyright (c) Facebook, Inc. and its affiliates. * * This source code is licensed under the MIT license found in the * LICENSE file in the root directory of this source tree. *) (** Interval abstract domain *) open Apron let equal_apron_typ = (* Apron.Texpr1.typ is a sum of nullary constructors *) Poly.equal (** Apron-managed map from variables to intervals *) type t = Box.t Abstract1.t let man = lazy (Box.manager_alloc ()) let join l r = Some (Abstract1.join (Lazy.force man) l r) let equal l r = Abstract1.is_eq (Lazy.force man) l r let is_false x = Abstract1.is_bottom (Lazy.force man) x let bindings (itv : t) = let itv = Abstract1.minimize_environment (Lazy.force man) itv in let box = Abstract1.to_box (Lazy.force man) itv in let vars = Environment.vars box.box1_env |> fun (i, r) -> Array.append i r in Array.zip_exn vars box.interval_array let sexp_of_t (itv : t) = let sexps = Array.fold (bindings itv) ~init:[] ~f:(fun acc (v, {inf; sup}) -> Sexp.List [ Sexp.Atom (Var.to_string v); Sexp.Atom (Scalar.to_string inf) ; Sexp.Atom (Scalar.to_string sup) ] :: acc ) in Sexp.List sexps let pp fs = let pp_pair a_pp b_pp fs (a, b) = Format.fprintf fs "@[(%a@,%a)@]" a_pp a b_pp b in bindings >> Array.pp "@," (pp_pair Var.print Interval.print) fs let report_fmt_thunk = Fn.flip pp let init _gs = Abstract1.top (Lazy.force man) (Environment.make [||] [||]) let apron_var_of_name = (fun nm -> "%" ^ nm) >> Apron.Var.of_string let apron_var_of_reg = Reg.name >> apron_var_of_name let rec apron_typ_of_llair_typ : Typ.t -> Texpr1.typ option = function | Pointer {elt= _} -> apron_typ_of_llair_typ Typ.siz | Integer {bits= _} -> Some Texpr1.Int | Float {bits= 32; enc= `IEEE} -> Some Texpr1.Single | Float {bits= 64; enc= `IEEE} -> Some Texpr1.Double | Float {bits= 80; enc= `Extended} -> Some Texpr1.Extended | Float {bits= 128; enc= `IEEE} -> Some Texpr1.Quad | t -> warn "No corresponding apron type for llair type %a " Typ.pp t () ; None let apron_of_q = Q.to_float >> fun fp -> Texpr1.Cst (Coeff.s_of_float fp) let rec pow base typ = function | 1 -> base | z -> Texpr1.Binop (Texpr1.Mul, base, pow base typ (z - 1), typ, Texpr0.Rnd) (* An n-ary term with [subtms] {(q0, e0), ..., (qn, en)} is interpreted as: * ∑ᵢ eᵢ*qᵢ (when [op] is [Texpr1.Add]) * ∏ᵢ eᵢ^qᵢ (when [op] is [Texpr1.Mul]) * (See sledge/src/llair/term.ml functions assert_(mono|poly)mial for details) *) let rec texpr_of_nary_term subtms typ q op = assert (Qset.length subtms >= 2) ; let term_to_texpr (tm, coeff) = let* base = apron_texpr_of_llair_term tm q typ in match op with | Texpr1.Add -> Some (Texpr1.Binop (Texpr1.Mul, base, apron_of_q coeff, typ, Texpr0.Rnd)) | Texpr1.Mul (* only handle positive integer exponents *) when Z.equal Z.one (Q.den coeff) && Q.sign coeff = 1 -> Some (pow base typ (Q.to_int coeff)) | _ -> None in match Qset.to_list subtms with | hd :: tl -> List.fold tl ~init:(term_to_texpr hd) ~f:(fun acc curr -> let* c = term_to_texpr curr in let+ a = acc in Texpr1.Binop (op, c, a, typ, Texpr0.Rnd) ) | _ -> assert false and apron_texpr_of_llair_term tm q typ = match (tm : Term.t) with | Add terms -> texpr_of_nary_term terms typ q Texpr1.Add | Mul terms -> texpr_of_nary_term terms typ q Texpr1.Mul | Var {name} -> Some (Texpr1.Var (apron_var_of_name name)) | Integer {data} -> Some (Texpr1.Cst (Coeff.s_of_int (Z.to_int data))) | Float {data} -> let f = try Float.of_string data with Invalid_argument _ -> failwith "malformed float: %s" in Some (Texpr1.Cst (Coeff.s_of_float f)) | Ap1 (Convert {dst; src}, t) -> ( match (apron_typ_of_llair_typ dst, apron_typ_of_llair_typ src) with | None, _ | _, None -> None | Some dst, Some src -> let subtm = apron_texpr_of_llair_term t q src in if equal_apron_typ src dst then subtm else let+ t = subtm in Texpr1.Unop (Texpr1.Cast, t, dst, Texpr0.Rnd) ) (* extraction to unsigned 1-bit int is llvm encoding of C boolean; restrict to [0,1] *) | Ap1 (Unsigned {bits= 1}, _t) -> Some (Texpr1.Cst (Coeff.i_of_int 0 1)) (* "t xor true" and "true xor t" are negation *) | Ap2 (Xor, t, Integer {data}) when Z.is_true data -> let+ t = apron_texpr_of_llair_term t q typ in Texpr1.Unop (Texpr1.Neg, t, typ, Texpr0.Rnd) | Ap2 (Xor, Integer {data}, t) when Z.is_true data -> let+ t = apron_texpr_of_llair_term t q typ in Texpr1.Unop (Texpr1.Neg, t, typ, Texpr0.Rnd) (* query apron for abstract evaluation of binary operations*) | Ap2 (op, t1, t2) -> let* f = match op with | Rem -> Some (mk_arith_binop typ Texpr0.Mod) | Div -> Some (mk_arith_binop typ Texpr0.Div) | Eq -> Some (mk_bool_binop typ q Tcons0.EQ) | Dq -> Some (mk_bool_binop typ q Tcons0.DISEQ) | Lt -> Some (Fn.flip (mk_bool_binop typ q Tcons0.SUP)) | Le -> Some (Fn.flip (mk_bool_binop typ q Tcons0.SUPEQ)) | _ -> None in let* te1 = apron_texpr_of_llair_term t1 q typ in let+ te2 = apron_texpr_of_llair_term t2 q typ in f te1 te2 | x -> [%Trace.info "No corresponding apron term for llair term: %a" Term.pp x] ; None and mk_arith_binop typ op te1 te2 = Texpr1.Binop (op, te1, te2, typ, Texpr0.Rnd) (** abstract evaluation of boolean binary operation [te1 op te2] at [q] by translation to [te1 - te2 op 0] and intersection with [q]*) and mk_bool_binop typ q op te1 te2 = let env = Abstract1.env q in let lhs = Texpr1.Binop (Texpr1.Sub, te1, te2, typ, Texpr0.Rnd) in let tcons = Tcons1.make (Texpr1.of_expr env lhs) op in let ea = Tcons1.array_make env 1 $> fun ea -> Tcons1.array_set ea 0 tcons in (* if meet of q with tree constraint encoding of binop is: (bottom -> binop definitely false); (unchanged from q -> binop definitely true); (else -> binop may be true or false) *) let meet = Abstract1.meet_tcons_array (Lazy.force man) q ea in if is_false meet then Texpr1.Cst (Coeff.s_of_int 0) else if equal meet q then Texpr1.Cst (Coeff.s_of_int (-1)) else Texpr1.Cst (Coeff.i_of_int (-1) 0) let assign reg exp q = [%Trace.call fun {pf} -> pf "{%a}@\n%a := %a" pp q Reg.pp reg Exp.pp exp] ; let lval = apron_var_of_reg reg in ( match Option.bind ~f:(apron_texpr_of_llair_term (Exp.term exp) q) (apron_typ_of_llair_typ (Reg.typ reg)) with | Some e -> let env = Abstract1.env q in let new_env = match ( Environment.mem_var env lval , apron_typ_of_llair_typ (Reg.typ reg) ) with | true, _ -> env | false, Some Texpr1.Int -> Environment.add env [|lval|] [||] | false, _ -> Environment.add env [||] [|lval|] in let man = Lazy.force man in let q = Abstract1.change_environment man q new_env true in Abstract1.assign_texpr man q lval (Texpr1.of_expr new_env e) None | _ -> q ) |> [%Trace.retn fun {pf} r -> pf "{%a}" pp r] (** block if [e] is known to be false; skip otherwise *) let exec_assume q e = match Option.bind ~f:(apron_texpr_of_llair_term (Exp.term e) q) (apron_typ_of_llair_typ (Exp.typ e)) with | Some e -> let cond = Abstract1.bound_texpr (Lazy.force man) q (Texpr1.of_expr q.env e) in if Interval.is_zero cond then None else Some q | _ -> Some q (** existentially quantify killed register [r] out of state [q] *) let exec_kill q r = let apron_v = apron_var_of_reg r in if Environment.mem_var (Abstract1.env q) apron_v then Abstract1.forget_array (Lazy.force man) q [|apron_v|] false else q (** perform a series [move_vec] of reg:=exp moves at state [q] *) let exec_move q move_vec = let defs, uses = Vector.fold move_vec ~init:(Reg.Set.empty, Reg.Set.empty) ~f:(fun (defs, uses) (r, e) -> (Set.add defs r, Exp.fold_regs e ~init:uses ~f:Set.add) ) in assert (Set.disjoint defs uses) ; Vector.fold move_vec ~init:q ~f:(fun a (r, e) -> assign r e a) let exec_inst q i = match (i : Llair.inst) with | Move {reg_exps; loc= _} -> Some (exec_move q reg_exps) | Store {ptr; exp; len= _; loc= _} -> ( match Reg.of_exp ptr with | Some reg -> Some (assign reg exp q) | None -> Some q ) | Load {reg; ptr; len= _; loc= _} -> Some (assign reg ptr q) | Nondet {reg= Some reg; msg= _; loc= _} -> Some (exec_kill q reg) | Nondet {reg= None; msg= _; loc= _} |Alloc _ | Memset _ | Memcpy _ | Memmov _ | Free _ -> Some q | Abort _ -> None (** Treat any intrinsic function as havoc on the return register [aret] *) let exec_intrinsic ~skip_throw:_ pre aret i _ = let name = Reg.name i in if List.exists [ "malloc"; "aligned_alloc"; "calloc"; "posix_memalign"; "realloc" ; "mallocx"; "rallocx"; "xallocx"; "sallocx"; "dallocx"; "sdallocx" ; "nallocx"; "malloc_usable_size"; "mallctl"; "mallctlnametomib" ; "mallctlbymib"; "malloc_stats_print"; "strlen" ; "__cxa_allocate_exception"; "_ZN5folly13usingJEMallocEv" ] ~f:(String.equal name) then Option.map ~f:(Option.some << exec_kill pre) aret else None type from_call = {areturn: Reg.t option; caller_q: t} [@@deriving sexp_of] let recursion_beyond_bound = `prune (** existentially quantify locals *) let post locals _ (q : t) = let locals = Set.fold locals ~init:[] ~f:(fun a r -> let v = apron_var_of_reg r in if Environment.mem_var q.env v then v :: a else a ) |> Array.of_list in Abstract1.forget_array (Lazy.force man) q locals false (** drop caller-local variables, add returned value to caller state *) let retn _ freturn {areturn; caller_q} callee_q = match (areturn, freturn) with | Some aret, Some fret -> let env_fret_only = match apron_typ_of_llair_typ (Reg.typ fret) with | None -> Environment.make [||] [||] | Some Texpr1.Int -> Environment.make [|apron_var_of_reg fret|] [||] | _ -> Environment.make [||] [|apron_var_of_reg fret|] in let env = Environment.lce env_fret_only (Abstract1.env caller_q) in let man = Lazy.force man in let callee_fret = (* drop all callee vars, scope to (caller + freturn) env *) Abstract1.change_environment man callee_q env_fret_only false |> fun q -> Abstract1.change_environment man q env false in let caller_q = Abstract1.change_environment man caller_q env false in let result = Abstract1.meet man callee_fret caller_q in Abstract1.rename_array man result [|apron_var_of_reg fret|] [|apron_var_of_reg aret|] | Some aret, None -> exec_kill caller_q aret | None, _ -> caller_q (** map actuals to formals (via temporary registers), stash constraints on caller-local variables. Note that this exploits the non-relational-ness of Box to ignore all variables other than the formal/actual params/ returns; this will not be possible if extended to a relational domain *) let call ~summaries ~globals:_ ~actuals ~areturn ~formals ~freturn:_ ~locals:_ q = if summaries then todo "Summaries not yet implemented for interval analysis" () else let mangle r = Reg.program (Reg.typ r) ("__tmp__" ^ Reg.name r) in let args = List.zip_exn formals actuals in let q' = List.fold args ~init:q ~f:(fun q (f, a) -> assign (mangle f) a q) in let callee_env = List.fold formals ~init:([], []) ~f:(fun (is, fs) f -> match apron_typ_of_llair_typ (Reg.typ f) with | None -> (is, fs) | Some Texpr1.Int -> (apron_var_of_reg (mangle f) :: is, fs) | _ -> (is, apron_var_of_reg (mangle f) :: fs) ) |> fun (is, fs) -> Environment.make (Array.of_list is) (Array.of_list fs) in let man = Lazy.force man in let q'' = Abstract1.change_environment man q' callee_env false in let q''' = Abstract1.rename_array man q'' (Array.of_list_map ~f:(mangle >> apron_var_of_reg) formals) (Array.of_list_map ~f:apron_var_of_reg formals) in (q''', {areturn; caller_q= q}) let dnf q = [q] let resolve_callee lookup ptr q = match Reg.of_exp ptr with | Some callee -> (lookup (Reg.name callee), q) | None -> ([], q) type summary = t let pp_summary = pp let apply_summary _ _ = None let create_summary ~locals:_ ~formals:_ q = (q, q)