(* * Copyright (c) 2018-present, Facebook, Inc. * * This source code is licensed under the MIT license found in the * LICENSE file in the root directory of this source tree. *) open! IStd module F = Format module L = Logging module MF = MarkupFormatter let debug fmt = L.(debug Analysis Verbose fmt) let is_on_ui_thread pn = ConcurrencyModels.(match get_thread pn with MainThread -> true | _ -> false) let is_nonblocking tenv proc_desc = let proc_attributes = Procdesc.get_attributes proc_desc in let is_method_suppressed = Annotations.pdesc_has_return_annot proc_desc Annotations.ia_is_nonblocking in let is_class_suppressed = PatternMatch.get_this_type proc_attributes |> Option.bind ~f:(PatternMatch.type_get_annotation tenv) |> Option.value_map ~default:false ~f:Annotations.ia_is_nonblocking in is_method_suppressed || is_class_suppressed module Payload = SummaryPayload.Make (struct type t = StarvationDomain.summary let update_payloads post (payloads : Payloads.t) = {payloads with starvation= Some post} let of_payloads (payloads : Payloads.t) = payloads.starvation end) (* using an indentifier for a class object, create an access path representing that lock; this is for synchronizing on class objects only *) let lock_of_class class_id = let ident = Ident.create_normal class_id 0 in let type_name = Typ.Name.Java.from_string "java.lang.Class" in let typ = Typ.mk (Typ.Tstruct type_name) in let typ' = Typ.mk (Typ.Tptr (typ, Typ.Pk_pointer)) in AccessPath.of_id ident typ' let is_call_to_superclass tenv ~caller ~callee = match (caller, callee) with | Typ.Procname.Java caller_method, Typ.Procname.Java callee_method -> let caller_type = Typ.Procname.Java.get_class_type_name caller_method in let callee_type = Typ.Procname.Java.get_class_type_name callee_method in PatternMatch.is_subtype tenv caller_type callee_type | _ -> L.(die InternalError "Not supposed to run on non-Java code.") module TransferFunctions (CFG : ProcCfg.S) = struct module CFG = CFG module Domain = StarvationDomain type extras = FormalMap.t let exec_instr (astate : Domain.astate) {ProcData.pdesc; tenv; extras} _ (instr : HilInstr.t) = let open ConcurrencyModels in let open StarvationModels in let is_formal base = FormalMap.is_formal base extras in let get_path actuals = match actuals with | HilExp.AccessExpression access_exp :: _ -> ( match AccessExpression.to_access_path access_exp with | (((Var.ProgramVar pvar, _) as base), _) as path when is_formal base || Pvar.is_global pvar -> Some (AccessPath.inner_class_normalize path) | _ -> (* ignore paths on local or logical variables *) None ) | HilExp.Constant (Const.Cclass class_id) :: _ -> (* this is a synchronized/lock(CLASSNAME.class) construct *) Some (lock_of_class class_id) | _ -> None in let do_lock actuals loc astate = get_path actuals |> Option.value_map ~default:astate ~f:(Domain.acquire astate loc) in let do_unlock actuals astate = get_path actuals |> Option.value_map ~default:astate ~f:(Domain.release astate) in match instr with | Call (_, Direct callee, actuals, _, loc) -> ( match get_lock callee actuals with | Lock -> do_lock actuals loc astate | Unlock -> do_unlock actuals astate | LockedIfTrue -> astate | NoEffect when should_skip_analysis tenv callee actuals -> astate | NoEffect when is_synchronized_library_call tenv callee -> (* model a synchronized call without visible internal behaviour *) do_lock actuals loc astate |> do_unlock actuals | NoEffect when is_on_ui_thread callee -> let explanation = F.asprintf "it calls %a" (MF.wrap_monospaced Typ.Procname.pp) callee in Domain.set_on_ui_thread astate loc explanation | NoEffect -> ( let caller = Procdesc.get_proc_name pdesc in match may_block tenv callee actuals with | Some sev -> Domain.blocking_call ~caller ~callee sev loc astate | None -> Payload.read pdesc callee |> Option.value_map ~default:astate ~f:(fun summary -> (* if not calling a method in a superclass then set order to empty to avoid blaming a caller in one class for deadlock/starvation happening in the callee class *) let summary = if is_call_to_superclass tenv ~caller ~callee then summary else {summary with Domain.order= Domain.OrderDomain.empty} in Domain.integrate_summary astate callee loc summary ) ) ) | _ -> astate let pp_session_name _node fmt = F.pp_print_string fmt "starvation" end module Analyzer = LowerHil.MakeAbstractInterpreter (ProcCfg.Normal) (TransferFunctions) let die_if_not_java proc_desc = let is_java = Procdesc.get_proc_name proc_desc |> Typ.Procname.get_language |> Language.(equal Java) in if not is_java then L.(die InternalError "Not supposed to run on non-Java code yet.") let analyze_procedure {Callbacks.proc_desc; tenv; summary} = let open StarvationDomain in die_if_not_java proc_desc ; let pname = Procdesc.get_proc_name proc_desc in let formals = FormalMap.make proc_desc in let proc_data = ProcData.make proc_desc tenv formals in let loc = Procdesc.get_loc proc_desc in let initial = if not (Procdesc.is_java_synchronized proc_desc) then StarvationDomain.empty else let lock = match pname with | Typ.Procname.Java java_pname when Typ.Procname.Java.is_static java_pname -> (* this is crafted so as to match synchronized(CLASSNAME.class) constructs *) Typ.Procname.Java.get_class_type_name java_pname |> Typ.Name.name |> Ident.string_to_name |> lock_of_class |> Option.some | _ -> FormalMap.get_formal_base 0 formals |> Option.map ~f:(fun base -> (base, [])) in Option.value_map lock ~default:StarvationDomain.empty ~f:(StarvationDomain.acquire StarvationDomain.empty loc) in let initial = ConcurrencyModels.runs_on_ui_thread tenv proc_desc |> Option.value_map ~default:initial ~f:(StarvationDomain.set_on_ui_thread initial loc) in let filter_blocks = if is_nonblocking tenv proc_desc then fun ({events; order} as astate) -> { astate with events= EventDomain.filter (function {elem= MayBlock _} -> false | _ -> true) events ; order= OrderDomain.filter (function {elem= {eventually= {elem= MayBlock _}}} -> false | _ -> true) order } else Fn.id in Analyzer.compute_post proc_data ~initial |> Option.map ~f:filter_blocks |> Option.value_map ~default:summary ~f:(fun astate -> Payload.update_summary astate summary) (** per-procedure report map, which takes care of deduplication *) module ReportMap : sig type t val empty : t val add_deadlock : Tenv.t -> Procdesc.t -> Location.t -> Errlog.loc_trace -> string -> t -> t val add_starvation : Tenv.t -> StarvationDomain.Event.severity_t -> Procdesc.t -> Location.t -> Errlog.loc_trace -> string -> t -> t val log : t -> unit end = struct type starvation_t = StarvationDomain.Event.severity_t type deadlock_t = int type 'weight_t report_t = {weight: 'weight_t; pname: Typ.Procname.t; ltr: Errlog.loc_trace; message: string} module LocMap = PrettyPrintable.MakePPMap (Location) type t = (deadlock_t report_t list * starvation_t report_t list) LocMap.t let empty : t = LocMap.empty let add_deadlock tenv pdesc loc ltr message (map : t) = let pname = Procdesc.get_proc_name pdesc in if Reporting.is_suppressed tenv pdesc IssueType.deadlock ~field_name:None then map else let rep = {weight= -List.length ltr; pname; ltr; message} in let deadlocks, starvations = try LocMap.find loc map with Caml.Not_found -> ([], []) in let new_reports = (rep :: deadlocks, starvations) in LocMap.add loc new_reports map let add_starvation tenv sev pdesc loc ltr message map = let pname = Procdesc.get_proc_name pdesc in if Reporting.is_suppressed tenv pdesc IssueType.starvation ~field_name:None then map else let rep = {weight= sev; pname; ltr; message} in let deadlocks, starvations = try LocMap.find loc map with Caml.Not_found -> ([], []) in let new_reports = (deadlocks, rep :: starvations) in LocMap.add loc new_reports map let log map = let log_report issuetype loc {pname; ltr; message} = Reporting.log_issue_external pname Exceptions.Error ~loc ~ltr issuetype message in let mk_deduped_report num_of_reports ({message} as report) = { report with message= Printf.sprintf "%s %d more report(s) on the same line suppressed." message (num_of_reports - 1) } in let log_loc_reports issuetype compare loc = function | [] -> () | [report] -> log_report issuetype loc report | reports -> List.max_elt ~compare:(fun {weight} {weight= weight'} -> compare weight weight') reports |> Option.iter ~f:(fun rep -> mk_deduped_report (List.length reports) rep |> log_report issuetype loc ) in let log_location loc (deadlocks, starvations) = log_loc_reports IssueType.deadlock Int.compare loc deadlocks ; log_loc_reports IssueType.starvation StarvationDomain.Event.compare_severity_t loc starvations in LocMap.iter log_location map end let should_report_deadlock_on_current_proc current_elem endpoint_elem = let open StarvationDomain in match (current_elem.Order.elem.first, current_elem.Order.elem.eventually.elem) with | _, MayBlock _ -> (* should never happen *) L.die InternalError "Deadlock cannot occur without two lock events: %a" Order.pp current_elem | ((Var.LogicalVar _, _), []), _ -> (* first elem is a class object (see [lock_of_class]), so always report because the reverse ordering on the events will not occur *) true | ((Var.LogicalVar _, _), _ :: _), _ | _, LockAcquire ((Var.LogicalVar _, _), _) -> (* first elem has an ident root, but has a non-empty access path, which means we are not filtering out local variables (see [exec_instr]), or, second elem has an ident root, which should not happen if we are filtering locals *) L.die InternalError "Deadlock cannot occur on these logical variables: %a @." Order.pp current_elem | ((_, typ1), _), LockAcquire ((_, typ2), _) -> (* use string comparison on types as a stable order to decide whether to report a deadlock *) let c = String.compare (Typ.to_string typ1) (Typ.to_string typ2) in c < 0 || Int.equal 0 c && (* same class, so choose depending on location *) Location.compare current_elem.Order.elem.eventually.Event.loc endpoint_elem.Order.elem.eventually.Event.loc < 0 let public_package_prefixes = ["java"; "android"] let should_report pdesc = match Procdesc.get_proc_name pdesc with | Typ.Procname.Java java_pname -> ( if Config.dev_android_strict_mode then match Typ.Procname.Java.get_package java_pname with | None -> false | Some package -> (* the proc must be package-public, but we can't check for that *) List.exists public_package_prefixes ~f:(fun prefix -> String.is_prefix package ~prefix) else true ) && Procdesc.get_access pdesc <> PredSymb.Private && (not (Typ.Procname.Java.is_autogen_method java_pname)) && not (Typ.Procname.Java.is_class_initializer java_pname) | _ -> L.(die InternalError "Not supposed to run on non-Java code.") let fold_reportable_summaries (tenv, current_pdesc) clazz ~init ~f = let methods = Tenv.lookup tenv clazz |> Option.value_map ~default:[] ~f:(fun tstruct -> tstruct.Typ.Struct.methods) in let f acc mthd = Ondemand.get_proc_desc mthd |> Option.value_map ~default:acc ~f:(fun other_pdesc -> if should_report other_pdesc then Payload.read current_pdesc mthd |> Option.map ~f:(fun payload -> (mthd, payload)) |> Option.fold ~init:acc ~f else acc ) in List.fold methods ~init ~f (* Note about how many times we report a deadlock: normally twice, at each trace starting point. Due to the fact we look for deadlocks in the summaries of the class at the root of a path, this will fail when (a) the lock is of class type (ie as used in static sync methods), because then the root is an identifier of type java.lang.Class and (b) when the lock belongs to an inner class but this is no longer obvious in the path, because of nested-class path normalisation. The net effect of the above issues is that we will only see these locks in conflicting pairs once, as opposed to twice with all other deadlock pairs. *) let report_deadlocks env {StarvationDomain.order; ui} report_map' = if Config.dev_android_strict_mode then ReportMap.empty else let open StarvationDomain in let tenv, current_pdesc = env in let current_pname = Procdesc.get_proc_name current_pdesc in let pp_acquire fmt (lock, loc, pname) = F.fprintf fmt "%a (%a in %a)" Lock.pp lock Location.pp loc (MF.wrap_monospaced Typ.Procname.pp) pname in let pp_thread fmt ( pname , { Order.loc= loc1 ; trace= trace1 ; elem= {first= lock1; eventually= {elem= event; loc= loc2; trace= trace2}} } ) = match event with | LockAcquire lock2 -> let pname1 = List.last trace1 |> Option.value_map ~default:pname ~f:CallSite.pname in let pname2 = List.last trace2 |> Option.value_map ~default:pname1 ~f:CallSite.pname in F.fprintf fmt "first %a and then %a" pp_acquire (lock1, loc1, pname1) pp_acquire (lock2, loc2, pname2) | _ -> L.die InternalError "Trying to report a deadlock without two lock events." in let report_endpoint_elem current_elem endpoint_pname elem report_map = if not ( Order.may_deadlock current_elem elem && should_report_deadlock_on_current_proc current_elem elem ) then report_map else let () = debug "Possible deadlock:@.%a@.%a@." Order.pp current_elem Order.pp elem in match (current_elem.Order.elem.eventually.elem, elem.Order.elem.eventually.elem) with | LockAcquire _, LockAcquire _ -> let error_message = Format.asprintf "Potential deadlock.@.Trace 1 (starts at %a) %a.@.Trace 2 (starts at %a), %a." (MF.wrap_monospaced Typ.Procname.pp) current_pname pp_thread (current_pname, current_elem) (MF.wrap_monospaced Typ.Procname.pp) endpoint_pname pp_thread (endpoint_pname, elem) in let first_trace = Order.make_trace ~header:"[Trace 1] " current_pname current_elem in let second_trace = Order.make_trace ~header:"[Trace 2] " endpoint_pname elem in let ltr = first_trace @ second_trace in let loc = Order.get_loc current_elem in ReportMap.add_deadlock tenv current_pdesc loc ltr error_message report_map | _, _ -> report_map in let report_on_current_elem elem report_map = match elem.Order.elem.eventually.elem with | MayBlock _ -> report_map | LockAcquire endpoint_lock -> Lock.owner_class endpoint_lock |> Option.value_map ~default:report_map ~f:(fun endpoint_class -> (* get the class of the root variable of the lock in the endpoint elem and retrieve all the summaries of the methods of that class *) (* for each summary related to the endpoint, analyse and report on its pairs *) fold_reportable_summaries env endpoint_class ~init:report_map ~f:(fun acc (endp_pname, endpoint_summary) -> let endp_order = endpoint_summary.order in let endp_ui = endpoint_summary.ui in if UIThreadDomain.is_empty ui || UIThreadDomain.is_empty endp_ui then OrderDomain.fold (report_endpoint_elem elem endp_pname) endp_order acc else acc ) ) in OrderDomain.fold report_on_current_elem order report_map' let report_starvation env {StarvationDomain.events; ui} report_map' = let open StarvationDomain in let tenv, current_pdesc = env in let current_pname = Procdesc.get_proc_name current_pdesc in let report_remote_block ui_explain event current_lock endpoint_pname endpoint_elem report_map = let lock = endpoint_elem.Order.elem.first in match endpoint_elem.Order.elem.eventually.elem with | MayBlock (block_descr, sev) when Lock.equal current_lock lock -> let error_message = Format.asprintf "Method %a runs on UI thread (because %a) and %a, which may be held by another thread \ which %s." (MF.wrap_monospaced Typ.Procname.pp) current_pname UIThreadExplanationDomain.pp ui_explain Lock.pp lock block_descr in let first_trace = Event.make_trace ~header:"[Trace 1] " current_pname event in let second_trace = Order.make_trace ~header:"[Trace 2] " endpoint_pname endpoint_elem in let ui_trace = UIThreadExplanationDomain.make_trace ~header:"[Trace 1 on UI thread] " current_pname ui_explain in let ltr = first_trace @ second_trace @ ui_trace in let loc = Event.get_loc event in ReportMap.add_starvation tenv sev current_pdesc loc ltr error_message report_map | _ -> report_map in let report_on_current_elem ui_explain event report_map = match event.Event.elem with | MayBlock (_, sev) -> let error_message = Format.asprintf "Method %a runs on UI thread (because %a), and may block; %a." (MF.wrap_monospaced Typ.Procname.pp) current_pname UIThreadExplanationDomain.pp ui_explain Event.pp event in let loc = Event.get_loc event in let trace = Event.make_trace current_pname event in let ui_trace = UIThreadExplanationDomain.make_trace ~header:"[Trace on UI thread] " current_pname ui_explain in let ltr = trace @ ui_trace in ReportMap.add_starvation tenv sev current_pdesc loc ltr error_message report_map | LockAcquire endpoint_lock -> Lock.owner_class endpoint_lock |> Option.value_map ~default:report_map ~f:(fun endpoint_class -> (* get the class of the root variable of the lock in the endpoint elem and retrieve all the summaries of the methods of that class *) (* for each summary related to the endpoint, analyse and report on its pairs *) fold_reportable_summaries env endpoint_class ~init:report_map ~f:(fun acc (endpoint_pname, {order; ui}) -> (* skip methods known to run on ui thread, as they cannot run in parallel to us *) if UIThreadDomain.is_empty ui then OrderDomain.fold (report_remote_block ui_explain event endpoint_lock endpoint_pname) order acc else acc ) ) in let report_strict_mode event rmap = match event.Event.elem with | MayBlock (_, sev) -> let error_message = Format.asprintf "Method %a commits a strict mode violation; %a." (MF.wrap_monospaced Typ.Procname.pp) current_pname Event.pp event in let loc = Event.get_loc event in let ltr = Event.make_trace current_pname event in ReportMap.add_starvation tenv sev current_pdesc loc ltr error_message rmap | _ -> rmap in if Config.dev_android_strict_mode then EventDomain.fold report_strict_mode events report_map' else match ui with | AbstractDomain.Types.Bottom -> report_map' | AbstractDomain.Types.NonBottom ui_explain -> EventDomain.fold (report_on_current_elem ui_explain) events report_map' let reporting {Callbacks.procedures; source_file} = let report_procedure ((_, proc_desc) as env) = die_if_not_java proc_desc ; if should_report proc_desc then Payload.read proc_desc (Procdesc.get_proc_name proc_desc) |> Option.iter ~f:(fun summary -> report_deadlocks env summary ReportMap.empty |> report_starvation env summary |> ReportMap.log ) in List.iter procedures ~f:report_procedure ; IssueLog.store Config.starvation_issues_dir_name source_file