Source: alarmset.ml (p.frama-c.32.0~beta.doc.src.frama-c-eva.core)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409(**************************************************************************) (* *) (* SPDX-License-Identifier LGPL-2.1 *) (* Copyright (C) *) (* CEA (Commissariat à l'énergie atomique et aux énergies alternatives) *) (* *) (**************************************************************************) open Cil_types module M = Alarms.Map type alarm = Alarms.t type status = Abstract_interp.Comp.result = True | False | Unknown type s = status M.t type t = Just of s | AllBut of s type 'a if_consistent = [ `Value of 'a | `Inconsistent ] let string_of_predicate_status = function | Unknown -> "unknown" | True -> "valid" | False -> "invalid" let pretty_status fmt v = Format.fprintf fmt "%s" (string_of_predicate_status v) module Status = struct include Datatype.Make_with_collections (struct type t = status include Datatype.Serializable_undefined let name = "Alarmset.status" let reprs = [ True; False; False; Unknown ] let mem_project = Datatype.never_any_project let pretty = pretty_status let compare (s1:t) (s2:t) = Stdlib.compare s1 s2 let equal (s1:t) (s2:t) = s1 = s2 let hash (s:t) = Hashtbl.hash s end) let join x y = match x, y with | True, True -> True | False, False -> False | True, False | False, True | Unknown, _ | _, Unknown -> Unknown let inter x y = match x, y with | Unknown, _ -> `Value y | _, Unknown -> `Value x | True, True -> `Value True | False, False -> `Value False | True, False | False, True -> `Inconsistent end module D = Alarms.Map.Make (Status) let pretty fmt = function | Just m -> Format.fprintf fmt "Just %a" D.pretty m | AllBut m -> Format.fprintf fmt "AllBut %a" D.pretty m let none = Just M.empty let all = AllBut M.empty let equal a b = match a, b with | Just m, Just n | AllBut m, AllBut n -> M.equal Status.equal m n | _, _ -> false let get = function Just m | AllBut m -> m let is_empty = function | AllBut _ -> false | Just m -> M.is_empty m let singleton ?(status=Unknown) a = if status = True then Just M.empty else Just (M.singleton a status) let set alarm status = function | Just m -> if status = True then Just (M.remove alarm m) else Just (M.add alarm status m) | AllBut m -> if status = Unknown then AllBut (M.remove alarm m) else AllBut (M.add alarm status m) let default = function | Just _ -> True | AllBut _ -> Unknown let find alarm set = try match set with | Just m | AllBut m -> M.find alarm m with Not_found -> default set (* Merges two alarm maps [s1] and [s2], using [merge_status] to merge merge the statuses bound to a same alarm. If [combine] is true, both alarm maps [s1] and [s2] have been produced in the same state but for different expressions [e1] and [e2]: they may contain different alarms, but should always have the same status bound to a same alarm. Do not use the default status for alarms in [s1] missing in [s2] (and vice versa): such alarms may have no meaning for [e2], and should have the same status in [s2] than in [s1] anyway. If [combine] is false, both maps come from the evaluation of the same expression in different states. In this case, use the default status for any alarm missing in one side. *) let merge ~combine merge_status s1 s2 = let d1 = default s1 and d2 = default s2 in let m1 = get s1 and m2 = get s2 in let closed_set = match merge_status d1 d2 with | True -> true | Unknown -> false | False -> assert false in let return = if closed_set then function True -> None | p -> Some p else function Unknown -> None | p -> Some p in let merge _ p1 p2 = match p1, p2 with | None, None -> assert false | Some p, None -> if combine then Some p else return (merge_status p d2) | None, Some p -> if combine then Some p else return (merge_status d1 p) | Some p1, Some p2 -> return (merge_status p1 p2) in if closed_set then Just (M.merge merge m1 m2) else AllBut (M.merge merge m1 m2) let union = merge ~combine:false Status.join exception Inconsistent let intersect status1 status2 = match Status.inter status1 status2 with | `Value status -> status | `Inconsistent -> raise Inconsistent let inter s1 s2 = try `Value (merge ~combine:false intersect s1 s2) with Inconsistent -> `Inconsistent let combine s1 s2 = (* [intersect] is only applied if both maps explicitly contain the same alarm. As both maps have been produced in the same state, the statuses for this alarm should be consistent. *) try merge ~combine:true intersect s1 s2 with Inconsistent -> Self.fatal ~current:true "Inconsistent combination of two alarm maps %a and %a." pretty s1 pretty s2 let iter f = function | Just m -> M.iter f m | AllBut _ -> assert false let fold f acc = function | Just m -> M.fold f m acc | AllBut _ -> assert false let exists test ~default = function | Just m -> M.exists test m || default True | AllBut m -> M.exists test m || default Unknown let for_all test ~default = function | Just m -> M.for_all test m && default True | AllBut m -> M.for_all test m && default Unknown (* -------------------------------------------------------------------------- Alarms ------------------------------------------------------------------------ *) let emitter = Eva_utils.emitter (* Printer that shows additional information about temporaries *) let local_printer: Printer.extensible_printer = let open Cil_types in object (self) inherit Printer.extensible_printer () as super (* Temporary variables for which we want to print more information *) val mutable temporaries = Cil_datatype.Varinfo.Set.empty method! code_annotation fmt ca = temporaries <- Cil_datatype.Varinfo.Set.empty; match ca.annot_content with | AAssert (_, p) -> (* ignore the ACSL name *) let p = p.tp_statement.pred_content in Format.fprintf fmt "@[<v>@[assert@ %a;@]" self#predicate_node p; (* print temporary variables information *) if not (Cil_datatype.Varinfo.Set.is_empty temporaries) then begin Format.fprintf fmt "@ @[(%t)@]" self#pp_temporaries end; Format.fprintf fmt "@]"; | _ -> assert false method private pp_temporaries fmt = let pp_var fmt vi = Format.fprintf fmt "%s from@ @[%s@]" vi.vname (Option.get vi.vdescr) in Pretty_utils.pp_iter Cil_datatype.Varinfo.Set.iter ~pre:"" ~suf:"" ~sep:",@ " pp_var fmt temporaries method! logic_var fmt lvi = (match lvi.lv_origin with | None | Some { vdescr = None }-> () | Some ({ vdescr = Some _ } as vi) -> temporaries <- Cil_datatype.Varinfo.Set.add vi temporaries ); super#logic_var fmt lvi end let pr_annot = local_printer#code_annotation (* Default behaviour: print one alarm per kinstr. *) module Alarm_key = Datatype.Pair_with_collections (Cil_datatype.Kinstr) (Alarms) module Alarm_cache = State_builder.Hashtbl (Alarm_key.Hashtbl) (Datatype.Unit) (struct let name = "Value_messages.Alarm_cache" let dependencies = [Self.state] let size = 35 end) (* Has the given alarm already been emitted by the current analysis? For now, alarms emitted at Kglobal are bound to the first statement of the main function by the kernel, so we also need to check this case. *) let already_emitted stmt alarm = Alarm_cache.mem (Kstmt stmt, alarm) || Kernel_function.is_first_stmt (fst (Globals.entry_point ())) stmt && Alarm_cache.mem (Kglobal, alarm) let loc = function | Cil_types.Kglobal -> (* can occur in case of obscure bugs (already happened) with wacky initializers. Module Initial_state of value analysis correctly positions the loc *) Current_loc.get () | Cil_types.Kstmt s -> Cil_datatype.Stmt.loc s let report_alarm ~pos annot msg = Self.warning ~wkey:Self.wkey_alarm ~pos ~stacktrace:true "@[%s.@ @[<hov 2>%a@]@]" msg pr_annot annot let string_fkind = function | Cil_types.FFloat -> "float" | Cil_types.FDouble -> "double" | Cil_types.FLongDouble -> "long double" (** Emitting alarms *) let register_alarm ~pos alarm status str = let ki = Position.kinstr pos in let status = match status with | True -> Property_status.True | False -> (* We cannot soundly emit a red status on an alarm, because we may have emitted a green status earlier on. Thus we store the information for logging purposes, and emit an Unknown status. *) Red_statuses.add_red_alarm ki alarm; Property_status.Dont_know | Unknown -> Property_status.Dont_know in let annot, _is_new = Alarms.register ~loc:(loc ki) ~status emitter ki alarm in (* Report each alarm only once per analysis. The boolean [is_new] returned by {{Alarms.register}} is inadequate, as an alarm emitted by another plugin or by a previous run of Eva would be considered as not new. *) Alarm_cache.memo (fun (_ki,_alarm) -> report_alarm ~pos annot str) (ki, alarm) let emit_alarm ~pos alarm (status:status) = let register_alarm = register_alarm ~pos alarm status in match alarm with | Alarms.Pointer_comparison (_, _) -> register_alarm "pointer comparison" | Alarms.Division_by_zero _ -> register_alarm "division by zero" | Alarms.Overflow (kind, _, _, _) -> let str = match kind with | Alarms.Signed -> "signed overflow" | Alarms.Unsigned -> "unsigned overflow" | Alarms.Signed_downcast -> "signed downcast" | Alarms.Unsigned_downcast -> "unsigned downcast" | Alarms.Pointer_downcast -> "pointer downcast" in register_alarm str | Alarms.Float_to_int _ -> register_alarm "overflow in conversion from floating-point to integer" | Alarms.Invalid_shift (_, Some _) -> register_alarm "invalid RHS operand for shift" | Alarms.Invalid_shift (_, None) -> register_alarm "invalid LHS operand for left shift" | Alarms.Memory_access (_, access_kind) -> let access = match access_kind with | Alarms.For_reading -> "read" | Alarms.For_writing -> "write" in register_alarm (Format.sprintf "out of bounds %s" access) | Alarms.Index_out_of_bound _ -> register_alarm "accessing out of bounds index" | Alarms.Unaligned_pointer _ -> register_alarm "unaligned pointer creation" | Alarms.Invalid_pointer _ -> register_alarm "invalid pointer creation" | Alarms.Differing_blocks _ -> register_alarm "pointer subtraction" | Alarms.Is_nan_or_infinite (_, fkind) -> let sfkind = string_fkind fkind in register_alarm (Format.sprintf "non-finite %s value" sfkind) | Alarms.Is_nan (_, fkind) -> let sfkind = string_fkind fkind in register_alarm (Format.sprintf "NaN %s value" sfkind) | Alarms.Uninitialized _ -> register_alarm "accessing uninitialized left-value" | Alarms.Dangling _ -> register_alarm "accessing left-value that contains escaping addresses" | Alarms.Not_separated _ -> register_alarm "undefined multiple accesses in expression" | Alarms.Overlap _ -> register_alarm "partially overlapping lvalue assignment" | Alarms.Function_pointer _ -> register_alarm "pointer to function with incompatible type" | Alarms.Invalid_bool _ -> register_alarm "trap representation of a _Bool lvalue" let height_alarm = let open Eva_utils in function | Alarms.Division_by_zero e | Alarms.Index_out_of_bound (e,_) | Alarms.Unaligned_pointer (e,_) | Alarms.Invalid_pointer e | Alarms.Invalid_shift (e,_) | Alarms.Overflow (_,e,_,_) | Alarms.Float_to_int (e,_,_) | Alarms.Function_pointer (e, _) | Alarms.Pointer_comparison (None,e) -> height_expr e + 2 | Alarms.Memory_access (lv,_) | Alarms.Dangling lv | Alarms.Invalid_bool lv -> height_lval lv + 1 | Alarms.Uninitialized lv -> height_lval lv | Alarms.Pointer_comparison (Some e1, e2) -> max (height_expr e1) (height_expr e2) + 2 | Alarms.Differing_blocks (e1, e2) -> max (height_expr e1) (height_expr e2) + 1 | Alarms.Not_separated (lv1,lv2) | Alarms.Overlap (lv1,lv2) -> max (height_lval lv1) (height_lval lv2) + 1 | Alarms.Is_nan_or_infinite (e, fkind) | Alarms.Is_nan (e, fkind) -> let trivial = match Cil.(typeOf e).tnode with | TFloat fk -> fk = fkind | _ -> false in if trivial then height_expr e else height_expr e + 1 let cmp a1 a2 = Datatype.Int.compare (height_alarm (fst a1)) (height_alarm (fst a2)) let remove_redundant_alarms map = let filter alarm status = match alarm with | Alarms.Invalid_pointer expr -> let lval = Mem expr, NoOffset in let implies alarm s = status = s && match alarm with | Alarms.Memory_access (lv, _access_kind) -> Cil_datatype.LvalStructEq.equal lv lval | _ -> false in not (M.exists implies map) | _ -> true in M.filter filter map let emit_alarms ~pos map = let map = remove_redundant_alarms map in let list = M.bindings map in let sorted_list = List.sort cmp list in List.iter (fun (alarm, status) -> emit_alarm ~pos alarm status) sorted_list; if Alarm_cache.length () >= Parameters.StopAtNthAlarm.get () then Self.abort "Stopping at nth alarm" let emit ~pos = function | Just map -> if not (M.is_empty map) then emit_alarms ~pos map (* TODO: use GADT to avoid this assert false ? *) | AllBut _ -> Self.abort ~current:true ~once:true "All alarms may arise: \ abstract state too imprecise to continue the analysis."