flaw_detector 0.0.1

data/lib/flaw_detector/detector/nil_false_path_flow.rb

@@ -0,0 +1,179 @@
+module FlawDetector
+  module Detector
+    class NilFalsePathFlow
+      NIL_CHECK_METHODS = [:nil?]
+      VAR_BRANCH_KLASS = {:klass => [NilClass, FalseClass], :message => {:branchif => :last, :branchunless => :first}}
+      # if methods return true, RCEV type is decided
+      RCEV_KLASS_OF_METHODS = {
+        :nil? => 
+        {:klass => [NilClass],
+          :message => {:branchif => :first, :branchunless => :last}}
+      }
+      REVERSE_EDGE = {:first => :last, :last => :first}
+      NIL_METHODS = nil.methods
+      FALSE_CLASS_METHODS = FalseClass.methods
+      CALC_CODE = {:opt_plus => :+, :opt_minus => :-, :opt_mult => :*, :opt_div => :/, :opt_mod => :%,
+        :opt_eq => :==, :opt_neq => :!=, :opt_lt => :<, :opt_le => :<=, :opt_gt => :>, :opt_ge => :>=,
+        :opt_ltlt => :<<}
+      def initialize
+        
+      end
+      
+      # == Arguments & Return
+      # _dom_       :: 
+      # *Return* :: [Array] array of hash. each hash key must be [:msgid,:file,:line,:short_desc,:long_desc,:details]
+      def analyze(dom)
+        result = []
+        
+        search_frames = dom.select_methods + [dom.top] + dom.select_classes
+        search_frames.each do |frame|
+          klass_specified_variable_list = []
+          # *search
+          frame.insns.each_with_index do |insn, index|
+            next unless [:getlocal, :getdynamic].include?(insn[0])
+            varframe, varname = frame.insn2variable(insn)
+            obj_index,argnum = frame.find_use_insn_index_of_ret(index, insn)
+            unless obj_index
+              # @todo support using variable at multiple branchif ;ex) case-when syntax
+              next
+            end
+            obj_insn = frame.raw_block_data[:body][:insns][obj_index]
+            p_cfg = frame.find_cfg_node_by_insn_index(obj_index)
+            klass_specified_edge = nil
+            case obj_insn[0]
+            when :send
+              if argnum == 0 && RCEV_KLASS_OF_METHODS.has_key?(obj_insn[1]) #varnum is the receiver and method is a nil check
+                next_obj_index,next_argnum = frame.find_use_insn_index_of_ret(obj_index, obj_insn)
+                next_obj_insn = frame.raw_block_data[:body][:insns][next_obj_index]
+                case next_obj_insn[0]
+                when :branchif, :branchunless
+                  klass_specified_edge = RCEV_KLASS_OF_METHODS[obj_insn[1]][:message][next_obj_insn[0]]
+                  klass = RCEV_KLASS_OF_METHODS[obj_insn[1]][:klass]
+                end
+              end
+            when :branchif, :branchunless
+              klass_specified_edge = VAR_BRANCH_KLASS[:message][obj_insn[0]]
+              klass = VAR_BRANCH_KLASS[:klass]
+            end
+            
+            next unless klass_specified_edge
+            ks_variable = {:specified_edge => klass_specified_edge,  :branch_node => p_cfg, :variable => {:frame => varframe, :name => varname, :klass => klass}, :already_checked => false}
+            ks_variable[:complement_edge] = REVERSE_EDGE[ks_variable[:specified_edge]]
+            nn = ks_variable[:branch_node].next_nodes
+            tmperase = []
+            tmperase << :complement_edge if nn.send(ks_variable[:specified_edge]).is_dominance_frontier_of?(nn.send(ks_variable[:complement_edge]))
+            tmperase << :specified_edge if nn.send(ks_variable[:complement_edge]).is_dominance_frontier_of?(nn.send(ks_variable[:specified_edge]))
+            tmperase.each{|k| ks_variable.delete(k)}
+
+            klass_specified_variable_list << ks_variable
+          end
+
+          # *detection
+          klass_specified_variable_list.each do |ks_variable|
+            next if ks_variable[:already_checked]
+            if ks_variable[:specified_edge]
+              cfg = ks_variable[:branch_node].next_nodes.send(ks_variable[:specified_edge])
+              cfg.visit_specified_dominators do |node|
+                check_end, ng_list = check_nil_var_ref(node, ks_variable[:variable])
+                ng_list.each do |elem|
+                  line = elem[:frame].index2line(elem[:index])
+                  result << FlawDetector::make_info(:file => dom.filepath, :line => line, :msgid => "NP_ALWAYS_FALSE", :params => [elem[:variable][:name]])
+                end
+                if check_end
+                  next :none
+                else
+                  redundant = find_redundant_node(klass_specified_variable_list, node, ks_variable)
+                  if redundant
+                    redundant[:already_checked] = true
+                    line = redundant[:branch_node].last_line
+                    result << FlawDetector::make_info(:file => dom.filepath, :line => line, :msgid => "RCN_REDUNDANT_FALSECHECK_OF_FALSE_VALUE", :params => [redundant[:variable][:name], ks_variable[:branch_node].last_line])
+                    next redundant[:specified_edge]
+                  else
+                    next :all
+                  end
+                end
+              end
+            end
+
+            if ks_variable[:complement_edge]
+              cfg = ks_variable[:branch_node].next_nodes.send(ks_variable[:complement_edge])
+              cfg.visit_specified_dominators do |node|
+                redundant = find_redundant_node(klass_specified_variable_list, node, ks_variable)
+                if redundant
+                  redundant[:already_checked] = true
+                  line = redundant[:branch_node].last_line
+                  result << FlawDetector::make_info(:file => dom.filepath, :line => line, :msgid => "RCN_REDUNDANT_FALSECHECK_OF_TRUE_VALUE", :params => [redundant[:variable][:name], ks_variable[:branch_node].last_line])
+                  next redundant[:complement_edge]
+                else
+                  next :all
+                end
+              end
+            end
+            # [p_cfg's dominators - s_cfg's dominators] check send method except nil methods
+            #TODO: add warning list if get localvar and nil checked. # deadcode
+            #TODO: implements
+          end
+        end
+
+        #* remove duplicate result
+        #NOTE: it be caused that input code to analyzer has deadcode.
+        return result
+      end
+
+      # _variable_ :: nil variable on node
+      # return: check_end?, detected ngs
+      def check_nil_var_ref(node, variable)
+        ng_list = [] # each element has keys: {:variable, :index, :frame}
+        unless node.prev_nodes.first == node.prev_nodes.last
+          # check setlocal opcode at dominance frontier
+          pfpl = node.prev_nodes.first.dominators - node.prev_nodes.last.dominators
+          plpf = node.prev_nodes.last.dominators - node.prev_nodes.first.dominators
+          #TODO: return if pfpl/plpf have set localvar
+        end
+        
+        frame = node.insns_frame
+
+        node.bb[0].each do |index|
+          insn = frame.insns[index]
+          case insn[0]
+          when :setlocal, :setdynamic
+            varframe,varname = frame.insn2variable(insn)
+            # return if insn of index set localvar
+            return true, ng_list if variable[:name] == varname && variable[:frame] == varframe
+          when :getlocal, :getdynamic
+            varframe,varname = frame.insn2variable(insn)
+            if variable[:name] == varname && variable[:frame] == varframe
+              use_index, use_argnum = frame.find_use_insn_index_of_ret(index, insn)
+              use_insn = frame.insns[use_index]
+              case use_insn[0]
+              when :send
+                use_insn[1]
+                if use_argnum == 0 && !NIL_METHODS.include?(use_insn[1])
+                  ng_list << {:variable => variable, :index => use_index, :frame => frame}
+                end
+              when *(CALC_CODE.keys)
+                # ASSERT: nil not operand method
+                unless NIL_METHODS.include?(CALC_CODE[use_insn[0]])
+                  ng_list << {:variable => variable, :index => use_index, :frame => frame}
+                end
+              end
+            end
+          end
+        end
+        return false, ng_list
+      end
+
+      def find_redundant_node(klass_specified_variable_list, node, ks_variable)
+        redundant = klass_specified_variable_list.find do |other_info| # @todo sort by tree parent first
+          next if other_info[:branch_node] == ks_variable[:branch_node]
+          next unless other_info[:variable][:name] == ks_variable[:variable][:name] &&
+            other_info[:variable][:frame] == ks_variable[:variable][:frame]
+          next unless other_info[:branch_node] == node
+          next unless (ks_variable[:variable][:klass] - other_info[:variable][:klass]).empty?
+          true
+        end
+        return redundant
+      end      
+    end
+  end
+end

data/lib/flaw_detector/formatter/csv_formatter.rb

@@ -0,0 +1,24 @@
+require 'csv'
+
+module FlawDetector
+  module Formatter
+    class CsvFormatter
+      def initialize(io = STDOUT)
+        @io = io
+      end
+      
+      # == Arguments & Return
+      # _result_       :: [Array] array of hash. each hash key must be [:msgid,:file,:line,:summary,:description]
+      # *Return* :: [String]
+      def render(result)
+        headers = [:msgid,:file,:line,:short_desc,:long_desc,:details]
+        data = CSV.generate("", :row_sep => "\r\n", :headers => headers, :write_headers => true) do |csv|
+          result.each do |row|
+            csv << row.values_at(*headers)
+          end
+        end
+        @io << data
+      end
+    end
+  end
+end

data/lib/flaw_detector/message.rb

@@ -0,0 +1,45 @@
+module FlawDetector
+  MESSAGE_IDS = {
+    "RCN_REDUNDANT_FALSECHECK_WOULD_HAVE_BEEN_A_NPE" => { # @todo rewrite it to meaningful message
+      :short_desc => "Falsecheck of value previously dereferenced",
+      :long_desc => "Falsecheck of %{0} at %{1} of value previously dereferenced in %{2}",
+      :details => "A value is checked here to see whether it is false, but this value can't be false because it was previously dereferenced and if it were false a false pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be false. Either the check is redundant or the previous dereference is erroneous."
+    },
+    "RCN_REDUNDANT_FALSECHECK_OF_FALSE_VALUE" => {
+      :short_desc => "Redundant falsecheck of value known to be false",
+      :long_desc => "Redundant falsecheck of %{0} which is known to be false in LINE:%{1}",
+      :details => "This method contains a redundant check of a known false value against the constant false."
+    },
+    "RCN_REDUNDANT_FALSECHECK_OF_TRUE_VALUE" => {
+      :short_desc => "Redundant falsecheck of value known to be false",
+      :long_desc => "Redundant falsecheck of %{0} which is known to be false in LINE:%{1}",
+      :details => "This method contains a redundant check of a known false value against the constant false."
+    },
+    "NP_ALWAYS_FALSE" => {
+      :short_desc => "False value missing method received",
+      :long_desc => "False value missing method received in %{0}",
+      :details => "A false value, which is NilClass or FalseClass, is received missing method here. This will lead to a NoMethodError when the code is executed."
+    },
+    "NP_FALSE_ON_SOME_PATH" =>{ # @todo rewrite it to meaningful message
+      :short_desc => "Possible false pointer dereference",
+      :long_desc => "Possible false pointer dereference in %{0}",
+      :details => "There is a branch of statement that, if executed, guarantees that a false value will be dereferenced, which would generate a RuntimeError when the code is executed. Of course, the problem might be that the branch or statement is infeasible and that the false pointer exception can't ever be executed; deciding that is beyond the ability of FlawDetector."
+    }
+  }
+
+  def make_info(params={})
+    info = {}
+    info[:msgid] = params[:msgid]
+    info[:file] = params[:file]
+    info[:line] = params[:line]
+    hash = {}
+    params[:params].each_with_index do |elem, index|
+      hash["%{#{index}}"] = elem
+    end
+    pattern = Regexp.new(hash.keys.map{|n| Regexp.escape(n)}.join("|"))
+    info[:short_desc] = MESSAGE_IDS[info[:msgid]][:short_desc].gsub(pattern, hash)
+    info[:long_desc] = MESSAGE_IDS[info[:msgid]][:long_desc].gsub(pattern, hash)
+    info[:details] = MESSAGE_IDS[info[:msgid]][:details].gsub(pattern, hash)
+    return info                            
+  end
+end

data/lib/flaw_detector/version.rb

@@ -0,0 +1,3 @@
+module FlawDetector
+  VERSION = "0.0.1"
+end

data/lib/flaw_detector.rb

@@ -0,0 +1,169 @@
+require "flaw_detector/version"
+require "flaw_detector/controller"
+require "flaw_detector/message"
+require "flaw_detector/formatter/csv_formatter"
+require "flaw_detector/detector/nil_false_path_flow"
+require "flaw_detector/code_model/code_document"
+require "flaw_detector/code_model/insns_frame"
+require "flaw_detector/code_model/cfg_node"
+require File.expand_path("../../ext/insns_ext/insn_ext.rb", __FILE__)
+
+module FlawDetector
+  OPERAND_0 = 1
+  OPERAND_1 = 2
+  OPERAND_2 = 3
+  OPERAND_3 = 4
+  
+  module ISeqHeader
+    TYPE_TOP = :top
+    TYPE_CLASS = :class
+    TYPE_METHOD = :method
+    TYPE_BLOCK = :block
+  end
+
+  include CodeModel
+  
+  # (key,val) = (opcode, operand number from 0)
+  INSNS_HAVE_ISEQ_IN_OPERAND = {"putiseq" => OPERAND_0, "defineclass" => OPERAND_1, "send" => OPERAND_2, "invokesuper" => OPERAND_1}
+  # ASSERT: operand number 0 is offset
+  INSNS_OF_BRANCH = ["branchif", "branchunless"]
+  
+  def parse(code_str, filepath="<compiled>")
+    isqns = RubyVM::InstructionSequence.new(code_str)
+    data = iseq_parse(isqns.to_a)
+    CodeDocument.create(data, filepath)
+  end
+
+  def parse_file(file)
+    case file
+    when String
+      code_str = File.open(file, "r"){|f| f.read}
+      filepath = file
+    when File
+      code_str = file.read
+      filepath = file.path
+    when IO
+      code_str = file.read
+      filepath = "<compiled>"
+    else
+      raise "not support class#{file.class}"
+    end
+    parse(code_str, filepath)
+  end
+  
+  def iseq_parse(iseq)
+    return nil unless iseq
+    
+    header = {}
+    header[:magic] = iseq[0]
+    header[:major] = iseq[1]
+    header[:minor] = iseq[2]
+    header[:format_type] = iseq[3]
+    header[:misc] = iseq[4]
+    header[:name] = iseq[5]
+    header[:filename] = iseq[6]
+    header[:filepath] = iseq[7]
+    header[:line_no] = iseq[8]
+    header[:type] = iseq[9]
+    header[:locals] = iseq[10]
+    header[:args] = iseq[11]
+    header[:exceptions] = iseq[12]
+    
+    insns = []
+    insns_pos_to_lineno = []
+    label_pos = {}
+    lineno_and_insns_pos = [nil,nil]
+    insns_pos_to_operand_iseq = {}
+    branch_info = [] # element = {:pos =>, :label =>}
+    basic_block = [] # element type is (Range, Array). It is guaranteed that each element Range doesn't overlap
+    tmp_bb_start_pos = 0
+    
+    iseq[13].each do |mixed|
+      case mixed
+      when Array # instruction
+        insns << mixed
+        opcode = mixed.first.to_s
+        if INSNS_HAVE_ISEQ_IN_OPERAND.keys.include?(opcode)
+          operand_num = INSNS_HAVE_ISEQ_IN_OPERAND[opcode]
+          iseq_in_operand = iseq_parse(mixed[operand_num])
+          insn_pos = insns.count-1
+          insns_pos_to_operand_iseq[insn_pos] = iseq_in_operand
+          
+          #replace to link
+          mixed[operand_num] = insn_pos
+          
+          if insns_pos_to_operand_iseq[insn_pos] &&
+              insns_pos_to_operand_iseq[insn_pos][:header][:type] == ISeqHeader::TYPE_BLOCK
+            # NOTE: bb is changed becase iseq of block type may have break, raise, or etc...
+            if tmp_bb_start_pos < insn_pos
+              basic_block << [tmp_bb_start_pos...insn_pos, insn_pos]
+            end
+            basic_block << [insn_pos...(insn_pos+1), insn_pos+1, :exception]
+            tmp_bb_start_pos = insns.count
+          end
+        elsif INSNS_OF_BRANCH.include?(opcode)
+          basic_block << [tmp_bb_start_pos...insns.count, mixed[OPERAND_0], insns.count]
+          tmp_bb_start_pos = insns.count
+        elsif opcode == "jump"
+          basic_block << [tmp_bb_start_pos...insns.count, mixed[OPERAND_0]]
+          tmp_bb_start_pos = insns.count            
+        elsif opcode == "leave"
+          basic_block << [tmp_bb_start_pos...insns.count, :leave]
+          tmp_bb_start_pos = insns.count
+        end
+      when Fixnum # lineno
+        if lineno_and_insns_pos[0]
+          range = lineno_and_insns_pos[1]...(insns.count)
+          insns_pos_to_lineno << [range, lineno_and_insns_pos[0]]
+        end
+        lineno_and_insns_pos[0] = mixed
+        lineno_and_insns_pos[1] = insns.count
+      when Symbol # label
+        label_pos[mixed] = insns.count
+        basic_block << [tmp_bb_start_pos...insns.count, insns.count]
+        tmp_bb_start_pos = insns.count
+      end
+    end
+    if lineno_and_insns_pos[0]
+      if insns_pos_to_lineno.empty? || !insns_pos_to_lineno.last.include?(insns.count-1)
+        range = lineno_and_insns_pos[1]...(insns.count)
+        insns_pos_to_lineno << [range, lineno_and_insns_pos[0]]
+      end
+    end
+    # remove redundant bb
+    basic_block.reject! {|bb| bb[0].to_a.size == 0}
+    basic_block.each do |bb|
+      bb.map! do |elem|
+        if elem.to_s =~ /label_.+/
+          label_pos[elem]
+        else
+          elem
+        end
+      end
+    end
+    #TODO: add remove redundant bb code
+
+    #set name
+    cnt = 0
+    bs = {}
+    basic_block.each do |bb|
+      sym = "bb_#{bs.count}".to_sym
+      bs[sym] = bb
+    end
+    bs[:entry] = [0...0,0]
+    bs[:leave] = [0...0]
+
+    body = {}
+    body[:insns] = insns
+    
+    extra = {}
+    extra[:insns_pos_to_lineno] = insns_pos_to_lineno
+    extra[:label_pos] = label_pos
+    extra[:insns_pos_to_operand_iseq] = insns_pos_to_operand_iseq
+    extra[:basic_blocks] = bs
+
+    return {:header => header, :body => body, :extra => extra}
+  end
+
+  module_function :iseq_parse, :parse, :make_info, :parse_file
+end

data/sample/flaw_in_code.rb

@@ -0,0 +1,9 @@
+def flaw(a)
+  if a
+    rl = a + 1
+  elsif a      #**RCN_REDUNDANT_FALSECHECK_OF_FALSE_VALUE,a,2**
+    rl = 1 + a 
+  else
+    rl = a + 1 #**NP_ALWAYS_FALSE,a**
+  end
+end