/// <summary> /// Analyzes the ownership of the given-up symbol /// in the expression. /// </summary> /// <param name="givenUpSymbol">GivenUpOwnershipSymbol</param> /// <param name="expr">ExpressionSyntax</param> /// <param name="statement">Statement</param> /// <param name="machine">StateMachine</param> /// <param name="model">SemanticModel</param> /// <param name="trace">TraceInfo</param> private void AnalyzeOwnershipInExpression(GivenUpOwnershipSymbol givenUpSymbol, ExpressionSyntax expr, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { if (expr is IdentifierNameSyntax || expr is MemberAccessExpressionSyntax) { IdentifierNameSyntax rightIdentifier = base.AnalysisContext.GetRootIdentifier(expr); if (rightIdentifier != null) { var rightSymbol = model.GetSymbolInfo(rightIdentifier).Symbol; this.AnalyzeGivingUpFieldOwnership(givenUpSymbol, rightSymbol, statement, machine, trace); } } else if (expr is InvocationExpressionSyntax || expr is ObjectCreationExpressionSyntax) { trace.InsertCall(statement.Summary.Method, expr); HashSet <ISymbol> returnSymbols = base.AnalyzeOwnershipInCall(givenUpSymbol, expr, statement, machine, model, trace); foreach (var returnSymbol in returnSymbols) { this.AnalyzeGivingUpFieldOwnership(givenUpSymbol, returnSymbol, statement, machine, trace); } } }
/// <summary> /// Analyzes the ownership of the given-up symbol /// in the candidate callee. /// </summary> /// <param name="givenUpSymbol">GivenUpOwnershipSymbol</param> /// <param name="calleeSummary">MethodSummary</param> /// <param name="call">ExpressionSyntax</param> /// <param name="statement">Statement</param> /// <param name="machine">StateMachine</param> /// <param name="model">SemanticModel</param> /// <param name="trace">TraceInfo</param> protected override void AnalyzeOwnershipInCandidateCallee(GivenUpOwnershipSymbol givenUpSymbol, MethodSummary calleeSummary, ExpressionSyntax call, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { ArgumentListSyntax argumentList = base.AnalysisContext.GetArgumentList(call); if (argumentList == null) { return; } for (int idx = 0; idx < argumentList.Arguments.Count; idx++) { var argIdentifier = base.AnalysisContext.GetRootIdentifier( argumentList.Arguments[idx].Expression); if (argIdentifier == null) { continue; } ISymbol argSymbol = model.GetSymbolInfo(argIdentifier).Symbol; if (statement.Summary.DataFlowAnalysis.FlowsIntoSymbol(argSymbol, givenUpSymbol.ContainingSymbol, statement, givenUpSymbol.Statement)) { if (calleeSummary.SideEffectsInfo.FieldFlowParamIndexes.Any(v => v.Value.Contains(idx) && base.IsFieldAccessedInSuccessor(v.Key, statement.Summary, machine))) { base.ErrorReporter.ReportGivenUpFieldOwnershipError(trace, argSymbol); } } } }
/// <summary> /// Analyzes the ownership of the given-up symbol /// in the call. /// </summary> /// <param name="givenUpSymbol">GivenUpOwnershipSymbol</param> /// <param name="call">ExpressionSyntax</param> /// <param name="statement">Statement</param> /// <param name="machine">StateMachine</param> /// <param name="model">SemanticModel</param> /// <param name="trace">TraceInfo</param> /// <returns>Set of return symbols</returns> protected HashSet <ISymbol> AnalyzeOwnershipInCall(GivenUpOwnershipSymbol givenUpSymbol, ExpressionSyntax call, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { var potentialReturnSymbols = new HashSet <ISymbol>(); var invocation = call as InvocationExpressionSyntax; var objCreation = call as ObjectCreationExpressionSyntax; if ((invocation == null && objCreation == null)) { return(potentialReturnSymbols); } TraceInfo callTrace = new TraceInfo(); callTrace.Merge(trace); callTrace.AddErrorTrace(call); var callSymbol = model.GetSymbolInfo(call).Symbol; if (callSymbol == null) { AnalysisErrorReporter.ReportExternalInvocation(callTrace); return(potentialReturnSymbols); } if (callSymbol.ContainingType.ToString().Equals("Microsoft.PSharp.Machine")) { this.AnalyzeOwnershipInGivesUpCall(givenUpSymbol, invocation, statement, machine, model, callTrace); return(potentialReturnSymbols); } if (SymbolFinder.FindSourceDefinitionAsync(callSymbol, this.AnalysisContext.Solution).Result == null) { AnalysisErrorReporter.ReportExternalInvocation(callTrace); return(potentialReturnSymbols); } var candidateSummaries = MethodSummary.GetCachedSummaries(callSymbol, statement); foreach (var candidateSummary in candidateSummaries) { this.AnalyzeOwnershipInCandidateCallee(givenUpSymbol, candidateSummary, call, statement, machine, model, callTrace); if (invocation != null) { var resolvedReturnSymbols = candidateSummary.GetResolvedReturnSymbols(invocation, model); foreach (var resolvedReturnSymbol in resolvedReturnSymbols) { potentialReturnSymbols.Add(resolvedReturnSymbol); } } } return(potentialReturnSymbols); }
/// <summary> /// Analyzes the ownership of the given-up symbol /// in the control-flow graph node. /// </summary> protected void AnalyzeOwnershipInStatement(GivenUpOwnershipSymbol givenUpSymbol, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { var localDecl = statement.SyntaxNode.DescendantNodesAndSelf(). OfType <LocalDeclarationStatementSyntax>().FirstOrDefault(); var expr = statement.SyntaxNode.DescendantNodesAndSelf(). OfType <ExpressionStatementSyntax>().FirstOrDefault(); if (localDecl != null) { var varDecl = localDecl.Declaration; this.AnalyzeOwnershipInLocalDeclaration(givenUpSymbol, varDecl, statement, machine, model, trace); } else if (expr != null) { if (expr.Expression is AssignmentExpressionSyntax) { var assignment = expr.Expression as AssignmentExpressionSyntax; this.AnalyzeOwnershipInAssignment(givenUpSymbol, assignment, statement, machine, model, trace); } else if (expr.Expression is InvocationExpressionSyntax || expr.Expression is ObjectCreationExpressionSyntax) { trace.InsertCall(statement.Summary.Method, expr.Expression); this.AnalyzeOwnershipInCall(givenUpSymbol, expr.Expression, statement, machine, model, trace); } } }
/// <summary> /// Analyzes the ownership of the given-up symbol /// in the assignment expression. /// </summary> /// <param name="givenUpSymbol">GivenUpOwnershipSymbol</param> /// <param name="assignment">AssignmentExpressionSyntax</param> /// <param name="statement">Statement</param> /// <param name="machine">StateMachine</param> /// <param name="model">SemanticModel</param> /// <param name="trace">TraceInfo</param> protected override void AnalyzeOwnershipInAssignment(GivenUpOwnershipSymbol givenUpSymbol, AssignmentExpressionSyntax assignment, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { var leftIdentifier = base.AnalysisContext.GetRootIdentifier(assignment.Left); ISymbol leftSymbol = model.GetSymbolInfo(leftIdentifier).Symbol; if (assignment.Right is IdentifierNameSyntax) { var rightIdentifier = base.AnalysisContext.GetRootIdentifier(assignment.Right); ISymbol rightSymbol = model.GetSymbolInfo(rightIdentifier).Symbol; if (statement.Summary.DataFlowAnalysis.FlowsIntoSymbol(rightSymbol, givenUpSymbol.ContainingSymbol, statement, givenUpSymbol.Statement)) { var type = model.GetTypeInfo(assignment.Right).Type; if (leftSymbol != null && leftSymbol.Kind == SymbolKind.Field && base.IsFieldAccessedInSuccessor(leftSymbol as IFieldSymbol, statement.Summary, machine) && !base.AnalysisContext.IsTypePassedByValueOrImmutable(type)) { TraceInfo newTrace = new TraceInfo(); newTrace.Merge(trace); newTrace.AddErrorTrace(statement.SyntaxNode); AnalysisErrorReporter.ReportGivenUpOwnershipFieldAssignment(newTrace, leftSymbol); } return; } } else if (assignment.Right is MemberAccessExpressionSyntax) { this.AnalyzeOwnershipInExpression(givenUpSymbol, assignment.Right, statement, machine, model, trace); } else if (assignment.Right is InvocationExpressionSyntax || assignment.Right is ObjectCreationExpressionSyntax) { trace.InsertCall(statement.Summary.Method, assignment.Right); base.AnalyzeOwnershipInCall(givenUpSymbol, assignment.Right, statement, machine, model, trace); } if (assignment.Left is MemberAccessExpressionSyntax) { ISymbol outerLeftMemberSymbol = model.GetSymbolInfo(assignment.Left).Symbol; if (!outerLeftMemberSymbol.Equals(leftSymbol) && statement.Summary.DataFlowAnalysis.FlowsIntoSymbol(givenUpSymbol.ContainingSymbol, leftSymbol, givenUpSymbol.Statement, statement)) { TraceInfo newTrace = new TraceInfo(); newTrace.Merge(trace); newTrace.AddErrorTrace(statement.SyntaxNode); AnalysisErrorReporter.ReportGivenUpOwnershipAccess(newTrace); } } }
/// <summary> /// Analyzes the ownership of the given-up symbol /// in the control-flow graph. /// </summary> /// <param name="givenUpSymbol">GivenUpOwnershipSymbol</param> /// <param name="machine">StateMachine</param> /// <param name="model">SemanticModel</param> /// <param name="trace">TraceInfo</param> protected override void AnalyzeOwnershipInControlFlowGraph(GivenUpOwnershipSymbol givenUpSymbol, StateMachine machine, SemanticModel model, TraceInfo trace) { var queue = new Queue <IControlFlowNode>(); queue.Enqueue(givenUpSymbol.Statement.ControlFlowNode); var visitedNodes = new HashSet <IControlFlowNode>(); visitedNodes.Add(givenUpSymbol.Statement.ControlFlowNode); bool repeatGivesUpNode = false; while (queue.Count > 0) { IControlFlowNode node = queue.Dequeue(); var statements = new List <Statement>(); if (!repeatGivesUpNode && node.Equals(givenUpSymbol.Statement.ControlFlowNode)) { statements.AddRange(node.Statements.SkipWhile( val => !val.Equals(givenUpSymbol.Statement))); } else if (repeatGivesUpNode && node.Equals(givenUpSymbol.Statement.ControlFlowNode)) { statements.AddRange(node.Statements.TakeWhile( val => !val.Equals(givenUpSymbol.Statement))); statements.Add(givenUpSymbol.Statement); } else { statements.AddRange(node.Statements); } foreach (var statement in statements) { base.AnalyzeOwnershipInStatement(givenUpSymbol, statement, machine, model, trace); } foreach (var successor in node.ISuccessors) { if (!repeatGivesUpNode && successor.Equals(givenUpSymbol.Statement.ControlFlowNode)) { repeatGivesUpNode = true; visitedNodes.Remove(givenUpSymbol.Statement.ControlFlowNode); } if (!visitedNodes.Contains(successor)) { queue.Enqueue(successor); visitedNodes.Add(successor); } } } }
/// <summary> /// Analyzes the ownership of the given-up symbol in the assignment expression. /// </summary> protected override void AnalyzeOwnershipInAssignment(GivenUpOwnershipSymbol givenUpSymbol, AssignmentExpressionSyntax assignment, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { IdentifierNameSyntax leftIdentifier = AnalysisContext.GetRootIdentifier(assignment.Left); ISymbol leftSymbol = model.GetSymbolInfo(leftIdentifier).Symbol; this.AnalyzeGivingUpFieldOwnership(givenUpSymbol, leftSymbol, statement, machine, trace); this.AnalyzeOwnershipInExpression(givenUpSymbol, assignment.Right, statement, machine, model, trace); }
/// <summary> /// Analyzes the ownership of the given-up symbol in the gives-up operation. /// </summary> protected override void AnalyzeOwnershipInGivesUpCall(GivenUpOwnershipSymbol givenUpSymbol, InvocationExpressionSyntax call, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { if (givenUpSymbol.Statement.Equals(statement) && givenUpSymbol.ContainingSymbol.Kind == SymbolKind.Field && this.IsFieldAccessedInSuccessor(givenUpSymbol.ContainingSymbol as IFieldSymbol, statement.Summary, machine)) { this.ErrorReporter.ReportGivenUpFieldOwnershipError(trace, givenUpSymbol.ContainingSymbol); } }
/// <summary> /// Analyzes the ownership of the given-up symbol in the variable declaration. /// </summary> protected override void AnalyzeOwnershipInLocalDeclaration(GivenUpOwnershipSymbol givenUpSymbol, VariableDeclarationSyntax varDecl, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { foreach (var variable in varDecl.Variables.Where(v => v.Initializer != null)) { ExpressionSyntax expr = variable.Initializer.Value; ISymbol leftSymbol = model.GetDeclaredSymbol(variable); this.AnalyzeGivingUpFieldOwnership(givenUpSymbol, leftSymbol, statement, machine, trace); this.AnalyzeOwnershipInExpression(givenUpSymbol, expr, statement, machine, model, trace); } }
/// <summary> /// Analyzes the ownership of the given-up symbol in the expression. /// </summary> private void AnalyzeOwnershipInExpression(GivenUpOwnershipSymbol givenUpSymbol, ExpressionSyntax expr, Statement statement, SemanticModel model, TraceInfo trace) { if (expr is MemberAccessExpressionSyntax) { var identifier = AnalysisContext.GetRootIdentifier(expr); ISymbol symbol = model.GetSymbolInfo(identifier).Symbol; if (statement.Summary.DataFlowAnalysis.FlowsIntoSymbol(symbol, givenUpSymbol.ContainingSymbol, statement, givenUpSymbol.Statement)) { TraceInfo newTrace = new TraceInfo(); newTrace.Merge(trace); newTrace.AddErrorTrace(statement.SyntaxNode); this.ErrorReporter.ReportGivenUpOwnershipAccess(newTrace); } } }
/// <summary> /// Analyzes the given-up ownership of fields in the expression. /// </summary> private void AnalyzeGivingUpFieldOwnership(GivenUpOwnershipSymbol givenUpSymbol, ISymbol symbol, Statement statement, StateMachine machine, TraceInfo trace) { if (!statement.Summary.DataFlowAnalysis.FlowsIntoSymbol(symbol, givenUpSymbol.ContainingSymbol, statement, givenUpSymbol.Statement)) { return; } if (symbol.Kind == SymbolKind.Field && this.IsFieldAccessedInSuccessor(symbol as IFieldSymbol, statement.Summary, machine)) { TraceInfo newTrace = new TraceInfo(); newTrace.Merge(trace); newTrace.AddErrorTrace(statement.SyntaxNode); this.ErrorReporter.ReportGivenUpFieldOwnershipError(newTrace, symbol); } }
/// <summary> /// Analyzes the ownership of the given-up symbol in the variable declaration. /// </summary> protected override void AnalyzeOwnershipInLocalDeclaration(GivenUpOwnershipSymbol givenUpSymbol, VariableDeclarationSyntax varDecl, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { foreach (var variable in varDecl.Variables.Where(v => v.Initializer != null)) { var expr = variable.Initializer.Value; if (expr is IdentifierNameSyntax || expr is MemberAccessExpressionSyntax) { this.AnalyzeOwnershipInExpression(givenUpSymbol, expr, statement, model, trace); } else if (expr is InvocationExpressionSyntax || expr is ObjectCreationExpressionSyntax) { trace.InsertCall(statement.Summary.Method, expr); this.AnalyzeOwnershipInCall(givenUpSymbol, expr, statement, machine, model, trace); } } }
/// <summary> /// Analyzes the ownership of the given-up symbol /// in the control-flow graph. /// </summary> protected abstract void AnalyzeOwnershipInControlFlowGraph(GivenUpOwnershipSymbol givenUpSymbol, StateMachine machine, SemanticModel model, TraceInfo trace);
/// <summary> /// Analyzes the ownership of the given-up symbol in the gives-up operation. /// </summary> protected abstract void AnalyzeOwnershipInGivesUpCall(GivenUpOwnershipSymbol givenUpSymbol, InvocationExpressionSyntax call, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace);
/// <summary> /// Analyzes the ownership of the given-up symbol in the candidate callee. /// </summary> protected abstract void AnalyzeOwnershipInCandidateCallee(GivenUpOwnershipSymbol givenUpSymbol, MethodSummary calleeSummary, ExpressionSyntax call, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace);
/// <summary> /// Analyzes the ownership of the given-up symbol in the assignment expression. /// </summary> protected abstract void AnalyzeOwnershipInAssignment(GivenUpOwnershipSymbol givenUpSymbol, AssignmentExpressionSyntax assignment, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace);
/// <summary> /// Analyzes the ownership of the given-up symbol in the variable declaration. /// </summary> protected abstract void AnalyzeOwnershipInLocalDeclaration(GivenUpOwnershipSymbol givenUpSymbol, VariableDeclarationSyntax varDecl, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace);
/// <summary> /// Analyzes the ownership of the given-up symbol /// in the gives-up operation. /// </summary> /// <param name="givenUpSymbol">GivenUpOwnershipSymbol</param> /// <param name="call">Gives-up call</param> /// <param name="statement">Statement</param> /// <param name="machine">StateMachine</param> /// <param name="model">SemanticModel</param> /// <param name="trace">TraceInfo</param> protected override void AnalyzeOwnershipInGivesUpCall(GivenUpOwnershipSymbol givenUpSymbol, InvocationExpressionSyntax call, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { if (statement.Equals(givenUpSymbol.Statement) && !statement.ControlFlowNode.IsSuccessorOf( givenUpSymbol.Statement.ControlFlowNode)) { return; } var opSymbol = model.GetSymbolInfo(call).Symbol; if ((!opSymbol.Name.Equals("Send") && !opSymbol.Name.Equals("CreateMachine")) || (opSymbol.Name.Equals("CreateMachine") && call.ArgumentList.Arguments.Count != 2)) { return; } ExpressionSyntax argExpr = call.ArgumentList.Arguments[1].Expression; var arguments = new List <ExpressionSyntax>(); if (argExpr is ObjectCreationExpressionSyntax) { var objCreation = argExpr as ObjectCreationExpressionSyntax; foreach (var arg in objCreation.ArgumentList.Arguments) { arguments.Add(arg.Expression); } } else if (argExpr is BinaryExpressionSyntax && argExpr.IsKind(SyntaxKind.AsExpression)) { var binExpr = argExpr as BinaryExpressionSyntax; if (binExpr.Left is IdentifierNameSyntax || binExpr.Left is MemberAccessExpressionSyntax) { arguments.Add(binExpr.Left); } else if (binExpr.Left is InvocationExpressionSyntax) { var invocation = binExpr.Left as InvocationExpressionSyntax; for (int i = 1; i < invocation.ArgumentList.Arguments.Count; i++) { arguments.Add(invocation.ArgumentList.Arguments[i].Expression); } } } else if (argExpr is IdentifierNameSyntax || argExpr is MemberAccessExpressionSyntax) { arguments.Add(argExpr); } var extractedArgs = base.ExtractArguments(arguments); foreach (var arg in extractedArgs) { IdentifierNameSyntax argIdentifier = base.AnalysisContext.GetRootIdentifier(arg); ITypeSymbol argType = model.GetTypeInfo(argIdentifier).Type; if (base.AnalysisContext.IsTypePassedByValueOrImmutable(argType)) { continue; } ISymbol argSymbol = model.GetSymbolInfo(argIdentifier).Symbol; if (statement.Summary.DataFlowAnalysis.FlowsIntoSymbol(argSymbol, givenUpSymbol.ContainingSymbol, statement, givenUpSymbol.Statement)) { AnalysisErrorReporter.ReportGivenUpOwnershipSending(trace, argSymbol); return; } } }
/// <summary> /// Analyzes the ownership of the given-up symbol /// in the candidate callee. /// </summary> /// <param name="givenUpSymbol">GivenUpOwnershipSymbol</param> /// <param name="calleeSummary">MethodSummary</param> /// <param name="call">ExpressionSyntax</param> /// <param name="statement">Statement</param> /// <param name="machine">StateMachine</param> /// <param name="model">SemanticModel</param> /// <param name="trace">TraceInfo</param> protected override void AnalyzeOwnershipInCandidateCallee(GivenUpOwnershipSymbol givenUpSymbol, MethodSummary calleeSummary, ExpressionSyntax call, Statement statement, StateMachine machine, SemanticModel model, TraceInfo trace) { if (statement.Equals(givenUpSymbol.Statement) && !statement.ControlFlowNode.IsSuccessorOf( givenUpSymbol.Statement.ControlFlowNode)) { return; } var invocation = call as InvocationExpressionSyntax; if (invocation != null) { this.AnalyzeOwnershipInExpression(givenUpSymbol, invocation.Expression, statement, machine, model, trace); } ArgumentListSyntax argumentList = base.AnalysisContext.GetArgumentList(call); if (argumentList != null) { for (int idx = 0; idx < argumentList.Arguments.Count; idx++) { var argType = model.GetTypeInfo(argumentList.Arguments[idx].Expression).Type; if (base.AnalysisContext.IsTypePassedByValueOrImmutable(argType)) { continue; } var argIdentifier = base.AnalysisContext.GetRootIdentifier( argumentList.Arguments[idx].Expression); ISymbol argSymbol = model.GetSymbolInfo(argIdentifier).Symbol; if (statement.Summary.DataFlowAnalysis.FlowsIntoSymbol(argSymbol, givenUpSymbol.ContainingSymbol, statement, givenUpSymbol.Statement)) { if (calleeSummary.SideEffectsInfo.ParameterAccesses.ContainsKey(idx)) { foreach (var access in calleeSummary.SideEffectsInfo.ParameterAccesses[idx]) { TraceInfo newTrace = new TraceInfo(); newTrace.Merge(trace); newTrace.AddErrorTrace(access.SyntaxNode); AnalysisErrorReporter.ReportGivenUpOwnershipAccess(newTrace); } } var fieldSymbols = calleeSummary.SideEffectsInfo.FieldFlowParamIndexes.Where( v => v.Value.Contains(idx)).Select(v => v.Key); foreach (var fieldSymbol in fieldSymbols) { if (base.IsFieldAccessedInSuccessor(fieldSymbol, statement.Summary, machine)) { AnalysisErrorReporter.ReportGivenUpOwnershipFieldAssignment(trace, fieldSymbol); } } if (calleeSummary.SideEffectsInfo.GivesUpOwnershipParamIndexes.Contains(idx)) { AnalysisErrorReporter.ReportGivenUpOwnershipSending(trace, argSymbol); } } } } foreach (var fieldAccess in calleeSummary.SideEffectsInfo.FieldAccesses) { foreach (var access in fieldAccess.Value) { if (statement.Summary.DataFlowAnalysis.FlowsIntoSymbol(givenUpSymbol.ContainingSymbol, fieldAccess.Key, givenUpSymbol.Statement, statement)) { TraceInfo newTrace = new TraceInfo(); newTrace.Merge(trace); newTrace.AddErrorTrace(access.SyntaxNode); AnalysisErrorReporter.ReportGivenUpOwnershipFieldAccess(newTrace, fieldAccess.Key); } } } }