Infer cannot find any issues when running in '/' #283

Closed
btakeya opened this issue Feb 18, 2016 · 5 comments
@btakeya

btakeya commented Feb 18, 2016

Hi all,
I think Infer cannot find procedures when running in '/'.
In other directories (e.g. /root, /usr/local, and so on), it finds procedures successfully.

Test case:

  • Running in '/root'
root@416329cd0be2:~# pwd
/root
root@416329cd0be2:~# infer -- gcc /root/a.c 
Starting analysis (Infer version v0.7.0)
Computing dependencies... 100%
Analyzing 1 cluster. 100%
Analyzed 1 procedure in 1 file

Found 1 issue

a.c:6: error: NULL_DEREFERENCE
  pointer i last assigned on line 5 could be null and is dereferenced at line 6, column 3
  4.   {
  5.     int *i = NULL;
  6. >   *i = 3;
  7.     printf("%d\n", *i);
  8.   

Summary of the reports:

  NULL_DEREFERENCE: 1
  • Result in '/root':
root@416329cd0be2:~# cat /root/infer-out/proc_stats.json 
{ "files": 1, "procedures": 1, "lines": 10 }

  • Running in '/'
root@416329cd0be2:~# cd /
root@416329cd0be2:/# infer -- gcc /root/a.c 
Starting analysis (Infer version v0.7.0)
Computing dependencies... 100%
Analyzing 0 clusters 100%
Analyzed 0 procedures in 1 file
No issues found
  • Result in '/'
root@416329cd0be2:~# cat /infer-out/proc_stats.json 
{ "files": 1, "procedures": 0, "lines": 10 }

@jvillard
Contributor

Thanks for the report @btakeya, I managed to reproduce the issue locally, we'll look into it.

@btakeya
Author

btakeya commented Feb 18, 2016

This issue happens when running via Docker (Infer version: v0.7.0).

@kstreee
Contributor

kstreee commented Feb 20, 2016

This error comes from DB.source_file_equal (Exe_env.get_source exe_env pname) source_file.

The exact bug point is the function DB.rel_source_file_from_abs_path.
When the function is called with "/" as the parameter, DB.rel_source_file_from_abs_path "/" "/root/a.c", it returns Relative "/root/a.c".

I will explain how this bug makes Infer skip analyzing procedures when Infer is run on "/".

When I run Infer on the / directory, the source_file type is 'Absolute'. However, (Exe_env.get_source exe_env pname) returns a 'Relative' type value, because DB.rel_source_file_from_abs_path returns a 'Relative' type value.
Thus, it causes '0 active procedures' in the created clusters, and the analyzer does not analyze procedures in a source file.
I will explain how the code sets source_file as an 'Absolute' type value, and sets (Exe_env.get_source exe_env pname) as a 'Relative' type value.

At first, the results of DB.source_file_to_string source_file and DB.source_file_to_string (Exe_env.get_source exe_env pname) are the same string, in absolute path form, when I run Infer on the / directory.
So I checked the reason for returning false: the type of source_file is 'Absolute', and the type of (Exe_env.get_source exe_env pname) is 'Relative'.
It is natural that the type of source_file is 'Absolute', because the variable comes from this line (source_file is set by the function ClusterMakefile.source_file_from_pname, and that function calls the function DB.source_file_from_string).

However, the type of the result of (Exe_env.get_source exe_env pname) is 'Relative', so I followed the code to find the origin of (Exe_env.get_source exe_env pname).
The value exe_env is set from these statements, and more specifically, this statement.
I traced more code to find the specific values in exe_env, and I found the load_from_file function, which loads cg values from a serialized file.

Thus I tried to find the call sites of the function store_to_file, which is paired with load_from_file, and the call sites are the following,

As a result of this long code trip, I finally found the line which causes this bug, in the function DB.rel_source_file_from_abs_path, which is called in the above store_to_file call sites.
The call sites of store_to_file call the vulnerable function DB.rel_source_file_from_abs_path to prepare cg.
The prepared cg is stored using the Cg.store_to_file function, and it is loaded by the Cg.load_from_file function, and it makes the DB.source_file_equal (Exe_env.get_source exe_env pname) source_file statement return false, which is the cause of this bug.
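
A small model of the mismatch described in the comment above, added here as an illustration; it is not Infer's source and not the fix that landed. The type and constructor names follow the comment, while strip_root, rel_buggy, rel_checked and show, and every function body, are assumptions chosen to reproduce the reported return value Relative "/root/a.c".

```ocaml
(* Added model, not Infer's source: names follow the comment above,
   bodies are assumptions. *)
type source_file = Absolute of string | Relative of string

let starts_with ~prefix s =
  let n = String.length prefix in
  String.length s >= n && String.sub s 0 n = prefix

(* Assumed mechanism: drop "<root>/" from the front of the path. With
   root = "/" the prefix is "//", which never matches, so the path comes
   back unchanged. *)
let strip_root root path =
  let prefix = root ^ "/" in
  if starts_with ~prefix path then
    let n = String.length prefix in
    String.sub path n (String.length path - n)
  else path

(* Reported behaviour: the result is tagged Relative unconditionally. *)
let rel_buggy root path = Relative (strip_root root path)

(* One possible guard: tag Relative only when the result is relative. *)
let rel_checked root path =
  let rest = strip_root root path in
  if Filename.is_relative rest then Relative rest else Absolute path

(* Rendering hides the tag, so both values print the same path. *)
let to_string root = function
  | Absolute p -> p
  | Relative p -> if Filename.is_relative p then Filename.concat root p else p

(* Structural equality compares the constructor as well as the string. *)
let source_file_equal (a : source_file) (b : source_file) = a = b

let show = function
  | Absolute p -> Printf.sprintf "Absolute %S" p
  | Relative p -> Printf.sprintf "Relative %S" p

let () =
  let file = "/root/a.c" in
  let wanted = Absolute file in
  Printf.printf "root=/root -> %s\n" (show (rel_buggy "/root" file));
  List.iter
    (fun (name, f) ->
      let got = f "/" file in
      Printf.printf "%-7s root=/ -> %s same_string=%b equal=%b\n" name
        (show got)
        (to_string "/" got = to_string "/" wanted)
        (source_file_equal got wanted))
    [ ("buggy", rel_buggy); ("checked", rel_checked) ]
```

In the buggy row the two values render to the same string yet compare unequal, which is the condition the comment identifies as leaving zero active procedures.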

@kstreee
Contributor

kstreee commented Feb 20, 2016

Also, I checked that the same problem occurs when running infer -- java /path-to-code/Hello.c on /, but for the other cases (llvm/lMain.ml, harness/inhabit.ml (?)) it is not confirmed whether the function DB.rel_source_file_from_abs_path is called to prepare cg (or callgraph).

kstreee added a commit to kstreee/infer that referenced this issue Feb 20, 2016
…hen the analyzer is run on '/'. This bug is reported by @btakeya.
kstreee added a commit to kstreee/infer that referenced this issue Feb 20, 2016
…hen the analyzer is run on '/'. This bug is reported by @btakeya.
ghost pushed a commit that referenced this issue Feb 22, 2016
…r is run on '/'.

Summary: Resolve a bug that Infer does not analyze procedures when the analyzer is run on '/'.
This bug is reported by btakeya on #283.
Closes #284

Reviewed By: cristianoc

Differential Revision: D2960328

Pulled By: jvillard

fb-gh-sync-id: 55e8b0c
shipit-source-id: 55e8b0c
@jvillard
Contributor

fixed in a7e0044
