[clang] Limit the depths of secialisations to avoid pathological cases

Summary: In unusual cases we can create very large procedures that then take too much memory to process. We should avoid this. Reviewed By: ngorogiannis Differential Revision: D50223700 fbshipit-source-id: f2186dc232fee643b08afec7b2d869a6f331e096
facebook · Oct 16, 2023 · d6a7bd6 · d6a7bd6
1 parent f1b1b70
commit d6a7bd6
Show file tree

Hide file tree

Showing 9 changed files with 57 additions and 16 deletions.
diff --git a/infer/man/man1/infer-analyze.txt b/infer/man/man1/infer-analyze.txt
@@ -665,6 +665,9 @@ LINEAGE OPTIONS
            type is the type of a variable whose value is within a statically
            known atom set. The width of the type is the cardinal of that atom
            set.
+
+       --specialized-proc-depth int
+           Maximal depth for the specialized procedures created.
 PULSE CHECKER OPTIONS
        --pulse-cut-to-one-path-procedures-pattern string
            Regex of methods for which pulse will only explore one path. Can

diff --git a/infer/man/man1/infer-full.txt b/infer/man/man1/infer-full.txt
@@ -1829,6 +1829,10 @@ OPTIONS
            Deactivates: print code excerpts around trace elements
            (Conversely: --source-preview)           See also infer-explore(1).
 
+       --specialized-proc-depth int
+           Maximal depth for the specialized procedures created.       
+    See also infer-analyze(1).
+
        --sqlite-cache-size int
            SQLite cache size in pages (if positive) or kB (if negative),
            follows formal of corresponding SQLite PRAGMA.           See also infer-analyze(1), infer-capture(1), and infer-run(1).

diff --git a/infer/man/man1/infer.txt b/infer/man/man1/infer.txt
@@ -1829,6 +1829,10 @@ OPTIONS
            Deactivates: print code excerpts around trace elements
            (Conversely: --source-preview)           See also infer-explore(1).
 
+       --specialized-proc-depth int
+           Maximal depth for the specialized procedures created.       
+    See also infer-analyze(1).
+
        --sqlite-cache-size int
            SQLite cache size in pages (if positive) or kB (if negative),
            follows formal of corresponding SQLite PRAGMA.           See also infer-analyze(1), infer-capture(1), and infer-run(1).

diff --git a/infer/src/IR/Procname.ml b/infer/src/IR/Procname.ml
@@ -1644,6 +1644,17 @@ let to_short_unique_name pname =
   DB.append_crc_cutoff proc_id
 
 
+let should_create_specialized_proc proc_name =
+  let rec should_create_specialized_proc i proc_name =
+    match proc_name with
+    | WithFunctionParameters (procname, _, _) ->
+        should_create_specialized_proc (i + 1) procname
+    | _ ->
+        i < Config.specialized_proc_depth
+  in
+  should_create_specialized_proc 0 proc_name
+
+
 let to_filename pname = to_short_unique_name pname |> Escape.escape_filename
 
 module SQLite = SqliteUtils.MarshalledDataNOTForComparison (struct

diff --git a/infer/src/IR/Procname.mli b/infer/src/IR/Procname.mli
@@ -554,4 +554,6 @@ val is_hack_sinit : t -> bool
 
 val has_hack_classname : t -> bool
 
+val should_create_specialized_proc : t -> bool
+
 module Normalizer : HashNormalizer.S with type t = t
diff --git a/infer/src/backend/CCallSpecializedWithClosures.ml b/infer/src/backend/CCallSpecializedWithClosures.ml
@@ -34,21 +34,24 @@ let replace_with_specialize_methods instr =
 
 
 let process proc_desc =
-  (* For each procdesc:
-     1. If we are a specialized procdesc:
-      1.1. Copy original procdesc
-      1.2. Update closures' uses
-     2. Update calls' closure arguments
-     3. Update calls with closures as arguments to specialized calls:
-      3.1. Create procdescs for specialized callees if they don't already exist
-     4. Update closure calls
-  *)
-  (* 1.
-      1.1. Create a specialized copy of [proc_desc]'s [orig_pdesc] (if it exists).
-      1.2. Specialize at instruction level: [foo(f)] when [f = closure] replaces every
-           use of [f] (calls and as argument) with the corresponding [closure] and its
-           captured variables. *)
-  ClosureSubstSpecializedMethod.process proc_desc ;
+  let proc_name = Procdesc.get_proc_name proc_desc in
+  if not (Procname.should_create_specialized_proc proc_name) then ()
+  else
+    (* For each procdesc:
+       1. If we are a specialized procdesc:
+        1.1. Copy original procdesc
+        1.2. Update closures' uses
+       2. Update calls' closure arguments
+       3. Update calls with closures as arguments to specialized calls:
+        3.1. Create procdescs for specialized callees if they don't already exist
+       4. Update closure calls
+    *)
+    (* 1.
+        1.1. Create a specialized copy of [proc_desc]'s [orig_pdesc] (if it exists).
+        1.2. Specialize at instruction level: [foo(f)] when [f = closure] replaces every
+             use of [f] (calls and as argument) with the corresponding [closure] and its
+             captured variables. *)
+    ClosureSubstSpecializedMethod.process proc_desc ;
   (* 2.
       Replace each indirect use of closure (as argument) with a direct use of closure.
      e.g.

diff --git a/infer/src/base/Config.ml b/infer/src/base/Config.ml
@@ -3013,6 +3013,12 @@ and shrink_analysis_db =
      database."
 
 
+and specialized_proc_depth =
+  CLOpt.mk_int ~long:"specialized-proc-depth" ~default:2
+    ~in_help:InferCommand.[(Analyze, manual_lineage)]
+    "Maximal depth for the specialized procedures created."
+
+
 and lineage_include_builtins =
   CLOpt.mk_bool
     ~deprecated:["-simple-lineage-include-builtins"]
@@ -4440,6 +4446,8 @@ and show_buckets = !print_buckets
 
 and shrink_analysis_db = !shrink_analysis_db
 
+and specialized_proc_depth = !specialized_proc_depth
+
 and lineage_include_builtins = !lineage_include_builtins
 
 and lineage_field_depth = !lineage_field_depth

diff --git a/infer/src/base/Config.mli b/infer/src/base/Config.mli
@@ -753,6 +753,8 @@ val show_buckets : bool
 
 val shrink_analysis_db : bool
 
+val specialized_proc_depth : int
+
 val lineage_include_builtins : bool
 
 val lineage_field_depth : int

diff --git a/infer/src/pulse/Pulse.ml b/infer/src/pulse/Pulse.ml
@@ -214,7 +214,11 @@ module PulseTransferFunctions = struct
            (if it was) in the end by [reset_need_closure_specialization] *)
         let astate = AbductiveDomain.unset_need_closure_specialization astate in
         let maybe_call_specialization callee_pname call_exp ((res, _, _) as call_res) =
-          if (not needed_closure_specialization) && need_closure_specialization res then (
+          if
+            (not needed_closure_specialization)
+            && need_closure_specialization res
+            && Procname.should_create_specialized_proc callee_pname
+          then (
             L.d_printfln "Trying to closure-specialize %a" Exp.pp call_exp ;
             match
               PulseClosureSpecialization.make_specialized_call_exp analysis_data
Original file line number	Diff line number	Diff line change
Expand Up		@@ -554,4 +554,6 @@ val is_hack_sinit : t -> bool

		val has_hack_classname : t -> bool

		val should_create_specialized_proc : t -> bool

		module Normalizer : HashNormalizer.S with type t = t