|
| 1 | +# Topl |
| 2 | + |
| 3 | +## What is it? |
| 4 | + |
| 5 | +Topl is an analysis framework, built on top of Infer, for statically finding violations of temporal properties. Many analyses can be encoded as temporal properties supported by Topl, such as taint analysis. As a simple example, suppose that we don't want a value returned by method `source()` to be sent as an argument to a method `sink()`. This can be specified as follows: |
| 6 | + |
| 7 | +``` |
| 8 | +property Taint |
| 9 | + prefix "Main" |
| 10 | + start -> start: * |
| 11 | + start -> tracking: source(Ret) => x := Ret |
| 12 | + tracking -> error: sink(Arg, VoidRet) when x == Arg |
| 13 | +``` |
| 14 | + |
| 15 | +This specifies an automaton called `Taint` that has three states (`start`, `tracking`, `error`). Two of those states (`start` and `error`) have special meaning; other states (`tracking`) can have any names. The first transition (`start → tracking`) is taken when a method called `source()` is called, and its return value is stored in a register called `x`; the second transition (`tracking → error`) is taken when a method called `sink()` is called, but only if its argument equals what was previously saved in register `x`. |
| 16 | +This property is violated in the following Java code: |
| 17 | + |
| 18 | +``` |
| 19 | +public class Main { |
| 20 | + static void f() { g(tito(source())); } |
| 21 | + static void g(Object x) { h(x); } |
| 22 | + static void h(Object x) { sink(x); } |
| 23 | + static Object tito(Object x) { return x; } |
| 24 | + static Object source() { return "dirty"; } |
| 25 | + static void sink(Object x) {} |
| 26 | +} |
| 27 | +``` |
| 28 | + |
| 29 | +Note that `source()` and `sink()` are not called from the same method, and that the “dirty” object is passed around a few times before finally reaching the sink. Assuming that the property is in a file `taint.topl` and the Java code in a file `Main.java`, you can invoke Infer with the following command: |
| 30 | + |
| 31 | +``` |
| 32 | +infer --topl --topl-properties taint.topl -- javac Main.java |
| 33 | +``` |
| 34 | + |
| 35 | +It will display the following error: |
| 36 | + |
| 37 | +``` |
| 38 | +Main.java:2: error: Topl Error |
| 39 | + property Taint reaches state error. |
| 40 | + 1. public class Main { |
| 41 | + 2. > static void f() { g(tito(source())); } |
| 42 | + 3. static void g(Object x) { h(x); } |
| 43 | + 4. static void h(Object x) { sink(x); } |
| 44 | +``` |
| 45 | + |
| 46 | +To get a full trace, use the command |
| 47 | + |
| 48 | +``` |
| 49 | +infer explore |
| 50 | +``` |
| 51 | + |
| 52 | +## Specifying Properties |
| 53 | + |
| 54 | +A property is a nondeterministic automaton that can remember values in registers. An execution that drives the automaton from the start state to the error state will make Infer report an issue, and the trace that it produces will indicate which parts of the program drive which transitions of the automaton. |
| 55 | + |
| 56 | +The general form of a property is the following: |
| 57 | + |
| 58 | +``` |
| 59 | +property *Name |
| 60 | +* message "Optional error message" // This line can be missing |
| 61 | + prefix "Prefix" // There can be zero, one, or more prefix declarations |
| 62 | + sourceState -> targetState: *Pattern*(Arg1,...,ArgN,Ret) when *Condition* => *Action* |
| 63 | +``` |
| 64 | + |
| 65 | +The property name and the optional error message are used for reporting issues. The prefix declarations are used to simplify Patterns. The core of the property is the list of transitions. |
| 66 | + |
| 67 | +Each transition has a source state and a target state. The special transition label * means that the transition is always taken. Typically, there is a transition |
| 68 | + |
| 69 | +``` |
| 70 | + start -> start: * |
| 71 | +``` |
| 72 | + |
| 73 | +meaning that the property can start anywhere, not just at the beginning of a method. |
| 74 | + |
| 75 | +Otherwise, the label on a transition contains: |
| 76 | + |
| 77 | +* a *Pattern*, which indicates what kind of instruction in the program drives this transition; |
| 78 | +* a list of transition variable bindings (above named Arg1, ..., but any identifier starting with uppercase letters works); |
| 79 | +* possibly a boolean Condition, which can refer to transition variables and to registers; |
| 80 | +* possibly and Action, which is a list sequence of assignments of the form *register* := *TransitionVariable* (registers do not need to be declared, and any identifier starting with a lowercase letter works). |
| 81 | + |
| 82 | +There are two types of patterns: |
| 83 | + |
| 84 | +* a regex that matches method names |
| 85 | + * if the regex uses non-letters (such as dots) it must be within double-quotes; otherwise, double quotes are optional |
| 86 | + * the prefix declarations are used to add potential prefixes to the regex. The combine regex is essentially “(prefix_regex_a | prefix_regex_b) transition_pattern_regex“ |
| 87 | + * for a method with n arguments, there must be n+1 transition variables to get a match. The first n transition variables get bound to the argument values, and the last transition variable gets bound to the return value. *This is true even for the case in which the return type is void*. |
| 88 | +* the special keyword **#ArrayWrite**. In that case, there should be two transition variables like “(Array, Index)” — Array gets bound to the array object, and Index gets bound to the index at which the write happens. |
| 89 | + |
| 90 | +For several examples, see https://github.com/facebook/infer/tree/master/infer/tests/codetoanalyze/java/topl |
| 91 | + |
| 92 | +## Limitations |
| 93 | + |
| 94 | +* By design, some problems may be missed. Topl is built on Pulse, which attempts to minimize false positives, at the cost of sometimes having false negatives. |
| 95 | +* Analysis time increases exponentially with the number of registers used in properties. |
| 96 | + * In theory, there should be no significant slowdown if registers belong to different properties, but the implementation is not yet optimized. |
| 97 | + * If there are many registers within the same property, then the slowdown is unavoidable (without some significant breakthrough). However, the maximum number of registers we ever used for one practical property was 3. |
0 commit comments