Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002."— Presentation transcript:

1 Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002

2 Overview Observation Bug-finding tools can be sound or unsound What distinguishes the results between them? Goal Evaluate varying levels of precision and soundness of how they handle aliases. Hypothesis Sound analysis is not necessary to detect of the types of bugs currently found by state of the art tools.

3 Alias analysis in Metal No alias analysis in Metal What must be done to add it? When transitioning a variable to a new state, must transition anything that may alias it. Alias analysis must provide the potential aliases given a program point and context. Caveat: When transitioning aliases, Metal must also insert identity transition edges.

4 Target Alias Analyses Sound analyses from the literature: Steensgard, CLA, Wilson/Lam, Instantiation Constraints, One-Level Flow (Das) Unsound Analyses no analysis (Metal as is) non-conservative single-level/double-level

5 Non-conservative analysis Reverse standard assumptions Conservative: unless we can guarantee that two pointers are not aliased, they could be aliased Non-conservative: assume pointers are not aliased and add aliasing relationships that we can identify easily One-level: p = q  p, q are aliased assume all pointers are one-level Two-level: p = q  p, q, *p, *q are aliased assume all pointers are at most two-level

6 One-level Aliasing: Example Tracked aliasing: int main (void) { int *p, *q; p = q; // p and q are aliased. free (p); // p and q are both freed. } Missed aliasing: caught with two-level int main (void) { int **p, **q; p = q; // p and q are aliased. free (*p); // *p is freed, *q is not. }

7 One-level Aliasing: Example Tracked aliasing: int main (void) { int *p, *q; p = q; // p and q are aliased. free (p); // p and q are both freed. } punk q

8 One-level Aliasing: Example Tracked aliasing: punk q int main (void) { int *p, *q; p = q; // p and q are aliased. free (p); // p and q are both freed. }

9 One-level Aliasing: Example Tracked aliasing: pfreed q int main (void) { int *p, *q; p = q; // p and q are aliased. free (p); // p and q are both freed. }

10 One level algorithm: basics Initially, assign each program object (typed expression) a “fresh” alias node node holds state attached to that object assignment: left-hand side inherits alias node from the right-hand side function call: formals = actuals save alias set at call, restore at return track struct fields, pointer arithmetic

11 Optimizations Kill sets Flow insensitively track second-level assignments. Track another level Alias relationships can pass up. Where is the 90% boundary?

12 Evaluation of analysis Who and what to check Buggy, real systems code (varying sizes) Null pointers, free errors, lock and unlock, etc. Metrics Running time of analysis and extensions # of bugs / # of false positives Traditional alias analysis metrics Reasons for imprecision Want to know why we have a false positive/negative

13 Research costs Difficult parts Implementation of analyses Bug finding interface Error report inspection (wading through FPs) Good sourceof future research Categorize FPs for simple elimination

14 Related work Bug finding Metal RHS Heine / Lam Alias analyses CLA (Andersen’s) Steensgard Instantiation Constraints Wilson / Lam One level flow (Das)

Download ppt "Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
R O O T S Field-Sensitive Points-to-Analysis Eda GÜNGÖR

R O O T S Field-Sensitive Points-to-Analysis Eda GÜNGÖR
Ditto: Speeding Up Runtime Data Structure Invariant Checks AJ Shankar and Ras Bodik UC Berkeley.

Ditto: Speeding Up Runtime Data Structure Invariant Checks AJ Shankar and Ras Bodik UC Berkeley.
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Intermediate Code Generation

Intermediate Code Generation
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Architecture-dependent optimizations Functional units, delay slots and dependency analysis.

Architecture-dependent optimizations Functional units, delay slots and dependency analysis.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An

Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An
Rational XL C/C++ Compiler Development © 2007 IBM Corporation Identifying Aliasing Violations in Source Code A Points-to Analysis Approach Ettore Tiotto,

Rational XL C/C++ Compiler Development © 2007 IBM Corporation Identifying Aliasing Violations in Source Code A Points-to Analysis Approach Ettore Tiotto,
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Flow-Insensitive Points-to Analysis with Term and Set Constraints Presentation by Kaleem Travis Patrick.

Flow-Insensitive Points-to Analysis with Term and Set Constraints Presentation by Kaleem Travis Patrick.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
Thin Slicing Manu Sridharan, Stephen J. Fink, Rastislav Bodík.

Thin Slicing Manu Sridharan, Stephen J. Fink, Rastislav Bodík.
In Defense of Unsoundness Ben Livshits, Manu Sridharan, Yannis Smaragdakis, and Ondřej Lhoták.

In Defense of Unsoundness Ben Livshits, Manu Sridharan, Yannis Smaragdakis, and Ondřej Lhoták.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Similar presentations

Ads by Google