Aliases in a bug finding tool. Benjamin Chelf, Seth Hallem. June 5th, 2002.

Overview
- Observation: bug-finding tools can be sound or unsound. What distinguishes the results between them?
- Goal: evaluate varying levels of precision and soundness in how they handle aliases.
- Hypothesis: sound analysis is not necessary to detect the types of bugs currently found by state-of-the-art tools.

Alias analysis in Metal
- No alias analysis in Metal. What must be done to add it?
- When transitioning a variable to a new state, must transition anything that may alias it.
- Alias analysis must provide the potential aliases given a program point and context.
- Caveat: when transitioning aliases, Metal must also insert identity transition edges.

Target Alias Analyses
- Sound analyses from the literature: Steensgaard, CLA, Wilson/Lam, Instantiation Constraints, One-Level Flow (Das)
- Unsound analyses: no analysis (Metal as is); non-conservative single-level/double-level

Non-conservative analysis
- Reverse the standard assumptions
  - Conservative: unless we can guarantee that two pointers are not aliased, they could be aliased
  - Non-conservative: assume pointers are not aliased and add aliasing relationships that we can identify easily
- One-level: p = q ⇒ p, q are aliased; assume all pointers are one-level
- Two-level: p = q ⇒ p, q, *p, *q are aliased; assume all pointers are at most two-level

One-level Aliasing: Example
Tracked aliasing:

    #include <stdlib.h>
    int main(void) {
        int *p, *q;
        q = malloc(sizeof *q);
        p = q;      // p and q are aliased.
        free(p);    // p and q are both freed.
        return 0;
    }

Missed aliasing (caught with two-level):

    #include <stdlib.h>
    int main(void) {
        int **p, **q;
        q = malloc(sizeof *q);
        *q = malloc(sizeof **q);
        p = q;      // p and q are aliased.
        free(*p);   // *p is freed; one-level tracking misses that *q is the same object.
        return 0;
    }

One-level Aliasing: Example (animated build of the previous slide): the diagram shows p and q sharing one alias node, labelled unk before free(p) and freed after it.

One-level algorithm: basics
- Initially, assign each program object (typed expression) a "fresh" alias node; the node holds the state attached to that object
- Assignment: left-hand side inherits the alias node from the right-hand side
- Function call: formals = actuals; save alias set at call, restore at return
- Track struct fields, pointer arithmetic
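As an added example, not code from the slides or from Metal: a toy Python implementation of the one-level scheme described on this slide (fresh alias node per object, assignment shares the right-hand side's node, checker state attached to the node), plus the two-level rule from the earlier slide, so the tracked and missed free examples can be replayed. The statement tuples and variable names are constructed; function calls, struct fields and pointer arithmetic are not modelled.

```python
class Node:
    """An alias node carrying the checker state of the objects it represents."""
    def __init__(self):
        self.state = "unk"

class OneLevelChecker:
    """Non-conservative one-level alias tracking with a 'freed' state machine.
    Statements are tuples: ("assign", lhs, rhs), ("free", var), ("use", var)."""
    def __init__(self):
        self.nodes = {}     # program object (by name) -> its alias node
        self.errors = []

    def node(self, var):
        # Each object gets a fresh alias node the first time it is seen.
        return self.nodes.setdefault(var, Node())

    def assign(self, lhs, rhs):
        # lhs = rhs: the left-hand side inherits the right-hand side's node,
        # so lhs and rhs are now aliased (one level only).
        self.nodes[lhs] = self.node(rhs)

    def free(self, var):
        n = self.node(var)
        if n.state == "freed":
            self.errors.append("double free: " + var)
        n.state = "freed"   # the node transitions, hence every alias of var does

    def use(self, var):
        if self.node(var).state == "freed":
            self.errors.append("use after free: " + var)

    def run(self, stmts):
        for op, *args in stmts:
            getattr(self, op)(*args)
        return self.errors

class TwoLevelChecker(OneLevelChecker):
    def assign(self, lhs, rhs):
        # p = q also aliases *p with *q (the slides' two-level rule).
        super().assign(lhs, rhs)
        self.nodes["*" + lhs] = self.node("*" + rhs)

# Constructed programs mirroring the two slide examples.
TRACKED = [("assign", "p", "q"), ("free", "p"), ("use", "q")]
MISSED = [("assign", "p", "q"), ("free", "*p"), ("use", "*q")]

def check(program, two_level=False):
    checker = TwoLevelChecker() if two_level else OneLevelChecker()
    return checker.run(program)
```

check(TRACKED) reports the use of q after free(p); check(MISSED) reports nothing under one-level tracking, while check(MISSED, two_level=True) catches the use of *q.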

Optimizations
- Kill sets
- Flow-insensitively track second-level assignments
- Track another level: alias relationships can pass up
- Where is the 90% boundary?

Evaluation of analysis
- Who and what to check: buggy, real systems code (varying sizes); null pointers, free errors, lock and unlock, etc.
- Metrics: running time of analysis and extensions; # of bugs / # of false positives; traditional alias analysis metrics
- Reasons for imprecision: want to know why we have a false positive/negative

Research costs
- Difficult parts: implementation of analyses; bug finding interface; error report inspection (wading through FPs)
- Good source of future research: categorize FPs for simple elimination

Related work
- Bug finding: Metal, RHS, Heine / Lam
- Alias analyses: CLA (Andersen's), Steensgaard, Instantiation Constraints, Wilson / Lam, One-level flow (Das)