SLIDE 1

Cross Translational Unit Analysis in Clang Static Analyzer: Prototype and Measurements

Gabor Horvath (xazax[1]), Peter Szecsi (ps95[1]), Zoltan Gera (gerazo[1]), Daniel Krupp (daniel.krupp[2]), Zoltan Porkolab (zoltan.porkolab[2])

[1] @caesar.elte.hu
[2] @ericsson.com

SLIDE 2

Outline

  • Motivation
  • Overview of the Cross Translation Unit Analysis architecture
  • Evaluation on open source projects
    • Findings
    • Performance
  • Design questions
    • How to organize CTU related code
    • What to reanalyze, how to scale
  • Future work

SLIDE 3

Clang Static Analyzer – Symbolic Execution

  • Find bugs without running the code
  • Exploded Graph

void test(int b) {
  int a, c;
  switch (b) {
  case 1:
    a = b / 0;   // division by zero on the path where $b = [1,1]
    break;
  case 4:
    c = b - 4;   // c is 0 on the path where $b = [4,4]
    a = b / c;   // division by zero again, through c
    break;
  }
}

Exploded graph (figure): every node carries the symbolic state (b: $b, plus c: 0 on the case 4 path); switch(b) branches into default, case 1 ($b = [1,1], a = b/0) and case 4 ($b = [4,4], c = b-4, a = b/c).

SLIDE 4

Motivation

A.cpp:

void neg(int *x);

void g(int *x) {
  if (*x > 0)
    neg(x);      // *x is positive here
  if (*x > 0)
    *x / 0;      // after neg(x), *x is unknown to a single-TU analysis (with the
                 // definition visible it is negative), so the division by zero
                 // reported here is a false positive
  neg(NULL);     // API misuse: neg() dereferences its argument, visible only across TUs
}

B.cpp:

void neg(int *x) {
  *x = -(*x);
}

  • We saw useful CTU results reported by closed source analysis tools
  • Can we achieve the same using Clang SA?

SLIDE 5

High Level Architecture

1st pass (CTU Build): Source Code & JSON Compilation Database → AST dumps, Global Call Graph, Function Definition Index

2nd pass (Analyzer): AST dumps + Global Call Graph + Function Definition Index → Analysis Results (PLISTs)

SLIDE 6

Evaluation

  • Open source C projects:
    • OpenSSL, Curl, Vim, Memcached, ffmpeg, PostgreSQL, ...
    • Full details at: http://cc.inf.elte.hu
  • Improvements needed for C++ support
  • Metrics:
    • Number of new bugs reported
    • Number of lost bug reports
    • Quality of new bug reports
    • Analysis time
    • Peak memory usage (per process)

SLIDE 10

Evaluation – Bug Reports

  • 2.4X average, 2.1X median, 5X peak

Chart: number of bug reports per project (Curl, FFMPEG, Memcached, TMUX, VIM), y-axis 100 to 600; series: Baseline, CTU, Lost.

SLIDE 11

Bug Path Length of Bug Reports

  • The reason for false positives was never the CTU

Chart: bug path length per project (ffmpeg, Curl, Memcached, Vim), y-axis 2 to 20; series: Baseline median, CTU median, New reports’ median.

SLIDE 12

FFMPEG - Quality of New Bug Reports

  • True positive example: http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17539
  • One Definition Rule violation found

Chart: new reports by checker: core.CallAndMessage, core.DivideZero, core.NonNullParamChecker, core.NullDereference, core.UndefinedBinaryOperatorResult, core.uninitialized.Assign, core.uninitialized.Branch, unix.Malloc.

SLIDE 15

Same bug multiple times?

A.cpp:

void neg(int *x);

void g(int *x) {
  ...
  neg(NULL);
  ...
}

void h(int *x) {
  ...
  neg(NULL);
  ...
}

B.cpp:

void neg(int *x) {
  *x = -(*x);
}
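One way a result viewer can answer the question on this slide, as an added example that is not code from the talk, the prototype or CodeChecker: with CTU, both g() and h() reach the dereference inside neg(), so the analyzer emits two reports whose paths differ but whose final location and checker are the same. Keying reports on (checker, sink file, sink line) rather than on the whole path shows them as one issue with several paths. The report shape and the sample reports below are constructed for the example (line numbers and messages are assumed), not real PLIST content.

```python
"""Grouping CTU reports that end at the same sink (added example; the report
shape is assumed, not the analyzer's PLIST schema)."""
from collections import defaultdict
from typing import Any, Dict, List, Tuple

Step = Tuple[str, int, str]           # (file, line, message); the last step is the sink
Report = Dict[str, Any]               # {"checker": str, "path": List[Step]}
GroupKey = Tuple[str, str, int]       # (checker, sink file, sink line)

# Constructed sample modelled on the slide's A.cpp/B.cpp: two null-dereference
# paths into neg() from g() and h(), plus one unrelated division by zero.
SAMPLE_REPORTS: List[Report] = [
    {"checker": "core.NullDereference",
     "path": [("A.cpp", 5, "null passed as argument to neg()"),
              ("B.cpp", 2, "dereference of null pointer")]},
    {"checker": "core.NullDereference",
     "path": [("A.cpp", 11, "null passed as argument to neg()"),
              ("B.cpp", 2, "dereference of null pointer")]},
    {"checker": "core.DivideZero",
     "path": [("A.cpp", 8, "division by zero")]},
]


def sink(report: Report) -> Step:
    """Where the bug is finally triggered: the last step of the path."""
    return report["path"][-1]


def group_key(report: Report) -> GroupKey:
    """Identity of an issue: checker plus sink location, ignoring how it was reached."""
    file, line, _ = sink(report)
    return (report["checker"], file, line)


def group_reports(reports: List[Report]) -> Dict[GroupKey, List[Report]]:
    """Bucket reports that end at the same sink under the same checker."""
    groups: Dict[GroupKey, List[Report]] = defaultdict(list)
    for report in reports:
        groups[group_key(report)].append(report)
    return dict(groups)


def entry_points(group: List[Report]) -> List[Tuple[str, int]]:
    """Distinct (file, line) where the paths of a group start, in report order."""
    starts: List[Tuple[str, int]] = []
    for report in group:
        start = report["path"][0][:2]
        if start not in starts:
            starts.append(start)
    return starts


def summarize(reports: List[Report]) -> List[str]:
    """One line per distinct issue: checker, sink, and how many paths reach it."""
    lines: List[str] = []
    for (checker, file, line), group in sorted(group_reports(reports).items()):
        starts = ", ".join(f"{f}:{l}" for f, l in entry_points(group))
        lines.append(f"{checker} at {file}:{line}: {len(group)} path(s) from {starts}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REPORTS)))
```

Keying on the sink alone can also merge reports that are genuinely different bugs (two unrelated callers passing null for different reasons still end at the same dereference), which is why the summary keeps the entry points visible instead of dropping the extra paths.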

SLIDE 16

Evaluation – Analysis time

  • 2.5X average, 2.1X median, 6.4X peak

Chart: analysis time per project (Curl, ffmpeg, Memcached, NGINX, OpenSSL, PostgreSQL, Redis, TinyXML2, tmux, Vim), y-axis 0 s to 1000 s; series: Baseline, CTU.

SLIDE 17

Evaluation - Memory

  • 2.3X average, 2.3X median, 5.5X peak
  • AST dumps consume disk space temporarily
    • ~40GB for LLVM

Chart: peak memory per project (Curl, ffmpeg, Memcached, NGINX, OpenSSL, PostgreSQL, Redis, TinyXML2, tmux, Vim), y-axis 0 MB to 700 MB; series: Baseline, CTU.

SLIDE 18

Current Implementation

  • Artem Dergachev, Aleksei Sidorin, et al.
    • Prototype: both for naive CTU and summary based interprocedural analysis, based on Clang 3.4
    • http://lists.llvm.org/pipermail/cfe-dev/2015-October/045730.html
  • Improved version contributed by Ericsson, only contains the CTU part, ready for review
    • https://reviews.llvm.org/D30691
    • Patch is relatively small, CTU off by default
    • No changes required to checker implementations

SLIDE 19

Order of the Analysis of Functions

A.cpp:

void f(int x);

void g(int x) {
  f(x);
}

void h(int x) {
  g(x);
}

B.cpp:

void i(int x) {
}

void f(int x) {
  i(x);
}

Figure: call chains h() → g() → f() → i() and f() → i()

SLIDE 20

Incrementality

A.cpp:

void f(int *x);

void g(int *x) {
  f(NULL);
}

B.cpp:

void f(int *x) {
  *x = -(*x);
}

SLIDE 21

Incrementality

A.cpp:

void f(int *x);

void g(int *x) {
  f(NULL);
}

B.cpp (f changed):

void f(int *x) {
  *x = -(*x);
  if (x == 0)
    return;
}

  • We need to reanalyze A.cpp too
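The design question behind the last three slides ("what to reanalyze"), worked through as an added example that is not the prototype's code: given the function definition index (function to defining TU) and the global call graph from the first pass, a changed function forces reanalysis of its own TU without CTU, but with CTU also of every TU whose analysis may have imported and inlined that body, directly or through a chain of calls. The index and call-graph shapes below are assumptions; the sample data is constructed from the A.cpp/B.cpp examples on these slides (g and h calling f, f calling i).

```python
"""Which translation units must be reanalyzed after a change? (added example
modelling the slides' design question; index/call-graph shapes are assumed)"""
from typing import Dict, List, Set

# Function definition index (function -> defining TU) and global call graph
# (function -> functions it calls), constructed from the slides' A.cpp/B.cpp.
DEF_INDEX: Dict[str, str] = {"g": "A.cpp", "h": "A.cpp", "f": "B.cpp", "i": "B.cpp"}
CALL_GRAPH: Dict[str, Set[str]] = {"h": {"g"}, "g": {"f"}, "f": {"i"}, "i": set()}


def callers_of(call_graph: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Reverse the call graph: callee -> set of its direct callers."""
    rev: Dict[str, Set[str]] = {fn: set() for fn in call_graph}
    for caller, callees in call_graph.items():
        for callee in callees:
            rev.setdefault(callee, set()).add(caller)
    return rev


def affected_functions(changed: Set[str], call_graph: Dict[str, Set[str]]) -> Set[str]:
    """The changed functions plus every transitive caller (worklist over reversed edges)."""
    rev = callers_of(call_graph)
    seen: Set[str] = set(changed)
    work: List[str] = list(changed)
    while work:
        fn = work.pop()
        for caller in rev.get(fn, ()):
            if caller not in seen:
                seen.add(caller)
                work.append(caller)
    return seen


def defining_tus(functions: Set[str], def_index: Dict[str, str]) -> Set[str]:
    """TUs defining the given functions; names missing from the index are ignored."""
    return {def_index[fn] for fn in functions if fn in def_index}


def tus_to_reanalyze_single_tu(changed: Set[str], def_index: Dict[str, str]) -> Set[str]:
    """Without CTU only the TU holding the edited definition is affected."""
    return defining_tus(changed, def_index)


def tus_to_reanalyze_ctu(changed: Set[str], def_index: Dict[str, str],
                         call_graph: Dict[str, Set[str]]) -> Set[str]:
    """With CTU also every TU whose analysis may have inlined the edited body.
    This over-approximates: a caller whose analysis ran out of budget before the
    inlined call did not depend on the body, but the call graph cannot tell."""
    return defining_tus(affected_functions(changed, call_graph), def_index)


if __name__ == "__main__":
    # The slides' case: f in B.cpp is edited while g in A.cpp calls f(NULL).
    print("single-TU:", sorted(tus_to_reanalyze_single_tu({"f"}, DEF_INDEX)))
    print("CTU:      ", sorted(tus_to_reanalyze_ctu({"f"}, DEF_INDEX, CALL_GRAPH)))
```

Only call edges are modelled here; a change to a shared type or global that the imported AST depends on is not captured by a call graph and needs its own dependency tracking.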

SLIDE 22

AST Importer

  • Import (merge) one AST into another
  • Can import one function/type at a time
  • Caches the results to avoid multiple imports
  • Used by LLDB
  • Not a mature component of Clang yet

SLIDE 23

AST Importer

  • Issues with importing source locations from macros
  • Suboptimal results for C++ projects
    • We concentrated on C projects
    • Fixed C related bugs in the importer
  • The analysis can find AST Importer bugs
    • Running analysis on the imported AST can trigger asserts
    • Found invariant violations on the imported AST that would otherwise be very challenging to write a test for

SLIDE 24

Coverage

  • Increased for some files
    • Functions evaluated in more contexts
  • Decreased for others
    • Analysis budget runs out due to DFS
    • Prune more infeasible paths
    • More issues reported implies stops
  • Small overall decrease

void external(int x);

void g(int x) {
  external(x);   // defined in another TU; with CTU its body is imported and inlined
  x / 0;
}

SLIDE 25

Coverage

void external(int x);

void g(int x) {
  external(x);   // Might exhaust budget: exploring the imported body can use up
                 // the analysis budget before the division below is reached
  x / 0;
}

SLIDE 26

Getting Started

  • Run CTU on your project if interested in additional results
  • Run both CTU and non-CTU to get maximal coverage
  • Give us feedback about the quality of reports
    • Analysis errors
    • True positives
    • False positives
  • CodeChecker supports viewing CTU results!
    • https://github.com/Ericsson/codechecker

SLIDE 27

Future Work

  • Extend the C++ support of ASTImporter
  • New strategies to build an exploded graph with good shape?
  • Tune default budget for CTU
  • Incremental CTU analysis
  • Make the binary AST dumps smaller
  • Grouping of bug paths in viewers (CodeChecker, XCode, ...)

SLIDE 28

Summary

  • Improved the CTU prototype
  • Evaluated the results on open source projects
    • CTU found many new potential bugs
    • Analysis time scales well with CPUs
    • Bug/time, bug/memory ratio is good
    • Coverage, quality of reports satisfying
  • Works well for C programs
    • Improvements needed for C++
  • Prepared a patch for upstreaming

SLIDE 29

Thank you! Questions?