Crystalizing Sophisticated Code Analyses - - PowerPoint PPT Presentation

Crystalizing Sophisticated Code Analyses

Installation

• !
• "
• #
• $%%"&!!&%%'%(%

$%%&!!&%%" )

Crystal

• '!"
• *'
• *
• (
• "

$%%&!!&%%" +

• "
• ""
• "
• ,"
• -./$
• #"

Crystal in the classroom

• "0(!"
• $"*1!"
• *$&&12
• *
• .#"

"

$%%&!!&%%" 3

"

• .'#"

Crystal in research

• 4!#"

"

• "3""
• +#55*67815579155*679

$%%&!!&%%" :

• "
• !
• .!&!;

Demonstration

• ,"
• !
• "
• <!"
• <"

$%%&!!&%%" =

• <"
• <"!

Register and Run

• !;
• 0'"
• ,,""
• <!>""

!&>

$%%&!!&%%" ?

• *<@<!A
• 0'!
• <BC"

"&

Steps for making an analysis

• ,"
• <!"
• "

$%%&!!&%%" 8

• #"

Use an AST walker

• .2"'"&
• D

$%%&!!&%%" 9

• D
• "
• !"#$%&

'

Everything running?

• ;
• "E
• "@0""

$%%&!!&%%" F7

• (
• ."
• *'

Steps for making an analysis

• ,"
• <!"
• *'

$%%&!!&%%" FF

• #"

Abstract interpretation concepts

• 6
• #!#
• !
• !*

$%%&!!&%%" F)

• 4!"

!

• .'!
• !

• 6
• #!#
• !
• !*

Abstract interpretation concepts

$%%&!!&%%" F+

• 4!"

!

• .'!
• !

Lattice review

• "E
• 0!
• (#>"
• $%%&!!&%%"

F3

• ⊥

a b ⊥

Transfer function review

• G
• !σ
• !!σ2

$%%&!!&%%" F:

• ƒinstr1σ Hσ2
• 0'"

A simple null analysis

σ "! #

• ƒx = null1σ H

σIxNULLJ

• ƒx = y1σ H

σ σ

MAYBE_NULL NOT_NULL NULL ⊥

$%%&!!&%%" F=

• 0#
• #
• 6$

'"

• σIxσy J
• ƒx = new C()1σ H

σIxNOT_NULLJ

• ƒx = y.m(z1,3,zn)1σ H

σIyNOT_NULLJ

• "11&

⊥

The lattice

• 111"#
• "##""
• '"#"1'

$%%&!!&%%" F?

• '"#"1'
• 6
• .6
• "#

NullLatticeElement { , , , ; }

The lattice

• ()
• )
• *

$%%&!!&%%" F8

• +,-.,+/
• 6#
• #6616
• 6;616
• 6"6

Setting up the flow analysis

• "!"#>
• +(0

$%%&!!&%%" F9

• +(0
• ,"K !65
• 2"
• .2

"

Transfer functions

1

• L$'!
• $'!
• "!!$'!!

$%%&!!&%%" )7

• "!!$'!!
• '%'

'

You now have a Crystal flow analysis

• 23
• D12;!!
• $
• "$#
• $%%&!!&%%"

)F

• .2
• ""

!

Why Three Address Code

• '#*
• 4
• #>
• "'

$%%&!!&%%" ))

• "'
• *#

"

Relevant packages

• '!"
• *
• *

$%%&!!&%%" )+

• *"

Steps for making an analysis

• ,"
• <!"
• *'
• "

$%%&!!&%%" )3

• #"

Annotations

• L
• 4'

$%%&!!&%%" ):

• 4'
• ;""
• 0'##!"E

@Target({ElementType., ElementType.}) NonNull {}

Annotations

'

• ,
• #*
• !
• L!!

$%%&!!&%%" )=

• L!!
• 56(
• #
• M"NLL
• !">
• N,->HH"BH#/

Annotations

• '
• 56(

$%%&!!&%%" )?

• 56(
• M"NLL
• '

Steps for making an analysis

• ,"
• <!"
• *'
• "

$%%&!!&%%" )8

• ()'

Branchsensitivity

• '!'!

!!

• *">

!

• 2

>>

(x != ) { //hey, it’s safe //to use x in here! } {

$%%&!!&%%" )9

>>

• 6##

!

• "

(

{ //but it’s an //error in here! }

On paper3

• L#"

ƒx == y1σ Hσ

• "

ƒx == y1σ H σx OMAYBE_NULL

$%%&!!&%%" +7

σx OMAYBE_NULL σIyσx J σy OMAYBE_NULL σIxσy J

• σ
• *#ƒ0x == y1σ

Branching example

foo()

(foo()) { ; } { ; } ;

a b true false

$%%&!!&%%" +F

; foo()

c

Branching example, with exceptions

foo()

{ (foo()) { ; } { ; } ;

a b d true false MyException

$%%&!!&%%" +)

; } (MyException exp) { ; } ; foo() MyException;

c e

Types of labels

• %
• 11P$1&
• 0#
• "QQ1O1HH1&
• >
• 0>

$%%&!!&%%" ++

• 0>
• D"
• *
• ,
• L

Changing to branchsensitive analyses

F& ,#*D )& !!

LE transfer(TACInstruction instr, LE value)

⇓

IResult<LE> transfer(TACInstruction instr,

$%%&!!&%%" +3

+& .,< 1"#

List<ILabel> labels, LE value) value;

⇓

LabeledSingleResult.(value, labels);

Using the branches

• '

(

• >HH"
• >BH"

$%%&!!&%%" +:

• ,(7(

'

• "#
• !
• #!#

Crystal Static Analysis Framework

• D"
• "
• ,"
• D

$%%&!!&%%" +=

• 8'(
• 3"
• ("2