Developing the Clang Static Analyzer – Artem Dergachev, Apple

SLIDE 1

Developing the Clang Static Analyzer

Artem Dergachev, Apple

SLIDE 2

Clang Static Analyzer

  • Finds bugs at compile time – by inspecting your source code
  • Bugs it finds are more sophisticated than warnings or Clang-Tidy
SLIDE 3

Clang Static Analyzer

  int foo(int x) {
    int y = x;
    if (y == 0)
      return 24 / x;
    return 0;
  }

SLIDE 4

Clang Static Analyzer

  • Natural!
  • Mimics normal program execution
  • Easy to understand why it “thinks” there is a bug
  • Takes all source code information into account
  • Explains bugs in terms of the source code
SLIDE 5

Clang Static Analyzer

  • Natural!
  • Researchy!
  • Deals with a lot of open problems
  • People publish articles, defend BS/MS/Ph.D. theses on it
  • Fully Open Source – lives in Clang repo
SLIDE 6

Clang Static Analyzer

  • Natural!
  • Researchy!
  • Practical!
  • Used in industry
  • Shipped with IDEs
  • Finds bugs in your code before your users do!
SLIDE 7

Clang Static Analyzer

  • Natural!
  • Researchy!
  • Practical!
  • Extensible!
  • Finds over 50 kinds of bugs!
  • Memory leaks
  • Null dereferences
  • Use-after-free
  • Use-after-move
  • “Building a Checker in 24 hours” – LLVM DevMtg 2012: https://youtu.be/kdxlsP5QVPw

SLIDE 8

Clang Static Analyzer

  • Natural!
  • Researchy!
  • Practical!
  • Extensible!

🎄 Spooky!
  • Symbolic Execution
  • Dead, Undead, Zombie and Schrödinger Symbols, The Reaper
  • Body Farms

SLIDE 9

Clang Static Analyzer

  • Natural!
  • Researchy!
  • Practical!
  • Extensible!

🎄 Spooky!

  • Exciting!
SLIDE 10

Plan For Today!

  • Algorithms and Data Structures of the Static Analyzer
  • How to Fix a Static Analyzer Bug in 24 minutes
SLIDE 11

Algorithms and Data Structures of the Static Analyzer

Plain Source Code → Abstract Syntax Tree → Control Flow Graph → Exploded Graph → Path Diagnostics

SLIDE 12

AST: How Compiler Sees Your Code

x + y + z

  • Nodes: statements, declarations, types – annotated and cross-referenced
  • Edges: “is-part-of” relation

[Figure: AST of x + y + z]
  x + y + z
  ├── x + y
  │   ├── x
  │   └── y
  └── z

SLIDE 13

AST: How Compiler Sees Your Code

x ? y : z

  • Nodes: statements, declarations, types – annotated and cross-referenced
  • Edges: “is-part-of” relation

[Figure: AST of x ? y : z]
  x ? y : z
  ├── x
  ├── y
  └── z

SLIDE 14

CFG: Order in which Statements are Executed

  • Nodes: usually AST statements
  • Edges: “executed-after” relation

[Figure: AST of x + y + z with its nodes numbered in execution order, beside the CFG that lists them in that order]
  1: x  →  2: y  →  3: x + y  →  4: z  →  5: x + y + z

SLIDE 15
CFG: Order in which Statements are Executed

  • Nodes: usually AST statements
  • Edges: “executed-after” relation

[Figure: AST of x ? y : z beside its CFG: 1: x, then a branch to either 2: y or 2: z (hence “2?”), then x ? y : z]

SLIDE 16

Program Points

[Figure: a program point sits between consecutive statements: Stmt1 → Point → Stmt2, i.e. Point1 → Stmt → Point2]

SLIDE 17

Exploded Graph: Paths Through CFG

  • Nodes: (Point, State) pairs
  • Program Point: A point between statements (usually)
  • Program State: A record of effects of statements evaluated so far
  • Edges: An edge from (Point1, State1) to (Point2, State2) means that the statement between Point1 and Point2 updates State1 to State2

SLIDE 18

Exploded Graph Edges

[Figure: Node1 = (Point1, State1) and Node2 = (Point2, State2), joined by Edge12, which is labelled with the Stmt between Point1 and Point2]

SLIDE 19

Effects of Assignments: Store

Statement: x = 7

  Before – Program State: Nothing Yet!
  After  – Program State: Store: x -> 7

SLIDE 20

Values of Expressions: Environment

Statement: x + 5;

  Before – Program State: Store: x -> 7
  After  – Program State: Store: x -> 7; Exprs: x + 5 -> 12

SLIDE 21

Focus on One Operation at a Time

Statement: (x + 5) / 2;

  Before – Program State: Exprs: x + 5 -> 12
  After  – Program State: Exprs: (x + 5) / 2 -> 6

SLIDE 22

What If It’s Not In The Store?

// example: int foo(int x) { return x; }
Statement: x;

  Before – Program State: Nothing Yet!
  After  – Program State: Exprs: x -> reg_$0<int x>

SLIDE 23

Effects of Branches: Constraints (Path Explosion!)

Statement: if (x > 5) …

  Before – Program State: Exprs: x -> reg_$0<int x>
  After, false branch – Program State: Ranges: reg_$0<int x> <= 5
  After, true branch  – Program State: Ranges: reg_$0<int x> > 5

SLIDE 24

Symbolic Execution Recipe

  • Just execute the program as you normally would
  • Don’t know the value? – Denote it with a symbol
  • Branch depends on a symbol? – Split up, record constraints
  • Don’t explore paths on which constraints contradict each other
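The recipe above, together with the Store / Exprs / Ranges layout of the state slides, as an added toy implementation that is not code from the talk or from Clang. It runs the slide-3 function: on the path where y == 0 is assumed, the symbol behind x is pinned to zero and 24 / x is reported as a division by zero; on the other path the symbol is constrained to be non-zero and the function returns 0. The tuple encoding of statements, the Path class, the helper names and the reg_$N<int x> symbol spelling are this example's own assumptions (one simplification is commented in the code: the fresh symbol is kept in the Store, whereas Clang derives it from the variable's memory region).

```python
# Added toy symbolic executor, not code from the talk or from Clang: its state is the
# Store, Exprs and Ranges of the slides; tuple encodings, names and the reg_$N<int x>
# symbol spelling are this example's own assumptions.
import copy
import operator
from dataclasses import dataclass, field

INT_MIN, INT_MAX = -2**31, 2**31 - 1
FULL = [(INT_MIN, INT_MAX)]
class Sym(str): "An unknown value, e.g. reg_$0<int x> for a parameter never assigned."

@dataclass
class Path:  # one exploded-graph path: the program state plus what happened on it
    store: dict = field(default_factory=dict)   # Store:  x -> 7
    exprs: dict = field(default_factory=dict)   # Exprs:  x + 5 -> 12
    ranges: dict = field(default_factory=dict)  # Ranges: reg_$0<int x> -> [(6, INT_MAX)]
    nsyms: int = 0                              # counter for fresh symbol names
    bugs: list = field(default_factory=list)    # what a path diagnostic would report
    ret: object = None
    done: bool = False

CMP = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
ARITH = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": lambda a, b: int(a / b)}
def complement(rs):  # intervals of int not covered by the sorted, disjoint intervals rs
    out, cur = [], INT_MIN
    for lo, hi in rs:
        out += [(cur, lo - 1)] if cur <= lo - 1 else []
        cur = hi + 1
    return out + ([(cur, INT_MAX)] if cur <= INT_MAX else [])
def intersect(a, b):
    return [(max(l1, l2), min(h1, h2)) for l1, h1 in a for l2, h2 in b if max(l1, l2) <= min(h1, h2)]
def true_ranges(op, c):  # intervals on which `sym op c` holds
    t = {"==": [(c, c)], "!=": complement([(c, c)]), ">": [(c + 1, INT_MAX)],
         ">=": [(c, INT_MAX)], "<": [(INT_MIN, c - 1)], "<=": [(INT_MIN, c)]}[op]
    return [r for r in t if r[0] <= r[1]]
def show(e, nested=False):  # source-like text of an expression tuple; the key used in Exprs
    if e[0] in ("const", "var"):
        return str(e[1])
    s = f"{show(e[2], True)} {e[1]} {show(e[3], True)}"
    return f"({s})" if nested else s

def eval_expr(p, e):  # evaluate one expression, updating the path's state
    if e[0] == "const":
        return e[1]
    if e[0] == "var":
        if e[1] not in p.store:  # don't know the value? denote it with a symbol (kept in the
            p.store[e[1]] = Sym(f"reg_${p.nsyms}<int {e[1]}>")  # Store here; Clang derives
            p.nsyms += 1                                          # it from the memory region)
        v = p.store[e[1]]
    else:  # ("bin", op, lhs, rhs)
        _, op, l, r = e
        a, b = eval_expr(p, l), eval_expr(p, r)
        if op == "/" and (b == 0 or p.ranges.get(b) == [(0, 0)]):
            p.bugs.append(f"Division by zero in '{show(e)}': divisor {b} is 0")
            p.done, v = True, 0  # error node: this path is not explored any further
        elif op == "/" and isinstance(b, Sym):  # might be zero: assume not, remember it
            p.ranges[b] = intersect(p.ranges.get(b, FULL), complement([(0, 0)]))
            v = Sym(f"({a} / {b})")
        elif isinstance(a, int) and isinstance(b, int):
            v = ARITH[op](a, b)
        else:
            v = Sym(f"({a} {op} {b})")  # opaque symbolic expression
    p.exprs[show(e)] = v  # the Environment records every evaluated expression
    return v
def assume(path, cond, taken):  # branch depends on a symbol? split up, record constraints
    _, op, l, r = cond  # ("cmp", op, expr, ("const", c))
    p = copy.deepcopy(path)
    a, c = eval_expr(p, l), eval_expr(p, r)
    if isinstance(a, int):  # both sides known: at most one of the two branches survives
        return p if CMP[op](a, c) == taken else None
    want = true_ranges(op, c) if taken else complement(true_ranges(op, c))
    new = intersect(p.ranges.get(a, FULL), want)
    if not new:
        return None  # constraints contradict each other: this path is never explored
    p.ranges[a] = new
    return p
def exec_block(stmts, path):
    paths = [path]
    for s in stmts:
        paths = [q for p in paths for q in ([p] if p.done else exec_stmt(s, p))]
    return paths
def exec_stmt(stmt, p):
    if stmt[0] == "decl":  # ("decl", name, expr): the assignment's effect goes into the Store
        p.store[stmt[1]] = eval_expr(p, stmt[2])
        return [p]
    if stmt[0] == "return":  # ("return", expr)
        p.ret, p.done = eval_expr(p, stmt[1]), True
        return [p]
    _, cond, then_b, else_b = stmt  # ("if", cond, then_block, else_block)
    forks = [(assume(p, cond, True), then_b), (assume(p, cond, False), else_b)]
    return [r for q, block in forks if q is not None for r in exec_block(block, q)]

# Constructed input: int foo(int x) { int y = x; if (y == 0) return 24 / x; return 0; }
FOO = [("decl", "y", ("var", "x")),
       ("if", ("cmp", "==", ("var", "y"), ("const", 0)),
        [("return", ("bin", "/", ("const", 24), ("var", "x")))], []),
       ("return", ("const", 0))]
```

Calling exec_block(FOO, Path()) returns two finished paths. On the first, assuming y == 0 pins reg_$0<int x> to the range [(0, 0)] (y and x share the symbol because y was initialised from x), so 24 / x is reported and the path ends at that error node; on the second, the symbol's ranges become [(INT_MIN, -1), (1, INT_MAX)] and the function returns 0. A nested `if (x < 3)` under `if (x > 5)` is dropped inside assume() because the range intersection is empty, which is the last line of the recipe in action.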
SLIDE 26

Demo: How to Fix a Static Analyzer Bug in 24 minutes!

SLIDE 28

Summary!

  • Static Analyzer finds bugs by exploring sequences of events that may occur during the execution of the program.
  • You can understand and study the internal logic of the static analyzer by looking at exploded graph dumps and setting conditional breakpoints on individual nodes.
  • Sometimes these graphs are huge, so you should use utils/analyzer/exploded-graph-rewriter.py with various flags to extract useful information from the dump.
  • See clang-analyzer.llvm.org for more information!