in the clang static
play

in the Clang Static Analyzer dm Balogh adam.balogh@ericsson.com - PowerPoint PPT Presentation

Dec 10, 2022 •132 likes •428 views

Statistics Based Checkers in the Clang Static Analyzer dm Balogh adam.balogh@ericsson.com Euro LLVM 2019, Brussels, Belgium Ericsson 2019-04-08 Ericsson Internal | 2018-02-21 The Problem Huge legacy code with weak documentation

  1. Statistics Based Checkers in the Clang Static Analyzer Ádám Balogh adam.balogh@ericsson.com Euro LLVM 2019, Brussels, Belgium Ericsson 2019-04-08 Ericsson Internal | 2018-02-21

  2. The Problem — Huge legacy code with weak documentation Ericsson Internal | 2018-02-21

  3. The Problem — Huge legacy code with weak documentation X.h int may_return_return_negative(); // no body available Ericsson Internal | 2018-02-21

  4. The Problem — Huge legacy code with weak documentation X.h int may_return_return_negative(); // no body available — Many calls for may_return_negative() , return value is checked for negative in e.g. 98% of the calls Ericsson Internal | 2018-02-21

  5. The Problem — Huge legacy code with weak documentation X.h int may_return_return_negative(); // no body available — Many calls for may_return_negative() , return value is checked for negative in e.g. 98% of the calls Y1.c int i = may_return_return_negative(); if (i < 0) return; v[i]; // OK. Ericsson Internal | 2018-02-21

  6. The Problem — Huge legacy code with weak documentation X.h int may_return_return_negative(); // no body available — Many calls for may_return_negative() , return value is checked for negative in e.g. 98% of the calls Y1.c Y2.c int i = may_return_return_negative(); int i = may_return_return_negative(); if (i < 0) if (i < 0) return; return; v[i]; // OK. v[i]; // OK. Ericsson Internal | 2018-02-21

  7. The Problem — Huge legacy code with weak documentation X.h int may_return_return_negative(); // no body available — Many calls for may_return_negative() , return value is checked for negative in e.g. 98% of the calls Y1.c Y2.c int i = may_return_return_negative(); Y3.c int i = may_return_return_negative(); if (i < 0) int i = may_return_return_negative(); if (i < 0) return; if (i < 0) return; v[i]; // OK. return; v[i]; // OK. v[i]; // OK. Ericsson Internal | 2018-02-21

  8. The Problem — Huge legacy code with weak documentation X.h int may_return_return_negative(); // no body available — Many calls for may_return_negative() , return value is checked for negative in e.g. 98% of the calls Y1.c Y2.c int i = may_return_return_negative(); Y3.c int i = may_return_return_negative(); Y4.c if (i < 0) int i = may_return_return_negative(); if (i < 0) int i = may_return_return_negative(); return; if (i < 0) return; if (i < 0) v[i]; // OK. return; v[i]; // OK. return; v[i]; // OK. v[i]; // OK. Ericsson Internal | 2018-02-21

  9. The Problem — Huge legacy code with weak documentation X.h int may_return_return_negative(); // no body available — Many calls for may_return_negative() , return value is checked for negative in e.g. 98% of the calls Y1.c Y2.c int i = may_return_return_negative(); Y3.c Yn.c int i = may_return_return_negative(); Y4.c if (i < 0) int i = may_return_return_negative(); int i = may_return_return_negative(); if (i < 0) int i = may_return_return_negative(); return; if (i < 0) v[i]; // error: negative indexing return; if (i < 0) v[i]; // OK. return; v[i]; // OK. return; v[i]; // OK. v[i]; // OK. Ericsson Internal | 2018-02-21

  10. The Problem — Huge legacy code with weak documentation X.h int may_return_return_negative(); // no body available — Many calls for may_return_negative() , return value is checked for negative in e.g. 98% of the calls Y1.c Y2.c int i = may_return_return_negative(); Y3.c Yn.c int i = may_return_return_negative(); Y4.c if (i < 0) int i = may_return_return_negative(); int i = may_return_return_negative(); if (i < 0) int i = may_return_return_negative(); return; if (i < 0) v[i]; // error: negative indexing return; if (i < 0) v[i]; // OK. return; v[i]; // OK. return; v[i]; // OK. v[i]; // OK. — Goal: detect the 2% where the negativeness of the return value is not checked Ericsson Internal | 2018-02-21

  11. What do we check? Ignored Return Value Find calls where the return value is ignored but it should not Ignored.c fread (data, …); // data may be garbage // if read failed Ericsson Internal | 2018-02-21

  12. What do we check? Ignored Return Value Special Return Value Find calls where the return value is Negative Integers ignored but it should not Find calls where the integer return value is not checked for negative but it should Ignored.c fread (data, …); // data may be garbage // if read failed NegRet.c int i = ret_neg(); v[i]; // error Ericsson Internal | 2018-02-21

  13. What do we check? Ignored Return Value Special Return Value Find calls where the return value is Negative Integers Null Pointers ignored but it should not Find calls where the integer Find calls where the pointer return value is not checked for return value is not checked for negative but it should null pointer but it should Ignored.c fread (data, …); // data may be garbage // if read failed NegRet.c NullRet.c int i = ret_neg(); T *t = ret_null(); v[i]; // error t->field; // error Ericsson Internal | 2018-02-21

  14. What do we check? Ignored Return Value Special Return Value Find calls where the return value is Negative Integers Null Pointers ignored but it should not Find calls where the integer Find calls where the pointer return value is not checked for return value is not checked for negative but it should null pointer but it should Ignored.c fread (data, …); // data may be garbage // if read failed NegRet.c NullRet.c int i = ret_neg(); T *t = ret_null(); v[i]; // error t->field; // error Other “special” values may be added Ericsson Internal | 2018-02-21

  15. How does it work? X.c Y.cpp X.c Y.cpp X.c Y.cpp *.c *.cpp Ericsson Internal | 2018-02-21

  16. How does it work? X.c Y.cpp X.c Y.cpp X.c Y.cpp *.c *.cpp clang *.yaml SA *.yaml Phase 1: Collect statistics Ericsson Internal | 2018-02-21

  17. How does it work? X.c Y.cpp X.c Y.cpp X.c Y.cpp *.c *.cpp clang clang *.yaml SA *.yaml SA Phase 1: Collect statistics Phase 2: Analyze Ericsson Internal | 2018-02-21

  18. How does it work? X.c Y.cpp X.c Y.cpp X.c Y.cpp *.c *.cpp clang clang *.yaml SA *.yaml SA Phase 1: Collect statistics Phase 2: Analyze — Threshold and minimum required number of calls configurable (default: 85% and 10 calls) Ericsson Internal | 2018-02-21

  19. How does it work? X.c Y.cpp X.c Y.cpp X.c Y.cpp *.c *.cpp clang clang *.yaml SA *.yaml SA Phase 1: Collect statistics Phase 2: Analyze — Threshold and minimum required number of calls configurable (default: 85% and 10 calls) — CodeChecker support exists, open sourcing planned Ericsson Internal | 2018-02-21

  20. Checking for Special Return Values — No warnings, just state split Ericsson Internal | 2018-02-21

  21. Checking for Special Return Values — No warnings, just state split int i = may_return_negative(); Ericsson Internal | 2018-02-21

  22. Checking for Special Return Values — No warnings, just state split int i = may_return_negative(); i : [INT_MIN..-1] i: [0..INT_MAX] Ericsson Internal | 2018-02-21

  23. Checking for Special Return Values — No warnings, just state split int i = may_return_negative(); i : [INT_MIN..-1] i: [0..INT_MAX] x = v[i]; //Error! x = v[i]; //OK. Ericsson Internal | 2018-02-21

  24. Checking for Special Return Values — No warnings, just state split int i = may_return_negative(); i : [INT_MIN..-1] i: [0..INT_MAX] Reported by negative array ← indexing checker! x = v[i]; //Error! x = v[i]; //OK. Ericsson Internal | 2018-02-21

  25. Checking for Special Return Values — No warnings, just state split int i = may_return_negative(); i : [INT_MIN..-1] i: [0..INT_MAX] Reported by negative array ← indexing checker! x = v[i]; //Error! x = v[i]; //OK. — Performance impact: low because special return value branch terminates quickly — Either by early exit or because of error Ericsson Internal | 2018-02-21

  26. Future Work — False Positives: The possible return values often depend from the arguments Ericsson Internal | 2018-02-21

  27. Future Work — False Positives: The possible return values often depend from the arguments — Solution: Take the parameters also into consideration Ericsson Internal | 2018-02-21

  28. Thank You! adam.balogh@ericsson.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs at compile time by inspecting your source code Bugs it finds are more sophisticated than warnings or Clang-Tidy Clang Static Analyzer 1

544 views • 29 slides
Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem

Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem

Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem Dergachev, Apple Agenda Introduction to Clang Static Analyzer Using coverage-based iteration order Improved C++ constructor and destructor

789 views • 40 slides
Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts

Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts

Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts Small amount of theory to a practical example Why Static Analysis? Static Analysis in Continuous Integration What is Cross Translation Unit

480 views • 34 slides
Summary-based inter-unit analysis for Clang Static Analyzer Aleksei Sidorin 2016-11-01 . S

Summary-based inter-unit analysis for Clang Static Analyzer Aleksei Sidorin 2016-11-01 . S

Summary-based inter-unit analysis for Clang Static Analyzer Aleksei Sidorin 2016-11-01 . S amsung R &amp;D Institute, R ussia 1 . . . . . Clang Static Analyzer Source-based analysis of high-level programming languages (C, C++,

631 views • 27 slides
A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs Mentors: Artem Dergachev Etvs Lornd University, Budapest, Hungary Gbor Horvth rekanikolett@gmail.com Real-world example return

257 views • 9 slides
The Penultimate Challenge: Bug report construction in the Clang Static Analyzer Kristf Umann

The Penultimate Challenge: Bug report construction in the Clang Static Analyzer Kristf Umann

The Penultimate Challenge: Bug report construction in the Clang Static Analyzer Kristf Umann dkszelethus@gmail.com Etvs Lornd University, Budapest Ericsson Hungary 2019. oct. 22. 2/38 Clear, precise bug reports are important One of

1.91k views • 175 slides
Resolving the almost decade old checker dependency issue in the Clang Static Analyzer Kristf

Resolving the almost decade old checker dependency issue in the Clang Static Analyzer Kristf

. . . . . . . . . . . . . . . . Resolving the almost decade old checker dependency issue in the Clang Static Analyzer Kristf Umann dkszelethus@gmail.com Etvs Lornd University, Budapest Ericsson Hungary . . . . . .

603 views • 15 slides
MPI-Checker Static Analysis for MPI Alexander Droste, Michael Kuhn, Thomas Ludwig November

MPI-Checker Static Analysis for MPI Alexander Droste, Michael Kuhn, Thomas Ludwig November

MPI-Checker Static Analysis for MPI Alexander Droste, Michael Kuhn, Thomas Ludwig November 15, 2015 Motivation Clang Static Analyzer MPI-Checker Limitations Evaluation Future Work Motivation 2 / 39 Motivation Clang Static Analyzer

535 views • 41 slides
Cross Translational Unit Analysis in Clang Static Analyzer: Prototype and Measurements Gabor

Cross Translational Unit Analysis in Clang Static Analyzer: Prototype and Measurements Gabor

Cross Translational Unit Analysis in Clang Static Analyzer: Prototype and Measurements Gabor Horvath (xazax 1 ), Peter Szecsi (ps95 1 ), Zoltan Gera (gerazo 1 ) Daniel Krupp (daniel.krupp 2 ), Zoltan Porkolab (zoltan.porkolab 2 ) [1]

480 views • 29 slides
An update on Clang-based C++ Tooling Manuel Klimek Daniel Jasper Tomorrowland (from Euro LLVM

An update on Clang-based C++ Tooling Manuel Klimek Daniel Jasper Tomorrowland (from Euro LLVM

An update on Clang-based C++ Tooling Manuel Klimek Daniel Jasper Tomorrowland (from Euro LLVM DevMeeting 2012) Tools Editor integration clang-format Emacs clang-lint Vim clang-rename Eclipse

122 views • 8 slides
Life of an instruction in Clang / LLVM Francis Visoiu Mistrih - francis@lse.epita.fr 1 / 20

Life of an instruction in Clang / LLVM Francis Visoiu Mistrih - francis@lse.epita.fr 1 / 20

Life of an instruction in Clang / LLVM Francis Visoiu Mistrih - francis@lse.epita.fr 1 / 20 Clang foo.c - C int foo(int a, int b) { return a + b; } 2 / 20 Clang AST clang-check -ast-dump foo.c TranslationUnitDecl 0x29eaa20

225 views • 20 slides
Improving code reuse in clang tools with clangmetatool Daniel Ruoso druoso@bloomberg.net

Improving code reuse in clang tools with clangmetatool Daniel Ruoso druoso@bloomberg.net

Improving code reuse in clang tools with clangmetatool Daniel Ruoso druoso@bloomberg.net Bloomberg October 17, 2018 Static Analysis and Automated Refactoring at Bloomberg Static Analysis and Automated Refactoring at Bloomberg

1.13k views • 44 slides
The Clang AST A Tutorial by Manuel Klimek You'll learn: 1. The basic structure of the Clang AST

The Clang AST A Tutorial by Manuel Klimek You'll learn: 1. The basic structure of the Clang AST

The Clang AST A Tutorial by Manuel Klimek You'll learn: 1. The basic structure of the Clang AST 2. How to navigate the AST 3. Tools to understand the AST 4. Interfaces to code against the AST (Tooling, AST matchers, etc) The Structure of the

602 views • 44 slides
Bringing Clang and LLVM to Visual C++ users Reid Kleckner Google C++ devs demand a good

Bringing Clang and LLVM to Visual C++ users Reid Kleckner Google C++ devs demand a good

Bringing Clang and LLVM to Visual C++ users Reid Kleckner Google C++ devs demand a good toolchain Fast build times Powerful optimizations: LTO, etc Helpful diagnostics Static analyzers Dynamic instrumentation tools: the

920 views • 45 slides
clang-format Automatic formatting for C++ (Daniel Jasper - djasper@google.com) Why? A

clang-format Automatic formatting for C++ (Daniel Jasper - djasper@google.com) Why? A

clang-format Automatic formatting for C++ (Daniel Jasper - djasper@google.com) Why? A consistent coding style is important Formatting is tedious Clang's source files contain ~25% whitespace characters Sema::NameClassification

511 views • 24 slides
Switching a Linux distributions main toolchain to LLVM/Clang Bernhard Bero

Switching a Linux distributions main toolchain to LLVM/Clang Bernhard Bero

Switching a Linux distributions main toolchain to LLVM/Clang Bernhard Bero Rosenkrnzer, OpenMandriva/LinDev EuroLLVM 2019 When and why did we do it? Made the decision and started the transition around the time of the clang 3.5

204 views • 18 slides
Pipeline Front-End (Instruction Fetch &amp; Branch Prediction) Nima Honarmand Spring 2018 :: CSE

Pipeline Front-End (Instruction Fetch &amp; Branch Prediction) Nima Honarmand Spring 2018 :: CSE

Spring 2018 :: CSE 502 Pipeline Front-End (Instruction Fetch &amp; Branch Prediction) Nima Honarmand Spring 2018 :: CSE 502 Big Picture Spring 2018 :: CSE 502 Fetch Rate is an ILP Upper Bound Instruction fetch limits performance To

932 views • 62 slides
MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance, add r1, r2, r3 has - 000000 00010 00011 00001 00000 100000 opcode (OP) tells the machine which format 1 VAX Instruction Formats (x86

431 views • 20 slides
Predicated instructions, SIMD [SW04] P. Sanders and S. Winkel. Super Scalar Sample Sort . 12th

Predicated instructions, SIMD [SW04] P. Sanders and S. Winkel. Super Scalar Sample Sort . 12th

Special instructions: Predicated instructions, SIMD [SW04] P. Sanders and S. Winkel. Super Scalar Sample Sort . 12th Annual European Symposium on Algorithms (ESA), LNCS 3221, 784-796, 2004. [SGL09] Benjamin Schlegel, Rainer Gemulla, Wolfgang

658 views • 4 slides
Hazards Introduction Pipelining up until now has been ideal In real life, though, we

Hazards Introduction Pipelining up until now has been ideal In real life, though, we

Hazards Introduction Pipelining up until now has been ideal In real life, though, we might not be able to fill the pipeline because of hazards: Data hazards . For example, the result of an operation is needed before it is

413 views • 6 slides
Office of IT Schedule 70 Program Cheryl Thornton, Director, IT Hardware Contract Division Hassan

Office of IT Schedule 70 Program Cheryl Thornton, Director, IT Hardware Contract Division Hassan

Office of IT Schedule 70 Program Cheryl Thornton, Director, IT Hardware Contract Division Hassan Harris, Contracting Officer, IT Schedule 70 Programs Bruce Caughman, Contracting Specialist, IT Schedule 70 Programs U.S. General Services

315 views • 20 slides
From Factorial Designs to Hilbert Schemes Lorenzo Robbiano Universit di Genova Dipartimento di

From Factorial Designs to Hilbert Schemes Lorenzo Robbiano Universit di Genova Dipartimento di

From Factorial Designs to Hilbert Schemes Lorenzo Robbiano Universit di Genova Dipartimento di Matematica Lorenzo Robbiano (Universit di Genova) Factorial Designs and Hilbert Schemes Genova, June 2015 1 / 31 Abstract This talk is meant

1.81k views • 118 slides
Branch and Bound Marco Chiarandini Department of Mathematics &amp; Computer Science University

Branch and Bound Marco Chiarandini Department of Mathematics &amp; Computer Science University

DM545/DM871 Linear and Integer Programming Lecture 13 Branch and Bound Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Outline 1. Branch and Bound 2 Outline 1. Branch and Bound 5 Branch

892 views • 24 slides
FREE IF : HOW TO OMIT INACTIVE BRANCHES AND IMPLEMENT S-UNIVERSAL GARBLED CIRCUIT ALMOST FOR

FREE IF : HOW TO OMIT INACTIVE BRANCHES AND IMPLEMENT S-UNIVERSAL GARBLED CIRCUIT ALMOST FOR

FREE IF : HOW TO OMIT INACTIVE BRANCHES AND IMPLEMENT S-UNIVERSAL GARBLED CIRCUIT ALMOST FOR FREE V L A D KO L E S N I KO V G E O R G I A T E C H HIGH-LEVEL OVERVIEW OF THE RESULT f 1 (x,y) f 2 (x,y) f 3 (x,y) f 30 (x,y) c Sel In GC,

559 views • 18 slides

More recommend