1 / 16

Lsa

Daejun Park, ROPAS, SNU Lightweight Static Analysis for Buffer Overrun Errors of C programs. Lsa. Example, pointer analysis. int foo () { int arr[10]; int ret; ret = bar(arr, 10) return arr[ret]; } int bar (int *p, int x) { int i; i = 0; while 1 (i < x) { p[i] = i;

milly
Download Presentation

Lsa

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Daejun Park, ROPAS, SNU Lightweight Static Analysis for Buffer Overrun Errors of C programs Lsa

  2. Example, pointer analysis int foo () { int arr[10]; int ret; ret = bar(arr, 10) return arr[ret]; } int bar (int *p, int x) { int i; i = 0; while1 (i < x) { p[i] = i; i = i + 1; } p[i] = i; return i; } R(0) = {lret} P(lp) = {l0} R(1) = {li,l0} R(0) = {li,l0}

  3. Example, summary of bar lp -> (l0,f,s), l0 -> p, lx -> x int bar (int *p, int x) { int i; i = 0; while1 (i < x) { p[i] = i; i = i + 1; } p[i] = i; return i; } lp -> (l0,f,s), l0 -> p, lx -> x li -> 0 lp -> (l0,f,s), l0 -> p, lx -> x li -> 0 l0 -> p U 0 li -> 1 f + 0 < s

  4. Example, summary of bar lp -> (l0,f,s), l0 -> p, lx -> x int bar (int *p, int x) { int i; i = 0; while1 (i < x) { p[i] = i; i = i + 1; } p[i] = i; return i; } lp -> (l0,f,s), l0 -> p, lx -> x li -> 0 lp -> (l0,f,s), lx -> x l0 -> T, li -> T, li -> x - 1 f + (x – 1) < s lp -> (l0,f,s), lx -> x l0 -> T li -> x - 1 + 1 lp -> (l0,f,s), lx -> x l0 -> T li -> x - 1 + 1 lr -> x - 1 + 1 f + (x – 1 + 1) < s

  5. Example, summary of bar(cont) lp -> (l0,f,s) l0 -> p lx -> x int bar (int *p, int x) { int i; i = 0; while1 (i < x) { p[i] = i; i = i + 1; } p[i] = i; return i; } f + 0 < s summary f + (x – 1) < s f + (x – 1 + 1) < s lr -> x - 1 + 1 l0 -> T

  6. Example, summary of foo I larr -> (l’arr, 0, 10) int foo () { int arr[10]; int ret; ret = bar(arr, 10) return arr[ret]; } larr -> (l’arr, 0, 10) lret -> 10 - 1 + 1 l’arr -> T lr -> T 0 + 10 < 10 lp -> (l0,f,s) l0 -> p lx -> x lr -> x - 1 + 1 l0 -> T f + 0 < s f + (x - 1) < s f + (x - 1 + 1) < s lp -> (l’arr,0,10) l’arr -> ㅗ lx -> 10 lr -> 10 - 1 + 1 l’arr -> T 0 + 0 < 10 0 + (10 - 1) < 10 0 + (10 - 1 + 1) < 10

  7. Example, summary of foo I larr -> (l’arr, 0, 10) int foo () { int arr[10]; int ret; ret = bar(arr, 10) return arr[ret]; } larr -> (l’arr, 0, 10) lret -> 10 - 1 + 1 l’arr -> T lr -> T 0 + 10 < 10 lp -> (l0,f,s) l0 -> p lx -> x lr -> x - 1 + 1 l0 -> T f + 0 < s f + (x - 1) < s f + (x - 1 + 1) < s lp -> (l’arr,0,10) l’arr -> ㅗ lx -> 10 lr -> 10 - 1 + 1 l’arr -> T 0 + 0 < 10 0 + (10 - 1) < 10 0 + (10 - 1 + 1) < 10

  8. Example, summary of foo II larr -> (l’arr, 0, 10) bar ((l’arr,0,10), 10) lr -> ret l’arr -> arr int foo () { int arr[10]; int ret; ret = bar(arr, 10) return arr[ret]; } larr -> (l’arr, 0, 10) lret -> ret l’arr -> arr lr -> arr 0 + ret < 10 lp -> (l0,f,s) l0 -> p lx -> x lr -> x - 1 + 1 l0 -> T f + 0 < s f + (x - 1) < s f + (x - 1 + 1) < s lp -> (l’arr,0,10) l’arr -> ㅗ lx -> 10 lr -> 10 - 1 + 1 l’arr -> T 0 + 0 < 10 0 + (10 - 1) < 10 0 + (10 - 1 + 1) < 10

  9. Example, summary of foo II larr -> (l’arr, 0, 10) bar ((l’arr,0,10), 10) lr -> ret l’arr -> arr int foo () { int arr[10]; int ret; ret = bar(arr, 10) return arr[ret]; } 10 larr -> (l’arr, 0, 10) lret -> ret l’arr -> arr lr -> arr T 10 T 0 + ret < 10 T 10 lp -> (l0,f,s) l0 -> p lx -> x lr -> x - 1 + 1 l0 -> T f + 0 < s f + (x - 1) < s f + (x - 1 + 1) < s lp -> (l’arr,0,10) l’arr -> ㅗ lx -> 10 lr -> 10 - 1 + 1 l’arr -> T 0 + 0 < 10 0 + (10 - 1) < 10 0 + (10 - 1 + 1) < 10

  10. Design decisions • inter-procedural analysis • function summary • return-value & side-effects over parameters • global static array • complex loop vs. simple loop • symbolic constant expression • bounded abstraction

  11. Inter-procedural analysis • separated analysis • using function summary • return-value dependent on parameters • side-effect loaded with parameters of pointer type • cutting recursive call chain • generating and solving constraints for non-summarized functions

  12. Global static array • global array initialized with constant expression • elements of global static array are not aggregated • assumption: global static array is not modified in whole program • used as constant value

  13. Complex vs. simple loop • loop satisfying following conditions is simple • for (i = c; i < c; i++) { stmt } • ‘stmt’ does not modify ‘i’ • narrowing only simple loop • low-cost widening using point-to analysis

  14. Symbolic constant expression • using scalar-variable as constant • comparison between SCEs • mostly, n < n+1 • values of parameters are set to arbitrary scalar-variable • return value and side-effects of non-summarized function are same • generating constraints over SCEs

  15. Bounded abstraction • abstraction for set • restricting number of elements of set • for location and SCE

  16. References • L. Andersen, “Program Analysis and Specialization for the C Programming Language”, Ph.D. thesis, DIKU report 94/19, 1994 • N. Heintze and O. Tardieu, “Ultra-fast Aliasing Analysis using CLA: A Million Lines of C Code in a Second”, PLDI, 2001

More Related