
Airac Static Analyzer for Automatic Verification of Array Index Ranges in C Programs

Airac: Static Analyzer for Automatic Verification of Array Index Ranges in C Programs. 이광근 (Kwangkeun Yi), Programming Research Laboratory, Seoul National University. 1/21/2005 @ Samsung SW Center. Contents: overview (what + enabling technology, internal architecture); performance (for Samsung sw's, Linux kernels, GNU sw's; strength and weakness).



Presentation Transcript


  1. Airac: Static Analyzer for Automatic Verification of Array Index Ranges in C Programs
  이광근 (Kwangkeun Yi), Programming Research Laboratory, Seoul National University
  1/21/2005 @ Samsung SW Center

  2. Contents
  • Overview
    • what + enabling technology
    • internal architecture
  • Performance
    • for Samsung sw's, Linux kernels, GNU sw's
    • strength and weakness
  • Airac in global competition
  • Demo
  • Plan & Discussion

  3. Airac: introduction
  • statically detects all the array index overruns in C programs, whatever form the index and the array expression take:

        int *c = (int *)malloc(sizeof(int)*10);
        c[i] = 1;
        c[i + f()] = 1;
        c[*k + (*g)()] = 1;
        x = c;        x[1] = 1;
        y = c + f();  y[*(y+1)] = 1;
        z->a = c;     (z->a)[i] = 1;

  • "statically": no test runs
  • "all": complete, no un-noticed overruns
  • "C": the full set of typeful ANSI C
    • C pointers (array, procedure)
    • C controls (procedure, return, break, goto)
    • intra- and inter-procedural
    • a variable of type t must remain as such

  4. Airac: internals (1/2)
  The analysis is a system of simultaneous equations whose solution is a fixpoint:

        x1 = F1(x1, …, xN)
        x2 = F2(x1, …, xN)
        …
        xN = FN(x1, …, xN)

  (architecture diagram labels: C files; C' pgm; Solver: fixpoint engine, accelerator, refiner, tuner; report generation)

  5. Airac: internals (2/2)
  • Every available technique was deployed to tune Airac to a "realistic" cost-accuracy balance.
  • for analysis accuracy
    • flow-sensitive analysis, context pruning, polyvariant analysis, static loop unrolling, narrowing
  • for analysis speed
    • widening, selective join, stack obviation, wait-at-join
  • new techniques were invented

  6. Airac: performance (1/3)
  False alarms: regrettable but inevitable. Still a great help: consider 435 vs 800,000!
  Analyzer stupidity ~ FalseAlarms/Alarms × Alarms/LOC
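The fixpoint engine of slide 4, the widening/narrowing pair of slide 5 and the false-alarm point of slide 6 can all be seen on a toy interval domain. The Python below is an added example written for this page, not Airac's code: Airac handles full ANSI C, whereas this analyzer handles one fixed loop shape that is an assumption of the example (`i = init; while (i OP bound) { a[i] = ...; i = i + step; } a[i-1] = ...;` with a positive step and `a` of a known size). Every index is checked against [0, size-1]. With widening alone the safe post-loop access `a[i-1]` is reported (a false alarm, because widening leaves the loop-head bound at +inf); narrowing recovers the finite bound and removes that alarm, while the real overrun of the `i <= 10` loop is reported either way. All names (`analyze_loop`, `check_index`, `widen`, `narrow`) belong to this example only.

```python
"""Toy flow-sensitive interval analysis with widening and narrowing.

Added example, not Airac's code. Analyses the assumed loop shape

    i = init;
    while (i OP bound) { a[i] = ...; i = i + step; }   /* OP is '<' or '<=' */
    a[i - 1] = ...;                                     /* access after the loop */

over the interval domain and reports an alarm for every array index that is
not provably inside [0, size-1].  An interval is a (lo, hi) tuple; None is
bottom (unreachable).  step is assumed positive.
"""
import math

INF = math.inf


def join(x, y):
    """Least upper bound of two intervals (None is bottom)."""
    if x is None:
        return y
    if y is None:
        return x
    return (min(x[0], y[0]), max(x[1], y[1]))


def meet(x, y):
    """Greatest lower bound; an empty intersection is bottom."""
    if x is None or y is None:
        return None
    lo, hi = max(x[0], y[0]), min(x[1], y[1])
    return (lo, hi) if lo <= hi else None


def widen(old, new):
    """Cousot-style widening: a bound that keeps moving jumps to infinity."""
    if old is None:
        return new
    if new is None:
        return old
    lo = old[0] if old[0] <= new[0] else -INF
    hi = old[1] if old[1] >= new[1] else INF
    return (lo, hi)


def narrow(old, new):
    """Narrowing: only the bounds that widening pushed to infinity may improve."""
    if old is None or new is None:
        return None
    lo = new[0] if old[0] == -INF else old[0]
    hi = new[1] if old[1] == INF else old[1]
    return (lo, hi)


def add_const(x, k):
    return None if x is None else (x[0] + k, x[1] + k)


def filter_cond(x, op, bound):
    """Values of x for which  i op bound  holds (loop body entry)."""
    return meet(x, (-INF, bound - 1 if op == "<" else bound))


def filter_not(x, op, bound):
    """Values of x for which  i op bound  fails (loop exit)."""
    return meet(x, (bound if op == "<" else bound + 1, INF))


def check_index(label, idx, size, alarms):
    """Record an alarm unless idx is provably inside [0, size-1]."""
    if idx is None:
        return  # unreachable access: nothing to report
    if idx[0] < 0 or idx[1] > size - 1:
        alarms.append(f"{label}: index in [{idx[0]}, {idx[1]}] may leave [0, {size - 1}]")


def analyze_loop(init, op, bound, step, size, use_narrowing=True):
    """Return (loop-head invariant for i, list of alarms)."""
    entry = (init, init)

    def body(head):
        # one pass through the loop body starting from the loop-head state
        return add_const(filter_cond(head, op, bound), step)

    # ascending iteration with widening: reaches a post-fixpoint in a few steps
    head = entry
    while True:
        nxt = widen(head, join(entry, body(head)))
        if nxt == head:
            break
        head = nxt

    # descending iteration with narrowing: tightens the bounds widening lost
    if use_narrowing:
        while True:
            nxt = narrow(head, join(entry, body(head)))
            if nxt == head:
                break
            head = nxt

    alarms = []
    check_index("a[i] in loop body", filter_cond(head, op, bound), size, alarms)
    check_index("a[i-1] after loop", add_const(filter_not(head, op, bound), -1), size, alarms)
    return head, alarms


if __name__ == "__main__":
    for op in ("<", "<="):
        for narrowing in (True, False):
            head, alarms = analyze_loop(0, op, 10, 1, 10, narrowing)
            print(f"i {op} 10, narrowing={narrowing}: i in {head}, alarms: {alarms or 'none'}")
```

Running it shows the trade-off the slides describe: for `i < 10` the loop-head invariant is [0, 10] with narrowing and [0, +inf] without, and only the latter produces an alarm (a false one) on `a[i-1]`; for `i <= 10` both settings report `a[i]` and `a[i-1]`, which really do overrun a ten-element array.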

  7. Airac: performance (2/3)

  8. Airac: performance (3/3)

  9. Airac vs Swat (1/3)

  10. Airac vs Swat (2/3) (figure labels: Airac, Bugs, Coverity)

  11. Airac vs Swat (3/3)

  12. Airac: scalability

  13. Demo
  • killers for Swat
    • Samsung EsWin osInputQueue.c
    • GNU tar-1.13/rmt.c

  14. Airac: distinguished
  • one of a few real-world static analyzers in support of full ANSI C
  • vs. the world-class powers in static analysis:
    • Astree (France), PolySpace (France), AbsInt (Germany): sound (don't have yet)
    • Coverity (USA): not complete, ad hoc. Beaten by Airac.
  • all in the static analysis research community:
    • I know what they (can) do.
    • If I hadn't known, they might be people of either shallow technology or the "disruptive technology"
  • big surprise to conventional compiler people ("data-flow-analysis" people): "how did you handle pointers, aliases, inter-procedural things, etc.?" They don't understand Airac technology because their framework is weak.

  15. Airac: room to improve
  • cost
    • speed: ~50 LOC/sec with a big variance
    • big memory footprint: ~4 GB when analyzing 10 KLOC of GNU sw
  • accuracy
    • false alarms: unavoidable, but not that stupid
    • wise report generation needed
  • identified research problems
    • static analysis linker
    • alarm explanation generator
    • alarm-repairing analyzer framework
    • analyzer visualization: see what happens

  16. Plan: proposal
  • Equip SWC with the Airac family of analyzers for detecting
    • other common and/or critical bugs
    • hard memory bugs: memory leaks and dangling pointers
    • sw-specific bugs (e.g. "x must be 0 here")
  • Dispatch the Airac family Samsung-wide

  17. Hope you enjoy Airac and beyond. Thank you (감사합니다).
