
Mairac Static Analyzer for Detecting Memory Leak & Null Dereference Errors in C Programs

Mairac Static Analyzer for Detecting Memory Leak & Null Dereference Errors in C Programs. Programming Research Laboratory, Seoul National University, 4/14/2006 @ Samsung SWC. Outline: Mairac’s overview (memory leak & null dereference; technology & approach); Mairac’s performance.





Presentation Transcript


  1. Mairac Static Analyzer for Detecting Memory Leak & Null Dereference Errors in C Programs
  Programming Research Laboratory, Seoul National University
  4/14/2006 @ Samsung SWC

  2. Outline
  • Mairac’s Overview
    • memory leak & null dereference
    • technology & approach
  • Mairac’s Performance
    • for Samsung SWs & public SWs
    • comparison with Coverity.com’s Prevent
  • Next Steps
    • tool for company-wide dispatch
    • our plan
  Programming Research Laboratory

  3. Mairac Detects Two Fatal Bugs
  (flow sketches on the slide: (f l+ l-) (f l+) (f (g l+)l ) (f (g l+)ll-) (f l+ l(g l-)) (f l+ l(g) l-) (f l+ l(g)))
  • memory leak
    • no (untimely) memory recycle
  • null dereference
    • access to recycled memory
  • Challenges
    • full ANSI C
    • C’s pointers as 1st-class data
    • C’s arbitrary flows
    • separate files
    • cost vs accuracy

  4. Mairac’s Technology & Approach
  • semantic-based
    • abstract interpretation
    • ftn (malloc’d locs, freed locs)
    • based on Airac’s engine
  • compromise
    • no guarantee to detect all
    • stick to formal approach: no heuristics
    • detect more; reduce falses
    • goal: “be better than Prevent”

  5. Mairac’s Performance
  • Samsung SWs + public SWs: 530K loc
  (comparison figure; values as extracted, layout lost: Mairac Prevent 201 530 / True False 89 8 45 786+223)

  6. Mairac’s Performance: Memory Leak Detection
  Samsung SW: AnyPlay, EasySetup, MOREX, TFS4
  ~ 300K LOC, ~ 36 hours @ P4 3GHz + 3GB
  (comparison figure; values as extracted, layout lost: Mairac Prevent 154 73 / True False 56 4 6 151)

  7. Mairac’s Performance: Null Dereference Detection
  Samsung SW: AnyPlay, EasySetup, MOREX, TFS4
  ~ 300K LOC, ~ 36 hours @ P4 3GHz + 3GB
  (comparison figure; values as extracted, layout lost: Mairac Prevent 241 43 / True False 6 4 16 241)

  8. Mairac’s Performance: Memory Leak Detection
  Public SW: OpenSSH, Net-SNMP
  ~ 230K LOC, ~ 55 hours @ P4 3GHz + 3GB
  (comparison figure; values as extracted, layout lost: Mairac Prevent 43 42 / True False 26 0 11 216+223)

  9. Mairac’s Performance: Null Dereference Detection
  Public SW: OpenSSH, Net-SNMP
  ~ 230K LOC, ~ 55 hours @ P4 3GHz + 3GB
  (comparison figure; values as extracted, layout lost: Mairac Prevent 92 43 / True False 1 0 12 178)

  10. What About False Alarms? Our Solution Ahead
  • Ranking alarms: random forest method
    • until 50% of true shown, 0.32% of false mixed
    • until 22.6% of true shown, no false mixed
  • Mairac: 310 trues, 4 falses
  • Prevent: 290 trues, 53 falses
  • Mairac: until 140 trues seen, no false mixed
  “An Empirical Study on Classification Methods for Alarms from a Bug-Finding Static C Analyzer”, Kwangkeun Yi, Yongdai Kim, Jaehwang Kim, Hosik Choi, Jaeho Shin. Technical Memo ROPAS-2006-28, April 2006, http://ropas.snu.ac.kr/memo/ (submitted for publication)

  11. Performance for Samsung SWs

  12. Performance for Public SWs

  13. Because of One C Hack
  • Mairac generates “many” false alarms
  • Easy to remove
      &(((T *) 0)->field)   // field-offset computation
    is, in our intermediate language,
      &((* 0).field)        // null dereference
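The offset idiom this slide blames for the false alarms, as an added example (not Mairac's code): the hack macro beside the standard offsetof replacement, plus the container-recovery use that motivates the idiom. record_t, HACK_OFFSET and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* The analyzer-unfriendly idiom quoted on the slide: it forms a null
 * pointer, syntactically dereferences it and takes a field's address.
 * No memory is touched at run time, but an analyzer that models the
 * intermediate form &((*0).field) sees a null dereference. */
#define HACK_OFFSET(T, field) ((size_t)&(((T *)0)->field))

typedef struct {        /* constructed sample struct */
    int    id;
    char   name[16];
    double score;
} record_t;

/* Portable replacement: offsetof from <stddef.h>; no null pointer is
 * formed, so there is nothing for a null-dereference checker to flag. */
size_t offset_via_offsetof(void) { return offsetof(record_t, score); }
size_t offset_via_hack(void)     { return HACK_OFFSET(record_t, score); }

/* Typical consumer of a field offset: recover the enclosing struct from
 * a pointer to one of its members (the container_of pattern). */
record_t *record_from_score(double *score_ptr) {
    return (record_t *)((char *)score_ptr - offsetof(record_t, score));
}

/* Round trip: member address -> container -> same object and field. */
int container_roundtrip_ok(void) {
    record_t r = { 7, "alice", 1.5 };
    record_t *back = record_from_score(&r.score);
    return back == &r && back->id == 7;
}

int main(void) {
    printf("offsetof: %zu  hack: %zu\n",
           offset_via_offsetof(), offset_via_hack());
    printf("container round trip ok: %d\n", container_roundtrip_ok());
    return 0;
}
```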

  14. Qualitative Comparison (1/3)
  • Clear zone: cases where we know why
    • only Mairac can detect
    • only Prevent can detect
  • Grey zone: cases where we don’t know yet why
    • only Mairac can detect
    • only Prevent can detect

  15. Qualitative Comparison (2/3)
  • Only Mairac can detect
    • errors with pointers stored in structure fields
    • use without null-check of malloc

      t.name = malloc(10);
      …
      f(t.name);          // free in f
      …
      return;             // no leak

      t.name = malloc(10);
      …
      return;             // memory leak

      p = malloc(n);
      …
      *(p+1) = 1;         // null deref

      p = malloc(n);
      …
      if (p == NULL) return;
      *(p+1) = 1;         // ok

  16. Qualitative Comparison (3/3)
  • Only Prevent can detect
    • conditional free
    • heuristics-based

      p = malloc(n);
      if (c) free(p);
      if (!c) return;     // memory leak

      if (p != NULL) { … };
      …
      p->field            // likely null deref
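An added C example (not code from Mairac or Prevent) that makes the slide 15 and slide 16 patterns observable at run time: a counting allocator reports how many allocations are still live on each return path, and a constructed failure switch exercises the missing null check deterministically. tracked_malloc, live_allocs, fail_next_alloc and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Counting allocator: what a leak checker observes, made explicit. */
static int live_allocs = 0;       /* allocations not yet freed */
static int fail_next_alloc = 0;   /* constructed: force one malloc failure */

static void *tracked_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }

typedef struct { char *name; } rec_t;
static void consume(char *s) { tracked_free(s); }   /* "free in f" */

/* Slide 15: pointer stored in a structure field. Returns live count. */
int struct_field_alloc(int pass_to_callee) {
    rec_t t; live_allocs = 0;
    t.name = tracked_malloc(10);
    if (t.name == NULL) return -1;
    strcpy(t.name, "abc");
    if (pass_to_callee) consume(t.name);   /* freed by callee: no leak */
    return live_allocs;                    /* 1 when not passed: leak */
}

/* Slide 15: using malloc's result without a null check.
 * -1 = failure handled by the guard; -2 = the unchecked path would
 * have dereferenced NULL at *(p+1) (sentinel instead of crashing). */
int write_after_malloc(int simulate_failure, int check_null) {
    char *p; live_allocs = 0;
    fail_next_alloc = simulate_failure;
    p = tracked_malloc(4);
    if (check_null && p == NULL) return -1;
    if (p == NULL) return -2;
    *(p + 1) = 1;
    tracked_free(p);
    return live_allocs;
}

/* Slide 16: conditional free followed by an early return. */
int conditional_free(int c, int fixed) {
    char *p; live_allocs = 0;
    p = tracked_malloc(8);
    if (p == NULL) return -1;
    if (c) tracked_free(p);
    if (!c) { if (fixed) tracked_free(p); return live_allocs; } /* leak unless fixed */
    return live_allocs;
}
```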

  17. Mairac’s Performance Summary
  + Mairac detects more true bugs than Prevent
    • more likely to find relevant bugs
  - Mairac “lies” more than Prevent
    • we have 2 promising ideas
  - Mairac is slower than Prevent
    • we have 3 promising ideas

  18. Next Steps (1/2) for company-wide dispatch
  • False alarm reduction
    • ranking alarms: random forest method
    • accuracy improvement: flow-sensitive, context-sensitive
  • Analysis cost reduction
    • source reduction: pre-slicing
    • redundancy removal: modular analysis
    • no wait for completion: interim alarming
  • User interface
    • alarm explanation
    • source traversal interface

  19. Next Steps (2/2) for company-wide dispatch
  • All those new improvements
  • A SQA tool for
    • buffer overrun/underrun
    • memory leak
    • null dereference
    • uninitialized access
  • Alliance: Samsung SWC + SNU Ropas

  20. Thank you.
