Detecting Memory Errors using Compile Time Techniques Nurit Dor Mooly Sagiv Tel-Aviv University.


3 Memory errors
- Hard to detect
  – the point of failure is not the point of error
  – difficult to reproduce
  – depends on the system's architecture
- Many result from pointer misuse
- Other types: out-of-bounds references

4 Reference beyond duration

    int *g() {
        int i;
        return &i;        /* address of a local: invalid once g returns */
    }

    int main(void) {
        int *p;
        p = g();
        *p = 5;           /* <== error: write through a dangling stack pointer */
        return 0;
    }

5 Dereference of NULL pointers

    #include <stdlib.h>
    typedef struct list { struct list *next; } list;   /* list type not shown on the slide; assumed */

    int main(void) {
        list *p, *q, *r;
        p = (list *) malloc(sizeof(list));
        ...
        q = p->next;      /* q == NULL */
        r = q->next;      /* <== error: dereference of NULL */
        return 0;
    }

6 Usage of dead storage

    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        int *x, *z;
        x = (int *) malloc(sizeof(int));
        free(x);                                   /* x now holds a dead address */
        z = (int *) malloc(sizeof(int));
        if (x == z)                                /* <== error: usage of deallocated storage (x is read after free) */
            printf("unexpected equality\n");
        return 0;
    }

7 Dereference of NULL pointers

    typedef struct element {
        int value;
        struct element *next;
    } Elements;

    bool search(int value, Elements *c) {
        Elements *elem;
        for (elem = c; c != NULL; elem = elem->next)   /* BUG: the loop tests c, not elem */
            if (elem->value == value)                 /* <== NULL dereference once elem runs off the end of the list */
                return TRUE;
        return FALSE;
    }

8 Dereference of NULL pointers (corrected)

    typedef struct element {
        int value;
        struct element *next;
    } Elements;

    bool search(int value, Elements *c) {
        Elements *elem;
        for (elem = c; elem != NULL; elem = elem->next)   /* loop condition now guards the pointer that is dereferenced */
            if (elem->value == value)
                return TRUE;
        return FALSE;
    }

9 Memory leakage

    Elements *reverse(Elements *c) {
        Elements *h, *g;
        h = NULL;
        while (c != NULL) {
            g = c->next;
            h = c;            /* BUG: h is overwritten before c->next is redirected to the old h */
            c->next = h;      /* c now points to itself; the prefix reversed so far is unreachable */
            c = g;
        }
        return h;
    }

    Leakage of the address previously pointed to by h.

10 Memory leakage (corrected)

    Elements *reverse(Elements *c) {
        Elements *h, *g;
        h = NULL;
        while (c != NULL) {
            g = c->next;
            c->next = h;      /* link the current node in front of the reversed prefix */
            h = c;
            c = g;
        }
        return h;
    }

11 Cleanness
- Rules that a program must obey
- Do not depend on the program's specification
- A precondition rule for each statement type
- Some cleanness rules are integrated into the programming language:
  – type checking
  – array bound checks
  – null-dereference checks in Java
- Other cleanness rules are the programmer's responsibility

12 Run-Time vs. Static

    Property                     Run-Time   Conservative Static
    Manual runs                  yes        no
    Depends on test cases        yes        no
    Assures against bugs         no         yes
    Interferes with production   yes        no
    False alarms                 no         yes
    Scales for large programs    yes        ??

13 Innovation of this research
- Theoretical
  – define memory cleanness for a subset of C programs
  – study the techniques needed for a conservative static tool
  – invent a new shape analysis algorithm
- Empirical
  – implementation
  – comparison to other techniques

14 Program analysis
- Static techniques for computing approximations of the possible run-time states
- Used mainly in compilers
- Areas:
  – data flow
  – control flow
  – type analysis ...

15 Shape graph
- Example
  [figure: a concrete linked list 1 → 2 → 3 → 5 → 7 → 11 → 13 → NULL reached from c (and elem), and its shape graph]
- Characteristics
  – finite representation
  – "sharing" of run-time locations is abstracted by which variables they are "pointed to by" and "reachable from"

16 Shape analysis
- Initialization: the empty shape graph
- Iteratively apply every program statement and condition
- Stop when no more shape graphs can be derived

17 Cleanness checking via shape analysis
- Compute the set of possible shape graphs before every program statement
- Check the cleanness condition of every statement against each possible shape graph
- Cleanness conditions are generated in a syntax-directed fashion
- Report violations together with the "witness" shape graph

18 Abstract interpretation

    [diagram: a commuting square]
        state  ----- operational semantics of statement s ----->  state'
          |  abstraction                                            |  concretization
        abstract representation  --- abstract semantics of s --->  abstract representation'

19 Dereference of NULL pointers (the search() example of slide 7 again, used for the walkthrough that follows)

    typedef struct element {
        int value;
        struct element *next;
    } Elements;

    bool search(int value, Elements *c) {
        Elements *elem;
        for (elem = c; c != NULL; elem = elem->next)   /* loop tests c, not elem */
            if (elem->value == value)                 /* <== NULL dereference */
                return TRUE;
        return FALSE;
    }

20-23 Example: shape graphs for the loop body of search()

    [figures: shape graphs before and after elem = elem->next]
    Slide 20: before elem = elem->next, c and elem point to the same (first) node; the list ends in NULL.
    Slide 21: after elem = elem->next, elem points either to the next node or to NULL, while c still points to the first node.
    Slides 22-23: the graph in which elem points to NULL is marked X; it is the witness that the dereference elem->value violates the cleanness condition "elem must point to a non-NULL node".

24 Motivation
- Conservative static analysis for cleanness checking
- Use existing pointer-analysis techniques
- Minimal false alarms
- Which information is needed?
- Is user input necessary?

25 Differences from SRW98
- A NULL node
- Stack variables (important for statements like p = &a)
- Each shape node is represented by:
  – a stack variable (unique)
  – the variables it is pointed to by
  – the variables it is reachable from
- A set of graphs instead of one combined graph

26 Sample Checks
- Statement types
  – p = q
  – p = q->sel
  – p->sel = q
- Cleanness rules
  – uninitialized pointer
  – unallocated pointer
  – usage of dead storage
  – dereference of NULL
  – memory leakage (failure to release unreachable heap space)

27 Simple statements: p = q
- Dynamic (run-time) condition
  – q must be initialized (allocated or NULL)
  – q must not point to a released address
  – the address held in p must be reachable from a different variable
- Shape graph (static) condition
  – q must point to a node or to the NULL node
  – q must not point to a "freed" node
  – the node pointed to by p must be reachable from a different variable

28 Simple statement - example: p = q;

    [figure: three witness shape graphs, each marked X]
    - q is uninitialized (q points to no node)
    - q points to a node that was freed
    - memory leakage: the node pointed to only by p is lost when p is overwritten

29 Dereference statement: i = p->val
- Dynamic (run-time) condition: p must not be NULL
- Shape graph (static) condition: p must point to a non-NULL node

30 Dereference statement - example: i = p->val

    [figure: witness shape graph marked X: p points to no allocated node (p not allocated)]

31 Core techniques
- Flow sensitivity
      p = NULL; q = &p; *q = &i; *p = 5;
- Interpreting conditions
      if (p != NULL) *p = 5;
- Must-alias information
      p = malloc; q = p; ....
      p = malloc; free(p); *q = 5;

32 Core techniques - more
- Relations between variables
  – example: current == first implies prev == NULL
- Data shape
  – examples: acyclic lists, NULL-terminated trees

33 Implementation
- PAG (Program Analysis Generator)
  – C front-end
  – we supply the transfer functions and the abstract representation
- Input
  – a C program under restrictions:
    » no recursion
    » no pointer arithmetic or casting
- Output
  – graphical presentation of the shape graphs
  – list of potential cleanness violations

34 Points-to analysis
- A program analysis that computes information regarding the pointers in the program
- Points-to pairs (p, a): p = &a; gives "p points to a"
- Heap treatment (p, heap_l): l: p = malloc(...); gives "p points to heap_l", the heap address allocated at statement l

35 Empirical results: seconds / leakage false alarms

    Program        Shape analysis   Points-to
    search.c       0.02 / 0         0.01 / 5
    null_deref.c   0.03 / 0         0.02 / 5
    delete.c       0.05 / 0         0.01 / 7
    del_all.c      0.02 / 0         0.01 / 6
    insert.c       0.02 / 0         0.03 / 7
    merge.c        2.08 / 0         0.01 / 8
    reverse.c      0.03 / 0         0.01 / 7
    fumble.c       0.04 / 0         0.02 / 6
    rotate.c       0.01 / 0         0.01 / 5
    swap.c         0.01 / 0         0.01 / 5

36 Empirical results: seconds / reference+dereference false alarms

    Program        Shape analysis   Points-to
    search.c       0.02 / 0         0.01 / 0
    null_deref.c   0.03 / 0         0.02 / 0
    delete.c       0.05 / 0         0.01 / 0
    del_all.c      0.02 / 0         0.01 / 4
    insert.c       0.02 / 0
    merge.c        2.08 / 0         0.01 / 5
    reverse.c      0.03 / 0         0.01 / 0
    fumble.c       0.04 / 0         0.02 / 0
    rotate.c       0.01 / 0         0.01 / 1
    swap.c         0.01 / 0         0.03 / 1

37 False alarms
- Infeasible paths
  – Sedgewick_tree

    treeinsert(int v) {
        Tree *f, *p;
        p = root;
        f = p;
        while (p != NULL) {
            f = p;
            if (v < p->key) p = p->l; else p = p->r;
        }
        p = MALLOC;
        p->key = v;
        p->r = NULL;
        p->l = NULL;
        if (v < f->key) f->l = p; else f->r = p;   /* the alarm reported here lies on an infeasible path */
    }

38 False alarms
- Abstraction not precise enough
  – acyclic lists
  – trees
- Infeasible paths

39 Advantages
- Detection of non-trivial bugs
- Easy to use:
  – minimal false alarms (no false alarms on many linked-list programs)
  – minimal user interaction (no annotations)
  – graphical output of the control-flow graph and the shape graphs
- Significantly faster than verification tools

40 Challenges
- Scaling to large programs
  – annotations
  – cheaper preprocessing
  – better interprocedural analysis
  – other programming languages
  – ignoring unlikely cases (at the cost of conservativeness)
- Other data structures (trees, cyclic lists)
- Applications that can benefit from this

41 Other accomplishments
- Locating array memory leaks in Java (Ran Shaham)
- A parametric algorithm for shape analysis (Sagiv, Reps, Wilhelm 99)
- An algorithm for analyzing mobile code (Nielson, Nielson, Sagiv 99)
- A generic "yacc-like" tool for program analysis (Tal Lev-Ami)

42 Ongoing work
- Interprocedural shape analysis (Noam Rinetskey)
- Hardware support for cleanness checking (Roi Amir)
- Slicing programs (Eran Yahav)

43 Previous work
- Run-time tools
  – check cleanness on a given input
  – detect the errors found on that input
  – examples: Safe-C, Purify
- Static checking tools
  – check cleanness on all possible inputs (at compile time)
  – can detect all potential errors (but may decide to ignore some)
  – examples: LCLint, Extended Static Checking

