-
Notifications
You must be signed in to change notification settings - Fork 0
/
abstract.tex
197 lines (160 loc) · 6.93 KB
/
abstract.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
\documentclass[sigconf]{acmart}
\usepackage{booktabs} % For formal tables
\usepackage{listings}
\usepackage{parcolumns}
\usepackage{graphicx}
\usepackage{subcaption}
\usepackage{xcolor}
\usepackage{pgfplots}
\usepackage{tikz}
\usepgfplotslibrary{units}
\usetikzlibrary{arrows, positioning}
\usetikzlibrary{shapes}
\setlength{\abovecaptionskip}{2pt plus 2pt minus 2pt}
\setlength{\belowcaptionskip}{2pt plus 2pt minus 2pt}
\setlength{\textfloatsep}{2pt}
\setlength{\dbltextfloatsep}{2pt}
\setlength{\intextsep}{2pt}
\lstset{language=C++,
basicstyle=\footnotesize\ttfamily,
keywordstyle=\color{blue}\ttfamily,
stringstyle=\color{red}\ttfamily,
commentstyle=\color{green!40!black}\ttfamily,
morecomment=[l][\color{magenta}]{\#}
}
% Define bar chart colors
%
\definecolor{bblue}{HTML}{4F81BD}
\definecolor{rred}{HTML}{C0504D}
\definecolor{ggreen}{HTML}{9BBB59}
\definecolor{ppurple}{HTML}{9F4C7C}
\newcommand{\cL}{{\cal L}}
\settopmatter{printacmref=false}
% Copyright
\setcopyright{none}
%\setcopyright{acmcopyright}
%\setcopyright{acmlicensed}
%\setcopyright{rightsretained}
%\setcopyright{usgov}
%\setcopyright{usgovmixed}
%\setcopyright{cagov}
%\setcopyright{cagovmixed}
% DOI
%\acmDOI{10.475/123_4}
% ISBN
%\acmISBN{123-4567-24-567/08/06}
%Conference
%\acmConference[ICSE 2018]{40th International Conference on Software Engineering}{May-June 2018}{Gothenburg, Sweden}
%#\acmYear{2018}
%\copyrightyear{2018}
%\acmPrice{15.00}
\renewcommand\footnotetextcopyrightpermission[1]{} % removes footnote with conference information in first column
\pagestyle{plain} % removes running headers
\title{Cross Translation Unit Analysis in Clang Static Analyzer: Qualitative Evaluation on C/C++ projects}
\author{G\'abor Horv\'ath}
\email{xazax@caesar.elte.hu}
\author{P\'eter Sz\'ecsi}
\email{ps95@caesar.elte.hu}
\author{Zolt\'an Gera}
\email{gerazo@caesar.elte.hu}
\affiliation{%
\institution{E\"otv\"os Lor\'and University, Department of Programming Languages and Compilers}
\streetaddress{P\'azm\'any P\'eter st. 1/C.}
\city{Budapest}
\country{Hungary}
}
\author{D\'aniel Krupp}
\affiliation{%
\institution{Ericsson Ltd.}
\streetaddress{Magyar Tud\'osok k\"or\'utja 11.}
\city{Budapest}
\country{Hungary}
}
\email{daniel.krupp@ericsson.com}
\begin{document}
\maketitle
% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Abstract}
Today Clang Static Analyzer can perform inter-procedural analysis by ''inlining''
the callee into the caller's context. This means that the full
calling context is passed when analyzing the callee and
then the assumptions about the returned value is passed back to the caller.
This works well for function calls within a
translation unit (TU), but when the symbolic execution reaches a function that
is implemented in another TU, the analyzer engine
skips the analysis of the called function definition. In particular,
assumptions about memory regions reachable from the arguments
(through pointers, references) get invalidated,
and the return value of the function will be unknown.
Losing information this way may lead to false positive
and false negative findings.
The Cross Translation Unit (CTU) feature allows the analysis of callees
even if the definition of the function is external to the currently
analyzed TU. This allows detection of bugs in library functions stemming
from incorrect usage (e.g. a library assumes that the user will free a memory
block allocated by the library), and allows for more precise analysis
of the caller in general if a TU external function is invoked
(by not losing assumptions).
Without CTU analysis we cannot find the divison by zero error in the following
code snippet. Moreover, we loose information about the value of variable
\texttt{x}.
\noindent\begin{minipage}{.48\columnwidth}
\begin{lstlisting}[caption=A.cpp,frame=tlrb]{Name}
void f(int *x);
void g() {
int x = 42;
f(&x);
// No knowledge about
// the value of x here.
}
\end{lstlisting}
\end{minipage}\hfill
\begin{minipage}{.48\columnwidth}
\begin{lstlisting}[caption=B.cpp,frame=tlrb]{Name}
int f(int *x) {
// Potential division by
// zero.
return 5 / (*x - 42);
}
\end{lstlisting}
\end{minipage}
We implemented the Cross Translation Unit analysis feature for Clang SA
(based on the prototype by A. Sidorin, et al.~\cite{artemctu}) and evaluated
its performance on various open source projects.
G\'abor Horv\'ath presented our results at EuroLLVM 2017 \cite{eurollvm17}.
Since then we have improved the CTU prototype considerably:
\begin{itemize}
\item Improved the handling of C++ source code by submitting several patches
to the ASTImporter library.
\item Addressed community review comments and introduced a new CrossTU library into Clang.
\item Added CTU analysis feature to scan-build-py and\\ CodeChecker tools.
\end{itemize}
In the previous talk, we were focusing on how CTU is implemented and how the
analysis performance compares to the baseline. In this poster, however, we will
explore the quality of reports.
In the CTU analysis mode we usually find 1.5-2 times more potential bugs.
It is of paramount importance to see what are the quality of these reports.
We will examine in detail the following:
\begin{itemize}
\item Identify new true positive and false positive findings.
\item Examine the disappeared findings in detail. Have we lost true positive findings
due to potential coverage loss, or we lost some false positives due
to more precise analysis?
\item What is the distribution of the path length of the new findings? Reports
with too long (longer than ~15) steps are very hard to understand for a programmer.
\item Evaluate CTU with a new path exploration strategy: prioritize unexplored coverage first \cite{karpenkov}.
\item We evaluate how coverage changes in CTU mode using the different path exploration strategies.
\end{itemize}
Our CTU patch is currently under review by the Clang Static Analyzer community
and very close to acceptance: \cite{patch}
We maintain a more feature-complete version at \cite{ericsson-ctu}.
% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{thebibliography}{9}
\bibitem{patch} Support for naive cross translational unit analysis \url{https://reviews.llvm.org/D30691}
\bibitem{ericsson-ctu} Ericsson CTU Clang fork \url{https://github.com/Ericsson/clang}.
\bibitem{artemctu} Artem Dergachev, Aleksei Sidorin: \emph{Cross TU Analysis for Clang 3.4}
\url{http://lists.llvm.org/pipermail/cfe-dev/2015-October/045730.html}
\bibitem{karpenkov} George Karpenkov, Exploration strategy prioritizing unexplored coverage first\url{https://reviews.llvm.org/D42775}
\bibitem{eurollvm17} G\'abor Horva\'th, D\'aniel Krupp, Zolt\'an Gera, P\'eter Sz\'ecsi, Cross Translational Unit Analysis in Clang Static Analyzer: Prototype and Measurements, EuroLLVM2017
\end{thebibliography}
\end{document}