[cfe-dev] Soundness in clang SA
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Fri Aug 24 16:12:49 PDT 2018
On 8/24/18 5:31 AM, Siddharth Shankar Swain wrote:
> Thanks for the detailed explanation. So is changing the analysis
> technique from path sensitive (symbolic execution) analysis to some
> other technique bring in the soundness property ?
Yup, depending on the technique.
And that wouldn't be Analyzer-specific anymore.
> Thanks,
> Siddharth
>
> On Sat, Aug 18, 2018 at 1:27 AM, Artem Dergachev <noqnoqneo at gmail.com
> <mailto:noqnoqneo at gmail.com>> wrote:
>
> Nope, at least not with the "path-sensitive" (symbolic execution)
> engine. Which is the whole point of using the Analyzer, as
> compared to writing an arbitrary tool by exploring the AST
> yourself. Depends on what you want to check, of course, something
> really trivial should be possible.
>
> While we do care about false positives a lot, there are some
> decisions within the Analyzer's core that prevent perfect
> soundness from happening but are still considered to be good
> because they greatly boost our ability to find any bugs at all and
> at the same time simplify development dramatically.
>
> One of the most common unsound assumptions that the Analyzer makes
> is that in a program that looks like this: "if (x) { ... } if (y)
> { ... }", where 'x' and 'y' are completely unrelated to each
> other, the Analyzer would explore all four paths (i.e., (x is true
> or false) times (y is true or false)) as if it's sure that they
> are feasible. This is not only unsound on its own, but it
> amplifies other inaccuracies in modeling (eg., if function body is
> unavailable for analysis, destroying information when such
> function is called would lead not only to false negatives but to
> false positives as well). But these false positives are relatively
> easy to suppress (eg., by adding some sort of assert(x || !y),
> which is in most cases anyway a good thing to document), and the
> primary benefit of this simplification is that checkers no longer
> need to implement a "merge" function for the information that they
> track in the program state: they only need to update their state
> by modeling effect of every non-control-flow event in the program.
> With ~100 checkers already written, limiting them to only simple
> operations on the program state helps dramatically.
>
> Additionally, the Analyzer's understanding of the language is not
> perfect. We're constantly working on this, but languages like C++
> are *huge*. We have a separation of responsibilities between core
> and checkers that allow us to write most transfer functions once
> within the core and have checkers simply consume the results of
> the modeling (checkers may still want to model their own
> metadata), but covering all AST nodes and their interactions is
> still, well, harder than writing a CodeGen. Any bugs in core
> transfer functions will prevent you from doing a sound analysis,
> and making sure all such bugs are fixed is probably much more work
> than whatever you plan to accomplish here.
>
> On the non-technical side, it is always up to a developer of the
> program to decide what is a genuine bug. For example, there are a
> lot of projects on which a memory leak is not considered to be a
> bug. Or if an application is not security-critical, a null pointer
> dereference we find may be on such an unlikely path that the
> developer will only be annoyed to know about it and never really
> appreciate the report. And the Analyzer doesn't even guarantee
> that it'd find anything that's more severe than a dead code: after
> all, the only reason symbolic execution works is "state splits are
> justified because otherwise it's dead code".
>
> Last but not least, there's also the "Clang CFG" thing, which the
> Analyzer uses (and some compiler warnings also use), but it's not
> used for compilation (LLVM CFG is used instead) and it's not
> entirely accurate (especially for C++, though it's getting
> better). Clang CFG is usable for creating usable data flow
> analyses which you can make as sound as the CFG is accurate.
> There's a collection of such analyses in lib/Analysis. The
> Analyzer uses some of them internally and we're very happy with
> them most of the time. At the same time, there's no fancy
> framework for creating custom data flow analyses, like there is
> for the Analyzer's checkers; you'll have to write all transfer
> functions yourself. So if all you want is a ready-made CFG for C,
> you should have a look at that.
>
>
> On 8/17/18 4:35 AM, Siddharth Shankar Swain via cfe-dev wrote:
>> Hi all,
>>
>> Is it possible to develop a checker or some feature in clang SA
>> which will only have perfect soundness property ( if we don't
>> care about completness property ) i.e if the analyzer says X is
>> a genuine bug then X is really a genuine bug. Whatever bug it
>> reports are all genuine but it doesn't report all genuine bugs.
>> Please guide.
>>
>> Thanks,
>> Siddharth
>>
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at lists.llvm.org <mailto:cfe-dev at lists.llvm.org>
>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev <http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20180824/f7388068/attachment.html>
More information about the cfe-dev
mailing list