Conditional Correlation Analysis for Safe Region-based Memory Management

Xi Wang, Zhilei Xu, Xuezheng Liu, Zhenyu Guo, Xiaoge Wang, Zheng Zhang

Microsoft Research Asia, Tsinghua University

PLDI, June 9th 2008, Tucson


Region-based Memory Management

  • Memory regions (a.k.a. pools) are widely used

    • Apache web server

    • SVN (Subversion) version control system

    • RC compiler


Region Usage

  • Objects are allocated in regions

  • A region owns the objects allocated from it

  • Destroying a region frees every object it owns

r = region_create();
a = region_alloc(r);
b = region_alloc(r);
c = region_alloc(r);
region_destroy(r);

[Diagram: ownership relation, region r owns objects a, b and c]


Subregion

  • A region can be created as a subregion of a parent region

  • Destroying a parent destroys all of its subregions

    • So a parent always lives longer than its subregions

y = region_create(x);
z = region_create(x);
w = region_create(y);
region_destroy(x);

[Diagram: subregion relation, x is the parent of y and z, y is the parent of w; destroying x destroys y, z and w]


Dangling pointer between regions

  • An object may hold a pointer to an object in another region (the access relation)

  • If the pointee's region is destroyed before the pointer's region, the pointer becomes dangling

make(r, table)
{
    iterator = region_alloc(r);
    iterator.f = table;
    return iterator;
}

foo(parent)
{
    sub = region_create(parent);
    table = region_alloc(sub);
    iterator = make(parent, table);
    region_destroy(sub);
}

[Diagram: iterator is owned by parent, table is owned by sub, iterator accesses table; after region_destroy(sub), iterator.f is a dangling pointer]


Harmful, and it really exists (in svn)

  • Dereferenced later: crash

  • Never dereferenced: the pointer lives longer than necessary and causes memory waste

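The region model and the svn-style iterator/table bug from the Region Usage, Subregion and Dangling pointer slides above, as an added example that is not code from the original presentation or from RegionWiz. It is a constructed Python simulation: Region, Obj, region_create/region_alloc/region_destroy, DanglingPointer and the VIOLATIONS list are assumed names for this example, not the RC or APR API. Every pointer store is checked against the slide's safety condition (the storing object's region must be a descendant of the pointee's region), so the violation is recorded at the store, while the simulated crash only shows up on the later load.

```python
# Added example: a simulated region allocator plus a dynamic check of the
# RegionWiz condition. All names here are constructed for illustration.

VIOLATIONS = []   # (pointer object, pointee object) stores that break the rule


class DanglingPointer(Exception):
    """Raised when a field load reaches an object whose region is destroyed."""


class Region:
    def __init__(self, parent=None):
        self.parent = parent
        self.children = []
        self.objects = []
        self.alive = True
        if parent is not None:
            parent.children.append(self)   # Subregion(self, parent)

    def is_descendant_of(self, other):
        """Reflexive, transitive closure of Subregion (Descendant on the slides)."""
        r = self
        while r is not None:
            if r is other:
                return True
            r = r.parent
        return False


class Obj:
    def __init__(self, region, name):
        self.region = region      # Own(region, self)
        self.name = name
        self.fields = {}

    def store(self, fname, target):
        """Store a pointer (Access(self, target)); record it when the pointer's
        region is not a descendant of the pointee's region."""
        self.fields[fname] = target
        if target is not None and not self.region.is_descendant_of(target.region):
            VIOLATIONS.append((self.name, target.name))

    def load(self, fname):
        target = self.fields[fname]
        if target is not None and not target.region.alive:
            raise DanglingPointer(f"{self.name}.{fname} -> {target.name}")
        return target


def region_create(parent=None):
    return Region(parent)


def region_alloc(region, name):
    if not region.alive:
        raise ValueError("allocation from a destroyed region")
    obj = Obj(region, name)
    region.objects.append(obj)
    return obj


def region_destroy(region):
    """Destroy region, every object it owns and, recursively, every subregion."""
    for child in list(region.children):
        region_destroy(child)
    region.alive = False


def subregion_demo():
    """The x/y/z/w tree from the Subregion slide: destroying x kills all four."""
    x = region_create()
    y, z = region_create(x), region_create(x)
    w = region_create(y)
    assert w.is_descendant_of(x) and not x.is_descendant_of(w)
    region_destroy(x)
    return [r.alive for r in (x, y, z, w)]


# The svn-style scenario from the Dangling pointer slide.
def make(r, table):
    iterator = region_alloc(r, "iterator")
    iterator.store("f", table)          # Access(iterator, table)
    return iterator


def foo_buggy(parent):
    sub = region_create(parent)
    table = region_alloc(sub, "table")
    iterator = make(parent, table)      # iterator outlives table's region
    region_destroy(sub)
    return iterator                     # iterator.f now dangles


def foo_fixed(parent):
    """Make the region structure match the program logic: the iterator lives in
    the same region as the table it walks and is used before that region dies."""
    sub = region_create(parent)
    table = region_alloc(sub, "table")
    iterator = make(sub, table)
    seen = iterator.load("f").name
    region_destroy(sub)
    return seen


def demo():
    """Run both variants: (buggy variant crashed?, recorded violations, fixed result)."""
    VIOLATIONS.clear()
    parent = region_create()
    dangling = foo_buggy(parent)
    try:
        dangling.load("f")
        crashed = False
    except DanglingPointer:
        crashed = True
    return crashed, list(VIOLATIONS), foo_fixed(parent)


if __name__ == "__main__":
    print(subregion_demo(), demo())
```

The store-time check is the dynamic counterpart of the static rule on the later slides: it fires for foo_buggy as soon as make stores the table pointer into an object owned by parent, before anything is destroyed, whereas the crash only appears on the load after region_destroy(sub). foo_fixed allocates the iterator in the same region as the table, so the reflexive case of Descendant makes the store safe.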


The problem is not easy

  • Three correlated relations

    • Ownership: object - region

    • Subregion: region - region

    • Access: object - object

  • Existing solution to safe region usage

    • reference counting


Solution: RegionWiz

  • Property to verify

    If object P may access object Q, P's owner region must be a descendant of Q's owner region.

    (consistent conditional correlation)

  • Static analysis to infer the ownership, subregion and access relations

  • Verify the correlation; a violation is a dangling pointer

  • Context-sensitive, with heap cloning


Highlights

  • Conditional correlation analysis framework for safe region usage

  • Context-sensitive analysis with heap cloning

  • Found bugs in real-world applications written in C (100+ KLOC)

    • 12 dangling pointers in 6 software packages

    • 13 false alarms

  • Case study & experience


Framework

[Pipeline: Source Code → Compiler plug-in (Phoenix in VC) extracts program info into DB tables → Context Clone → Context-sensitive program info → Relation Computation (datalog) produces the Ownership, Subregion and Access relations → Correlation Analysis (datalog) → Post processing → Dangling pointer Report]




Extract Program Information

  • Extract program information into DB tables

  • The following analyses can then be Datalog inference over the tables

  • Example

    • Call(foo, make)

    • Call(make, region_alloc)

foo(parent)
{
    make(…)
}

make(r, table)
{
    region_alloc(…)
}




Context Cloning

make(r, table)
{
    iterator = region_alloc(r);
    iterator.f = table;
    return iterator;
}

foo(parent)
{
    sub = region_create(parent);
    table = region_alloc(sub);
    iterator = make(parent, table);
    region_destroy(sub);
}

bar(parent)
{
    table = region_alloc(parent);
    iterator = make(parent, table);
}

[Call graph: foo and bar both call make; foo, bar and make each call region_alloc (ralloc)]


[Cloned call graph, one copy per call path: foo(1) and bar(1) each get their own clone of make (make(1), make(2)) and of region_alloc (ralloc(1) to ralloc(4)), e.g. bar(1) → make(2) → ralloc(3) and bar(1) → ralloc(4). Heap cloning (specialization): each cloned allocation site is a distinct abstract object.]


[Cloned heap: the cloned allocation sites yield distinct objects, iterator(1) and table(1) on the foo(1) path, iterator(2) and table(2) on the bar(1) path]


Program Information -- Cloned

  • From now on, program information tables are decorated with context information

  • Example

    • Call(bar-1, make-2)

    • Call(bar-1, region_alloc-4)

    • Call(make-2, region_alloc-3)

[Diagram: bar(1) calls make(2) and ralloc(4); make(2) calls ralloc(3)]




Relation computation using datalog

  • Datalog rules

    • State how new relations are computed from existing relations

  • Basic rules for regions

    NewRegion(context) :- Call(_, "region_create" - context)

    NewObject(context) :- Call(_, "region_alloc" - context)

  • Context- and field-sensitive points-to analysis in ~20 rules


Compute the needed relations

  • Access(P, Q) :-
    object P points-to Q through some field.

  • Own(Rgn, Obj) :-
    region_alloc(r) called, return value assigned to v,
    r points-to Rgn, v points-to Obj.

  • Subregion(Sub, Parent) :-
    region_create(u) called, return value assigned to v,
    v points-to Sub, u points-to Parent.

  • Descendant(Des, Ans) :- Des = Ans, NewRegion(Des), NewRegion(Ans).
    Descendant(Des, Ans) :- Descendant(Des, R), Subregion(R, Ans).




Detect unsafe usage

  • Rule for detecting a dangling pointer:

    Warning(P, Q) :- Access(P, Q), Own(Region1, P), Own(Region2, Q),
                     not Descendant(Region1, Region2).

  • Report every Warning(P, Q), or report that the correlation is consistent when there is none

  • Heuristics filter out very unlikely warnings and reduce the total number of warnings
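The relation computation and the Warning rule from the "Compute the needed relations" and "Detect unsafe usage" slides, written out as bottom-up Datalog evaluation in plain Python. This is an added example, not RegionWiz's own code (which runs Datalog over tables produced by the compiler plug-in). The facts are constructed for the foo/bar/make program on the slides, using the context names from the "Program Information -- Cloned" slide: the bar-1 side of the call graph is what that slide shows, and the foo-1 numbering is assumed by symmetry. CALL, ALLOC, CREATE, STORE and the function names are assumptions for this example; the points-to step is taken as already resolved, so the facts name abstract regions and objects directly, and the caller's region "parent" is treated as a root NewRegion.

```python
# Added example: Datalog-style relation computation and the dangling-pointer
# rule in Python. Facts are constructed for the foo/bar/make program on the
# slides, with contexts written name-k; the bar-1 side follows the slide,
# the foo-1 numbering is assumed by symmetry.

# Call(caller-ctx, callee-ctx)
CALL = {
    ("foo-1", "make-1"), ("foo-1", "region_create-1"), ("foo-1", "region_alloc-2"),
    ("make-1", "region_alloc-1"),
    ("bar-1", "make-2"), ("bar-1", "region_alloc-4"),
    ("make-2", "region_alloc-3"),
}
# region_alloc(r) at ctx, with r and the return value already resolved by
# points-to: (ctx, region the argument points to, object the result points to)
ALLOC = {
    ("region_alloc-1", "parent", "iterator-1"),
    ("region_alloc-2", "sub-1", "table-1"),
    ("region_alloc-3", "parent", "iterator-2"),
    ("region_alloc-4", "parent", "table-2"),
}
# region_create(u) at ctx: (ctx, parent region u points to, region created)
CREATE = {("region_create-1", "parent", "sub-1")}
# field stores after points-to: (pointer object, field, pointee object)
STORE = {("iterator-1", "f", "table-1"), ("iterator-2", "f", "table-2")}


def fixpoint(rule, facts):
    """Naive bottom-up Datalog evaluation: apply rule until nothing new appears."""
    while True:
        new = rule(facts) - facts
        if not new:
            return facts
        facts = facts | new


def compute_relations():
    """Own, Subregion, Access and NewRegion as the slide defines them."""
    new_region = {"parent"} | {sub for _, _, sub in CREATE}   # parent: assumed root
    own = {(rgn, obj) for _, rgn, obj in ALLOC}               # Own(Rgn, Obj)
    subregion = {(sub, par) for _, par, sub in CREATE}        # Subregion(Sub, Parent)
    access = {(p, q) for p, _, q in STORE}                    # Access(P, Q)
    return new_region, own, subregion, access


def descendant(new_region, subregion):
    """Descendant(Des, Ans) :- Des = Ans, NewRegion(Des), NewRegion(Ans).
       Descendant(Des, Ans) :- Descendant(Des, R), Subregion(R, Ans)."""
    base = {(r, r) for r in new_region}

    def step(desc):
        return {(des, ans) for des, r in desc for r2, ans in subregion if r == r2}

    return fixpoint(step, base)


def warnings(own, access, desc):
    """Warning(P, Q) :- Access(P, Q), Own(R1, P), Own(R2, Q), not Descendant(R1, R2)."""
    return sorted(
        (p, q)
        for p, q in access
        for r1, p2 in own if p2 == p
        for r2, q2 in own if q2 == q
        if (r1, r2) not in desc
    )


def call_path(ctx):
    """Post-processing: walk CALL backwards to recover the full call path,
    the context definition named on the Time consumption slide."""
    path = [ctx]
    while True:
        callers = [c for c, callee in CALL if callee == ctx]
        if not callers:
            return path[::-1]
        ctx = callers[0]
        path.append(ctx)


def report():
    """Dangling pointer report: each warning with the allocation paths of both ends."""
    new_region, own, subregion, access = compute_relations()
    desc = descendant(new_region, subregion)
    site_of = {obj: ctx for ctx, _, obj in ALLOC}
    return [
        {"pointer": p, "pointee": q,
         "pointer_path": call_path(site_of[p]),
         "pointee_path": call_path(site_of[q])}
        for p, q in warnings(own, access, desc)
    ]


if __name__ == "__main__":
    for w in report():
        print(w)
```

Only the foo-1 path is reported: iterator-1 is owned by parent while table-1 is owned by sub-1, and parent is not a descendant of sub-1. On the bar-1 path both clones live in parent, and the reflexive base case of Descendant makes the access consistent; without context cloning the two calls of make would share one iterator object and the report could not say which call path is at fault.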




Experiment

  • Conducted on Intel Xeon 2.0GHz / 32G RAM

  • Latest stable version of each application tested

    • RCC: RC compiler

    • Apache 2.2.6: HTTP web server & utilities

    • freeswitch 1.0b1: telephony platform (shell)

    • jxta-c 2.5.2: P2P framework (shell)

    • lklftpd: FTP server

    • SVN (Subversion) 1.4.5: version control system


Bugs found

[Table: bugs found per application; the applications that use APR (~200 KLOC) do not count it in their line counts]


Time consumption & relation sizes

  • Current context: full call-path

  • Future work: better context definition

[Chart: analysis time and relation sizes per application; the largest ones blow up because of context cloning (unacceptable), the rest finish in under 1 hour (acceptable)]


Case study – 1 (svn)

  • The region structure should be consistent with the program logic

    • Iterator vs. hash table

    • Request vs. connection

  • RegionWiz can effectively find this kind of bug

[Diagram: iterator owned by parent, table owned by sub; iterator → table is the dangling pointer]


Case study – 2 (rcc)

  • r1 and r2 are totally independent

  • Destroying r2 earlier causes a dangling pointer

[Diagram: config (in r1) points to name (in r2)]

  • Fix for an immutable string: make a private copy in the pointer's own region

[Diagram: config (in r1) points to its own copy of name (in r1) instead of name (in r2)]


Case study – 3 (svn)

  • Temporary unsafe usage: the pointer into sub is cleared before sub is destroyed

  • Often involves branches, so path-sensitivity is needed to see that it is safe

  • Dangerous as the code evolves

  • Better to re-organize the code to avoid even temporary unsafe usage

svn_do_open(……)
{
    lock = region_alloc(parent);
    if (Condition) {
        hash = region_alloc(sub);
        lock.f = hash;
    }
    ……
    if (Condition) {
        lock.f = NULL;
    }
    region_destroy(sub);
}


Related work

  • Language support for regions

    • Reap [OOPSLA 2002], Cyclone [PLDI 2002], RC [PLDI 2001], Ownership types [PLDI 2003]

  • Correlation analysis

    • Locksmith [PLDI 2006], Chord [PLDI 2006, POPL 2007]

  • Context-sensitive analysis

    • bddbddb [PLDI 2004, PODS 2005]


Conclusion

  • Using memory regions safely is not trivial

  • RegionWiz detects dangling pointers between regions through static conditional correlation analysis

  • RegionWiz is effective at finding real bugs in real applications and improves the safety of region-based memory management

  • We believe the correlation analysis framework can solve other problems


Thank you!

Q/A


Heuristics

  • For Warning(Pointer, Pointee)

  • Pointer's type mismatches the pointee's type: less likely a real bug

  • Pointer and pointee are never allocated from the same region under any context: more likely a real bug

  • Examined 205 lower-ranked warnings; all but one were really false alarms


Limitations

  • Function pointers: standard inter-procedural propagation of function pointer values, but only through variables & parameters, not through heap objects

  • Pointer arithmetic (variable as array index) is not supported, just ignored

  • Limited thread support; no support for asynchronous events, callbacks, etc.

  • The heuristics bring unsoundness

