Conditional correlation analysis for safe region based memory management
Download
1 / 35

Conditional Correlation Analysis for Safe Region-based Memory Management - PowerPoint PPT Presentation


  • 109 Views
  • Uploaded on

Conditional Correlation Analysis for Safe Region-based Memory Management. Xi Wang, Zhilei Xu , Xuezheng Liu, Zhenyu Guo, Xiaoge Wang, Zheng Zhang Microsoft Research Asia, Tsinghua University PLDI, June 9 th 2008, Tucson. Region-based Memory Management.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Conditional Correlation Analysis for Safe Region-based Memory Management' - viola


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Conditional correlation analysis for safe region based memory management l.jpg

Conditional Correlation AnalysisforSafe Region-based Memory Management

Xi Wang, Zhilei Xu, Xuezheng Liu,

Zhenyu Guo, Xiaoge Wang, Zheng Zhang

Microsoft Research Asia, Tsinghua University

PLDI, June 9th2008, Tucson


Region based memory management l.jpg
Region-based Memory Management

  • Memory Region (a.k.a. Pool) is widely used

    • Apache web server

    • SVN(subversion) version control system

    • RC compiler


Region usage l.jpg
Region Usage

  • Allocate objects in regions

  • A region Owns objects

  • Destroy a region, delete all objects it owns

r = region_create();

a = region_alloc(r);

b = region_alloc(r);

c = region_alloc(r);

region_destroy(r);

r

Ownership relation

a

b

c


Subregion l.jpg
Subregion

  • One region can be Subregion of its parent

  • Detroy a parent, destroy all its subregions

    • Parent lives longer than sub

x

Subregion relation

y = region_create(x);

z = region_create(x);

w = region_create(y);

region_destroy(x);

y

z

Subregion relation

w


Dangling pointer between regions l.jpg
Dangling pointer between regions

  • Object can Access object in another region

  • When pointee’s region get destroyed earlier, pointer become dangling

make(r, table)

{

iterator = region_alloc(r);

iterator.f = table;

}

iterator

parent

foo(parent)

{

sub = region_create(parent);

table = region_alloc(sub);

iterater = make(parent, table);

region_destroy(sub);

}

Dangling

pointer

Access

relation

table

sub


Harmful really exists in svn l.jpg
Harmful & Really exists (in svn…)

  • Further Deref. -- crash

  • No Deref. -- Pointer lives longer than necessary & cause memory waste

make(r, table)

{

iterator = region_alloc(r);

iterator.f = table;

}

iterator

parent

foo(parent)

{

sub = region_create(parent);

table = region_alloc(sub);

iterater = make(parent, table);

region_destroy(sub);

}

Dangling

pointer

table

sub


The problem is not easy l.jpg
The problem is not easy

  • Correlated Relations

    • Ownership : Object - Region

    • Subregion : Region - Region

    • Access : Object - Object

  • Existing solution to safe region usage

    • reference counting


Solution regionwiz l.jpg
Solution: RegionWiz

  • To verify

    Object P mayaccess object Q, P’s owner region must be descendant of Q’s owner region.

    (consistent conditional correlation)

  • Static analysis to infer the ownership, subregion & access relations

  • Verify correlation, find dangling pointers

  • Context-sensitive, heap cloning


Highlights l.jpg
Highlights

  • Conditional correlation analysis framework for safe region usage

  • Context-sensitive analysis with heap cloning

  • Found bugs in real-world applications written in C (100+KLOC)

    • 12 dangling pointers in 6 software packages

    • 13 false alarms

  • Case study & experience


Framework l.jpg
Framework

program info

into DB tables

Source Code

Context

Clone

Compiler plug-in (Phoenix in VC)

Context-sensitive program info

Ownership

Subregion

Access relations

Relation Computation (datalog)

Correlation Analysis

(datalog)

Dangling pointer Report

Post processing


Extract program information l.jpg
Extract Program Information

program info

into DB tables

Source Code

Context

Clone

Compiler plug-in (Phoenix in VC)

Context-sensitive program info

Ownership

Subregion

Access relations

Relation Computation (datalog)

Correlation Analysis

(datalog)

Dangling pointer Report

Post processing


Extract program information12 l.jpg
Extract Program Information

  • Extract program information into DB tables

  • Following analysis can be datalog inference

  • Example

    • Call(foo, make)

    • Call(make , region_alloc)

foo( parent )

{

make(…)

}

make( r , table )

{

region_alloc(…)

}


Context cloning l.jpg
Context Cloning

program info

into DB tables

Source Code

Context

Clone

Compiler plug-in (Phoenix in VC)

Context-sensitive program info

Ownership

Subregion

Access relations

Relation Computation (datalog)

Correlation Analysis

(datalog)

Dangling pointer Report

Post processing


Context cloning14 l.jpg
Context Cloning

make(r, table)

{

iterator = region_alloc(r);

iterator.f = table;

}

foo

bar

foo(parent)

{

sub = region_create(parent);

table = region_alloc(sub);

iterater = make(parent, table);

region_destroy(sub);

}

make

bar(parent)

{

table = region_alloc(parent);

iterater = make(parent, table);

}

ralloc


Context cloning15 l.jpg
Context Cloning

make(r, table)

{

iterator = region_alloc(r);

iterator.f = table;

}

foo

(1)

bar

(1)

foo(parent)

{

sub = region_create(parent);

table = region_alloc(sub);

iterater = make(parent, table);

region_destroy(sub);

}

make

(1)

make

make

make

(2)

bar(parent)

{

table = region_alloc(parent);

iterater = make(parent, table);

}

ralloc

(1)

ralloc

(2)

ralloc

ralloc

ralloc

ralloc

ralloc

(3)

ralloc

(4)

Heap Cloning(Specialization)


Context cloning16 l.jpg
Context Cloning

make(r, table)

{

iterator = region_alloc(r);

iterator.f = table;

}

foo

(1)

bar

(1)

make

(1)

make

(2)

foo(parent)

{

sub = region_create(parent);

table = region_alloc(sub);

iterater = make(parent, table);

region_destroy(sub);

}

ralloc

(1)

ralloc

(2)

ralloc

(3)

ralloc

(4)

iterator(1)

iterator

(2)

bar(parent)

{

table = region_alloc(parent);

iterater = make(parent, table);

}

table

(1)

table

(2)


Program information cloned l.jpg
Program Information -- Cloned

  • From now on program information tables are decorated with context information

  • Example

    • Call(bar - 1, make - 2)

    • Call(bar - 1 , region_alloc - 4)

    • Call(make - 2 , region_alloc - 3)

bar

(1)

make

(2)

ralloc

(3)

ralloc

(4)


Relation computation l.jpg
Relation Computation

program info

into DB tables

Source Code

Context

Clone

Compiler plug-in (Phoenix in VC)

Context-sensitive program info

Ownership

Subregion

Access relations

Relation Computation (datalog)

Correlation Analysis

(datalog)

Dangling pointer Report

Post processing


Relation computation using datalog l.jpg
Relation computation using datalog

  • Datalogrules

    • How new relations can be computed from existing relations

  • Basic Rules for regions

    NewRegion( context ) :- Call( _ , “region_alloc” – context)

    NewObject( context ) :- Call( _ , “region_alloc” – context)

  • Context- & Field- sensitive Points-to analysis in ~20 rules


Compute the needed relations l.jpg
Compute the needed relations

  • Access(P , Q) :-

    Object P points-to Q through whatever field.

  • Own(Rgn , Obj) :-

    region_alloc(r) called, return value assigned to v,

    r points-to Rgn, v points-to Obj.

  • Subregion(Sub , Parent) :-

    region_create(u) called, return value assigned to v,

    v points-to Sub, u points-to Parent.

    Descendant(Des , Ans) :- Des=Ans , NewRegion(Des), NewRegion(Ans).

    Descendant(Des , Ans) :- Descendant(Des , r), Subregion(r, Ans).


Framework21 l.jpg
Framework

program info

into DB tables

Source Code

Context

Clone

Compiler plug-in (Phoenix in VC)

Context-sensitive program info

Ownership

Subregion

Access relations

Relation Computation (datalog)

Correlation Analysis

(datalog)

Dangling pointer Report

Post processing


Detect unsafe usage l.jpg
Detect unsafe usage

  • Rule for detecting dangling pointer:

    PaccessQ; region1ownP; region2ownQ;

    not ( region1 is a descendant of region2 ).

     Warning(P , Q)

  • Report Warning(P , Q) when there is some, or report that the correlation is consistent

  • Heuristics to filter out very unlikely warnings, reduce the total warnings


Framework23 l.jpg
Framework

program info

into DB tables

Source Code

Context

Clone

Compiler plug-in (Phoenix in VC)

Context-sensitive program info

Ownership

Subregion

Access relations

Relation Computation (datalog)

Correlation Analysis

(datalog)

Dangling pointer Report

Post processing


Experiment l.jpg
Experiment

  • Conducted on Intel Xeon 2.0GHz / 32G RAM

  • Latest stable version applications tested

    • RCC RC Compiler

    • Apache 2.2.6 HTTP web server & utilities

    • freeswitch 1.0b1 Telephony platform shell

    • jxta-c 2.5.2 P2P framework shell

    • lklftpd FTP server

    • SVN (subversion) 1.4.5 Version control system


  • Bugs found l.jpg
    Bugs found

    use APR

    ~ 200KLOC

    not count in


    Time consumption relation sizes l.jpg
    Time consumption & relation sizes

    • Current context: full call-path

    • Future work: better context definition

    They blow up because of

    Context cloning!

    Unacceptable!

    <1h

    acceptable


    Case study 1 svn l.jpg
    Case study – 1 (svn)

    • Region structure should be consistent with program logic

      • Iterator vs. Hash table

      • Request vs. Connection

    • RegionWiz can effectively find this kind of bugs

    iterator

    parent

    Dangling

    pointer

    table

    sub


    Case study 2 rcc l.jpg
    Case study – 2 (rcc)

    • r1 and r2 are totally independent

    • Destroying r2 earlier will cause dangling pointer

    config

    r1

    name

    r2


    Case study 2 rcc29 l.jpg
    Case study – 2 (rcc)

    • r1 and r2 are totally independent

    • Destroying r2 earlier will cause dangling pointer

    • To use immutable string, it’s better to make a private copy in pointer’s own region

    config

    r1

    copy of name

    name

    r2


    Case study 3 svn l.jpg
    Case study – 3 (svn)

    • Temporary unsafe usage

    • Often involves branches

    • Path-sensitivity

    • Dangerous as code evolves

    • Re-organize code to avoid even temporary unsafe usage

    svn_do_open(……)

    {

    lock = region_alloc(parent);

    if (Conditon) {

    hash = region_alloc(sub);

    lock.f = hash;

    }

    ……

    if (Condition) {

    lock.f = NULL ;

    }

    region_destroy(sub);

    }


    Related work l.jpg
    Related work

    • Language support for regions

      • Reap [OOPSLA '2002], Cyclone [PLDI '2002], RC [PLDI '2001], Ownership types[PLDI '2003]

    • Correlation Analysis

      • Locksmith [PLDI '2006], Chord [PLDI '2006, POPL '2007]

    • Context-sensitive Analysis

      • bddbddb [PLDI '2004, PODS '2005]


    Conclusion l.jpg
    Conclusion

    • Use memory regions safely is not trivial

    • RegionWiz can detect dangling pointers between regions through static conditional correlation analysis

    • RegionWiz is efficient to find real bugs in real applications & improve safety of region-based memory management

    • We believe the correlation analysis framework can solve other problems



    Heuristics l.jpg
    Heuristics

    • For Warning(Pointer, Pointee)

    • Pointer’s type mismatch with pointee’s type – less possible

    • Pointer & pointee never allocated from the same region under some context – more possible

    • Examined 205 lower-ranked warnings, all but one are really false alarms


    Limitations l.jpg
    Limitations

    • Function pointer – standard inter-procedural propagation of function pointer values, but only propagate through variables & parameters, not through heap objects

    • Pointer arithmetic (variable as array index) not supported, just ignored

    • Limited thread support, no support for Asynchronous event, Callbacks, etc.

    • Heuristics bring unsoundness


    ad