Airac is a static analyzer for the automatic detection of array index overruns in C programs, developed by Kwangkeun Yi's programming research laboratory at Seoul National University. It checks index ranges without executing the code, aims to report every possible overrun (completeness), and handles the full set of typeful ANSI C, including pointers, aliases and inter-procedural control flow. This presentation covers its internal architecture (a fixpoint solver with widening and narrowing), its performance on Samsung software, Linux kernels and GNU software, a comparison with Coverity, and a plan for deploying the Airac family of analyzers across Samsung software projects.
Airac: Static Analyzer for Automatic Verification of Array Index Ranges in C Programs
Kwangkeun Yi, Programming Research Laboratory, Seoul National University
1/21/2005 @ Samsung SW Center
Contents
• Overview
  • what + enabling technology
  • internal architecture
• Performance
  • for Samsung software, Linux kernels, GNU software
  • strengths and weaknesses
  • Airac in global competition
• Demo
• Plan & Discussion
Airac: introduction
• statically detects all the array index overruns in C programs, whatever form the index expression or the array alias takes:

```c
int *c = (int *)malloc(sizeof(int)*10);  /* c has 10 elements: valid indices 0..9 */
c[i] = 1;                     /* plain variable index */
c[i+ f()] = 1;                /* index depends on a call result */
c[*k + (*g)()] = 1;           /* index through a pointer and a function pointer */
x = c; x[1] = 1;              /* alias created by assignment */
y = c + f(); y[*(y+1)] = 1;   /* pointer arithmetic; index read through the array itself */
z->a = c; (z->a)[i] = 1;      /* alias stored in a struct field */
```

• "statically": no test runs
• "all": complete, no unnoticed overruns
• "C": the full set of typeful ANSI C
  • C pointers (to arrays, to procedures)
  • C control flow (procedure call, return, break, goto)
  • intra- and inter-procedural
  • a variable of type t must remain as such
Airac: internals (1/2)
[architecture diagram: C files, C' program, Solver (fixpoint engine with accelerator, refiner and tuner), report generation]
The solver computes the fixpoint of a system of simultaneous equations over the program's abstract values:
  x1 = F1(x1, …, xN)
  x2 = F2(x1, …, xN)
  …
  xN = FN(x1, …, xN)
Airac: internals (2/2)
• Every available technique has been deployed to tune Airac to a "realistic" cost-accuracy balance.
• for analysis accuracy
  • flow-sensitive analysis, context pruning, polyvariant analysis, static loop unrolling, narrowing
• for analysis speed
  • widening, selective join, stack obviation, wait-at-join
• new techniques were invented where the existing ones did not suffice
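The following is an added example, not Airac's own code: a toy fixpoint engine over the interval domain showing what the widening (speed) and narrowing (accuracy) techniques listed above do for one counted loop writing into an array. The loop shape, the interval representation and all function names are assumptions made for illustration; Airac's real solver handles full ANSI C rather than this one pattern.

```python
# Added example (not Airac's code): an interval-domain fixpoint engine with
# widening and narrowing for one counted loop, the technique behind the
# "Solver: fixpoint engine" box. Abstract values are closed ranges (lo, hi)
# with float infinities standing in for unbounded ends.
INF = float("inf")
BOT = (INF, -INF)          # the empty interval: "this point is unreachable"


def join(a, b):
    """Least upper bound of two intervals (used where control flow merges)."""
    if a == BOT:
        return b
    if b == BOT:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def widen(old, new):
    """Ascending phase: push any still-moving bound to infinity so the
    iteration terminates in a few steps instead of counting up to n."""
    if old == BOT:
        return new
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)


def narrow(old, new):
    """Descending phase: replace an infinite bound by the refined one.
    Finite bounds are kept, so narrowing cannot oscillate."""
    lo = new[0] if old[0] == -INF else old[0]
    hi = new[1] if old[1] == INF else old[1]
    return (lo, hi)


def add_const(a, c):
    """Abstract transfer function for  e + c  with c a constant."""
    if a == BOT:
        return BOT
    return (a[0] + c, a[1] + c)


def assume_lt(a, bound):
    """Refine interval `a` under the guard `a < bound`; BOT if unsatisfiable."""
    if a == BOT or bound == BOT:
        return BOT
    hi = min(a[1], bound[1] - 1)
    return (a[0], hi) if a[0] <= hi else BOT


def analyze_loop(n, size, offset=0, max_iter=100):
    """Analyze   i = 0; while (i < n) { a[i + offset] = 1; i = i + 1; }
    where `n` is the interval known for n and `a` has `size` elements.
    Returns (interval of the index i + offset, alarm); alarm is True when
    the index cannot be proven to stay inside [0, size - 1]."""
    init = (0, 0)                        # value of i at the loop head on entry
    head = init

    def step(h):
        # One pass through the loop: guard, then i = i + 1, merged with entry.
        return join(init, add_const(assume_lt(h, n), 1))

    for _ in range(max_iter):            # ascending iteration with widening
        new_head = widen(head, step(head))
        if new_head == head:
            break
        head = new_head
    for _ in range(max_iter):            # descending iteration with narrowing
        new_head = narrow(head, step(head))
        if new_head == head:
            break
        head = new_head

    index = add_const(assume_lt(head, n), offset)
    if index == BOT:                     # body never runs: nothing to report
        return index, False
    alarm = index[0] < 0 or index[1] > size - 1
    return index, alarm


if __name__ == "__main__":
    for n, off in [((10, 10), 0), ((10, 10), 1), ((-INF, INF), 0)]:
        print("n =", n, "offset =", off, "->", analyze_loop(n, 10, offset=off))
```

With `n` known to be 10 and a 10-element array, widening jumps the loop counter to [0, +inf) in one step and narrowing pulls it back to [0, 10], so the index `i` is [0, 9] and no alarm is raised. Writing `a[i + 1]` instead gives [1, 10] and a genuine alarm. When nothing is known about `n`, the index stays [0, +inf) and the analyzer must report an alarm that may well be false at run time, which is the situation the performance slide describes as regrettable but inevitable.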
Airac: performance (1/3)
• False alarms: regrettable but inevitable. Still a great help: consider 435 vs 800,000!
• Analyzer stupidity ~ (FalseAlarms / Alarms) × (Alarms / LOC), i.e. false alarms per line of code
Airac vs Swat (2/3)
[diagram relating Airac, Coverity and the bugs found]
Demo
• killers for Swat
  • Samsung EsWin osInputQueue.c
  • GNU tar-1.13/rmt.c
Airac: distinguished
• one of a few real-world static analyzers supporting full ANSI C
• vs. world-class powers in static analysis:
  • Astree (France), PolySpace (France), AbsInt (Germany): sound (don't have yet)
  • Coverity (USA): not complete, ad hoc. Beaten by Airac.
• all in the static analysis research community:
  • I know what they (can) do.
  • If I hadn't known, they might be people of either shallow technology or the "disruptive technology"
• big surprise to conventional compiler people ("data-flow-analysis" people): "how did you handle pointers, aliases, inter-procedural things, etc.?" They don't understand Airac technology because their framework is weak.
Airac: room to improve
• cost
  • speed: ~50 LOC/sec, with a big variance
  • big memory footprint: ~4 GB when analyzing 10 KLOC of GNU software
• accuracy
  • false alarms: unavoidable, but not that stupid
  • wiser report generation needed
• identified research problems
  • static analysis linker
  • alarm explanation generator
  • alarm-repairing analyzer framework
  • analyzer visualization: see what happens
Plan: proposal
• Equip SWC with the Airac family of analyzers for detecting
  • other common and/or critical bugs
  • hard memory bugs: memory leaks and dangling pointers
  • software-specific bugs (e.g. "x must be 0 here")
• Dispatch the Airac family Samsung-wide