corehard_by, profile picture
Uploaded bycorehard_by
PPTX, PDF140 views

Update on C++ Core Guidelines Lifetime Analysis. Gábor Horváth. CoreHard Spring 2019

The document provides an update on the C++ core guidelines' lifetime safety analysis in Clang, discussing motivation, implementation details, and evaluations of static and dynamic tools to combat memory errors prevalent in C++. It explores lifetime analysis methodologies, highlights challenges with false positives, and emphasizes the importance of contextual information for accurate analysis. The conclusions suggest that enhancements in type categorization and flow-sensitive analysis can improve the robustness of the system while keeping performance overhead low.

Download to read offline
Update on the C++ Core Guidelines’ Lifetime Safety analysis in Clang Gábor Horváth xazax.hun@gmail.com 1
Agenda • Motivation • Whirlwind tour of lifetime analysis • See the following talks for details: • https://youtu.be/80BZxujhY38?t=1096 • https://youtu.be/sjnp3P9x5jA • Highlight some implementation details • Evaluation • Upstreaming • Conclusions 2
Motivation • Microsoft: 70 percent of security patches are fixing memory errors • https://youtu.be/PjbGojjnBZQ • C++ has many sources of errors: • Manual memory management, temporary objects, Pointer-like objects, … • Dynamic tools • Few false positives, not every arch is supported, coverage is important • Static tools • Arch independent, the earlier a bug is found the cheaper the fix • Works without good test coverage 3
Motivation #2 int *p; { int x; p = &x; } *p = 5; string_view sv; { string s{“CoreHard"}; sv = s; } sv[0] = ‘c’; Many static tools warn for the left snippet but not for the right, even though they are fundamentally similar. 4
Motivation #3 int *p = &getIntByValue(); std::string_view sv = "test"s; 5
A Tour of Herb’s Lifetime Analysis • Intends to catch common errors (not a verification tool) • Classify types into categories • Owners: never dangle, implementation assumed to be correct • Pointers: might dangle, tracking points-to sets • Aggregates: handled member-wise • Values: everything else • Analysis is function local • Two implementations • We implemented it in a Clang fork • Kyle Reed and Neil MacIntosh implemented the MSVC version 6
A Tour of Herb’s Lifetime Analysis #2 • Flow-sensitive analysis • We only need annotations for misclassifications (rare) • Maps each Pointer at each program point to a points-to set • Elements of a points-to set: • Null • Invalid • Static (lives longer than the pointer or we cannot reason about it) • Local variable/parameter • Aggregate member • Owned memory of an Owner 7
A Tour of Herb’s Lifetime Analysis #3 • https://cppx.godbolt.org/z/IdGRsT 8
A Tour of Herb’s Lifetime Analysis #4 9 vector v1{…}; vector v2{…}; auto it = v1.begin(); if (cond) it = v2.begin(); if (cond2) v2.push_back(…); *it = …; // warning
Implementation 10
Analysis Within a Basic Block • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 11 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
Analysis Within a Basic Block • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 12 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
Analysis Within a Basic Block • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 13 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
Analysis Within a Basic Block • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 14 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
Analysis Within a Basic Block • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 15 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
Analysis Within a Basic Block • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 16 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
Analysis Within a Basic Block • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 17 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
Analysis Within a Basic Block • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 18 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
Analysis Within a Basic Block • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 19 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
Analysis on the CFG Level – Merging Points-to Sets int* p; // pset(p) = {(invalid)} if (cond) { p = &i; // pset(p) = {i} } else { p = nullptr; // pset(p) = {(null)} } // pset(p) = {i, (null)} • Calculate points-to sets within each basic block • Merge incoming points-to sets on basic block entry • Fixed-point iteration • Loops 20
Analysis on the CFG Level – Dealing with Forks void f(int* a) { // pset(a) = {(null), *a) if (a) { // pset(a) = {*a} } else { // pset(a) = {(null)} } // pset(a) = {(null), *a) } {0, *a} 0*a a = 0a != 0 a != 0 a = 0 {0, *a} 21
Tracking Null Pointers – Logical operators if (a && b) { *a; } *a; if (a) { if (b) { *a; // OK } } *a; // warning a b *a *a b = 0a = 0 a != 0 a != 0 b != 0 a != 0 b != 0 22
Tracking Null Pointers – The Role of noreturn (a && b)? … : noreturn(); *a; a b … *a b = 0 a = 0 a != 0 a != 0 b != 0 a != 0 b != 0 noreturn 23
Tracking Null Pointers – Merging Too Early bool c = a && b; c ? … : noreturn(); *a; // false positive a b b = 0 a = 0 a != 0 a != 0 b != 0 c … noreturn *a c = 0c != 0 24
Tracking Null Pointers – Challenges with Assertions void f(int* a, int *b) { assert(a && b); *b; } a b b = 0 a = 0 a != 0 a != 0 b != 0 void f(int* a, int *b) { (bool)(a && b)? … : noreturn(); *b; // false positive } cast *b noreturn 25
Summary of Flow-Sensitive Lifetime Analysis • The performance overhead of the prototype is less than 10% of -fsyntax-only • 3 sources of false positives: • Infeasible paths • Miscategorizations • Function modelling 26
Lifetime analysis for the rest of us 27
Typical Lifetime Issues reference_wrapper<int> data() { int i = 3; return {i}; } 28 return o->name().c_str();auto add(int a) { return [&a](int b) { return a + b; }; } string_view sv = "test"s; S& V = *get();
29
Goal: Enable a Subset of Lifetime Warnings with No False Positives Clang warnings exist for: 30 Let’s generalize them! int *data() { int i = 3; return &i; } new initializer_list<int>{1, 2, 3}; struct Y { int *p; Y(int i) : p(&i) {} };
Evaluation of the Statement Local Analysis • No false positives or true positives for LLVM and Clang head • Few FPs if we categorize every user defined type • FPs could be fixed with annotating llvm::ValueHandleBase • Sample of 22 lifetime related fixes • Faulty commits passed the reviews • 11 would have been caught before breaking the bots • 1 false negative due to Path not being automatically categorized as owner • 3 are missed due to assignments not being checked • Less than 1% performance overhead 31
What is the Issue Here? • Contextual information is required to catch the problem 32 StringRef Prefix = is_abs(dir) ? SysRoot : ""; • Faulty: • Fixed: StringRef Prefix = is_abs(dir) ? StringRef(SysRoot) : "";
Other True Positive Findings • cplusplus.InnerPointer check of the Clang Static Analyzer found 3 true positives in Ceph, Facebook’s RocksDB, GPGME • GSoC 2018 project by Réka Kovács • Problems were reported and fixed promptly • The true positives were all statement local problems • The same true positives can also be found with our statement-local analysis • How many true positives would we expect from the original warnings? 33
Plans for upstreaming • Annotations • Other analyses can start to adopt to type • Generalize warnings • On by default for STL and explicitly annotated types • Type category inference is controversial • Plans for a tool that inserts inferred annotations • Add flow sensitive analysis • First handle function calls conservatively • Add further annotations • Infer annotations for functions • Implement use-after-move checks, add exception support 34
Conclusions • Herb’s analysis is useful for new projects, not always applicable to old • Type categories are useful for other analyses • Generalizing Clang warnings • Generalizing CSA checks • Generalizing Tidy checks • Generalized warnings has low performance impact, all sources of false positives can be addressed • Infeasible paths → statement local analysis • Miscategorization → only trigger for STL and annotated types • Function modelling → only rely on known functions 35
Thank you! 36 • Clang implementation • https://github.com/mgehre/clang • Lifetime paper • https://herbsutter.com/2018/09/20/lifetime-profile-v1-0-posted/ • MSVC implementation • https://devblogs.microsoft.com/cppblog/lifetime-profile-update-in-visual- studio-2019-preview-2/

More Related Content

PDF
VHdl lab report
byJinesh Kb
 
PDF
Les race conditions, nos très chères amies
byPierre Laporte
 
PPTX
Clone Refactoring with Lambda Expressions
byNikolaos Tsantalis
 
PDF
VHDL CODE
byVeer Singh shakya
 
PDF
EXTENT-2016: Industry Practices of Advanced Program Analysis
byIosif Itkin
 
PDF
nosymbols - defcon russia 20
byDefconRussia
 
PDF
Programs of VHDL
byRkrishna Mishra
 
PPTX
Triton and Symbolic execution on GDB@DEF CON China
byWei-Bo Chen
 
VHdl lab report
byJinesh Kb
 
Les race conditions, nos très chères amies
byPierre Laporte
 
Clone Refactoring with Lambda Expressions
byNikolaos Tsantalis
 
VHDL CODE
byVeer Singh shakya
 
EXTENT-2016: Industry Practices of Advanced Program Analysis
byIosif Itkin
 
nosymbols - defcon russia 20
byDefconRussia
 
Programs of VHDL
byRkrishna Mishra
 
Triton and Symbolic execution on GDB@DEF CON China
byWei-Bo Chen
 

What's hot

PDF
Practical file
byrajeevkr35
 
PDF
Vhdl lab manual
byMukul Mohal
 
PDF
Address/Thread/Memory Sanitizer
byPlatonov Sergey
 
PPTX
What has to be paid attention when reviewing code of the library you develop
byAndrey Karpov
 
PDF
Runtime Code Generation and Data Management for Heterogeneous Computing in Java
byJuan Fumero
 
PPTX
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
byDefconRussia
 
PPT
Georgy Nosenko - An introduction to the use SMT solvers for software security
byDefconRussia
 
PDF
04 sequentialbasics 1
byPoornima Prasad
 
PDF
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
byMiguel Arroyo
 
PPTX
02 Java Language And OOP PART II
byHari Christian
 
PPTX
Дмитрий Демчук. Кроссплатформенный краш-репорт
bySergey Platonov
 
PPTX
Weakpass - defcon russia 23
byDefconRussia
 
PDF
Конверсия управляемых языков в неуправляемые
byPlatonov Sergey
 
PPTX
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
byDefconRussia
 
PDF
Java Generics - by Example
byGanesh Samarthyam
 
PPTX
Static Code Analysis for Projects, Built on Unreal Engine
byAndrey Karpov
 
PPTX
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
byAndrey Karpov
 
PDF
How Triton can help to reverse virtual machine based software protections
byJonathan Salwan
 
PPT
Fpga 04-verilog-programming
byMalik Tauqir Hasan
 
DOCX
Dsd prac1
byhardik211991
 
Practical file
byrajeevkr35
 
Vhdl lab manual
byMukul Mohal
 
Address/Thread/Memory Sanitizer
byPlatonov Sergey
 
What has to be paid attention when reviewing code of the library you develop
byAndrey Karpov
 
Runtime Code Generation and Data Management for Heterogeneous Computing in Java
byJuan Fumero
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
byDefconRussia
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
byDefconRussia
 
04 sequentialbasics 1
byPoornima Prasad
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
byMiguel Arroyo
 
02 Java Language And OOP PART II
byHari Christian
 
Дмитрий Демчук. Кроссплатформенный краш-репорт
bySergey Platonov
 
Weakpass - defcon russia 23
byDefconRussia
 
Конверсия управляемых языков в неуправляемые
byPlatonov Sergey
 
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
byDefconRussia
 
Java Generics - by Example
byGanesh Samarthyam
 
Static Code Analysis for Projects, Built on Unreal Engine
byAndrey Karpov
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
byAndrey Karpov
 
How Triton can help to reverse virtual machine based software protections
byJonathan Salwan
 
Fpga 04-verilog-programming
byMalik Tauqir Hasan
 
Dsd prac1
byhardik211991
 

Similar to Update on C++ Core Guidelines Lifetime Analysis. Gábor Horváth. CoreHard Spring 2019

PDF
Checking PVS-Studio with Clang
byAndrey Karpov
 
PDF
Finding bugs in the code of LLVM project with the help of PVS-Studio
byPVS-Studio
 
PDF
Technologies used in the PVS-Studio code analyzer for finding bugs and potent...
byAndrey Karpov
 
PDF
A Unicorn Seeking Extraterrestrial Life: Analyzing SETI@home's Source Code
byPVS-Studio
 
PPTX
Detection of errors and potential vulnerabilities in C and C++ code using the...
byAndrey Karpov
 
PDF
Static Code Analysis and Cppcheck
byZachary Blair
 
PPTX
How Data Flow analysis works in a static code analyzer
byAndrey Karpov
 
PDF
Stale pointers are the new black - white paper
byVincenzo Iozzo
 
PDF
Static analysis should be used regularly
byPVS-Studio
 
PPTX
What static analyzers can do that programmers and testers cannot
byAndrey Karpov
 
PDF
How to find 56 potential vulnerabilities in FreeBSD code in one evening
byPVS-Studio
 
PPTX
Story of static code analyzer development
byAndrey Karpov
 
PDF
Checking Clang 11 with PVS-Studio
byAndrey Karpov
 
PPT
5_StaticAnalysisPREfast.pptaaaaaaaaaaaaa
byJooPedroLopes42
 
PDF
An Experiment with Checking the glibc Library
byAndrey Karpov
 
PDF
Linux version of PVS-Studio couldn't help checking CodeLite
byPVS-Studio
 
PDF
Asterisk: PVS-Studio Takes Up Telephony
byAndrey Karpov
 
PDF
Analyzing Firebird 3.0
byEkaterina Milovidova
 
PDF
Analyzing Firebird 3.0
byPVS-Studio
 
PDF
Linux Kernel, tested by the Linux-version of PVS-Studio
byPVS-Studio
 
Checking PVS-Studio with Clang
byAndrey Karpov
 
Finding bugs in the code of LLVM project with the help of PVS-Studio
byPVS-Studio
 
Technologies used in the PVS-Studio code analyzer for finding bugs and potent...
byAndrey Karpov
 
A Unicorn Seeking Extraterrestrial Life: Analyzing SETI@home's Source Code
byPVS-Studio
 
Detection of errors and potential vulnerabilities in C and C++ code using the...
byAndrey Karpov
 
Static Code Analysis and Cppcheck
byZachary Blair
 
How Data Flow analysis works in a static code analyzer
byAndrey Karpov
 
Stale pointers are the new black - white paper
byVincenzo Iozzo
 
Static analysis should be used regularly
byPVS-Studio
 
What static analyzers can do that programmers and testers cannot
byAndrey Karpov
 
How to find 56 potential vulnerabilities in FreeBSD code in one evening
byPVS-Studio
 
Story of static code analyzer development
byAndrey Karpov
 
Checking Clang 11 with PVS-Studio
byAndrey Karpov
 
5_StaticAnalysisPREfast.pptaaaaaaaaaaaaa
byJooPedroLopes42
 
An Experiment with Checking the glibc Library
byAndrey Karpov
 
Linux version of PVS-Studio couldn't help checking CodeLite
byPVS-Studio
 
Asterisk: PVS-Studio Takes Up Telephony
byAndrey Karpov
 
Analyzing Firebird 3.0
byEkaterina Milovidova
 
Analyzing Firebird 3.0
byPVS-Studio
 
Linux Kernel, tested by the Linux-version of PVS-Studio
byPVS-Studio
 

More from corehard_by

PPTX
C++ CoreHard Autumn 2018. Создание пакетов для открытых библиотек через conan...
bycorehard_by
 
PPTX
C++ CoreHard Autumn 2018. Что должен знать каждый C++ программист или Как про...
bycorehard_by
 
PDF
C++ CoreHard Autumn 2018. Actors vs CSP vs Tasks vs ... - Евгений Охотников
bycorehard_by
 
PPTX
C++ CoreHard Autumn 2018. Знай свое "железо": иерархия памяти - Александр Титов
bycorehard_by
 
PPTX
C++ CoreHard Autumn 2018. Информационная безопасность и разработка ПО - Евген...
bycorehard_by
 
PPTX
C++ CoreHard Autumn 2018. Заглядываем под капот «Поясов по C++» - Илья Шишков
bycorehard_by
 
PPTX
C++ CoreHard Autumn 2018. Ускорение сборки C++ проектов, способы и последстви...
bycorehard_by
 
PPTX
C++ CoreHard Autumn 2018. Метаклассы: воплощаем мечты в реальность - Сергей С...
bycorehard_by
 
PPTX
C++ CoreHard Autumn 2018. Что не умеет оптимизировать компилятор - Александр ...
bycorehard_by
 
PPTX
C++ CoreHard Autumn 2018. Кодогенерация C++ кроссплатформенно. Продолжение - ...
bycorehard_by
 
PDF
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
bycorehard_by
 
PPTX
C++ CoreHard Autumn 2018. Обработка списков на C++ в функциональном стиле - В...
bycorehard_by
 
PPTX
C++ Corehard Autumn 2018. Обучаем на Python, применяем на C++ - Павел Филонов
bycorehard_by
 
PDF
C++ CoreHard Autumn 2018. Asynchronous programming with ranges - Ivan Čukić
bycorehard_by
 
PDF
C++ CoreHard Autumn 2018. Debug C++ Without Running - Anastasia Kazakova
bycorehard_by
 
PDF
C++ CoreHard Autumn 2018. Полезный constexpr - Антон Полухин
bycorehard_by
 
PDF
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
bycorehard_by
 
PPTX
Исключительная модель памяти. Алексей Ткаченко ➠ CoreHard Autumn 2019
bycorehard_by
 
PDF
Как помочь и как помешать компилятору. Андрей Олейников ➠ CoreHard Autumn 2019
bycorehard_by
 
PDF
Автоматизируй это. Кирилл Тихонов ➠ CoreHard Autumn 2019
bycorehard_by
 
C++ CoreHard Autumn 2018. Создание пакетов для открытых библиотек через conan...
bycorehard_by
 
C++ CoreHard Autumn 2018. Что должен знать каждый C++ программист или Как про...
bycorehard_by
 
C++ CoreHard Autumn 2018. Actors vs CSP vs Tasks vs ... - Евгений Охотников
bycorehard_by
 
C++ CoreHard Autumn 2018. Знай свое "железо": иерархия памяти - Александр Титов
bycorehard_by
 
C++ CoreHard Autumn 2018. Информационная безопасность и разработка ПО - Евген...
bycorehard_by
 
C++ CoreHard Autumn 2018. Заглядываем под капот «Поясов по C++» - Илья Шишков
bycorehard_by
 
C++ CoreHard Autumn 2018. Ускорение сборки C++ проектов, способы и последстви...
bycorehard_by
 
C++ CoreHard Autumn 2018. Метаклассы: воплощаем мечты в реальность - Сергей С...
bycorehard_by
 
C++ CoreHard Autumn 2018. Что не умеет оптимизировать компилятор - Александр ...
bycorehard_by
 
C++ CoreHard Autumn 2018. Кодогенерация C++ кроссплатформенно. Продолжение - ...
bycorehard_by
 
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
bycorehard_by
 
C++ CoreHard Autumn 2018. Обработка списков на C++ в функциональном стиле - В...
bycorehard_by
 
C++ Corehard Autumn 2018. Обучаем на Python, применяем на C++ - Павел Филонов
bycorehard_by
 
C++ CoreHard Autumn 2018. Asynchronous programming with ranges - Ivan Čukić
bycorehard_by
 
C++ CoreHard Autumn 2018. Debug C++ Without Running - Anastasia Kazakova
bycorehard_by
 
C++ CoreHard Autumn 2018. Полезный constexpr - Антон Полухин
bycorehard_by
 
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
bycorehard_by
 
Исключительная модель памяти. Алексей Ткаченко ➠ CoreHard Autumn 2019
bycorehard_by
 
Как помочь и как помешать компилятору. Андрей Олейников ➠ CoreHard Autumn 2019
bycorehard_by
 
Автоматизируй это. Кирилл Тихонов ➠ CoreHard Autumn 2019
bycorehard_by
 

Recently uploaded

DOCX
Formula 3 - MACO using general limit.docx
byMarkus Janssen
 
PDF
Transcript: Ready, set, go: Pre-fall sales trends and data-driven insights - ...
byBookNet Canada
 
PDF
Airtable Building Semantic Search with Milvus
byZilliz
 
DOCX
Formula 1 - APIC general MACO calculation.docx
byMarkus Janssen
 
PPTX
Stop Worrying, Start Wiring: Azure Serverless for the AI Era
byMuralidharan Deenathayalan
 
PDF
Top 11 Sites to Buy Verified GitHub Accounts in 2025
byBuy GitHub Accounts Looking for a verified GitHub account?
 
PDF
Top Features of Effective Executive BI Dashboards for Business Success.pdf
bybullseye enagegement
 
PDF
AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do Build...
byMuhammad Yuga Nugraha
 
PPTX
Autonomous Convoy Routing via Drone Swarms and Multi-Modal Threat Detection
byIvan Ruchkin
 
PDF
The End of the Missed Call - How AI Recaptures Lost Leads and Secures ROI
byiovox
 
PDF
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
 
PPTX
Strategic Briefing - Supply-Chain and Autonomous AI Convergence - October-18-...
bySergio De Gregorio
 
PPTX
Artificial Intelligence lecture slides.pptx
bymaimelabernard6
 
PDF
Top-10-Cloud-Service-Companies-in-2025-Market-Leaders-and-Innovators.pdf
byArtjoker Software Development Company
 
PPTX
Taming Time in PHP: Best Practices and Gotchas at Longhorn PHP 2025
byScott Keck-Warren
 
PPTX
Flutter for Beginners widgets types.pptx
byKongu Engineering College, Perundurai, Erode
 
PDF
Igalia and WebKit: Status update and plans (2025)
byIgalia
 
PDF
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
PPTX
Session 6 Specialized AI Associate Series: The GenAI Experience in UiPath Doc...
byDianaGray10
 
PDF
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
Formula 3 - MACO using general limit.docx
byMarkus Janssen
 
Transcript: Ready, set, go: Pre-fall sales trends and data-driven insights - ...
byBookNet Canada
 
Airtable Building Semantic Search with Milvus
byZilliz
 
Formula 1 - APIC general MACO calculation.docx
byMarkus Janssen
 
Stop Worrying, Start Wiring: Azure Serverless for the AI Era
byMuralidharan Deenathayalan
 
Top 11 Sites to Buy Verified GitHub Accounts in 2025
byBuy GitHub Accounts Looking for a verified GitHub account?
 
Top Features of Effective Executive BI Dashboards for Business Success.pdf
bybullseye enagegement
 
AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do Build...
byMuhammad Yuga Nugraha
 
Autonomous Convoy Routing via Drone Swarms and Multi-Modal Threat Detection
byIvan Ruchkin
 
The End of the Missed Call - How AI Recaptures Lost Leads and Secures ROI
byiovox
 
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
 
Strategic Briefing - Supply-Chain and Autonomous AI Convergence - October-18-...
bySergio De Gregorio
 
Artificial Intelligence lecture slides.pptx
bymaimelabernard6
 
Top-10-Cloud-Service-Companies-in-2025-Market-Leaders-and-Innovators.pdf
byArtjoker Software Development Company
 
Taming Time in PHP: Best Practices and Gotchas at Longhorn PHP 2025
byScott Keck-Warren
 
Flutter for Beginners widgets types.pptx
byKongu Engineering College, Perundurai, Erode
 
Igalia and WebKit: Status update and plans (2025)
byIgalia
 
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
Session 6 Specialized AI Associate Series: The GenAI Experience in UiPath Doc...
byDianaGray10
 
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 

Update on C++ Core Guidelines Lifetime Analysis. Gábor Horváth. CoreHard Spring 2019

  • 1.
    Update on theC++ Core Guidelines’ Lifetime Safety analysis in Clang Gábor Horváth [email protected] 1
  • 2.
    Agenda • Motivation • Whirlwindtour of lifetime analysis • See the following talks for details: • https://youtu.be/80BZxujhY38?t=1096 • https://youtu.be/sjnp3P9x5jA • Highlight some implementation details • Evaluation • Upstreaming • Conclusions 2
  • 3.
    Motivation • Microsoft: 70percent of security patches are fixing memory errors • https://youtu.be/PjbGojjnBZQ • C++ has many sources of errors: • Manual memory management, temporary objects, Pointer-like objects, … • Dynamic tools • Few false positives, not every arch is supported, coverage is important • Static tools • Arch independent, the earlier a bug is found the cheaper the fix • Works without good test coverage 3
  • 4.
    Motivation #2 int *p; { intx; p = &x; } *p = 5; string_view sv; { string s{“CoreHard"}; sv = s; } sv[0] = ‘c’; Many static tools warn for the left snippet but not for the right, even though they are fundamentally similar. 4
  • 5.
    Motivation #3 int *p= &getIntByValue(); std::string_view sv = "test"s; 5
  • 6.
    A Tour ofHerb’s Lifetime Analysis • Intends to catch common errors (not a verification tool) • Classify types into categories • Owners: never dangle, implementation assumed to be correct • Pointers: might dangle, tracking points-to sets • Aggregates: handled member-wise • Values: everything else • Analysis is function local • Two implementations • We implemented it in a Clang fork • Kyle Reed and Neil MacIntosh implemented the MSVC version 6
  • 7.
    A Tour ofHerb’s Lifetime Analysis #2 • Flow-sensitive analysis • We only need annotations for misclassifications (rare) • Maps each Pointer at each program point to a points-to set • Elements of a points-to set: • Null • Invalid • Static (lives longer than the pointer or we cannot reason about it) • Local variable/parameter • Aggregate member • Owned memory of an Owner 7
  • 8.
    A Tour ofHerb’s Lifetime Analysis #3 • https://cppx.godbolt.org/z/IdGRsT 8
  • 9.
    A Tour ofHerb’s Lifetime Analysis #4 9 vector v1{…}; vector v2{…}; auto it = v1.begin(); if (cond) it = v2.begin(); if (cond2) v2.push_back(…); *it = …; // warning
  • 10.
  • 11.
    Analysis Within a BasicBlock • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 11 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
  • 12.
    Analysis Within a BasicBlock • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 12 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
  • 13.
    Analysis Within a BasicBlock • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 13 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
  • 14.
    Analysis Within a BasicBlock • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 14 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
  • 15.
    Analysis Within a BasicBlock • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 15 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
  • 16.
    Analysis Within a BasicBlock • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 16 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
  • 17.
    Analysis Within a BasicBlock • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 17 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
  • 18.
    Analysis Within a BasicBlock • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 18 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
  • 19.
    Analysis Within a BasicBlock • Basic blocks contain subexprs in an eval order, no AST traversal required • End of full expression is not marked (apart from DeclStmt) • When to invalidate Pointers to temporaries? • Modified the CFG to include ExprWithCleanup AST nodes • Clang Static Analyzer is another user 19 int x; int *p = &x; int *q = p; 2: x 3: &[B1.2] 4: int *p = &x; 5: p 6: [B1.5] (LValToRVal) 7: int *q = p; 2: {x} 3: {x} 4: pset(p)={x} 5: {p} 6: {x} 7: pset(q)={x}
  • 20.
    Analysis on theCFG Level – Merging Points-to Sets int* p; // pset(p) = {(invalid)} if (cond) { p = &i; // pset(p) = {i} } else { p = nullptr; // pset(p) = {(null)} } // pset(p) = {i, (null)} • Calculate points-to sets within each basic block • Merge incoming points-to sets on basic block entry • Fixed-point iteration • Loops 20
  • 21.
    Analysis on theCFG Level – Dealing with Forks void f(int* a) { // pset(a) = {(null), *a) if (a) { // pset(a) = {*a} } else { // pset(a) = {(null)} } // pset(a) = {(null), *a) } {0, *a} 0*a a = 0a != 0 a != 0 a = 0 {0, *a} 21
  • 22.
    Tracking Null Pointers– Logical operators if (a && b) { *a; } *a; if (a) { if (b) { *a; // OK } } *a; // warning a b *a *a b = 0a = 0 a != 0 a != 0 b != 0 a != 0 b != 0 22
  • 23.
    Tracking Null Pointers– The Role of noreturn (a && b)? … : noreturn(); *a; a b … *a b = 0 a = 0 a != 0 a != 0 b != 0 a != 0 b != 0 noreturn 23
  • 24.
    Tracking Null Pointers– Merging Too Early bool c = a && b; c ? … : noreturn(); *a; // false positive a b b = 0 a = 0 a != 0 a != 0 b != 0 c … noreturn *a c = 0c != 0 24
  • 25.
    Tracking Null Pointers– Challenges with Assertions void f(int* a, int *b) { assert(a && b); *b; } a b b = 0 a = 0 a != 0 a != 0 b != 0 void f(int* a, int *b) { (bool)(a && b)? … : noreturn(); *b; // false positive } cast *b noreturn 25
  • 26.
    Summary of Flow-SensitiveLifetime Analysis • The performance overhead of the prototype is less than 10% of -fsyntax-only • 3 sources of false positives: • Infeasible paths • Miscategorizations • Function modelling 26
  • 27.
    Lifetime analysis forthe rest of us 27
  • 28.
    Typical Lifetime Issues reference_wrapper<int>data() { int i = 3; return {i}; } 28 return o->name().c_str();auto add(int a) { return [&a](int b) { return a + b; }; } string_view sv = "test"s; S& V = *get();
  • 29.
  • 30.
    Goal: Enable aSubset of Lifetime Warnings with No False Positives Clang warnings exist for: 30 Let’s generalize them! int *data() { int i = 3; return &i; } new initializer_list<int>{1, 2, 3}; struct Y { int *p; Y(int i) : p(&i) {} };
  • 31.
    Evaluation of theStatement Local Analysis • No false positives or true positives for LLVM and Clang head • Few FPs if we categorize every user defined type • FPs could be fixed with annotating llvm::ValueHandleBase • Sample of 22 lifetime related fixes • Faulty commits passed the reviews • 11 would have been caught before breaking the bots • 1 false negative due to Path not being automatically categorized as owner • 3 are missed due to assignments not being checked • Less than 1% performance overhead 31
  • 32.
    What is theIssue Here? • Contextual information is required to catch the problem 32 StringRef Prefix = is_abs(dir) ? SysRoot : ""; • Faulty: • Fixed: StringRef Prefix = is_abs(dir) ? StringRef(SysRoot) : "";
  • 33.
    Other True PositiveFindings • cplusplus.InnerPointer check of the Clang Static Analyzer found 3 true positives in Ceph, Facebook’s RocksDB, GPGME • GSoC 2018 project by Réka Kovács • Problems were reported and fixed promptly • The true positives were all statement local problems • The same true positives can also be found with our statement-local analysis • How many true positives would we expect from the original warnings? 33
  • 34.
    Plans for upstreaming •Annotations • Other analyses can start to adopt to type • Generalize warnings • On by default for STL and explicitly annotated types • Type category inference is controversial • Plans for a tool that inserts inferred annotations • Add flow sensitive analysis • First handle function calls conservatively • Add further annotations • Infer annotations for functions • Implement use-after-move checks, add exception support 34
  • 35.
    Conclusions • Herb’s analysisis useful for new projects, not always applicable to old • Type categories are useful for other analyses • Generalizing Clang warnings • Generalizing CSA checks • Generalizing Tidy checks • Generalized warnings has low performance impact, all sources of false positives can be addressed • Infeasible paths → statement local analysis • Miscategorization → only trigger for STL and annotated types • Function modelling → only rely on known functions 35
  • 36.
    Thank you! 36 • Clangimplementation • https://github.com/mgehre/clang • Lifetime paper • https://herbsutter.com/2018/09/20/lifetime-profile-v1-0-posted/ • MSVC implementation • https://devblogs.microsoft.com/cppblog/lifetime-profile-update-in-visual- studio-2019-preview-2/

Editor's Notes

  • #34 During development you catch more issues