From: Shengyu Huang <kumom.huang@gmail.com>
To: David Malcolm <dmalcolm@redhat.com>
Cc: Pierrick Philippe <pierrick.philippe@irisa.fr>, gcc@gcc.gnu.org
Subject: Re: [Static Analyzer] Loop handling - False positive for malloc-sm
Date: Tue, 21 Mar 2023 11:01:41 +0100 [thread overview]
Message-ID: <89A3402E-023E-4EEC-A921-E9E31EC9C5B1@gmail.com> (raw)
In-Reply-To: <3b77234afb96947c9694d375b43b3096cbd45467.camel@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 2113 bytes --]
Hi Dave,
> I implemented my own approach, with a "widening_svalue" subclass of
> symbolic value. This is widening in the Abstract Interpretation sense,
> (as opposed to the bitwise operations sense): if I see multiple values
> on successive iterations, the widening_svalue tries to simulate that we
> know the start value and the direction the variable is moving in.
I guess you are using interval domain? I haven’t played with abstract interpretation a lot, but I think the polyhedra domain is the more popular domain used (but more difficult to implement ofc). In a course project I did before, I remember switching to polyhedra domain from the interval domain allowed me to prove the properties I wanted to prove.
Also, are you using the same approach maybe to detect nontermination of loops? Maybe when you find out you have to widen the variable range to (minus) infinity?
>
> This doesn't work well; arguably I should rewrite it, perhaps with an
> iterator_svalue, though I'm not sure how it ought to work. Some ideas:
>
> * reuse gcc's existing SSA-based loop analysis, which I believe can
> identify SSA names that are iterator variables, figure out their
> bounds, and their per-iteration increments, etc.
>
> * rework the program_point or supergraph code to have a notion of "1st
> iteration of loop", "2nd iteration of loop", "subsequent iterations",
> or similar, so that the analyzer can explore those cases differently
> (on the assumption that such iterations hopefully catch the most
> interesting bugs)
I haven’t thought about how to do this properly in gcc, but maybe we can infer loop invariants (or even allow users to annotate loop invariants…but I guess it would change a lot of things outside the scope of current analyzer) that can help us do multiple checks for a loop. I have only seen this strategy used on the source level before, and I don’t know how difficult it will be to implement it on gimple…There is a paper I haven’t had the time to read but maybe you will find interesting: https://arxiv.org/pdf/1407.5286.pdf
Best,
Shengyu
next prev parent reply other threads:[~2023-03-21 10:01 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-20 12:28 Pierrick Philippe
2023-03-20 23:30 ` David Malcolm
2023-03-21 8:21 ` Pierrick Philippe
2023-03-22 18:19 ` David Malcolm
2023-03-23 8:06 ` Pierrick Philippe
2023-03-21 10:01 ` Shengyu Huang [this message]
2023-03-22 18:34 ` David Malcolm
2023-03-21 10:12 ` Shengyu Huang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=89A3402E-023E-4EEC-A921-E9E31EC9C5B1@gmail.com \
--to=kumom.huang@gmail.com \
--cc=dmalcolm@redhat.com \
--cc=gcc@gcc.gnu.org \
--cc=pierrick.philippe@irisa.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).