Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Track written lvalues per function and use this information in Base.combine #553

Closed
jerhard opened this issue Jan 20, 2022 · 1 comment · Fixed by #952
Closed

Track written lvalues per function and use this information in Base.combine #553

jerhard opened this issue Jan 20, 2022 · 1 comment · Fixed by #952
Assignees
@FelixKrayer
Labels
precision student-job
Milestone
v2.2.0

Comments

@jerhard
Copy link
Member

jerhard commented Jan 20, 2022
edited
Loading

Problem: Precision loss in combine with partial contexts

When analyzing functions with partial contexts, the final state of a function f thus can contain abstract values joined over multiple calls sites with different states. At a call site of f, the combine will take the abstract values of shared memory locations, e.g. globals, from the final state of f, which may be imprecise due to partial contexts. This causes an unnecessary lose in precision when it is clear that f does not write to these memory locations.

Proposed Solution

Introduce an analysis that should track for each function (with its context) an overapproximation of the lvalues it may write to or modify via passing them to other functions. When encountering a function call, the Base analysis should query this analysis about the written lvalues. Only for these, the abstract values of the callee need to be used.

Remarks

This is probably will bring a higher benefit in a setting without earlyglobs compared to a setting with earlyglobs, as more shared memory locations (in particular globals) are kept in the local state.
@michael-schwarz
Copy link
Member

michael-schwarz commented Nov 12, 2022
edited
Loading

@FelixKrayer is working on this for his Bachelor's thesis, I just forgot we had an issue for this.

Some details from the internal topic tracker:

[BA] Combatting Precision Loss From Partial Contexts in the Static Analyzer Goblint
Taint Analysis & More precise partical contexts:

  • for each function keep track of the set of variables it may have written
  • Use this in other analyses (in particular in the Base analysis) to only use the values of the callee for those lvals that are possible written

@FelixKrayer FelixKrayer mentioned this issue Dec 20, 2022
Merged
@michael-schwarz michael-schwarz linked a pull request Dec 21, 2022 that will close this issue
Taint analysis to improve the precision loss of partial contexts #952
Merged
@sim642 sim642 added this to the v2.2.0 milestone Apr 5, 2023
@sim642 sim642 mentioned this issue Sep 13, 2023
Closed
sim642 added a commit to sim642/opam-repository that referenced this issue Sep 13, 2023
@sim642
[new release] goblint (2.2.0)
eb80bce 
CHANGES:

* Add `setjmp`/`longjmp` analysis (goblint/analyzer#887, goblint/analyzer#970, goblint/analyzer#1015, goblint/analyzer#1019).
* Refactor race analysis to lazy distribution (goblint/analyzer#1084, goblint/analyzer#1089, goblint/analyzer#1136, goblint/analyzer#1016).
* Add thread-unsafe library function call analysis (goblint/analyzer#723, goblint/analyzer#1082).
* Add mutex type analysis and mutex API analysis (goblint/analyzer#800, goblint/analyzer#839, goblint/analyzer#1073).
* Add interval set domain and string literals domain (goblint/analyzer#901, goblint/analyzer#966, goblint/analyzer#994, goblint/analyzer#1048).
* Add affine equalities analysis (goblint/analyzer#592).
* Add use-after-free analysis (goblint/analyzer#1050, goblint/analyzer#1114).
* Add dead code elimination transformation (goblint/analyzer#850, goblint/analyzer#979).
* Add taint analysis for partial contexts (goblint/analyzer#553, goblint/analyzer#952).
* Add YAML witness validation via unassume (goblint/analyzer#796, goblint/analyzer#977, goblint/analyzer#1044, goblint/analyzer#1045, goblint/analyzer#1124).
* Add incremental analysis rename detection (goblint/analyzer#774, goblint/analyzer#777).
* Fix address sets unsoundness (goblint/analyzer#822, goblint/analyzer#967, goblint/analyzer#564, goblint/analyzer#1032, goblint/analyzer#998, goblint/analyzer#1031).
* Fix thread escape analysis unsoundness (goblint/analyzer#939, goblint/analyzer#984, goblint/analyzer#1074, goblint/analyzer#1078).
* Fix many incremental analysis issues (goblint/analyzer#627, goblint/analyzer#836, goblint/analyzer#835, goblint/analyzer#841, goblint/analyzer#932, goblint/analyzer#678, goblint/analyzer#942, goblint/analyzer#949, goblint/analyzer#950, goblint/analyzer#957, goblint/analyzer#955, goblint/analyzer#954, goblint/analyzer#960, goblint/analyzer#959, goblint/analyzer#1004, goblint/analyzer#558, goblint/analyzer#1010, goblint/analyzer#1091).
* Fix server mode for abstract debugging (goblint/analyzer#983, goblint/analyzer#990, goblint/analyzer#997, goblint/analyzer#1000, goblint/analyzer#1001, goblint/analyzer#1013, goblint/analyzer#1018, goblint/analyzer#1017, goblint/analyzer#1026, goblint/analyzer#1027).
* Add documentation for configuration JSON schema and OCaml API (goblint/analyzer#999, goblint/analyzer#1054, goblint/analyzer#1055, goblint/analyzer#1053).
* Add many library function specifications (goblint/analyzer#962, goblint/analyzer#996, goblint/analyzer#1028, goblint/analyzer#1079, goblint/analyzer#1121, goblint/analyzer#1135, goblint/analyzer#1138).
* Add OCaml 5.0 support (goblint/analyzer#1003, goblint/analyzer#945, goblint/analyzer#1162).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FelixKrayer FelixKrayer

Labels
precision student-job
Projects
None yet
Milestone
v2.2.0
Development

Successfully merging a pull request may close this issue.

Taint analysis to improve the precision loss of partial contexts FelixKrayer/analyzer
4 participants
@sim642 @jerhard @michael-schwarz @FelixKrayer