practical memory leak detector based on parameterized
play

Practical Memory Leak Detector Based on Parameterized Procedural - PowerPoint PPT Presentation

Practical Memory Leak Detector Based on Parameterized Procedural Summaries Yungbum Jung, Kwangkeun Yi { dreameye, kwang } @ropas.snu.ac.kr Programming Research Lab. Seoul National University Korea June 8, 2008 International Symposium on


  1. Practical Memory Leak Detector Based on Parameterized Procedural Summaries Yungbum Jung, Kwangkeun Yi { dreameye, kwang } @ropas.snu.ac.kr Programming Research Lab. Seoul National University Korea June 8, 2008 International Symposium on Memory Management

  2. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Leaks Detected Leaks on Exception p1 = malloc(); if(p1 == NULL) return 0; p2 = malloc(); if(p2 == NULL) return 0; ret Omission in Freeing Procedure VB texture Proxy1D s = allocS(); PB Proxy2D ... Proxy3D freeS(s); shared return; Default1D DisplayList Default2D TextObjectList Default3D TextObjects next Programming Research Lab. Seoul National University, Korea 2

  3. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Analysis Overview Static analysis for detecting memory leaks • Procedural Summaries 1. Summarizing callee procedures in reverse topological order of static call graph • How to analyze a procedure without knowing the input memory? • What can be memory leak related behaviours? 2. Instantiation at the call sites: context-sensitivity • Unsound Decisions for cost-accuracy balance • Reducing costs • Improving accuracy Programming Research Lab. Seoul National University, Korea 3

  4. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Analysis Overview Static analysis for detecting memory leaks • Procedural Summaries 1. Summarizing callee procedures in reverse topological order of static call graph • How to analyze a procedure without knowing the input memory? Access Path • What can be memory leak related behaviours? 8 Summary Categories 2. Instantiation at the call sites: context-sensitivity • Unsound Decisions for cost-accuracy balance • Reducing costs • Improving accuracy Programming Research Lab. Seoul National University, Korea 4

  5. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Memory Leaks A procedure leaks a heap memory whenever • the memory is allocated while the procedure active • the memory is neither recycled nor visible after return Detecting memory leaks needs three information • allocated addresses int *p = malloc(); • aliases between addresses int *x = p; • freed addresses free(x); Programming Research Lab. Seoul National University, Korea 5

  6. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Exploring Unknown Input Memory We collect three information without knowing the input memory 1. Only locations accessed by the procedure are important 2. C procedures access the input memory through either arguments or global variables 3. We can determine the “access path” with which those locations are accessed ( arg i | ret | global )( * | .f ) ∗ Programming Research Lab. Seoul National University, Korea 6

  7. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Example of Explorations Exploring Unknown Memory List * next(List *head) { List * cur = head->next; free(head); return cur; } Programming Research Lab. Seoul National University, Korea 7

  8. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Example of Explorations Exploring Unknown Memory List * next(List *head) { �→ head α List * cur = head->next; α .next �→ β free(head); �→ cur β return cur; } Symbolic addresses α and β represent some addresses that already existed before the procedure is called = α arg * β = arg *.next Programming Research Lab. Seoul National University, Korea 8

  9. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Example of Explorations Exploring Unknown Memory List * next(List *head) { head �→ α List * cur = head->next; α .next �→ β free(head); cur �→ β return cur; } The symbolic address α is freed � Alloc, Free � = � ∅ , { α }� Programming Research Lab. Seoul National University, Korea 9

  10. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Example of Explorations Exploring Unknown Memory List * next(List *head) { �→ head α List * cur = head->next; α .next �→ β free(head); cur �→ β return cur; �→ β ret } Return address ret contains return value Programming Research Lab. Seoul National University, Korea 10

  11. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Example of Explorations Exploring Unknown Memory List * next(List *head) { �→ head α List * cur = head->next; α .next �→ β free(head); �→ cur β return cur; ret �→ β } This procedure • frees α accessed from the argument with arg* • returns β accessed from the argument with arg*.next Programming Research Lab. Seoul National University, Korea 11

  12. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Memory Leak Related Behaviours How can procedures affect leak detections? No Effects Effects void local() { int *foo(int *p) { int *p = malloc(); free(p); free(p); return malloc(); } } The foo procedure frees an address pointed to by the argument and returns an allocated address Programming Research Lab. Seoul National University, Korea 12

  13. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Memory Leak Related Behaviours? Procedure fcall calls the function pointer High-order Effects of Procedure void fcall(int *a, void (*fp)(int *)) { fp(a); } p = malloc(); no leak! fcall(p, free); We can not summarize all memory leak related behaviours Programming Research Lab. Seoul National University, Korea 13

  14. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion 8 Summary Categories • To detect more leaks • To avoid false positives • To capture interprocedural aliasing free global argument return allocation - - Alloc2Arg Alloc2Ret global - - Glob2Arg Glob2Ret argument Arg2Free Arg2Glob Arg2Arg Arg2Ret Programming Research Lab. Seoul National University, Korea 14

  15. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Examples of Summary Categories(1/2) Allocation - Alloc2Arg, Alloc2Ret List *f(int **p) { * * arg List *cur = malloc(); cur->next = malloc(); *p = malloc(); next * return cur; ret } existed before the procedure is called done by the procedure Programming Research Lab. Seoul National University, Korea 15

  16. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Examples of Summary Categories(2/2) Free & Globalization - Arg2Free, Glob2Ret * Node gNode; arg Node *g(int *p) { free(p); return &gNode; * ret global } Programming Research Lab. Seoul National University, Korea 16

  17. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Examples of Summary Categories(2/2) Free & Globalization - Arg2Free, Glob2Ret * Node gNode; arg Node *g(int *p) { free(p); return &gNode; * ret global } No Leaks void f() { Node *node; int *p = malloc(); node = g(p); node->next = malloc(); } Programming Research Lab. Seoul National University, Korea 17

  18. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Summarization from Memory From List *next(List *head) { �→ head α List *cur = head->next; α .next �→ β free(head); �→ cur β return cur; ret �→ β } To * Arg2Free α = arg * arg = β arg *.next next Arg2Ret β = ret * * ret Programming Research Lab. Seoul National University, Korea 18

  19. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Summary Instantiation * foo(Node *x, Node *y) { arg1 free(y->next); * next free(x); arg2 } Node *a = malloc(); �→ ℓ 1 a Node *b = a; �→ b ℓ 1 a->next = malloc(); ℓ 1 .next �→ ℓ 2 foo(a,b); Programming Research Lab. Seoul National University, Korea 19

  20. Introduction Estimating Memory-Effects Procedural Summary Experiment Results Unsound Decisions Conclusion Summary Instantiation * foo(Node *x, Node *y) { arg1 free(y->next); free(x); * next arg2 } Node *a = malloc(); �→ a ℓ 1 Node *b = a; �→ ℓ 1 b a->next = malloc(); ℓ 1 .next �→ ℓ 2 foo(a,b); Parameterized addresses are instantiated * a � 1 * next b � 1 � 2 Programming Research Lab. Seoul National University, Korea 20

Recommend


More recommend