Mercurial > hg > CbC > CbC_llvm
diff docs/StackSafetyAnalysis.rst @ 147:c2174574ed3a
LLVM 10
| author | Shinji KONO <kono@ie.u-ryukyu.ac.jp> |
|---|---|
| date | Wed, 14 Aug 2019 16:55:33 +0900 |
| parents | |
| children |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/docs/StackSafetyAnalysis.rst Wed Aug 14 16:55:33 2019 +0900 @@ -0,0 +1,56 @@ +================================== +Stack Safety Analysis +================================== + + +Introduction +============ + +The Stack Safety Analysis determines if stack allocated variables can be +considered 'safe' from memory access bugs. + +The primary purpose of the analysis is to be used by sanitizers to avoid +unnecessary instrumentation of 'safe' variables. SafeStack is going to be the +first user. + +'safe' variables can be defined as variables that can not be used out-of-scope +(e.g. use-after-return) or accessed out of bounds. In the future it can be +extended to track other variable properties. E.g. we plan to extend +implementation with a check to make sure that variable is always initialized +before every read to optimize use-of-uninitialized-memory checks. + +How it works +============ + +The analysis is implemented in two stages: + +The intra-procedural, or 'local', stage performs a depth-first search inside +functions to collect all uses of each alloca, including loads/stores and uses as +arguments functions. After this stage we know which parts of the alloca are used +by functions itself but we don't know what happens after it is passed as +an argument to another function. + +The inter-procedural, or 'global', stage, resolves what happens to allocas after +they are passed as function arguments. This stage performs a depth-first search +on function calls inside a single module and propagates allocas usage through +functions calls. + +When used with ThinLTO, the global stage performs a whole program analysis over +the Module Summary Index. + +Testing +======= + +The analysis is covered with lit tests. + +We expect that users can tolerate false classification of variables as +'unsafe' when in-fact it's 'safe'. This may lead to inefficient code. However, we +can't accept false 'safe' classification which may cause sanitizers to miss actual +bugs in instrumented code. To avoid that we want additional validation tool. + +AddressSanitizer may help with this validation. We can instrument all variables +as usual but additionally store stack-safe information in the +``ASanStackVariableDescription``. Then if AddressSanitizer detects a bug on +a 'safe' variable we can produce an additional report to let the user know that +probably Stack Safety Analysis failed and we should check for a bug in the +compiler.