Skip to content
This repository has been archived by the owner on Mar 30, 2021. It is now read-only.

Home

Jump to bottom
Gábor Horváth edited this page Aug 10, 2017 · 76 revisions

Clang Cross Translational Unit Analysis

Compilation: What LLVM commit to use?

Branch ctu-clang5 -> LLVM commit b20d324de517c95e5cb01e88f78855b3d0e10d51

Branch ctu-master -> LLVM commit 00708415fb45c18f9871def78647dd555c253e0b

Branch ctu-os -> LLVM commit 7dab9bfe3016988a518ea5868cbf0457d335a356

If you want to use clang-tools-extra:

Branch ctu-clang5 -> CTE commit 619d067acc7165aed1bb8ff86f9579ec666777fa

Branch ctu-master -> CTE commit ea1b4cd563843284e8d20f132d63b6e85deadf70

Branch ctu-os -> CTE commit cdfb024e2f69e1466479278579623167799bca5f

Motivation

The goal of this project is to improve clang static analyzer to be able to detect bugs that span multiple translation units (TU).

Today Clang SA can perform (context-sensitive) inter-procedural analysis by ''inlining'' the called function into the callers context. This means that function parameters (including all constraints) are passed to the called function and the return value of the function is passed back to the caller. This works well for function calls within a translation unit, but when the symbolic execution reaches a function that is implemented in another TU, the analyzer engine handles it as ''unknown''.

Approach

In this project we are working on a method which enables CTU analysis by inlining external function definitions using clang's existing ASTImporter(see http://clang.llvm.org/doxygen/classclang_1_1ASTImporter.html) functionality.

2-pass analysis

To perform the analysis we need to run clang on the whole source code two times.

1st pass: We generate the AST binary (using the clang -cc1 -emit-pch http://clang.llvm.org/docs/PCHInternals.html) of each TU into a temporary directory called preanalyze-dir. We collect the mangled name and location of all externally linkable functions into a text file (externalFnMap.txt).

2nd pass: We run the Clang Static Analysis for all translation units, and when during inlining an externally defined function is reached, we lookup the definition of that function in the corresponding ast file (based on the info in externalFnMap.txt) and import the function definition into the caller's context using the ASTImpoter library.

Results

We have run comparative analysis on several open source projects: openssl, ffmpeg, git, xerces, tmux, etc. We found several additional bugs compared to the non-xtu analysis case.

http://cc.elte.hu/

Credits

This work is based on earlier work of Aleksei Sidorin , Artem Dergachev et al. See http://lists.llvm.org/pipermail/cfe-dev/2015-October/045730.html

Clone this wiki locally