Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Next goals of lockbud #58

Open
1 of 9 tasks
BurtonQin opened this issue Jul 3, 2024 · 5 comments
Open
1 of 9 tasks

Next goals of lockbud #58

BurtonQin opened this issue Jul 3, 2024 · 5 comments
Assignees
@BurtonQin
Labels
enhancement New feature or request

Comments

@BurtonQin
Copy link
Owner

BurtonQin commented Jul 3, 2024
edited
Loading

  • Migrate to rustc_smir for API stability between different versions of rust compilers.
  • Support updated versions of Rust compilers.
  • More complete documents on how lockbud works and how to develop it.
  • Improve bug reports.
  • More test cases.
  • Improve accuracy of detectors and reduce false positives.
  • Support more bug patterns.
  • Accommodate detection algorithms from other Rust static checkers.
  • Develop a vscode plugin to help visualize bugs.
@BurtonQin BurtonQin added the enhancement New feature or request label Jul 3, 2024
@BurtonQin BurtonQin self-assigned this Jul 3, 2024
@chenyan2002
Copy link

Interesting project! I was wondering have you tried to use the Rust analyzer for static analysis. Their libraries are all on crates-io, e.g., https://docs.rs/ra_ap_hir/latest/ra_ap_hir/, so no nightly rustc is required. The only problem I see is that the start up time can be long, because their state cannot be serialized unless we build the analyzer as a server similar to LSP.

BurtonQin added a commit that referenced this issue Sep 1, 2024
@BurtonQin
fix: enable checking of raw ptr escaping to return values or params (#58
774ee22 
)
@BurtonQin
Copy link
Owner Author

A precise points-to analysis lib is the key to the success of a static checker like lockbud. The current points-to analysis implementation of lockbud is mostly intraproc and mainly uses type and fn sig info for interproc handling. This imprecise and unsound design is limited by the Rust compiler's immature support for the rust analysis at the time of launching lockbud project. With the development of StableMIR and other efforts to improve the ability of MIR analysis, many brilliant tools emerged. kani and RAP are two great examples. They both implement their own points-to analysis.

https://github.com/model-checking/kani/blob/main/kani-compiler/src/kani_middle/points_to/points_to_analysis.rs#L49-L49

kani: interprocedural, field-insensitive, MIR and StableMIR, intrinsics covered, sound, easy to understand.

https://github.com/Artisan-Lab/RAP/blob/main/rap/src/analysis/core/alias/mop.rs

RAP: interprocedural, field-sensitive, MIR, intrinsics not covered, a little convoluted.

I am learning from kani, StableMIR and RAP. I plan to start re-designing the current points-to analysis of lockbud before Sep. 15.

BurtonQin added a commit that referenced this issue Sep 11, 2024
@BurtonQin
fix missing UAF for pointing to const (#58)
944af9e
@BurtonQin
Copy link
Owner Author

BurtonQin commented Sep 11, 2024
edited
Loading

Interesting project! I was wondering have you tried to use the Rust analyzer for static analysis. Their libraries are all on crates-io, e.g., https://docs.rs/ra_ap_hir/latest/ra_ap_hir/, so no nightly rustc is required. The only problem I see is that the start up time can be long, because their state cannot be serialized unless we build the analyzer as a server similar to LSP.

ra_ap_hir is one of the rust-analyzer's crates. To my knowledge, rust-analyzer only works on HIR and only rust compiler can generate MIR. Unfortunately, lockbud only works on MIR for now. I know Stable MIR is on the way. if it becomes mature, lockbud can work on stable rustc.

@BurtonQin
Copy link
Owner Author

A precise points-to analysis lib is the key to the success of a static checker like lockbud. The current points-to analysis implementation of lockbud is mostly intraproc and mainly uses type and fn sig info for interproc handling. This imprecise and unsound design is limited by the Rust compiler's immature support for the rust analysis at the time of launching lockbud project. With the development of StableMIR and other efforts to improve the ability of MIR analysis, many brilliant tools emerged. kani and RAP are two great examples. They both implement their own points-to analysis.

https://github.com/model-checking/kani/blob/main/kani-compiler/src/kani_middle/points_to/points_to_analysis.rs#L49-L49

kani: interprocedural, field-insensitive, MIR and StableMIR, intrinsics covered, sound, easy to understand.

https://github.com/Artisan-Lab/RAP/blob/main/rap/src/analysis/core/alias/mop.rs

RAP: interprocedural, field-sensitive, MIR, intrinsics not covered, a little convoluted.

I am learning from kani, StableMIR and RAP. I plan to start re-designing the current points-to analysis of lockbud before Sep. 15.

I found a context-sensitive points-to analysis framework for Rust called RUPTA. Trying to replace the current pts of lockbud with RUPTA.
https://github.com/rustanlys/rupta

@BurtonQin
Copy link
Owner Author

https://arxiv.org/pdf/2401.01114
This paper nicely explains the design principle of the deadlock detector of lockbud.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@BurtonQin BurtonQin

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@chenyan2002 @BurtonQin