Handle escaping of locals (after thread-creation/via globals) soundly

[jerhard]

Goblint does not handle the case when a local variable escapes to another thread after the thread has been started.
A local may become reachable for a thread after the thread has been created, e.g. if the ego-thread stores its address in an object reachable from the parameters passed to the created thread.

The following is an example where this happens:

analyzer/tests/regression/37-escape/01-local-in-pthread.c

Lines 9 to 29 in 4be9ab0

	void *foo(void* p){
	sleep(2);
	int* ip = *((int**) p);
	printf("ip is %d\n", *ip);
	*ip = 42;
	return NULL;
	}
	int main(){
	int x = 0;
	int *xp = &x;
	int** ptr = &xp;
	int x2 = 35;
	pthread_t thread;
	pthread_create(&thread, NULL, foo, ptr);
	*ptr = &x2;
	sleep(4); // to make sure that we actually fail the assert when running.
	assert(x2 == 35); // UNKNOWN!
	pthread_join(thread, NULL);
	return 0;
	}

[michael-schwarz]

There is another related issue: Escaping locals via globals. This is perhaps a bit less surprising than things escaping after the thread was already started:

analyzer/tests/regression/37-escape/02-local-in-global.c

Lines 4 to 20 in 9be146c

	int* gptr;
	void *foo(void* p){
	*gptr = 17;
	return NULL;
	}
	int main(){
	int x = 0;
	gptr = &x;
	pthread_t thread;
	pthread_create(&thread, NULL, foo, NULL);
	sleep(3);
	assert(x == 0); // UNKNOWN!
	pthread_join(thread, NULL);
	return 0;
	}

[sim642]

The simplicity of our escape analysis has always surprised me, now I know why.

I guess the fix would be that writing addresses to effectively globals (global variables or escaped variables) should also escape them?

[michael-schwarz]

I guess the fix would be that writing addresses to effectively globals (global variables or escaped variables) should also escape them?

Yes, I think the general idea would be to consider possibly global things tainted and then the address of a variable flowing to a tainted variable also taints that variable. Maybe a good student topic?

[michael-schwarz]

And maybe one also wants to warn in such cases? It is mostly undesirable in actual software IMO to be passing around references to things of automatic storage duration.

[sim642]

Maybe a good student topic?

Is there much to it though? Sounds like one just needs to implement assign in escape via reachable and ctx.local, no?

And maybe one also wants to warn in such cases? It is mostly undesirable in actual software IMO to be passing around references to things of automatic storage duration.

I think this general storage duration escaping is a separate thing anyway. Because locals escaping into child threads is completely desirable behavior (if they weren't local, then there would be no need to pass them as arguments). The correctness of this possibly depends on joining back the thread before the escaped local goes out of scope (and that thread not having escaped it further somewhere).

[sim642]

Is there much to it though? Sounds like one just needs to implement assign in escape via reachable and ctx.local, no?

Hmm, I tried it now and it's not as local as I thought it might be. Implementing assign in such way will add x2 to the escaped set for the main thread, but the escaped set in the other thread was passed in via threadenter earlier and that didn't contain x2 yet. So x2 will be read as a global in main, but it will not be written as a global in the other thread.

So it looks like there might be a need for some global escape information after all. Of course the easiest would be just a boolean domain for each varinfo. But that loses the flow-sensitivity of escaping that we currently try to have. Although I wonder how useful that is at all.