Modification via pointers to locals in recursive functions

[michael-schwarz]

After some discussion at GobCon yesterday, we were able to come up with an example where locals "escape" to recursive calls.

analyzer/tests/regression/01-cpa/50-escaping-recursion.c

Lines 1 to 33 in 2569701

	int rec(int i,int* ptr) {
	int top;
	int x = 17;
	if(i == 0) {
	rec(5,&x);
	// Recursive call may have modified x
	assert(x == 17); //UNKNOWN!
	} else {
	x = 31;
	// ptr points to the outer x, it is unaffected by this assignment
	// and should be 17
	assert(*ptr == 31); //UNKNOWN!
	if(top) {
	ptr = &x;
	}
	// ptr may now point to both the inner and the outer x
	*ptr = 12;
	assert(*ptr == 12); //UNKNOWN!
	assert(x == 12); //UNKNOWN!
	}
	return 0;
	}
	int main() {
	int t;
	rec(0,&t);
	return 0;
	}

• The program has one call to f(0,&t).
  • This call recursively calls f(5,&x) passing a reference to its local x (Let us call this variable x0 for convenience).
    • The call to f(5,&x) then sets its x (x5) to 31. The following *ptr has &x and this is understood to refer to x5, where x0 would be correct
    • After the nondeterministic branch ptr may point to x0 and x5
    • The assignment modifies one, meaning that the asserts should be unknown
    • The call returns, having potentially modified x of its caller (x0)
  • After f(5,&x) returns x (x0) may have the values 17 or 12, the assert should fail.

@jerhard and I discussed how one could fix this: Our conclusion was to modify the enter such that ptr would point to a different copy of x (the one from the caller). In combine, one would then take the value of this outer copy in the return state of the function as the new value for the local x. This ought to be enough, as one can only refer to the outer copies of variables via pointers, and references to the variable directly refer to the instance in the current stackframe.

[michael-schwarz]

Related to #246 in a way, but I would think at the core, these are separate issues.

[sim642]

I don't think this is as "easy" as just creating an auxiliary varinfo for passing the outer reachable variable into the call. Everything reachable from the arguments (through address sets, structs, unions, arrays) is forwarded to the callee and there might be multiple levels of indirection (including cycles). So the normal varinfo must be substituted with the outer varinfo in all the passed abstract values as well.

Moreover, these varinfos synthesized by base could confuse other analyses, e.g. when they query base for address sets that end up containing them. For example, the pointer you're passing is to a mutex, which the callee then locks and holds in its local lockset. If it's a wrapper for locking, such that the callee doesn't also unlock it, then its return state's lockset contains that synthetic lock. If you then unlock it directly outside, then you'd be trying to unlock something that's not in the lockset even. Suddenly the mutex analysis also needs to be able to undo the transformation of base.

[sim642]

Also, is one outer copy enough? The recursive function could have multiple pointer arguments referring to the local one level up and two levels up, which are different instances. So it may write to the two-levels-up-outer. If there's a single outer variable for all the possible previous levels combined, then combine cannot just take the returned outer and use it for its own local, but must also keep the returned outer such that it can return that another level up.

Why anyone would write such code is of course beyond me, but it's technically possible.

[michael-schwarz]

Also, is one outer copy enough?

No, but also one does not want to keep all these outers apart. @jerhard and I had the idea that as soon as I find a reference to the outer version of a global in the arguments (i.e. this special outer thing made on the first call somehow propagated into another call of the same function), one marks this copy as multiple or something and does weak updates.

So in the body the logic would be:

• I get passed a parameter that contains a pointer to a local x of the same function -> replace it with x_outer and mark x_outer as normal
• I get passed a parameter that contains a pointer to a local x_outer of the same function -> Mark x_outer as multiple

[sim642]

This is just more evidence that we need to stop using straight varinfos for everything and instead abstract them to be able to add metadata as needed. But I don't know if we'll ever see that day...

[michael-schwarz]

But I don't know if we'll ever see that day...

Probably the same day that all variables have reasonable names 😉

[michael-schwarz]

It apparently is not as uncommon as one would hope. I wrote some code to detect when a local of the callee is reachable via the things passed to it by the caller, and this is the case in 23 of our regression tests.

23 tests failed: ["06/14 list_entry_rc", "09/01 list_rc", "09/03 list2_rc", "09/05 ptra_rc", "09/07 kernel_list_rc", "09/10 arraylist_rc", "09/12 arraycollapse_rc", "09/14 kernel_foreach_rc", "09/16 arrayloop_rc", "09/18 nested_rc", "09/20 arrayloop2_rc", "09/23 evilcollapse_rc", "09/26 alloc_region_rc", "09/35 list2_rc-offsets-thread", "28/81 list_racing", "28/82 list_racefree", "28/83 list2_racing1", "28/84 list2_racing2", "28/86 lists_racing", "28/90 arrayloop2_racing", "28/92 evilcollapse_racing", "28/94 alloc_region_racing", "29/20 char_generic_nvram"]

[sim642]

Closed by #310.