Create a static analysis script for detecting reentrancy on a function

Status: NEW
Product / Component: Core :: Rewriting and Analysis
Priority: P3
Severity: normal
Reported: 8 years ago
Last modified: a year ago

People: (Reporter: Ehsan, Assigned: vasundhara)

Tracking: (Blocks: 1 bug)
Version: Trunk
Platform: x86 / Mac OS X
Firefox Tracking Flags: (Not tracked)

Attachments: (2 attachments)

It would be very useful to have a static analysis tool which can detect reentrancies on a specified function (or a method) in a single-threaded world, barring cases which include js or code that we have no control over on the stack.  Ideally, such a tool would be able to show a stack trace which leads to a reentrant function call.

Ehren kindly accepted to write such a tool, so I'm assigning this to him.

Updated

8 years ago
Blocks: 430328

Comment 1

8 years ago
Created attachment 424063 [details]
script

Here's my first attempt. Keep in mind that this will not detect reentries via function pointer calls.

Also for calls of the form |Base* b = new Derived(); b->foo();|, the base method is registered as the callee. It's straightforward to account for this case but I was wondering if I'm on the right track so far.

I could also see about uploading the sqlite database generated by Callgraph if you don't want to go through the build process.

(I put usage instructions in the comments btw)
Blocks: 221820
(Assignee)

Comment 2

8 years ago
I am a student from SJCE, Mysore, India and I would like to take up this bug.

vasundhara: Ehren has attached a script here, which seems like a first step at least.  Feel free to use it as a basis for your work and see if you can come up with something better.

Comment 4

8 years ago
Vasundhara,

You're definitely welcome to take up the work here, but I'll just give a description of what I've done and what more could be done.

As I understand it, reentrancy in this context means you have a number of functions such that, e.g., foo calls bar, bar calls baz, and baz calls foo.

To detect this situation will require a post-processing analysis after compilation which is made pretty easy by dwitte's callgraph which you can read about here: https://developer.mozilla.org/en/Callgraph

My script, using callgraph, will just tell you if a given function is reentrant, which I believe is equivalent to finding if the function (a node in the graph) lies within a cycle. It prints the cycle if this is the case.

It would also be possible to find all cycles in the graph (find all reentrant functions) but I'm not sure if this would be particularly useful here.
Assignee: ehren.m → vasusomayaji
(Assignee)

Comment 5

7 years ago
Created attachment 446193 [details]
Warns by displaying the function names that are reentrant.
Attachment #446193 - Flags: feedback?

Comment 6

7 years ago
What output does this produce when run on the Mozilla codebase?
(Assignee)

Comment 7

7 years ago
The script displays the names of the functions that are reentrant. It does not show the stack trace. For example, for find -> detect, detect -> solve, solve -> find, the script produces the output at the end as below:
Warning:find() Reentrancy is detected here
Warning:detect() Reentrancy is detected here
Warning:solve() Reentrancy is detected here

I will attach the output the script generates when run on Mozilla codebase shortly.
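The check Ehren describes in comment 4 (a function is reentrant exactly when its node lies on a cycle of the call graph, and the cycle itself is the "stack trace" the bug asks for) together with the per-function warning output Vasundhara describes in comment 7, as an added example. This is not either attached script and does not use Callgraph; it assumes the call graph has already been exported as a list of (caller, callee) pairs. The find/detect/solve cycle is the one from comment 7; `main`, `helper`, `Base::foo` and `Derived::foo` are hypothetical names added to show the virtual-call case from comment 1, where a call through a `Base*` is recorded against the base method, so the cycle through the override is missed unless override edges are added. Calls through function pointers are still not modelled.

```python
"""Reentrancy check over a static call graph (added example, not the attached scripts)."""
from collections import defaultdict, deque

# Constructed sample call graph.  find/detect/solve is the cycle from comment 7;
# main, helper, Base::foo and Derived::foo are hypothetical names used to show
# the virtual-call case from comment 1: |Base* b = new Derived(); b->foo();|
# is recorded as a call to Base::foo, so the cycle through Derived::foo is
# invisible until the override edge is added.
SAMPLE_EDGES = [
    ("main", "find"),
    ("find", "detect"),
    ("detect", "solve"),
    ("solve", "find"),
    ("Derived::foo", "helper"),
    ("helper", "Base::foo"),      # b->foo() with b of static type Base*
]
# Hypothetical override table: base method -> methods that may actually run.
SAMPLE_OVERRIDES = {"Base::foo": ["Derived::foo"]}


def build_graph(edges, overrides=None):
    """Adjacency sets caller -> {callees}.  A call to a base method is also
    treated as a possible call to every override (over-approximation: it can
    report a cycle that never happens at runtime, but never misses one)."""
    graph = defaultdict(set)
    for caller, callee in edges:
        graph[caller].add(callee)
        for override in (overrides or {}).get(callee, ()):
            graph[caller].add(override)
    return graph


def find_reentrant_chain(graph, target):
    """Shortest call chain target -> ... -> target, or None if target is not
    on any cycle.  BFS from target's callees; the chain is the stack trace."""
    parent = {}
    queue = deque()
    for callee in graph.get(target, ()):
        if callee not in parent:
            parent[callee] = target
            queue.append(callee)
    while queue:
        node = queue.popleft()
        if node == target:
            chain = [target]
            cur = parent[target]
            while cur != target:          # walk back to the first callee
                chain.append(cur)
                cur = parent[cur]
            chain.append(target)
            chain.reverse()
            return chain
        for callee in graph.get(node, ()):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def reentrant_functions(graph):
    """Every function on some cycle: members of a strongly connected component
    of size > 1, or a function that calls itself.  Tarjan's SCC algorithm,
    written recursively; raise sys.setrecursionlimit for a very deep graph."""
    index, low, on_stack, stack, result = {}, {}, set(), [], set()
    counter = [0]

    def strongconnect(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of a component
            component = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                component.append(w)
                if w == v:
                    break
            if len(component) > 1 or v in graph.get(v, ()):
                result.update(component)

    nodes = set(graph)
    for callees in graph.values():
        nodes.update(callees)
    for v in sorted(nodes):
        if v not in index:
            strongconnect(v)
    return result


def report(graph):
    """Warning lines in the style of comment 7, one per reentrant function,
    each followed by the shortest call chain that re-enters it."""
    lines = []
    for fn in sorted(reentrant_functions(graph)):
        chain = " -> ".join(find_reentrant_chain(graph, fn))
        lines.append(f"Warning: {fn}() Reentrancy is detected here: {chain}")
    return lines


if __name__ == "__main__":
    for line in report(build_graph(SAMPLE_EDGES, SAMPLE_OVERRIDES)):
        print(line)
```

Run stand-alone it prints the warnings for the sample graph with override edges applied; without `SAMPLE_OVERRIDES` only find, detect and solve are reported, which is exactly the miss comment 1 describes. Feeding a real graph means replacing `SAMPLE_EDGES` with the (caller, callee) rows from whatever the build produced, and feeding every virtual method's overrides into the override table.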
(Assignee)

Comment 8

7 years ago
The script I have attached here does not make use of Callgraph.
Attachment #446193 - Flags: feedback?
Priority: -- → P3