Skip to content

Analyze unsafe code reachability#4037

Merged
tautschnig merged 6 commits intomodel-checking:mainfrom
carolynzech:transitive-scan
Apr 24, 2025
Merged

Analyze unsafe code reachability#4037
tautschnig merged 6 commits intomodel-checking:mainfrom
carolynzech:transitive-scan

Conversation

@carolynzech
Copy link
Contributor

@carolynzech carolynzech commented Apr 21, 2025

Continuation of #3546.

From @celinval in #3546:

Add call graph analysis to scanner in order to find the distance between functions in a crate and unsafe functions.

For that, we build the crate call graph and collect the unsafe functions. After that, do reverse BFS traversal from the unsafe functions and store the distance to other functions. The result is stored in a new csv file.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

celinval and others added 4 commits April 21, 2025 11:05
@celinval
Analyze unsafe code reachability
61269de 
Add callgraph analysis to scanner in order to find the distance between
functions in a crate and unsafe functions.

For that, we build the crate call graph and collect the unsafe
functions. After that, do reverse BFS traversal from the unsafe
functions and store the distance to other functions.
The result is stored in a new csv file.
Address PR comments
65778ec
rust-lang/rust#139455 removed support for extern intrinsics
749fa1e
remove unused FnStats field
87ce0d6
@carolynzech carolynzech requested a review from a team as a code owner April 21, 2025 16:01
@tautschnig
Copy link
Member

tautschnig commented Apr 22, 2025

Add call graph analysis to scanner in order to find the distance between functions in a crate and unsafe functions.

For that, we build the crate call graph and collect the unsafe functions. After that, do reverse BFS traversal from the unsafe functions and store the distance to other functions. The result is stored in a new csv file.

What does this distance metric tell us?

More generally: what is the goal of the new analysis? And what else can we maybe do with it? I vaguely recall that I wanted to build upon this PR to find all functions that transitively involve loops, but now I'm not entirely sure this is the right place.

@carolynzech
Copy link
Contributor Author

carolynzech commented Apr 22, 2025
edited
Loading

What does this distance metric tell us?
More generally: what is the goal of the new analysis? And what else can we maybe do with it?

On my local machine, I added a filter to the queue initialization here to filter out unsafe functions and safe abstractions as roots of the tree. By starting only from safe functions and performing the analysis, we can compute how many safe functions with transitive unsafe dependencies there are.

This is useful for the standard library, where 71% of the functions appear safe in that they don't contain any unsafe blocks, but after performing this analysis, we can see that 52% of these "safe" functions end up calling into unsafe somewhere in their call chain.

@celinval
Copy link
Contributor

celinval commented Apr 22, 2025

Just for some context, initially I implemented this analysis to find out the percentage of safe functions that may lead to an unsafe operation. The distance is not as relevant, but it's something we get for free.

@tautschnig tautschnig added this pull request to the merge queue Apr 24, 2025
Merged via the queue into model-checking:main with commit 5a8febb Apr 24, 2025
26 checks passed
@carolynzech carolynzech deleted the transitive-scan branch May 13, 2025 00:15
@carolynzech carolynzech mentioned this pull request May 28, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tautschnig tautschnig tautschnig approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@carolynzech @tautschnig @celinval