Bug Hunting and Static Analysis

Similar documents
CS2141 Software Development using C/C++ Debugging

Debugging with gdb and valgrind

CSE 374 Programming Concepts & Tools

Recitation: C Review. TA s 20 Feb 2017

CS354 gdb Tutorial Written by Chris Feilbach

18-642: Code Style for Compilers

CSE 374 Programming Concepts & Tools. Brandon Myers Winter 2015 Lecture 11 gdb and Debugging (Thanks to Hal Perkins)

Using Static Code Analysis to Find Bugs Before They Become Failures

Undefined Behaviour in C

Debugging and Profiling

Debugging. Erwan Demairy Dream

TI2725-C, C programming lab, course

ECE 471 Embedded Systems Lecture 22

CSCI-243 Exam 2 Review February 22, 2015 Presented by the RIT Computer Science Community

Recitation: Cache Lab & C

Low level security. Andrew Ruef

Embedded Software TI2726 B. 3. C tools. Koen Langendoen. Embedded Software Group

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

Class Information ANNOUCEMENTS

18-642: Code Style for Compilers

Scientific Programming in C IX. Debugging

Programming Tips for CS758/858

CptS 360 (System Programming) Unit 4: Debugging

System Assertions. Andreas Zeller

Dynamic Storage Allocation

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

12. Debugging. Overview. COMP1917: Computing 1. Developing Programs. The Programming Cycle. Programming cycle. Do-it-yourself debugging

Verification & Validation of Open Source

Important From Last Time

Guidelines for Writing C Code

New features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany

EL2310 Scientific Programming

Important From Last Time

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community

CSCI-1200 Data Structures Spring 2016 Lecture 6 Pointers & Dynamic Memory

Coding Tools. (Lectures on High-performance Computing for Economists VI) Jesús Fernández-Villaverde 1 and Pablo Guerrón 2 March 25, 2018

DEBUGGING: DYNAMIC PROGRAM ANALYSIS

Creating a String Data Type in C

CSE 15L Winter Midterm :) Review

Project #1: Tracing, System Calls, and Processes

Red Hat Developer Tools

Jlint status of version 3.0

valgrind overview: runtime memory checker and a bit more What can we do with it?

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

CS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018

An introduction to checkpointing. for scientific applications

Program Analysis Tools

CMSC 341 Lecture 2 Dynamic Memory and Pointers

System Administration and Network Security

Debugging (Part 2) 1

Reviewing gcc, make, gdb, and Linux Editors 1

Oracle Developer Studio Code Analyzer

Static Program Analysis Part 1 the TIP language

CS61, Fall 2012 Section 2 Notes

Is code in your project sane enough?

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

o Code, executable, and process o Main memory vs. virtual memory

Improving Linux development with better tools

CSCI0330 Intro Computer Systems Doeppner. Lab 02 - Tools Lab. Due: Sunday, September 23, 2018 at 6:00 PM. 1 Introduction 0.

CS61 Scribe Notes Lecture 18 11/6/14 Fork, Advanced Virtual Memory

Red Hat Developer Tools 2.1

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Data and File Structures Laboratory

CS 11 C track: lecture 5

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

CSC209 Review. Yeah! We made it!

Intermediate Programming, Spring 2017*

Static Analysis of a Linux Distribution

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

CS 31: Intro to Systems Pointers and Memory. Martin Gagne Swarthmore College February 16, 2016

System Assertions. Your Submissions. Oral Exams FEBRUARY FEBRUARY FEBRUARY

Testing and Debugging

Computer Labs: Debugging

Memory and C/C++ modules

Outline. Computer programming. Debugging. What is it. Debugging. Hints. Debugging

A Novel Approach to Explain the Detection of Memory Errors and Execution on Different Application Using Dr Memory.

Lecture 14. No in-class files today. Homework 7 (due on Wednesday) and Project 3 (due in 10 days) posted. Questions?

CSE 303: Concepts and Tools for Software Development

Exercise Session 6 Computer Architecture and Systems Programming

Analysis Tool Project

Trends in Open Source Security. FOSDEM 2013 Florian Weimer Red Hat Product Security Team

Making things work as expected

Static Analysis in C/C++ code with Polyspace

Limitations of the stack

My malloc: mylloc and mhysa. Johan Montelius HT2016

Section 1: Tools. Contents CS162. January 19, Make More details about Make Git Commands to know... 3

Recitation #12 Malloc Lab - Part 2. November 14th, 2017

Use Dynamic Analysis Tools on Linux

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files. Compiler vs.

Debugging with TotalView

Lecture 07 Debugging Programs with GDB

Dr. Memory MEMORY DEBUGGER FOR WINDOWS AND LINUX WGM #47 GUSTAVO ROVELO MARCH 1 ST, 2012

Java Internals. Frank Yellin Tim Lindholm JavaSoft

RED HAT DEVELOPER TOOLSET Build, Run, & Analyze Applications On Multiple Versions of Red Hat Enterprise Linux

Martin Kruliš, v

Red Hat Developer Tools

Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security

Transcription:

Bug Hunting and Red Hat Ondřej Vašík <ovasik@redhat.com> and Petr Müller <pmuller@redhat.com> 2011-02-11 Abstract Basic overview of common error patterns in C/C++, few words about defensive programming and tools for dynamic analysis. In second part we will cover what static analysis is, which tools could be used.

Common Errors in C/C++ Programs Agenda 1 Common Errors in C/C++ Programs 2 How to Prevent a Failure in Production? 3 4 Why and how?

Common Errors in C/C++ Programs Common Errors in C/C++ Programs dereference of a dangling pointer or NULL pointer invalid or double free() buffer overflow resource leak (memory, file descriptor, etc.) use of uninitialized value... dead code synchronisation problems

How to Prevent a Failure in Production? Agenda 1 Common Errors in C/C++ Programs 2 How to Prevent a Failure in Production? 3 4 Why and how?

How to Prevent a Failure in Production? How to Prevent a Failure in Production? defensive programming regression tests, valgrind, etc. Fedora users ABRT... static analysis

How to Prevent a Failure in Production? Defensive Programming use compiler protection mechanisms -D FORTIFY SOURCE=2 stack-protector, PIE/PIC, RELRO, ExecShield don t ignore warnings (-Wall -Wextra) never trust anyone, never assume anything memory boundaries check return codes/error codes use descriptors respect uid/gids, don t over escalate privileges asserts www.akkadia.org/drepper/defprogramming.pdf

How to Prevent a Failure in Production? Testing Levels: unit code piece testing, usually developer integration testing interface between parts system testing the whole stuff together Purpose: performance measurements of resource usage regression finding new bugs after a change load/stress reliability/robustness/scalability The theory ain t clear and unified, so we could argue whole day...

How to Prevent a Failure in Production? How can you help testing Of course But also Run test suites and investigate results Submit testcases with your patches where applicable Use easy measures when you test, like MALLOC PERTURB Drepper, Ulrich: MALLOC PERTURB : http://udrepper.livejournal.com/11429.html

How to Prevent a Failure in Production? Dynamic Analysis valgrind systemtap oprofile strace ltrace gdb

How to Prevent a Failure in Production? valgrind very powerful suite for debugging/profiling, not just for checking resource leaks(memory, descriptors,...) Usage: easy-to-use tool for searching for memory leaks with detailed log output locates exact place of allocating memory which is not freed How?: it is highly recommended to have debuginfo packages for libraries used by the binary you are checking highest impact have resource leaks in applications running for long time (e.g. daemons) or in applications working with a lot of data (long time run) simple usage to gather a lot of information is: valgrind -v --leak-check=full <binary> <arguments> 2>myvalgrind.log

How to Prevent a Failure in Production? strace, ltrace monitoring utilities showing system/library calls executed by program and signals/exitcodes it received Usage: revealing a place of hanging (e.g. waiting for I/O, timeout) revealing syscalls/library functions called by program, their parameters and exit codes Benefits: for experienced maintainer a lot of information about the program run, he could analyze where the problem occured and fix the issue no need for debuginfos, a lot of informations gathered in one log file How?: just run program under strace(or ltrace): strace./whatever 2>mystrace or attach strace(or ltrace) to existing process: strace -p PID 2>mystrace

How to Prevent a Failure in Production? oprofile, gdb, systemtap useful dynamic tools covered by other talks on DevConf2011 oprofile: powerful tool for profiling, finding most called functions covered by parallel workshop by Ivana Hutařová Vařeková gdb: well known debugging tool covered on Saturday 13:20 in D3 by Jan Kratochvíl SystemTap: system-wide probe/trace tool covered today 15:00 in B007 by Petr Müller

Agenda 1 Common Errors in C/C++ Programs 2 How to Prevent a Failure in Production? 3 4 Why and how?

Already done by the compiler (various warnings) Dynamic vs. static analysis Problem with boundaries: dependencies, libraries False positives

Techniques Error patterns (missing break, etc.) Enhanced type checking Attributes, annotations Model checking Abstract interpretation

Techniques Examples (1/2) FORWARD NULL If a pointer is checked against NULL, it should be checked before the pointer is first dereferenced. RESOURCE LEAK The last handle of a resource (a piece of allocated memory, file descriptor, mutex, etc.) is definitely lost at some point in the program before the resource is released. USE AFTER FREE The program logic allows to access (dereference, free,... ) an already freed memory. Common mistake in error handling code of libraries.

Techniques Examples (2/2) CHECKED RETURN If the return value of a particular function is checked in the vast majority of calls of the function, then the return value should likely be always checked. DEAD CODE If a certain part of source code can never be reached during execution of the program, it usually implies that the program does not do what the programmer intended to do. http://www-2.cs.cmu.edu/ aldrich/courses/654-sp09/tools/cure-coverity-06.pdf

Example of a Fixed Code Defect a hidden bug in the curl project found by static analysis http://github.com/bagder/curl/compare/62ef465...7aea2d5 diff --git a/lib/rtsp.c b/lib/rtsp.c --- a/lib/rtsp.c +++ b/lib/rtsp.c @@ -709,7 +709,7 @@ while(*start && ISSPACE(*start)) start++; - if(!start) { + if(!*start) { failf(data, "Got a blank Session ID"); } else if(data->set.str[string RTSP SESSION ID]) {

Tools sparse Clang Static Analyzer Coverity gcc plug-ins FindBugs (for our Java friends) Splint (and lints in general) gazillion more, but of various usefulness

sparse Tiny project, c.c.a. 30 000 lines of code Able to analyze the whole Linux kernel make CC=cgcc Provided also as a library, which is available on Fedora Checks mostly useful for kernel (mixing user and kernel space pointers)

clang Static Analyzer LLVM frontend 1 scan-build./configure... 2 scan-build make 3 scan-view

Coverity enterprise tool, not freely available often used to analyse free software static analysis + abstract interpretation modular, various checkers (including the examples above) advanced statistical methods for elimination of false positives

Coverity Examples of Fixed Bugs abrt missing check of a return value buffer overflow memory leak use of uninitialized value https://bugzilla.redhat.com/628716 attr memory leak double free logical error http://lists.gnu.org/archive/html/acl-devel/2010-06/msg00000.html

Coverity Examples of Fixed Bugs libucil 3 resource leak http://launchpadlibrarian.net/57222837/0001-libucil-fix-some-memory-leaks.patch libunicap 8 memory error OOM state handling http://launchpadlibrarian.net/58529876/0002-libunicap-fix-various-memory-errors.patch libunicapgtk invalid use of a local variable https://bugs.launchpad.net/unicap/+bug/656232

gcc plug-ins Easy to use (just add a flag to CFLAGS) No parsing errors No unrecognized gcc options One intermediate code used for both analysis and building Universal gcc plug-ins (DragonEgg, Dehydra, Treehydra,...) You can write custom gcc plug-ins

FindBugs Finding bugs in Java Works over bytecode Designed to avoid false positives

Splint Works with C programs Traditional lint-like tool Additionally, it works with annotations

There are more, but Lots of tools are capable, as there is scientific community around. The catches are: Scientists tend to use obscure languages (OCaml, F#) Scientists tend to publish the unfinished business and move on But sometimes: Companies hire scientists for the job (Intel, MS) Scientists try to get rich (Coverity, Monoidics)

Why and how? Agenda 1 Common Errors in C/C++ Programs 2 How to Prevent a Failure in Production? 3 4 Why and how?

Why and how? Why? In our opinion: OS projects: many changes, no or small control Unwanted side-effects quite likely Tests are fine, but slow and you need resources Tests may pass even if program is broken FV tools are usually quite fast False positives not much an issue: just changes can be watched

Why and how? How to use the tools? Package them in Fedora Use them Tie them into build processes Improve them Any ideas?...

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback