Verifying source code

Similar documents
Static Analysis in C/C++ code with Polyspace

[ANALYSIS ASSIGNMENT 10]

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

Intro to Proving Absence of Errors in C/C++ Code

From Design to Production

Verification and Test with Model-Based Design

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

SOFTWARE QUALITY OBJECTIVES FOR SOURCE CODE

Important From Last Time

Verification and Validation of Models for Embedded Software Development Prashant Hegde MathWorks India Pvt. Ltd.

Weiss Chapter 1 terminology (parenthesized numbers are page numbers)

Verification Using Static Analysis

A Short Summary of Javali

Developing AUTOSAR Compliant Embedded Software Senior Application Engineer Sang-Ho Yoon

Outline. Java Models for variables Types and type checking, type safety Interpretation vs. compilation. Reasoning about code. CSCI 2600 Spring

Leveraging Formal Methods Based Software Verification to Prove Code Quality & Achieve MISRA compliance

Static Program Analysis Part 1 the TIP language

Jay Abraham 1 MathWorks, Natick, MA, 01760

All code must follow best practices. Part (but not all) of this is adhering to the following guidelines:

Full file at

18-642: Code Style for Compilers

COMP6700/2140 Data and Types

CS260 Intro to Java & Android 03.Java Language Basics

Program Correctness and Efficiency. Chapter 2

MISRA-C. Subset of the C language for critical systems

Static program checking and verification

Static Analysis of C++ Projects with CodeSonar

18-642: Code Style for Compilers

Mobile Computing Professor Pushpendra Singh Indraprastha Institute of Information Technology Delhi Java Basics Lecture 02

Model-Based Design for High Integrity Software Development Mike Anthony Senior Application Engineer The MathWorks, Inc.

Contents. Figures. Tables. Examples. Foreword. Preface. 1 Basics of Java Programming 1. xix. xxi. xxiii. xxvii. xxix

Page 1. Stuff. Last Time. Today. Safety-Critical Systems MISRA-C. Terminology. Interrupts Inline assembly Intrinsics

BASIC COMPUTATION. public static void main(string [] args) Fundamentals of Computer Science I

CS 376b Computer Vision

Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group

Implementation and Verification Daniel MARTINS Application Engineer MathWorks

3. Java - Language Constructs I

Programming Language Basics

Using Static Code Analysis to Find Bugs Before They Become Failures

Verification and Validation of High-Integrity Systems

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Verification & Validation of Open Source

CS5000: Foundations of Programming. Mingon Kang, PhD Computer Science, Kennesaw State University

CMSC 132: Object-Oriented Programming II. Effective Java. Department of Computer Science University of Maryland, College Park

CE221 Programming in C++ Part 1 Introduction

Guidelines for Writing C Code

Short Notes of CS201

G52PGP. Lecture oo3 Java (A real object oriented language)

Topics Covered Thus Far CMSC 330: Organization of Programming Languages

Introduction to Java

Analysis Tool Project

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

CS201 - Introduction to Programming Glossary By

CSCI 2101 Java Style Guide

Program Verification. Aarti Gupta

Java Language Basics: Introduction To Java, Basic Features, Java Virtual Machine Concepts, Primitive Data Type And Variables, Java Operators,

Outline. Overview. Control statements. Classes and methods. history and advantage how to: program, compile and execute 8 data types 3 types of errors

Lecture 15 Software Testing

Review Chapters 1 to 4. Instructor: Scott Kristjanson CMPT 125/125 SFU Burnaby, Fall 2013

Java Primer 1: Types, Classes and Operators

ABSTRACT INTERPRETATION

Introduction to Visual Basic and Visual C++ Introduction to Java. JDK Editions. Overview. Lesson 13. Overview

Examining the Code. [Reading assignment: Chapter 6, pp ]

Introduction to Java

Operational Semantics. One-Slide Summary. Lecture Outline

CS11 Java. Fall Lecture 1

Tester vs. Controller. Elementary Programming. Learning Outcomes. Compile Time vs. Run Time

Increasing Design Confidence Model and Code Verification

data_type variable_name = value; Here value is optional because in java, you can declare the variable first and then later assign the value to it.

12/22/11. Java How to Program, 9/e. Help you get started with Eclipse and NetBeans integrated development environments.

Elementary Programming

CS6202: Advanced Topics in Programming Languages and Systems Lecture 0 : Overview

CSE331 Spring 2015, Final Examination June 8, 2015

Understanding Undefined Behavior

Chapter 1 INTRODUCTION SYS-ED/ COMPUTER EDUCATION TECHNIQUES, INC.

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Topics Covered Thus Far. CMSC 330: Organization of Programming Languages. Language Features Covered Thus Far. Programming Languages Revisited

Course Outline. Introduction to java

BIT Java Programming. Sem 1 Session 2011/12. Chapter 2 JAVA. basic

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

H212 Introduction to Software Systems Honors

State of Practice. Automatic Verification of Embedded Control Software with ASTRÉE and beyond

Entry Point of Execution: the main Method. Elementary Programming. Learning Outcomes. Development Process

Program Fundamentals

PIC 20A The Basics of Java

Exam 1 Prep. Dr. Demetrios Glinos University of Central Florida. COP3330 Object Oriented Programming

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

CS558 Programming Languages

Java is an objet-oriented programming language providing features that support

Sri Vidya College of Engineering & Technology

Assumptions. History

Using Type Annotations to Improve Your Code

Lexical Considerations

CMSC 330: Organization of Programming Languages

And Parallelism. Parallelism in Prolog. OR Parallelism

EINDHOVEN UNIVERSITY OF TECHNOLOGY

CS558 Programming Languages

정형기법을활용한 AUTOSAR SWC 의구현확인및정적분석

GB Programming Challenges

Introduction to Programming Using Java (98-388)

Transcription:

Software and Systems Verification (VIMIMA01) Verifying source code Akos Hajdu, Istvan Majzik, Zoltan Micskei Budapest University of Technology and Economics Fault Tolerant Systems Research Group Budapest University of Technology and Economics Department of Measurement and Information Systems 1

Overview (1) Main topics of the course o V&V techniques, Critical systems Static techniques (2) o Verifying specifications o Verifying source code Dynamic techniques: Testing (7) o Developer testing, Test design techniques o Testing process and levels, Test generation, Automation System-level verification (3) o Verifying architecture, Dependability analysis o Runtime verification 2

Motivation bad example 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 public class Class1 { public decimal Calculate(decimal amount, int type, int years) { decimal result = 0; decimal disc = (years > 5)? (decimal)5/100 : (decimal)years/100; if (type == 1) result = amount; else if (type == 2) { result = (amount - (0.1m * amount)) - disc * (amount - (0.1m * amount)); } else if (type == 3) { result = (0.7m * amount) - disc * (0.7m * amount); } else if (type == 4) { result = (amount - (0.5m * amount)) - disc * (amount - (0.5m * amount)); } return result; } } http://www.codeproject.com/articles/1083348/csharp-bad-practices-learn-how-to-make-a-good-code 3

Properties of a good source code Syntactically correct Compiler Good quality o Readable, reusable, maintainable Coding guidelines Free of bugs Static analysis, testing Adheres to the specification Code review, testing 4

CODING GUIDELINES 5

Learning outcomes List some domain, platform and organization specific coding guidelines and some of their typical categories and elements (K1) Apply manual code review on a small unit of code (~50-100 LOC) using common review criteria (K3) 6

Performed by humans Manual code review o Typically other team members o Usually based on some structured checklist o Similar to review techniques for specification (prev. lecture) Tools can help o GitHub pull request o Gerrit: web based code review 7

Coding guidelines introduction Set of rules giving recommendations on o Style: formatting, naming, structure o Programming practices: constructs, architecture Main categories o Industry/domain specific Automotive, railway, o Platform specific C, C++, C#, Java, o Organization specific Google, CERN, 8

Industry specific: MISRA C Motor Industry Software Reliability Association Focus on safety, security, reliability, portability 143 rules + 16 directives Tools: SonarQube, Coverity, Examples o RHS of && and operators shall not contain side effects o Test against zero should be made explicit for non-booleans o Body of if, else, while, do, for shall always be enclosed in braces 9

Platform specific:.net Framework Design Guidelines (C#) o Focus on framework and API development Categories o Naming, type design, member design, extensibility, exceptions, usage, common design patterns o Do, Consider, Avoid, Do not Tool: StyleCop https://msdn.microsoft.com/en-us/library/ms229042(v=vs.110).aspx 10

Examples Platform specific:.net o DO NOT provide abstractions unless they are tested by developing several concrete implementations and APIs consuming the abstractions. o CONSIDER making base classes abstract even if they don t contain any abstract members. This clearly communicates to the users that the class is designed solely to be inherited from. o DO use the same name for constructor parameters and a property if the constructor parameters are used to simply set the property. https://msdn.microsoft.com/en-us/library/ms229042(v=vs.110).aspx 11

Organization specific: Google Java Style Guide Focus on hard-and-fast rules, avoids advices Categories o Source file basics o Source file structure o Formatting o Naming o Programming practices o Javadoc https://google.github.io/styleguide/javaguide.html 12

Examples Organization specific: Google o Never make your code less readable simply out of fear that some programs might not handle non-ascii characters properly. If that should happen, those programs are broken and they must be fixed. o In Google Style special prefixes or suffixes, like those seen in the examples name_, mname, s_name and kname, are not used. o When a reference to a static class member must be qualified, it is qualified with that class's name, not with a reference or expression of that class's type. o Local variable names are written in lowercamelcase. https://google.github.io/styleguide/javaguide.html 13

Organization specific: CERN ROOT: data analysis tool/framework for high energy physics (C++) Categories o Naming o Exceptions o Namespaces o Comments o Source layout Tool: Artistic Style (astyle) https://root.cern/coding-conventions 14

Examples Organization specific: CERN o Avoid the use of raw C types like int, long, float, double when using data that might be written to disk. o For naming conventions we follow the Taligent rules. Types begin with a capital letter (Boolean), base classes begin with T (TContainerView), members begin with f (fviewlist), o Each header file has the following layout: Module identification line, Author line, Copyright notice, Multiple inclusion protection macro, Headers file includes, Forward declarations, Actual class definition. https://root.cern/coding-conventions 15

Coding guidelines summary How to enforce o Base functionality in many IDEs o External tools o Tool integrated in the workflow Important o Always use a common guideline o As a minimum, common IDE formatter settings Can usually be committed to version control as a settings file 16

Coding guidelines summary Which one is the best? Which one to select? In many cases it is already determined o By the industry, platform or organization o Consistency with the current code base Sometimes it can be determined o There may be no single best one They can be even inconsistent with each other Combination is possible o Do not reinvent the wheel Makes it harder for new developers 17

STATIC ANALYSIS 18

Static analysis example 1 2 3 4 5 6 7 8 9 10 11 12 13 14 public class Sample { public static void main(string[] args) { String str = null; try { Scanner scanner = new Scanner("file.txt"); } } str = scanner.nextline(); scanner.close(); } catch (Exception e) { System.out.println("Error opening file!"); } str.replace(" ", ""); System.out.println(str); Scanner not closed in case of exception str may be null str immutable 19

Learning outcomes List some bugs that can be detected with static analysis (K1) Use a static analysis tool to find bugs and mistakes in a non-trivial code base (~100-1000 LOC) (K3) 20

Static analysis introduction Definition: analysis of software without execution o Usually automated tools o Human analysis (code review) Pattern-based o Basic static properties with error patterns (mostly) E.g., ignored return value, unused variable o FindBugs, SonarQube, Coverity Interpretation-based o Dynamic properties E.g., null pointer dereference, index out of bounds o Infer, PolySpace 21

FindBugs (Java) Large and extensible set of rules Command line, GUI, Eclipse plug-in Examples o Bad practice: random object created and used only once o Correctness: bitwise add of signed byte value o Vulnerability: expose inner static state by storing mutable object into a static field o Multithreading: synchronization on Boolean could lead to deadlock o Performance: invoke tostring() on a string o Security: hardcoded constant database password o Dodgy: useless assignment in return statement http://findbugs.sourceforge.net/ 22

FindBugs (Java) 23

SonarQube Code quality management platform 20+ programming languages (Java, C, C++, C#, ) Features o Examines coding standards, duplicated code, test coverage, code complexity, potential bugs and vulnerabilities, technical debt o Produces reports, evolution graphs o Integrates with external tools: IDEs, CI tools, http://www.sonarqube.org/ 24

SonarQube 25

SonarQube 26

Coverity Static analyzer of the Synopsys suite C, C++, C#, Java, JavaScript Used by CERN, NASA, Examples: resource leaks, null pointers, uninitialized data, concurrency issues, Coverity Scan: free service for open source projects o Integrated with GitHub and Travis CI http://www.synopsys.com/software/coverity/pages/default.aspx https://scan.coverity.com/ 27

Using static analysis tools efficiently Integrate to build process o Perform check before/after each commit o Generate reports, send e-mails Use from the start of a project o Too many problems would discourage developers Configure the tools o Filter based on severity or category o Add custom rules 28

Using static analysis tools efficiently Review the results carefully o False positives and false negatives are possible False positive o No errors found does not mean correct software False negative o An error found may not cause a real failure o Ignore rule / one occurrence Always explain why it is not an error 29

Advantages of static analysis Analyzing software without execution o Analysis before software is executable or input is present o Execution may be expensive Find subtle errors o Interesting even for expert programmers Automatic process o Integrated into development process 30

DYNAMIC PROPERTIES WITH STATIC ANALYSIS 31

Learning outcomes Explain the main concept of abstract interpretation (K2) 32

Dynamic properties Motivation: detect run time failures without executing the software o Examples: null pointer, index out of bounds, uninitialized data, arithmetic error, overflow, dead code, Can be performed by control-flow and data-flow analysis o Calculate interval for each variable o Propagate intervals based on control-flow 33

Example 0: k=ioread32(); 1: i=2; 2: j=k+5; 3: while (i<10) { 4: i=i+1; 5: j=j+3; 6: } 7: // end of loop 8: k=k/(i-j); Division by zero? For what k? 34

Example Possible (i,j,k) values X0={(0,0,k) k [-2 31,2 31-1]} X1={(2,j,k) (i,j,k) X0} X2={(i,k+5,k) (i,j,k) X1} X3= X2 X6 X4={(i+1,j,k) (i,j,k) X3, i<10} X5={(i,j+3,k) (i,j,k) X4} X6= X5 X7={(i,j,k) (i,j,k) X3, i=10} X8={(i,j,k/(i-j)) (i,j,k) X7} 0: k=ioread32(); 1: i=2; 2: j=k+5; 3: while (i<10) { 4: i=i+1; 5: j=j+3; 6: } 7: // end of loop 8: k=k/(i-j); 35

Example X0={(0,0,k) k [-2 31,2 31-1]} X0={(0,0,k) k [-2 31,2 31-1]} X1={(2,j,k) (i,j,k) X0} X1={(2,0,k) k [-2 31, 2 31-1]} X2={(i,k+5,k) (i,j,k) X1} X2={(2,k+5,k) k [-2 31, 2 31-1]} X3= X2 X6 X3={(i,j,k) k [-2 31, 2 31-1], i [2,10], j=k+3i-1} X4={(i+1,j,k) (i,j,k) X3, i<10} X4={(i,j,k) k [-2 31, 2 31-1], i [3,10], j=k+3i-4} 0: k=ioread32(); 1: i=2; 2: j=k+5; 3: while (i<10) { 4: i=i+1; 5: j=j+3; 6: } 7: // end of loop 8: k=k/(i-j); Loop invariant: j=k+5+3(i-2) 36

Example X5={(i,j+3,k) (i,j,k) X4} X5={(i,j,k) k [-2 31, 2 31-1], i [3,10], j=k+3i-1} X6= X5 X6=X5 X7={(i,j,k) (i,j,k) X3, i=10} X7={(10,j,k) k [-2 31, 2 31-1], j=k+29} X8={(i,j,k/(i-j)) (i,j,k) X7} X8={(10,j,k/(i-j)) k [-2 31, 2 31-1], j=k+29} Error at X8, if i-j=0 0: k=ioread32(); 1: i=2; 2: j=k+5; 3: while (i<10) { 4: i=i+1; 5: j=j+3; 6: } 7: // end of loop 8: k=k/(i-j); Since i=10, this can happen if k=-19 X8 error ={(10,10,-19)} 37

Analyzing dynamic properties Based on analyzing control-flow and data-flow o Operations with intervals and constraints o Loops: determine loop invariants Calculating loop invariants o Undecidable in general o Approximations are required Abstraction: over-approximate intervals o All errors are detected o False negatives (errors) are possible Can be treated as a hint for further analysis 38

Abstraction illustrated x(t) Real error Error zone Error zone Possible trajectories of variable x during execution Abstraction False negative (error) 39 t Source: Patrick Cousot VMCAI 05

Infer Static analysis tool by Facebook o Focus on mobile development o Users: Facebook, Instagram, Oculus, Spotify, WhatsApp, Android and Java o Null pointers, resource leaks, context leak ios and Objective-C o Null pointers, memory leaks, resource leaks http://fbinfer.com/ 40

Infer 41

PolySpace Static analysis tool by MathWorks for C/C++ Bug Finder o Run time errors, concurrency issues, vulnerabilities o Coding guidelines Code prover o Can prove absence of overflow, division by zero, index out of bounds o Color codes: safe, definite error, unproven, unreachable http://www.mathworks.com/products/polyspace/ 42

More subtle errors Difficulty Verifying source code summary Coding guidelines o Industry, platform, organization specific Static analysis tools o Analyze software without execution Dynamic properties with static analysis o Abstract interpretation 43

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback