DEBUGGING: STATIC ANALYSIS

Similar documents
Static Slicing. Software Maintenance

slicing An example of slicing Consider the following example:

Verification & Validation of Open Source

Slicing. Rupesh Nasre. CS6843 Program Analysis IIT Madras Jan 2016

DEBUGGING: DYNAMIC PROGRAM ANALYSIS

Static Program Analysis Part 1 the TIP language

DEBUGGING: OBSERVING AND TRACKING

Conditioned Slicing. David Jong-hoon An. May 23, Abstract

Static Analysis of C++ Projects with CodeSonar

CS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018

Static Analysis and Dataflow Analysis

[0569] p 0318 garbage

Numbers: positional notation. CS61C Machine Structures. Faux Midterm Review Jaein Jeong Cheng Tien Ee. www-inst.eecs.berkeley.

Applications. Slicing. Program with Multiple Functionality. Outline. Definition. Program with Single Functionality

CS61, Fall 2012 Section 2 Notes

Procedures and Stacks

Outline. A C++ Linked Structure Class A C++ Linked List C++ Linked Dynamic Memory Errors In-class work. 1 Chapter 11: C++ Linked Structures

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community

Debugging Program Slicing

Intermediate Programming, Spring 2017*

Pointers. Memory. void foo() { }//return

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

Ricardo Rocha. Department of Computer Science Faculty of Sciences University of Porto

CS 31: Intro to Systems Pointers and Memory. Martin Gagne Swarthmore College February 16, 2016

EL2310 Scientific Programming

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

Manual Allocation. CS 1622: Garbage Collection. Example 1. Memory Leaks. Example 3. Example 2 11/26/2012. Jonathan Misurda

CS2141 Software Development using C/C++ Debugging

6. Control Statements II

From Java to C. Thanks to Randal E. Bryant and David R. O'Hallaron (Carnegie-Mellon University) for providing the basis for these slides

A Capacity: 10 Usage: 4 Data:

Q1: /8 Q2: /30 Q3: /30 Q4: /32. Total: /100

Outline. Lecture 1 C primer What we will cover. If-statements and blocks in Python and C. Operators in Python and C

Object-Oriented Programming for Scientific Computing

C Pointers. Abdelghani Bellaachia, CSCI 1121 Page: 1

COMP 303 Computer Architecture Lecture 3. Comp 303 Computer Architecture

Program Analysis. CSCE Lecture 16-03/03/2016

Introduction A Tiny Example Language Type Analysis Static Analysis 2009

PRINCIPLES OF OPERATING SYSTEMS

Static Analysis in C/C++ code with Polyspace

Understanding Pointers

Using Static Code Analysis to Find Bugs Before They Become Failures

CSCI 171 Chapter Outlines

a data type is Types

C Review. MaxMSP Developers Workshop Summer 2009 CNMAT

CSC 1600 Memory Layout for Unix Processes"

Outline. Computer programming. Debugging. What is it. Debugging. Hints. Debugging

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Lecture Notes on Memory Layout

APS105. Malloc and 2D Arrays. Textbook Chapters 6.4, Datatype Size

Compiling Code, Procedures and Stacks

Superscalar Processors Ch 14

Superscalar Processing (5) Superscalar Processors Ch 14. New dependency for superscalar case? (8) Output Dependency?

System Assertions. Andreas Zeller

Tour of common optimizations

A brief introduction to C programming for Java programmers

Lab Exam 1 D [1 mark] Give an example of a sample input which would make the function

Memory (Stack and Heap)

CS 61C: Great Ideas in Computer Architecture C Memory Management, Usage Models

ch = argv[i][++j]; /* why does ++j but j++ does not? */

C Programming SYLLABUS COVERAGE SYLLABUS IN DETAILS

6. Operatoren. 7. Safe Programming: Assertions. Table of Operators. Table of Operators - Explanations. Tabular overview of all relevant operators

Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security

Decision Making -Branching. Class Incharge: S. Sasirekha

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

Pointers, Dynamic Data, and Reference Types

Putting Static Analysis to Work for Verification

Chapter 2 (Dynamic variable (i.e. pointer), Static variable)

Structures and Pointers

CS 241 Data Organization Binary Trees

Lecture 14 Notes. Brent Edmunds

Software Model Checking. Xiangyu Zhang

M1-R4: Programing and Problem Solving using C (JAN 2019)

Superscalar Processors Ch 13. Superscalar Processing (5) Computer Organization II 10/10/2001. New dependency for superscalar case? (8) Name dependency

Midterm Exam Nov 8th, COMS W3157 Advanced Programming Columbia University Fall Instructor: Jae Woo Lee.

CS 2505 Computer Organization I Test 1. Do not start the test until instructed to do so!

CS377P Programming for Performance Single Thread Performance Out-of-order Superscalar Pipelines

Stanford University Computer Science Department CS 295 midterm. May 14, (45 points) (30 points) total

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

Lecture 8 Dynamic Memory Allocation

B.V. Patel Institute of Business Management, Computer & Information Technology, Uka Tarsadia University

CSCI-1200 Data Structures Spring 2016 Lecture 6 Pointers & Dynamic Memory

Subject: PROBLEM SOLVING THROUGH C Time: 3 Hours Max. Marks: 100

Research on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa, Ling Lu, Wen Jiao

ESC101N: Fundamentals of Computing End-sem st semester

Programming Language Implementation

TI2725-C, C programming lab, course

CS201- Introduction to Programming Current Quizzes

Kurt Schmidt. October 30, 2018

Hardening LLVM with Random Testing

Stephen McLaughlin. From Uncertainty to Belief: Inferring the Specification Within

Class Information ANNOUCEMENTS

Advanced Pointer Topics

18-642: Code Style for Compilers

Motivation. Both human- and computer-generated programs sometimes contain data-flow anomalies.

System Assertions. Your Submissions. Oral Exams FEBRUARY FEBRUARY FEBRUARY

Dynamic Allocation in C

Heap Arrays and Linked Lists. Steven R. Bagley

Qualifying Exam in Programming Languages and Compilers

18-642: Code Style for Compilers

Transcription:

DEBUGGING: STATIC ANALYSIS WS 2017/2018 Martina Seidl Institute for Formal Models and Verification

Deduction Techniques (1/2) basic idea: reasoning from abstract program to concrete program runs (program is not executed) 10 x = read ();... 20 y = 0;... 30 x = y;.. 40 print ("x = " + x); question: what is the value of variable x in line 40 and why? 1/26

Deduction Techniques (2/2) approach: identification of statements that could have caused the failure focus on relevant statements identification of statements that could not have caused the failure ignore irrelevant statements identification of possible origins of the failure narrow down search space more effective debugging 2/26

Interplay of Statements effects of statements: contribution to information flow write: change a program state control: determine next executed statement affected statements: involvement in information flow read: continue with changed program state execution: effect only manifests on execution dependencies between statements: control dependence data dependence 3/26

Data Dependence / Control Dependence data dependence: Statement B is data dependent on statement A if A write some variable x that is read by B there is at least one path in the control flow graph from A to B in which x is not overwritten by some other statement control dependence: Statement B is control dependent on statement A if B s execution is potentially controlled by A visualization in program-dependence graph analysis which statements influence which statements 4/26

Control Flow Graph A control flow graph is a representation of all paths that might be traversed through a program during its execution. elements of a control flow graph node: program statement edge: control flow special node: entry/exit node basic blocks: nodes that follow each other 5/26

Control Flow Patterns patterns for control structures: composing structure of a program 6/26

Complications When Reasoning about Programs jumps and gotos unconditional transfer of control indirect jumps jump address is stored in a variable dynamic dispatch method overwriting in object-oriented languages exceptions transfer of control to calling function 7/26

Example: Fibonacci Numbers Implementation with Defect 0 int fib (int n) { 1 int f; 2 int f0 = 1; 3 int f1 = 1; int main () { int n = 9; 4 while (n > 1) { 5 n = n - 1; 6 f = f0 + f1; 7 f0 = f1; 8 f1 = f; } 9 return f; } } while (n > 0) { printf("fib(%d)=%d\n", n, fib(n)); n = n - 1; } return 0; problem: fib (1) 8/26

Example: Effects 9/26

Example: Control Flow Graph 0 int fib (int n) { 1 int f; 2 int f0 = 1; 3 int f1 = 1; 4 while (n > 1) { 5 n = n - 1; 6 f = f0 + f1; 7 f0 = f1; 8 f1 = f; } 9 return f; } 10/26

Example: Control Flow Graph 0 int fib (int n) { 1 int f; 2 int f0 = 1; 3 int f1 = 1; 4 while (n > 1) { 5 n = n - 1; 6 f = f0 + f1; 7 f0 = f1; 8 f1 = f; } 9 return f; } 10/26

Example: Control Flow Graph 0 int fib (int n) { 1 int f; 2 int f0 = 1; 3 int f1 = 1; 4 while (n > 1) { 5 n = n - 1; 6 f = f0 + f1; 7 f0 = f1; 8 f1 = f; } 9 return f; } 10/26

Program Slicing problem: program computes wrong value for variable z at line 1024, but the statement at line 1024 is correct. Why? automaticly find defect with program slicing A program slice is a reduced program that preserves the original program s behavior for a given set of variables at a chosen point in a program. basic idea: focus on relevant statements and filter irrelevant ones narrow down infection sites 11/26

Static Slicing example: original program slice w.r.t. (4, {z}) 1 x = 2; 1 x = 2; 2 y = x + 2; 2 3 z = x + 1 ; 3 z = x + 1; 4 4 what happened? deletion of statements projection of program semantics was preserved 12/26

Static Slicing: (Informal) Definition A static slicing criterion of a program P is a pair (s, V ), where s is a statement in P and V is a subset of the variables in P. A slice S of a program P on a slicing criterion (s, V ) is a program such that S is obtained by deleting statements from P P s behavior on variables V is preserved in s note: no algorithm to find state-minimal slices (finding minimal slices is equivalent to solve the Halting problem!) 13/26

Forward Slicing given a statement A, the forward slice contains all statements whose read variables or execution could be influenced by A S F (A) = {B A + B} not included statements cannot be affected by A 14/26

Backward Slicing Given a statement B, the backward slice contains all statements that could influence the read variables or execution of B S B (B) = {B A + B} often all statements between A and B are included 15/26

Multiple Slices example: two slices (addition, multiplication) backward slice of addition backward slice of multiplication backward slice of addition and multiplication int main () { int a, b, sum, mul; sum = 0; mul = 1; a = read (); b = read (); while (a <= b) { sum = sum + a; mul = mul * a; a = a + 1; } write (sum); write (mul); } 16/26

Backbone statements that occur in both slices useful for focusing on common behavior a = read (); b = read (); while (a <= b) { a = a + 1; 17/26

Dice sum = 0; only the difference between two slices useful for focusing on differing behavior sum = sum + a; write (sum); 18/26

Chop intersection between a forward and a backward slice useful for determining how statement A (originating the forward slice) influences statement B (originating the backward slice) 19/26

Code Smells A code smell is a surface indication that usually corresponds to a deeper problem in the system (M. Fowler) examples: use of uninitialized variables unused values unreachable code memory leaks interface misuse null pointers 20/26

Example: Uninitialized Variables example 1: $ gcc -Wall -O -o fibo fibo.c fibo.c: In function `fib': fibo.c:7: warning: `f' might be used uninitialized in this function example 2 (false positive): int go; switch (color) { case RED: case AMBER: go = 0; break; case GREEN: go = 1; break; } if (go) {... } 21/26

Unused Variable / Unreachable Code unused variable: variable that is never read in the dependency graph, no other statement is data dependent on the write of such a variable unreachable code: code that is never executed example: if (w >= 0) printf ("w is non-negative\n"); else if (w > 0) printf ("w is positive\n"); 22/26

Memory Leaks / Null Pointers 1 int *readbuf (int size) { 2 int *p = malloc (size * sizeof(int)); 3 for (int i = 0; i < size; i++) { 4 p[i] = readint (); 5 if (p[i] == 0) 6 return 0; // end-of-file 7 } 8 return p; 9 } problems: line 2: return value of malloc is NULL no memory is allocated lines 5 and 6: function is left without reference to p p cannot be released 23/26

Interface Missuse memory is not the only resource that must be explicitly deallocated when no longer in use, e.g., streams, sockets, locks, devices,... indication in control flow graph: path from stream opening to statement where stream reference is lost without closing stream example: void readfile() { int fp = open(file); int size = readint(file); if (size <= 0) return;... close(fp); } 24/26

Defect Patterns class implements Cloneable but does not define or use clone method method might ignore exception null pointer dereference in method class defines equal(); should it be equals()? method may fail to close database resource method may fail to close stream method ignores return value unread field unused field unwritten field 25/26

Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access, e.g., a [i] depends on i pointers functions object orientation, concurrency further risks code mismatch abstracting away the execution environment imprecision 26/26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback