Verification Using Static Analysis

Similar documents
Verification and Validation

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

ΗΜΥ 317 Τεχνολογία Υπολογισμού

Verification and Validation

Ingegneria del Software II academic year: Course Web-site: [

Part 5. Verification and Validation

Lecture 9. Verification and Validation. Assuring that a software system meets a user's needs. Tutorial Questions. Verification and Validation

RELIABLE SOFTWARE SYSTEMS

Using Static Code Analysis to Find Bugs Before They Become Failures

Verification and Validation

Verification and Validation

Examining the Code. [Reading assignment: Chapter 6, pp ]

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

Static Analysis in C/C++ code with Polyspace

Computer aided verification

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Verifying source code

High Performance Computing MPI and C-Language Seminars 2009

Agenda. Address vs. Value Consider memory to be a single huge array. Review. Pointer Syntax. Pointers 9/9/12

Static Analysis of C++ Projects with CodeSonar

Two s Complement Review. Two s Complement Review. Agenda. Agenda 6/21/2011

G52CPP C++ Programming Lecture 3. Dr Jason Atkin

HW1 due Monday by 9:30am Assignment online, submission details to come

CMPT 115. C tutorial for students who took 111 in Java. University of Saskatchewan. Mark G. Eramian, Ian McQuillan CMPT 115 1/32

Static and dynamic Testing

CE221 Programming in C++ Part 1 Introduction

Verification and Validation. Assuring that a software system meets a user s needs. Verification vs Validation. The V & V Process

CAE-SCRUB for Incorporating Static Analysis into Peer Reviews

An Introduction to Systematic Software Testing. Robert France CSU

Fall 2017 CISC124 9/16/2017

Finding the Static Analysis Sweet Spot

Lecture 2: C Programm

Analysis Tool Project

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

Plan for Today. Safe Programming Languages. What is a secure programming language?

CS61C : Machine Structures

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

Chapter 11, Testing. Using UML, Patterns, and Java. Object-Oriented Software Engineering

CS61C : Machine Structures

CS2141 Software Development using C/C++ Debugging

The SPIN Model Checker

Materials covered in this lecture are: A. Completing Ch. 2 Objectives: Example of 6 steps (RCMACT) for solving a problem.

C-Programming. CSC209: Software Tools and Systems Programming. Paul Vrbik. University of Toronto Mississauga

CS 220: Introduction to Parallel Computing. Arrays. Lecture 4

CS61C : Machine Structures

Lecture 3: C Programm

Verification and Validation

Object-Oriented Programming in Java

More C Pointer Dangers

Compiler Construction

CS61C : Machine Structures

XFindBugs: extended FindBugs for AspectJ

CS61C Machine Structures. Lecture 3 Introduction to the C Programming Language. 1/23/2006 John Wawrzynek. www-inst.eecs.berkeley.

Review! * follows a pointer to its value! & gets the address of a variable! Pearce, Summer 2010 UCB! ! int x = 1000; Pearce, Summer 2010 UCB!

CS61C Machine Structures. Lecture 4 C Pointers and Arrays. 1/25/2006 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

Lecture 05 I/O statements Printf, Scanf Simple statements, Compound statements

Physics 2660: Fundamentals of Scientific Computing. Lecture 3 Instructor: Prof. Chris Neu

Formal Methods for Software Development

Static Code Analysis to Find Bugs. Wright.edu CS7140 Spring 2013 (Slides collected from many sources)

Intro to C: Pointers and Arrays

Bugs in software. Using Static Analysis to Find Bugs. David Hovemeyer

CS Programming In C

Processor. Lecture #2 Number Rep & Intro to C classic components of all computers Control Datapath Memory Input Output

The Java Language Implementation

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019

Chapter 11 Introduction to Programming in C

Chapter 11 Introduction to Programming in C

CS 61C: Great Ideas in Computer Architecture C Pointers. Instructors: Vladimir Stojanovic & Nicholas Weaver

Global Optimization. Lecture Outline. Global flow analysis. Global constant propagation. Liveness analysis. Local Optimization. Global Optimization

Number Review. Lecture #3 More C intro, C Strings, Arrays, & Malloc Variables. Clarification about counting down

Verification and Test with Model-Based Design

Chapter 11 Introduction to Programming in C

TTh 9.25 AM AM Strain 322

Management. Software Quality. Dr. Stefan Wagner Technische Universität München. Garching 28 May 2010

Testing, code coverage and static analysis. COSC345 Software Engineering

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

CSE 303 Lecture 8. Intro to C programming

Lecture 4: Outline. Arrays. I. Pointers II. III. Pointer arithmetic IV. Strings

CS 6371: Advanced Programming Languages

Lecture 15 Software Testing

Kurt Schmidt. October 30, 2018

CS61C : Machine Structures

CS61C : Machine Structures

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 12, FALL 2012

Lecture 14. No in-class files today. Homework 7 (due on Wednesday) and Project 3 (due in 10 days) posted. Questions?

ECEN 449 Microprocessor System Design. Review of C Programming. Texas A&M University

Functions in C C Programming and Software Tools

EC 413 Computer Organization

Topics in Software Testing

CS111: PROGRAMMING LANGUAGE II

Applications of Formal Verification

Compiler Construction

Applications of Formal Verification

Programming in C S c o t t S c h r e m m e r

Chapter 11 Introduction to Programming in C

School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne

DEBUGGING: STATIC ANALYSIS

Transcription:

Verification Using Static Analysis Outline Today we will discuss static analysis and how it differs from dynamic analysis We will also look at the different types of static analysis including: Control flow analysis, data use analysis, interface analysis, information flow analysis, and path analysis We will look at three specific static analyzers: LINT, FindBugs and CodeSurfer Path Inspector Finally, we will discuss a case study of the SCRUB tool at NASA JPL CSCI 3060U Lecture 18 Slide 1

Static vs. Dynamic Analysis Dynamic Analysis involves execution the program and observing the outcomes. e.g., Testing Static Analysis involves examining a program without executing it. e.g., Code Inspection CSCI 3060U Lecture 18 Slide 2

Automated Static Analyzers What are Static Analyzers? Code inspection techniques that we have looked at involve examining the source code by hand. Static analyzers are tools that can be used during inspection to help identify problems in the code automatically. Static analyzers typically work best with language that lack strict type rules (such as C). Languages such as Java have removed language features that cause errors (e.g., all variables must be initialized). CSCI 3060U Lecture 18 Slide 3

Automated Static Analyzers Static Analyzer Process Static analyzers have 3 basic steps: Scan source code Perform an automated analysis of the code Report any faults and/or anomalies CSCI 3060U Lecture 18 Slide 4

Different types of static analysis checks Fault class Data faults Control faults Input/output faults Interface faults Storage management faults Static analysis check Variables used before initialisation Variables declared but never used Variables assigned twice but never used between assignments Possible array bound violations Undeclared variables Unreachable code Unconditional branches into loops Variables output twice with no intervening assignment Parameter type mismatches Parameter number mismatches Non-usage of the results of functions Uncalled functions and procedures Unassigned pointers Pointer arithmetic Source: Sommerville, Software Engineering, 7 th Edition, Addison-Wesley 2004. Lecture 18 Slide 5

How do static analyzers find Types of Analysis faults? Data use analysis: identify variable use such as variables used but not initialized, declared but not used, etc. (finds Data faults, Input/Output faults, Storage management faults) Control flow analysis: identify unreachable code, exit/entry points, loops. (finds Control faults) Interface analysis: checks consistency of declaration/use of procedures/routines. (finds Interface faults) Information flow analysis: identifies variables dependencies (e.g. input/output dependencies) but not faults. Path analysis: identifies all possible paths through the control flow graph. CSCI 3060U Lecture 18 Slide 6

A Static Analysis Tool LINT One example of a static analyzer is LINT LINT works on C code and is typically found on Linux/Unix systems. We will now consider a small example using LINT. More details: http://www.unix.com/man-page/freebsd/1/lint There is also a version of LINT for Java called Jlint http://jlint.sourceforge.net/ CSCI 3060U Lecture 18 Slide 7

A Static Analysis Tool LINT Example 138% more lint_ex.c #include <stdio.h> printarray (Anarray) int Anarray; { printf( %d,anarray); } main () { int Anarray[5]; int i; char c; printarray (Anarray, i, c); printarray (Anarray) ; } 139% cc lint_ex.c Code compiled with no errors Code compiles correctly but is it correct? Lecture 18 Slide 8

A Static Analysis Tool LINT Example 138% more lint_ex.c #include <stdio.h> printarray (Anarray) int Anarray; { printf( %d,anarray); } main () { int Anarray[5]; int i; char c; printarray (Anarray, i, c); printarray (Anarray) ; } 139% cc lint_ex.c 140% lint lint_ex.c lint_ex.c(10): warning: c may be used before set lint_ex.c(10): warning: i may be used before set printarray: variable # of args. lint_ex.c(4) :: lint_ex.c(10) LINT is run on compiled code c, i not initialized before use Inconsistent use of first arg printarray, arg. 1 used inconsistently lint_ex.c(4) :: lint_ex.c(10) printarray, arg. 1 used inconsistently lint_ex.c(4) :: lint_ex.c(11) printf returns value which is always ignored Function value is never used Source: Sommerville, Software Engineering, 7 th Edition, Addison-Wesley 2004. Lecture 18 Slide 9

Another Static Analysis Tool FindBugs An open source static analysis bug detection tool Available at http://findbugs.sourceforge.net/ Analyzes Java bytecode Identifies bug patterns detected in the bytecode A bug pattern is a code pattern that often results in a bug Since FindBugs detects bug patterns and not actual bugs it can produce false positives (e.g., bug patterns that are not really bugs). CSCI 3060U Lecture 18 Slide 10

Another Static Analysis Tool FindBugs Bug Patterns A complete list of the bug patterns identified in FindBugs is available at: http://findbugs.sourceforge.net/bugdescriptions.html The bug patterns are classified into the following categories: Bad practice Correctness Internationalization Malicious code vulnerability Multithreaded correctness Performance Security Dodgy CSCI 3060U Lecture 18 Slide 11

Another Static Analysis Tool Example Bug Patterns Bad Practice Pattern: Method may fail to close stream (OS_OPEN_STREAM) Reports if an input/output stream is not closed Possible outcome: file descriptor leak Dodgy Pattern: Redundant nullcheck of value known to be non-null (RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VA LUE) Reports an unnecessary check that will most likely not lead to incorrect behavior CSCI 3060U Lecture 18 Slide 12

(Yet) Another Static Analysis Tool CodeSurfer Path Inspector The CodeSurfer Path Inspector extension is a static analysis tool developed by GrammaTech (http://www.grammatech.com) that analyzes a C program with respect to a sequencing property. For example: A call to function X does not occur globally Statement Y occurs after Statement Z Path Inspector will determine if a sequencing property is true or false. If it is false the program will produce a counter-example (i.e. an execution path that shows the property cannot be true). CSCI 3060U Lecture 18 Slide 13

Case Study: Static Analysis at NASA s Jet Propulsion Lab Jet Propulsion Lab (JPL) http://www.jpl.nasa.gov/index.cfm Case study details based on keynote seminar by Gerard Holzmann at OOPSLA titled Scrub & Spin: Stealth Use of Formal Methods in Software Development http://larslab.jpl.nasa.gov/people/gh.html CSCI 3060U Lecture 18 Slide 14

Case Study: Static Analysis at NASA s Jet Propulsion Lab The tool collects all the mechanically produced error reports, but also peers and code reviewers can enter queries on the code as well by clicking on the line number Human-generated input gets collected by the same tool in a uniform interface. During a code review, the module developer is asked to respond to each report and close them out. If there's a disagreement, then there's a second cycle of review. - Gerard Holzmann, SD Times CSCI 3060U Lecture 18 Slide 15

Case Study: Static Analysis at NASA s Jet Propulsion Lab SCRUB = Source Code Review User Browser NOTE: In addition to static analysis tools, SCRUB also uses formal analysis tools (next class). Examples of tools used by SCRUB are Codesonar, Coverity, gcc, uno etc. CSCI 3060U Lecture 18 Slide 16

Case Study: Static Analysis at NASA s Jet Propulsion Lab SCRUB Interface Source: http://spinroot.com/gerard/pdf/scrubpaper_rev.pdf CSCI 3060U Lecture 18 Slide 17

Case Study: Static Analysis at NASA s Jet Propulsion Lab Scrub & Spin: Stealth Use of Formal Methods in Software Development keynote available on ACM Digital Library: http://dl.acm.org.uproxy.library.dcuoit.ca/citation.cfm?id=1639950.1705499&coll=dl&dl=acm&cfid=70536916&c FTOKEN=76245316 CSCI 3060U Lecture 18 Slide 18

Case Study: Static Analysis at NASA s Jet Propulsion Lab For class watch 29:28 to 42:04 Scrub & Spin: Stealth Use of Formal Methods in Software Development keynote available on ACM Digital Library: http://dl.acm.org.uproxy.library.dcuoit.ca/citation.cfm?id=1639950.1705499&coll=dl&dl=acm&cfid=70536916&c FTOKEN=76245316 CSCI 3060U Lecture 18 Slide 19

Case Study: Static Analysis at NASA s Jet Propulsion Lab Use of SCRUB on 227,041 loc in the first year (60 different code reviews) Source: http://spinroot.com/gerard/pdf/scrubpaper_rev.pdf CSCI 3060U Lecture 18 Slide 20

Verification Using Static Analysis Static Analysis Automatic static analyzers are complementary to both testing and code inspection Analyzer use different types of analysis to find and report possible faults Readings G.J. Holzmann. Scrub: a tool for code reviews. Innovations in Systems and Software Engineering, 2010, Vol. 6, Nr. 4, pp. 311-318. http://spinroot.com/gerard/pdf/scrubpaper_rev.pdf References This lecture was partially based on Section 22.3 in Sommerville s Software Engineering book CSCI 3060U Lecture 18 Slide 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback