Improving Software Quality
with Static Analysis
William Pugh
Professor, Univ. of Maryland
http://www.cs.umd.edu/~pugh
Static Analysis
- Analyzes your program without executing it
- Doesn’t depend on having good test cases
- Generally, doesn’t know what your software is supposed to do
- Looks for violations of reasonable programming
- Shouldn’t throw NPE
- Shouldn’t allow SQL injection
- Not a replacement for testing
- Very good at finding problems on untested paths
- But many defects can’t be found with static analysis
Can You Find The Bug?
if (listeners == null) listeners.remove(listener);
- JDK1.6.0, b105, sun.awt.x11.XMSelection
Why Do Bugs Occur?
- Nobody is perfect
- Common types of errors:
- Misunderstood language features, API methods
- Typos (using wrong boolean operator, forgetting parentheses or brackets, etc.)
- Misunderstood class or method invariants
- Everyone makes syntax errors, but the compiler catches them
- What about bugs one step removed from a syntax error?
Bug Patterns
- Some big, broad and common patterns
- Dereferencing a null pointer
- An impossible checked cast
- Methods whose return value should not be ignored
- Lots of small, specific bug patterns, that together find lots of bugs
- Every Programming Puzzler
- Every chapter in Effective Java
- Many postings to http://thedailywtf.com/
Analysis Techniques
- Local pattern matching
- If you invoke String.toLowerCase(), don't ignore the return value
- Intraprocedural dataflow analysis
- Null pointer, type cast errors
- Interprocedural method summaries
- This method always dereferences its parameter
- Context sensitive interprocedural analysis
- Interprocedural flow of untrusted data
- SQL injection, cross site scripting
Whatever you need to find the bugs
Double Check Against
JDK1.6.0-b
- Found 5 infinite recursive loops
- Including one written by Joshua Bloch
public String foundType() {
    return this.foundType();
}
- Smart people make dumb mistakes
- 27 across all versions of JDK, 40+ in Google’s Java code
- Embrace and fix your dumb mistakes
Finding Null Pointer Bugs
with FindBugs
FindBugs looks for a statement or branch that, if executed, guarantees a null pointer exception
Either a null pointer exception could be thrown, or the program contains a statement/branch that can’t be executed
Could look for exceptions that only occur on a path
e.g., if the condition on line 29 is true and the condition on line 38 is false, then a NPE will be thrown
but would need to worry about whether that path is feasible
Examples of null pointer bugs (simple ones)
// com.sun.corba.se.impl.naming.cosnaming.NamingContextImpl
if (name != null || name.length > 0)
// com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser
if (part == null | part.equals(""))
// sun.awt.x11.ScrollPanePeer
if (g != null) paintScrollBars(g,colors);
g.dispose();
Redundant Check For Null
Checking a value to see if it is null when it can't possibly be null
// java.awt.image.LookupOp, lines 236-
public final WritableRaster filter(Raster src, WritableRaster dst) {
    int dstLength = dst.getNumBands();
    // Create a new destination Raster, if needed
    if (dst == null)
        dst = createCompatibleDestRaster(src);
    // ...
}
Also known as a reverse null dereference error
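To make the two slides above concrete (a deref on a path where the value is known to be null, a null check after the value has already been dereferenced, and the weaker "null on some path" case that needs a merge point), here is a toy forward nullness analysis written for this page. It is an added illustration, not FindBugs code; the IR, the `analyze`/`report` names and the encodings of the slide snippets are my own constructions, and `name != null || name.length > 0` is encoded as "if name is null, dereference name" because the right operand of `||` only runs when the left one is false.

```python
# Toy forward nullness analysis in the spirit of the FindBugs null-pointer
# detector described on the slides. Added illustration, not FindBugs code.
# Statements form a tiny constructed IR:
#   ("deref", v)                            -> v.field, v.method(), v.length, ...
#   ("if_null", v, then_stmts, else_stmts)  -> if (v == null) {...} else {...}
NULL, NONNULL, MAYBE = "null", "nonnull", "maybe"

def join(a, b):
    """Merge one variable's fact at a control-flow merge point."""
    return a if a == b else MAYBE

def analyze(stmts, facts=None, findings=None):
    """Walk stmts with facts {var: NULL|NONNULL|MAYBE}; absent = never compared."""
    facts = dict(facts or {})
    findings = [] if findings is None else findings
    for stmt in stmts:
        op, var = stmt[0], stmt[1]
        known = facts.get(var)
        if op == "deref":
            if known == NULL:        # on this path the value is definitely null
                findings.append(("guaranteed NPE", var))
            elif known == MAYBE:     # null on one incoming path, checked earlier
                findings.append(("NPE on some path", var))
            facts[var] = NONNULL     # execution continued, so it was non-null
        elif op == "if_null":
            if known == NONNULL:     # already dereferenced: the check is dead code
                findings.append(("redundant null check", var))
            # both arms are analysed even if one is infeasible (toy simplification)
            then_facts, _ = analyze(stmt[2], {**facts, var: NULL}, findings)
            else_facts, _ = analyze(stmt[3], {**facts, var: NONNULL}, findings)
            # keep only variables both arms know about, merging disagreements
            facts = {v: join(then_facts[v], else_facts[v])
                     for v in then_facts.keys() & else_facts.keys()}
    return facts, findings

def report(stmts):
    return analyze(stmts)[1]

# Constructed encodings of the snippets quoted on the slides.
LISTENERS = [("if_null", "listeners", [("deref", "listeners")], [])]   # if (listeners == null) listeners.remove(..)
NAME = [("if_null", "name", [("deref", "name")], [])]                   # name != null || name.length > 0
SCROLLPANE = [("if_null", "g", [], [("deref", "g")]), ("deref", "g")]  # guarded use, then g.dispose()
LOOKUPOP = [("deref", "dst"), ("if_null", "dst", [], [])]              # dst.getNumBands() before if (dst == null)
CLEAN = [("if_null", "x", [], [("deref", "x")])]                       # if (x != null) x.foo();

if __name__ == "__main__":
    for label, prog in [("listeners", LISTENERS), ("name", NAME), ("g", SCROLLPANE),
                        ("dst", LOOKUPOP), ("clean", CLEAN)]:
        print(label, report(prog))
```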
Bad Method Invocation
- Methods whose return value shouldn't be ignored
- Strings are immutable, so functions like trim() and toLowerCase() return new String
- Dumb/useless methods
- Invoking toString or equals on an array
- Lots of specific rules about particular API methods
- Hard to memorize, easy to get wrong
Examples of bad method calls
// com.sun.rowset.CachedRowSetImpl
if (type == Types.DECIMAL || type == Types.NUMERIC)
    ((java.math.BigDecimal)x).setScale(scale);
// com.sun.xml.internal.txw2.output.XMLWriter
try {
    ...
} catch (IOException e) {
    new SAXException("Server side Exception:" + e);
}
Lots of Little Bug Patterns
- checking if d == Double.NaN
- Bit shifting an int by a value greater than 31 bits
- Every Puzzler this year
- more than half for most years
When Bad Code Isn't A Bug
- Static analysis tools will sometimes find ugly, nasty code
- that can't cause your application to misbehave
- Cleaning this up is a good thing
- makes the code easier to understand and maintain
- But for ugly code already in production
- sometimes you just don't want to touch it
- We've found more cases like this than we expected