Static Analysis - Guide to Programming Languages - Lecture Notes | CMSC 433, Exams of Programming Languages

Material Type: Exam; Professor: Pugh; Class: PROG LANG TECH & PDGMS; Subject: Computer Science; University: University of Maryland; Term: Fall 2007;


Uploaded on 07/30/2009

Improving Software Quality
with Static Analysis
William Pugh
Professor, Univ. of Maryland
http://www.cs.umd.edu/~pugh


Static Analysis

  • Analyzes your program without executing it
  • Doesn’t depend on having good test cases
    • or even any test cases
  • Generally, doesn’t know what your software is supposed to do
    • Looks for violations of reasonable programming
      • Shouldn’t throw NPE
      • Shouldn’t allow SQL injection
  • Not a replacement for testing
    • Very good at finding problems on untested paths
    • But many defects can’t be found with static analysis

Can You Find The Bug?

if (listeners == null) listeners.remove(listener);

  • JDK1.6.0, b105, sun.awt.x11.XMSelection
    • lines 243-

Why Do Bugs Occur?

  • Nobody is perfect
  • Common types of errors:
    • Misunderstood language features, API methods
    • Typos (using wrong boolean operator, forgetting parentheses or brackets, etc.)
    • Misunderstood class or method invariants
  • Everyone makes syntax errors, but the compiler catches them
    • What about bugs one step removed from a syntax error?

Bug Patterns

  • Some big, broad and common patterns
    • Dereferencing a null pointer
    • An impossible checked cast
    • Methods whose return value should not be ignored
  • Lots of small, specific bug patterns, that together find lots of bugs
    • Every Programming Puzzler
    • Every chapter in Effective Java
    • Many postings to http://thedailywtf.com/

Analysis Techniques

  • Local pattern matching
    • If you invoke String.toLowerCase(), don’t ignore the return value
  • Intraprocedural dataflow analysis
    • Null pointer, type cast errors
  • Interprocedural method summaries
    • This method always dereferences its parameter
  • Context sensitive interprocedural analysis
    • Interprocedural flow of untrusted data
      • SQL injection, cross site scripting

Whatever you need to find the bugs

Double Check Against JDK1.6.0-b

  • Found 5 infinite recursive loops
  • Including one written by Joshua Bloch

    public String foundType() {
        return this.foundType();
    }

  • Smart people make dumb mistakes
    • 27 across all versions of JDK, 40+ in Google’s Java code
  • Embrace and fix your dumb mistakes

Finding Null Pointer Bugs with FindBugs

  • FindBugs looks for a statement or branch that, if executed, guarantees a null pointer exception
  • Either a null pointer exception could be thrown, or the program contains a statement/branch that can’t be executed
  • Could look for exceptions that only occur on a path
    • e.g., if the condition on line 29 is true and the condition on line 38 is false, then a NPE will be thrown
    • but would need to worry about whether that path is feasible

Examples of null pointer bugs: simple ones

    // com.sun.corba.se.impl.naming.cosnaming.NamingContextImpl
    if (name != null || name.length > 0)

    // com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser
    if (part == null | part.equals(""))

    // sun.awt.x11.ScrollPanePeer
    if (g != null)
        paintScrollBars(g,colors);
    g.dispose();

Redundant Check For Null

  • Checking a value to see if it is null
    • When it can't possibly be null

    // java.awt.image.LookupOp, lines 236-
    public final WritableRaster filter(Raster src, WritableRaster dst) {
        int dstLength = dst.getNumBands();
        // Create a new destination Raster,
        // if needed
        if (dst == null)
            dst = createCompatibleDestRaster(src);
        // ...
    }

  • Also known as a reverse null dereference error
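The two null-pointer rules above (a branch that guarantees an NPE, and a null check after a dereference) can be modelled as a small abstract-state walk. This is an added sketch, not FindBugs code or anything from the slides: the mini-IR, the class name `NullStateSketch` and the variable `x` are assumptions made for illustration, it follows only the straight-line code after one branch edge (no merging at join points), and it needs Java 16 or later for records.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class NullStateSketch {
    enum State { UNKNOWN, NULL, NONNULL }
    // Constructed mini-IR: ASSUME_* records what a taken branch edge proves about a variable.
    enum Op { ASSUME_NULL, ASSUME_NONNULL, DEREF, NULL_CHECK }
    record Insn(Op op, String var) {}

    // Walks the straight-line code that follows one branch edge and reports findings.
    static List<String> analyze(Insn... code) {
        Map<String, State> states = new HashMap<>();
        List<String> findings = new ArrayList<>();
        for (Insn i : code) {
            State s = states.getOrDefault(i.var(), State.UNKNOWN);
            switch (i.op()) {
                case ASSUME_NULL -> states.put(i.var(), State.NULL);
                case ASSUME_NONNULL -> states.put(i.var(), State.NONNULL);
                case DEREF -> {
                    if (s == State.NULL) findings.add("guaranteed NPE on " + i.var());
                    states.put(i.var(), State.NONNULL); // execution continues only if non-null
                }
                case NULL_CHECK -> {
                    if (s == State.NONNULL) findings.add("redundant null check of " + i.var());
                }
            }
        }
        return findings;
    }

    static Insn in(Op op, String var) { return new Insn(op, var); }

    public static void main(String[] args) {
        // if (listeners == null) listeners.remove(listener);
        System.out.println(analyze(in(Op.ASSUME_NULL, "listeners"), in(Op.DEREF, "listeners")));
        // if (name != null || name.length > 0): the right operand runs only when name is null
        System.out.println(analyze(in(Op.ASSUME_NULL, "name"), in(Op.DEREF, "name")));
        // int dstLength = dst.getNumBands(); ... if (dst == null)
        System.out.println(analyze(in(Op.DEREF, "dst"), in(Op.NULL_CHECK, "dst")));
        // Correct guard, hypothetical variable x: if (x != null) x.use(); gives no finding
        System.out.println(analyze(in(Op.ASSUME_NONNULL, "x"), in(Op.DEREF, "x")));
    }
}
```

Because each finding depends only on what a single branch edge proves, the walk never has to decide whether a longer multi-branch path is feasible, which is the trade-off the slide describes.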

Bad Method Invocation

  • Methods whose return value shouldn't be ignored
    • Strings are immutable, so functions like trim() and toLowerCase() return new String
  • Dumb/useless methods
    • Invoking toString or equals on an array
  • Lots of specific rules about particular API methods
    • Hard to memorize, easy to get wrong

Examples of bad method calls

    // com.sun.rowset.CachedRowSetImpl
    if (type == Types.DECIMAL || type == Types.NUMERIC)
        ((java.math.BigDecimal)x).setScale(scale);

    // com.sun.xml.internal.txw2.output.XMLWriter
    try { ... }
    catch (IOException e) {
        new SAXException("Server side Exception:" + e);
    }

Lots of Little Bug Patterns

  • checking if d == Double.NaN
  • Bit shifting an int by a value greater than 31 bits

  • Every Puzzler this year
    • more than half for most years
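The bad method calls and little bug patterns listed above, each with its buggy form next to a corrected one. This is an added example, not code from the slides or the JDK: the class name `BugPatternDemo`, the method names and the sample inputs are constructed for illustration.

```java
import java.math.BigDecimal;
import java.util.Arrays;

public class BugPatternDemo {
    // Ignored return value: BigDecimal is immutable, so setScale returns a new object.
    static BigDecimal scaleBuggy(BigDecimal x, int scale) { x.setScale(scale); return x; }
    static BigDecimal scaleFixed(BigDecimal x, int scale) { return x.setScale(scale); }

    // Exception constructed but never thrown: bad input is silently accepted.
    static boolean validateBuggy(String s) {
        try { Integer.parseInt(s); }
        catch (NumberFormatException e) { new IllegalArgumentException("bad input: " + e); }
        return true;
    }
    static boolean validateFixed(String s) {
        try { Integer.parseInt(s); }
        catch (NumberFormatException e) { throw new IllegalArgumentException("bad input", e); }
        return true;
    }

    // NaN compares unequal to everything, itself included.
    static boolean isNaNBuggy(double d) { return d == Double.NaN; }
    static boolean isNaNFixed(double d) { return Double.isNaN(d); }

    // An int shift uses only the low 5 bits of the count, so shifting by 32 shifts by 0.
    static long bitBuggy(int n) { return 1 << n; }
    static long bitFixed(int n) { return 1L << n; }

    static void check(boolean cond, String what) {
        if (!cond) throw new AssertionError(what);
        System.out.println("confirmed: " + what);
    }

    public static void main(String[] args) {
        BigDecimal x = new BigDecimal("1.5");   // constructed sample value, scale 1
        check(scaleBuggy(x, 3).scale() == 1, "discarded setScale result leaves scale at 1");
        check(scaleFixed(x, 3).scale() == 3, "using the returned BigDecimal gives scale 3");
        check(validateBuggy("12x"), "unthrown exception lets bad input through");
        boolean rejected = false;
        try { validateFixed("12x"); } catch (IllegalArgumentException e) { rejected = true; }
        check(rejected, "thrown exception rejects bad input");
        check(!isNaNBuggy(Double.NaN) && isNaNFixed(Double.NaN), "== Double.NaN never matches");
        check(bitBuggy(32) == 1L && bitFixed(32) == 4294967296L, "int shift by 32 wraps to 0");
        int[] a = {1, 2}, b = {1, 2};
        check(!a.equals(b) && Arrays.equals(a, b), "equals on arrays compares identity");
    }
}
```

The unthrown-exception case matters most for input validation: the buggy validator returns true for malformed input, so a check that looks present in the source never actually rejects anything.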

When Bad Code Isn't A Bug

  • Static analysis tools will sometimes find ugly, nasty code
    • that can't cause your application to misbehave
  • Cleaning this up is a good thing
    • makes the code easier to understand and maintain
  • But for ugly code already in production
    • sometimes you just don't want to touch it
  • We've found more cases like this than we expected