DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives...
Transcript of DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives...
![Page 1: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/1.jpg)
DEBUGGING: STATICANALYSISWS 2018/2019
Martina SeidlInstitute for Formal Models and Verification
![Page 2: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/2.jpg)
Deduction Techniques (1/2)
basic idea: reasoning from abstract program to concreteprogram runs (program is not executed)
10 x = read ();
...
20 y = 0;
...
30 x = y;
..
40 print ("x = " + x);
question: what is the value of variable x in line 40 and why?
1/27
![Page 3: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/3.jpg)
Deduction Techniques (2/2)
approach:
� identification of statements that could have caused thefailure⇒ focus on relevant statements
� identification of statements that could not have caused thefailure⇒ ignore irrelevant statements
⇒ identification of possible origins of the failure
⇒ narrow down search space
⇒ more effective debugging
2/27
![Page 4: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/4.jpg)
Interplay of Statements
� effects of statements: contribution to information flow� write: change a program state� control: determine next executed statement
� affected statements: involvement in information flow� read: continue with changed program state� execution: effect only manifests on execution
dependencies between statements:
� control dependence
� data dependence
3/27
![Page 5: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/5.jpg)
Control Flow Graph
A control flow graph is a representation of all paths thatmight be traversed through a program duringits execution.
elements of a control flow graph
� node: program statement
� edge: control flow
� special node: entry/exit node
� basic blocks: nodes that follow each other
4/27
![Page 6: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/6.jpg)
Control Flow Patterns
patterns for control structures: composing structure of aprogram
5/27
![Page 7: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/7.jpg)
Complications When Reasoning aboutPrograms
� jumps and gotosunconditional transfer of control
� indirect jumpsjump address is stored in a variable
� dynamic dispatchmethod overwriting in object-oriented languages
� exceptionstransfer of control to calling function
6/27
![Page 8: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/8.jpg)
Example: Fibonacci NumbersImplementation with Defect
0 int fib (int n) {
1 int f;
2 int f0 = 1;
3 int f1 = 1;
4 while (n > 1) {
5 n = n - 1;
6 f = f0 + f1;
7 f0 = f1;
8 f1 = f;
}
9 return f;
}
int main () {
int n = 9;
while (n > 0) {
printf("fib(%d)=%d\n",
n, fib(n));
n = n - 1;
}
return 0;
}
problem: fib (1)
7/27
![Page 9: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/9.jpg)
Example: Control Flow Graph
0 int fib (int n) {
1 int f;
2 int f0 = 1;
3 int f1 = 1;
4 while (n > 1) {
5 n = n - 1;
6 f = f0 + f1;
7 f0 = f1;
8 f1 = f;
}
9 return f;
}
8/27
![Page 10: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/10.jpg)
Example: Effects
9/27
![Page 11: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/11.jpg)
Data Dependence / Control Dependence
data dependence: Statement B is data dependent onstatement A if
� A write some variable x that is read by B
� there is at least one path in the control flow graph from A
to B in which x is not overwritten by some other statement
control dependence: Statement B is control dependent onstatement A if
� B’s execution is potentially controlled by A
⇒ visualization in program-dependence graph
⇒ analysis which statements influence which statements
10/27
![Page 12: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/12.jpg)
Example: Control Flow Graph
0 int fib (int n) {
1 int f;
2 int f0 = 1;
3 int f1 = 1;
4 while (n > 1) {
5 n = n - 1;
6 f = f0 + f1;
7 f0 = f1;
8 f1 = f;
}
9 return f;
}
11/27
![Page 13: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/13.jpg)
Example: Control Flow Graph
0 int fib (int n) {
1 int f;
2 int f0 = 1;
3 int f1 = 1;
4 while (n > 1) {
5 n = n - 1;
6 f = f0 + f1;
7 f0 = f1;
8 f1 = f;
}
9 return f;
}
11/27
![Page 14: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/14.jpg)
Program Slicing
problem: program computes wrong value for variable z at line1024, but the statement at line 1024 is correct. Why?
⇒ automaticly find defect with program slicing
A program slice is a reduced program that preserves theoriginal program’s behavior for a given set of variables ata chosen point in a program.
basic idea:
� focus on relevant statements and filter irrelevant ones� narrow down infection sites
12/27
![Page 15: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/15.jpg)
Static Slicing
example:
original program slice w.r.t. (4, {z})
1 x = 2; 1 x = 2;
2 y = x + 2; 2
3 z = x + 1 ; 3 z = x + 1;
4 4
what happened?
� deletion of statements
� projection of program semantics was preserved
13/27
![Page 16: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/16.jpg)
Static Slicing: (Informal) Definition
A static slicing criterion of a program P is a pair (s, V ), wheres is a statement in P and V is a subset of the variables in P .
A slice S of a program P on a slicing criterion (s, V ) is aprogram such that
� S is obtained by deleting statements from P
� P ’s behavior on variables V is preserved in s
note: no algorithm to find state-minimal slices(finding minimal slices is equivalent to solve the Haltingproblem!)
14/27
![Page 17: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/17.jpg)
Forward Slicing
� given a statement A, theforward slice contains allstatements whose readvariables or executioncould be influenced by A
� SF (A) = {B | A +−→ B}� not included statements
cannot be affected by A
15/27
![Page 18: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/18.jpg)
Backward Slicing
� Given a statement B, thebackward slice containsall statements that couldinfluence the readvariables or execution of B
� SB(B) = {B | A +−→ B}� often all statements
between A and B areincluded
16/27
![Page 19: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/19.jpg)
Multiple Slices
� example: two slices(addition, multiplication)
� backward slice ofaddition
� backward slice ofmultiplication
� backward slice of additionand multiplication
int main () {
int a, b, sum, mul;
sum = 0;
mul = 1;
a = read ();
b = read ();
while (a <= b) {
sum = sum + a;
mul = mul * a;
a = a + 1;
}
write (sum);
write (mul);
}
17/27
![Page 20: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/20.jpg)
Backbone
� statements that occur inboth slices
� useful for focusing oncommon behavior
a = read ();
b = read ();
while (a <= b) {
a = a + 1;
18/27
![Page 21: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/21.jpg)
Dice
� only the differencebetween two slices
� useful for focusing ondiffering behavior
sum = 0;
sum = sum + a;
write (sum);
19/27
![Page 22: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/22.jpg)
Chop
� intersection between aforward and a backwardslice
� useful for determining howstatement A (originatingthe forward slice)influences statement B(originating the backwardslice)
20/27
![Page 23: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/23.jpg)
Code Smells
A code smell is a surface indication that usually corre-sponds to a deeper problem in the system (M. Fowler)
examples:
� use of uninitialized variables
� unused values
� unreachable code
� memory leaks
� interface misuse
� null pointers
21/27
![Page 24: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/24.jpg)
Example: Uninitialized Variables
example 1:
$ gcc -Wall -O -o fibo fibo.c
fibo.c: In function `fib':
fibo.c:7: warning: `f' might be used uninitialized in this function
example 2 (false positive):
int go;
switch (color) {
case RED:
case AMBER:
go = 0; break;
case GREEN:
go = 1; break;
}
if (go) { ... }
22/27
![Page 25: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/25.jpg)
Unused Variable / Unreachable Code
unused variable: variable that is never read
in the dependency graph, no other statement is data dependenton the write of such a variable
unreachable code: code that is never executed
example:
if (w >= 0)
printf ("w is non-negative\n");
else if (w > 0)
printf ("w is positive\n");
23/27
![Page 26: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/26.jpg)
Memory Leaks / Null Pointers
1 int *readbuf (int size) {
2 int *p = malloc (size * sizeof(int));
3 for (int i = 0; i < size; i++) {
4 p[i] = readint ();
5 if (p[i] == 0)
6 return 0; // end-of-file
7 }
8 return p;
9 }
problems:
� line 2: return value of malloc is NULL⇒ no memory is allocated
� lines 5 and 6: function is left without reference to p
⇒ p cannot be released
24/27
![Page 27: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/27.jpg)
Interface Missuse
� memory is not the only resource that must be explicitlydeallocated when no longer in use, e.g., streams, sockets,locks, devices, ...
� indication in control flow graph: path from stream openingto statement where stream reference is lost without closingstream
example:
void readfile() {
int fp = open(file);
int size = readint(file);
if (size <= 0)
return;
...
close(fp);
}
25/27
![Page 28: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/28.jpg)
Defect Patterns
� method might ignore exception
� null pointer dereference in method
� class defines equal(); should it be equals()?
� method may fail to close database resource
� method may fail to close stream
� method ignores return value
� unread field
� unused field
� unwritten field
26/27
![Page 29: DEBUGGING: STATIC ANALYSISfmv.jku.at/dbg/dbg5.pdf · Limits of Static Analysis many false positives many questions are undecidable (Halting problem) many imprecisions indirect access,](https://reader035.fdocuments.us/reader035/viewer/2022062605/5fdbccc9400b7f6a3c41b75e/html5/thumbnails/29.jpg)
Limits of Static Analysis
� many false positives
� many questions are undecidable (Halting problem)� many imprecisions
� indirect access, e.g., a [i] depends on i
� pointers� functions� object orientation, concurrency
� further risks� code mismatch� abstracting away the execution environment� imprecision
27/27