Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Program Analysis Too Loopy? Set the Loops Aside Eric Larson September 25, 2011 Seattle University.

Published byGwenda Park Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Program Analysis Too Loopy? Set the Loops Aside Eric Larson September 25, 2011 Seattle University."— Presentation transcript:

1 1 Program Analysis Too Loopy? Set the Loops Aside Eric Larson September 25, 2011 Seattle University

2 Loops are Important! Virtually every program has loops. 2

3 3 Path Based Analysis Many bug detection / testing techniques involve traversing different paths within a unit (often a function).  Symbolic execution  Test generation A key issue: Loops introduce a large, possibly infinite, number of paths. A BC D G EF

4 How to Handle Loops? Restrict the number of iterations in the loop to some small subset.  May miss bugs that only surface on a particular number of iterations. Restrict the analysis time: stop analysis after n paths or x seconds.  The traversal order of paths is important to make sure all regions of the code are exercised. Compute loop post-conditions. Detect and handle loops that meet particular pattern(s). 4

5 Interprocedural Summaries PREfix* uses symbolic execution to find common C/C++ coding mistakes. For function calls:  The called function is analyzed first.  A model or summary is created that captures the functionality of the called function.  The model replaces the function call eliminating the need for interprocedural path analysis. Can a similar approach be used for loops? 5 *Bush, Pincus, and Sielaff. A static analyzer for finding dynamic programming errors. Software – Practice and Experience. 2000.

6 Research Study Explores … Explores:  The number of paths in each loop.  The number of paths if loops are analyzed separately.  An analysis of how often loops contained certain constructs or properties. Analyzed 15 different C programs containing 1,091 loops. Implemented using an extension to GrammaTech’s CodeSurfer. 6

7 Number of Paths in Each Loop 7 Program Most Paths in Loop Number of Paths 12-1011-100101-10001001 -10k> 10k bc 11954435100 betaftpd 375102000 diff3 58129174300 find 39620243300 flex 46470746300 ft 412110000 ghttpd 231192000 gzip 198878211100 indent 30,352,14058379212 ks 3619142000 othello 1211870100 space 16423244100 sudoku 10,36819317101 thttpd 5,76830445420 yacr2 39246658400 TOTAL30,352,140 501492682433 45.9%45.1%6.2%2.2%0.3%

8 Analyzing Loops Separately 8 Program Paths (loops traversed at most once) Paths (loops analyzed separately) Total Outside Loops Inside Loops bc 949,34656,96556,487478 betaftpd 45,69242,31542,209106 diff3 572,71840,96639,7351,231 find 1,966,7701,804,3701,803,439931 flex 7.40E+117.22E+11 1,398 ft 10,59452648145 ghttpd 9,6791,1561,07581 gzip 3.05E+102.37E+09 873 indent 9.82E+178.38E+11 30,421,708 ks 24,45215347106 othello 13,38213,20113,034167 space 6,2272,0111,676335 sudoku 1.94E+0921,21610,09911,117 thttpd 2.84E+123.48E+10 10,345 yacr2 2,249,0483,1041,5751,529

9 Loop Characteristics Loop breakdown:  Array traversals48.7%  Data structure traversals14.8%  Sentinel loops4.5%  Input sentinel loops2.7%  Other29.3% Hard to analyze constructs:  24.2% of loops contained an alternate exit (beyond the normal stopping condition).  57.6% of loops contained a function call. 9

10 Conclusion Most loops have very few paths. Separating loops from complex functions does not reduce complexity.  Most complex functions have complexity both inside and outside loops. Future Work:  Analyze loops in different languages such as C++ or Java.  Implement symbolic execution where loops are analyzed separately. 10

11 Questions? 11

12 Discussion The handling of loops is not given full treatment in many software bug detection research papers. More broadly, is a function an appropriate unit of analysis in symbolic execution (and other forms of program analysis)? 12

Download ppt "1 Program Analysis Too Loopy? Set the Loops Aside Eric Larson September 25, 2011 Seattle University."

Similar presentations

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.

Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Chapter 1. The Phases of Software Development. Data Structure 2 Chapter outline  Objectives  Use Javadoc to write a method’s complete specification.

Chapter 1. The Phases of Software Development. Data Structure 2 Chapter outline  Objectives  Use Javadoc to write a method’s complete specification.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
An Object-Oriented Approach to Programming Logic and Design

An Object-Oriented Approach to Programming Logic and Design
CS0004: Introduction to Programming Repetition – Do Loops.

CS0004: Introduction to Programming Repetition – Do Loops.
In Defense of Unsoundness Ben Livshits, Manu Sridharan, Yannis Smaragdakis, and Ondřej Lhoták.

In Defense of Unsoundness Ben Livshits, Manu Sridharan, Yannis Smaragdakis, and Ondřej Lhoták.
Repeating Structures Do While Loops. Do While Loop While loops have a test condition before the loop –This means that java will test the condition before.

Repeating Structures Do While Loops. Do While Loop While loops have a test condition before the loop –This means that java will test the condition before.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
1 Software Testing and Quality Assurance Lecture 41 – Software Quality Assurance.

1 Software Testing and Quality Assurance Lecture 41 – Software Quality Assurance.
Chapter 2: Algorithm Discovery and Design

Chapter 2: Algorithm Discovery and Design
Chapter 1 Software Development. Copyright © 2005 Pearson Addison-Wesley. All rights reserved. 1-2 Chapter Objectives Discuss the goals of software development.

Chapter 1 Software Development. Copyright © 2005 Pearson Addison-Wesley. All rights reserved. 1-2 Chapter Objectives Discuss the goals of software development.
IMSE Week 18 White Box or Structural Testing Reading:Sommerville (4th edition) ch 22 orPressman (4th edition) ch 16.

IMSE Week 18 White Box or Structural Testing Reading:Sommerville (4th edition) ch 22 orPressman (4th edition) ch 16.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.

Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
ECE122 L17: Method Development and Testing April 5, 2007 ECE 122 Engineering Problem Solving with Java Lecture 17 Method Development and Testing.

ECE122 L17: Method Development and Testing April 5, 2007 ECE 122 Engineering Problem Solving with Java Lecture 17 Method Development and Testing.
Chapter 2: Algorithm Discovery and Design

Chapter 2: Algorithm Discovery and Design
Pointer analysis. Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis Andersen and.

Pointer analysis. Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis Andersen and.
Scalable and Flexible Static Analysis of Flight-Critical Software Guillaume P. Brat Arnaud J. Venet Carnegie.

Scalable and Flexible Static Analysis of Flight-Critical Software Guillaume P. Brat Arnaud J. Venet Carnegie.

Similar presentations

Ads by Google