Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lightweight Verification of Array Indexing

Published byHadi Jayadi Modified over 6 years ago

Similar presentations

Presentation on theme: "Lightweight Verification of Array Indexing"— Presentation transcript:

1 Lightweight Verification of Array Indexing
Martin Kellogg*, Vlastimil Dort**, Suzanne Millstein*, Michael D. Ernst* * University of Washington, Seattle ** Charles University, Prague

2 The problem: unsafe array indexing
In unsafe languages (C): buffer overflow! In managed languages (Java, C#, etc.): exception, program crashes

3 The state of the art Strength of guarantees Practical for developers

4 The state of the art Coq KeY Clousot Strength of guarantees
Practical for developers

5 The state of the art Coq KeY Clousot Strength of guarantees Coverity
FindBugs Practical for developers

6 The Index Checker (this talk)
The state of the art Coq KeY Clousot The Index Checker (this talk) Strength of guarantees Coverity FindBugs Practical for developers

7 Problems with complex analyses
false positives annotation burden complex analyses are hard to predict

8 Problems with complex analyses
false positives bounds checking is hard → complex analysis complex analysis → harder to implement harder to implement → more false positives annotation burden complex analyses are hard to predict

9 Problems with complex analyses
false positives bounds checking is hard → complex analysis complex analysis → harder to implement harder to implement → more false positives annotation burden complex analysis → complex annotations complex analyses are hard to predict

10 Problems with complex analyses
false positives bounds checking is hard → complex analysis complex analysis → harder to implement harder to implement → more false positives annotation burden complex analysis → complex annotations complex analyses are hard to predict

11 Fundamental problem is complex analyses!
Insight: Fundamental problem is complex analyses!

12 Cooperating simple analyses
Solve all three problems:

13 Cooperating simple analyses
Solve all three problems: simpler implementation → fewer false positives

14 Cooperating simple analyses
Solve all three problems: simpler implementation → fewer false positives simpler abstractions → easier to write annotations

15 Cooperating simple analyses
Solve all three problems: simpler implementation → fewer false positives simpler abstractions → easier to write annotations simpler analysis → simpler to predict

16 Proving an array access safe
T[] a = …; int i = …; ... a[i] ... We need to show that: i is an index for a

17 Proving an array access safe
T[] a = …; int i = …; ... a[i] ... We need to show that: i is an index for a i ≥ 0 i < a.length Point out that splitting this up is one of the key insights into actually doing reasonable type inference. Reasoning about both causes state explosion.

18 Proving an array access safe
T[] a = …; int i = …; ... a[i] ... We need to show that: i is an index for a i ≥ A lower bound on i i < a.length An upper bound on i Point out that splitting this up is one of the key insights into actually doing reasonable type inference. Reasoning about both causes state explosion.

19 A type system for lower bounds
@LowerBoundUnknown int i i ≥ -1 @GTENegativeOne int i i ≥ 0 @NonNegative int i i ≥ 1 @Positive int i

20 A type system for lower bounds
@LowerBoundUnknown int i i ≥ -1 @GTENegativeOne int i i ≥ 0 @NonNegative int i i ≥ 1 @Positive int i Note that this is a benefit of the approach – the

21 A type system for upper bounds
if (i >= 0 && i < a.length) { a[i] = ... }

22 A type system for upper bounds
if (i >= 0 && i < a.length) { a[i] = ... } i < a.length @LTLengthOf(“a”) int i

23 Type systems Linear inequalities i < j Minimum lengths
a.length > 10 Negative indices | i | < a.length Lower bounds i ≥ 0 Equal lengths a.length = b.length Upper bounds i < a.length

24 Type systems Linear inequalities i < j Minimum lengths
a.length > 10 Negative indices | i | < a.length Lower bounds i ≥ 0 Equal lengths a.length = b.length Upper bounds i < a.length

25 A type system for minimum array lengths
if (a.length >= 3) { a[2] = ...; }

26 A type system for minimum array lengths
if (a.length >= 3) { a[2] = ...; } a.length ≥ i [] a

27 Evaluation Three case studies: Google Guava (two packages) JFreeChart
plume-lib Comparison to existing tools: FindBugs, KeY, Clousot Note that plume-lib is quite well-tested (1/6th of LoC are tests)

28 Case Studies Guava JFreeChart plume-lib Total Lines of code 10,694
94,233 14,586 119,503 Bugs found 5 64 20 89 Annotations 510 2,938 241 3,689 False positives 138 386 43 567 Java casts 222 2,740 219 3,181 A couple of things to point out on this slide: false positive rate is WAY lower than Java’s existing type system; annotation burden is reasonable (~1 anno / 32 loc); about 1/7 of warnings are true positives (low, but not outrageous in production code).

29 Comparison to other tools: confirmed bugs
Approach Types Bug finder Verif. w/ solver Abs. interpret. Tool Index Checker FindBugs KeY Clousot True Positives False Negatives Time (100k LoC) Not sure how to present this info….

30 Comparison to other tools: confirmed bugs
Approach Types Bug finder Verif. w/ solver Abs. interpret. Tool Index Checker FindBugs KeY Clousot True Positives False Negatives Time (100k LoC) ~10 minutes ~1 minute cannot scale ~200 minutes Not sure how to present this info….

31 Comparison to other tools: confirmed bugs
Approach Types Bug finder Verif. w/ solver Abs. interpret. Tool Index Checker FindBugs KeY Clousot True Positives 18/18 0/18 9/18 16/18 False Negatives 1/18 2/18 Time (100k LoC) ~10 minutes ~1 minute cannot scale ~200 minutes Not sure how to present this info….

32 Using the Index Checker
Distributed with Checker Framework

33 Contributions A methodology: simple, cooperative type systems
An analysis: abstractions for array indexing An implementation and evaluation for Java Verifying the absence of array bounds errors in real codebases (and finding bugs in the process!)

Download ppt "Lightweight Verification of Array Indexing"

Similar presentations

Why Have The OSGi Specifications Been Based On Java Technology ? By Peter Kriens, CEO aQute OSGi Technology Officer www.aQute.se.

Why Have The OSGi Specifications Been Based On Java Technology ? By Peter Kriens, CEO aQute OSGi Technology Officer
Static Analysis for Security

Static Analysis for Security
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Identity and Equality Based on material by Michael Ernst, University of Washington.

Identity and Equality Based on material by Michael Ernst, University of Washington.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Preventing bugs with pluggable type checking Michael D. Ernst University of Washington Object x)

Preventing bugs with pluggable type checking Michael D. Ernst University of Washington Object x)
Recap from last time Saw several examples of optimizations –Constant folding –Constant Prop –Copy Prop –Common Sub-expression Elim –Partial Redundancy.

Recap from last time Saw several examples of optimizations –Constant folding –Constant Prop –Copy Prop –Common Sub-expression Elim –Partial Redundancy.
1 8. Safe Query Languages Safe program – its semantics can be at least partially computed on any valid database input. Safety is tied to program verification,

1 8. Safe Query Languages Safe program – its semantics can be at least partially computed on any valid database input. Safety is tied to program verification,
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.

Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.

1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.
CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.

CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Cs3102: Theory of Computation Class 18: Proving Undecidability Spring 2010 University of Virginia David Evans.

Cs3102: Theory of Computation Class 18: Proving Undecidability Spring 2010 University of Virginia David Evans.
Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...

Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...
Chapter 3 (Part 3): Mathematical Reasoning, Induction & Recursion  Recursive Algorithms (3.5)  Program Correctness (3.6)

Chapter 3 (Part 3): Mathematical Reasoning, Induction & Recursion  Recursive Algorithms (3.5)  Program Correctness (3.6)
© by Kenneth H. Rosen, Discrete Mathematics & its Applications, Sixth Edition, Mc Graw-Hill, 2007 Chapter 4 (Part 3): Mathematical Reasoning, Induction.

© by Kenneth H. Rosen, Discrete Mathematics & its Applications, Sixth Edition, Mc Graw-Hill, 2007 Chapter 4 (Part 3): Mathematical Reasoning, Induction.

Similar presentations

Ads by Google