Download presentation
Presentation is loading. Please wait.
1
Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs David Hovemeyer, Jaime Spacco, and William Pugh Presented by Nathaniel Ayewah CMSC838P 11/16/2006
2
Why Simple Programmers make simple mistakes // org.eclipse.jdt.internal.ui.compare.JavaStructureDiffViewer Control c = getControl(); if (c == null && c.isDisposed()) return; Low False Positive Rate Cannot find all bugs
3
Findbugs
4
INPUTPROCESSINGOUTPUT Set of “.class” files containing byte-code Configurations Bug Pattern Code Source Line Number Descriptive Message Detectors
5
Findbugs DetectorsPROCESSING Independent of each other May share some resources GOAL: Low false positives Each detector is driven by a set of heuristics Know Your Bug Patterns
6
OutputHIGH SEVERE RISK OF PROGRAM FAILURE MEDIUM ELEVATED RISK OF PROGRAM FAILURE LOW LOW RISK OF PROGRAM FAILURE Source: US Department of Program Security
7
Findbugs Detectors PROCESSING Null Pointer Analysis
8
PROCESSING Forward intra-procedural Build Control Flow graph for each method Data-flow Frame Method parmeter, local variable, or stack operand Null NonNull Slot
9
Simple Analysis Detector foo = null; foo.execute(); Dereferencing Null Detector foo = new Detector(…); foo.execute(); Dereferencing NonNull HIGH SEVERE RISK OF PROGRAM FAILURE
10
If only it were that simple… Is a method’s parameter null? void foo(Object obj) { int x = obj.hashcode(); … } Infeasible Paths
11
Guard indirectly connected to null check boolean b; if (p != null) b = true; else b = false; if (b) p.f()
12
Infeasible Paths Assertions p = null;... // throws exception if p null: checkAssertion(p != null); p.f(); // safe
13
Infeasible Paths Checked Exceptions that are never thrown Foo dup = null; try { dup = super.clone(); } catch (CloneNotSupportedException e) { // Can’t happen } dup.contents =...
14
Solution NullNonNullNull and NonNull are not enough No Kaboom NonNull Checked NonNull NonNull NCPNull-E NSP-ENull NSP if (b) { A } else { B } C ?
15
Solution Dereferencing a variable that has value Null, NSP, … Null-E NSP-ENull NSP … HIGH SEVERE RISK OF PROGRAM FAILURE MEDIUM ELEVATED RISK OF PROGRAM FAILURE LOW LOW RISK OF PROGRAM FAILURE MEDIUM ELEVATED RISK OF PROGRAM FAILURE
16
Solution Choosing a value for a variable after each statement: Statement Value of p p = null Null p = this NonNull p = new... NonNull p = "string" NonNull p = Foo.class NonNull p = q.x NCP p = a[i] NCP p = f() NCP
17
Solution: Infeasible Paths p = null; Null p = new … NonNull NSP Null NCP
18
Solution: Infeasible Paths Null or NSP checkAssertion(p != null) NCP p.f()
19
Solution: Infeasible Paths try { } catch(Exception e) { } NullNSP Null-ENSP-E
20
Comparing a Value to null foo.execute(); if (foo != null) {... } Comparing No-Kaboom to null HIGH SEVERE RISK OF PROGRAM FAILURE
21
Comparing a value to null Detector foo = null; if (foo != null) { foo.execute(); } Comparing Null to null if (foo != null) {... if (foo == null) { foo = new... } Comparing Checked NonNull to null MEDIUM ELEVATED RISK OF PROGRAM FAILURE R.I.P MEDIUM ELEVATED RISK OF PROGRAM FAILURE R.I.P
22
Other Solutions Check for methods that unconditionally dereference parameters Annotations –@NotNull: parameter/return value must not be null –@CheckForNull: check the parameter/return value before dereferencing it
23
Experiments: Student Code With Annotations ProjectNPEWarning FN % Search Tree Web Spider 71 162 38 127 46 21 ProjectWarningNPE FP % Search Tree Web Spider 40 129 36 101 10 21
24
Experiments: Student Code Without Annotations ProjectNPEWarning FN % Search Tree Web Spider 71 162 1 47 98 70 ProjectWarningNPE FP % Search Tree Web Spider 2 77 2 75 0202
25
Experiments: Production Code Cannot calc. false negatives! Warning typeSeriousFalse FP % Null dereference No-Kaboom RCN Other RCN 73 33 15 16 15 17 18 31 53 Eclipse 3.0.1
26
Conclusion More inter-procedural techniques could find more bugs But often finding simple bugs with low FP rate is effective
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.