Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scalable Defect Detection Manuvir Das, Zhe Yang, Daniel Wang Center for Software Excellence Microsoft Corporation.

Published byLewis Cummings Modified over 9 years ago

Similar presentations

Presentation on theme: "Scalable Defect Detection Manuvir Das, Zhe Yang, Daniel Wang Center for Software Excellence Microsoft Corporation."— Presentation transcript:

1 Scalable Defect Detection Manuvir Das, Zhe Yang, Daniel Wang Center for Software Excellence Microsoft Corporation

2 What this series covers Various techniques for static analysis of large, real imperative programs Lessons from our experience building static analyses in the “real world” –“real world” == Microsoft product teams A pragmatic methodology for mixing specifications with static analysis

3 Who we are Microsoft Corporation –Center for Software Excellence Program Analysis Group –10 full time people including 7 PhDs We are program analysis researchers –But we measure our success by impact –CSE impact on Windows Vista Developers fixed ~100K bugs that we found Developers added ~500K specifications we designed We answered thousands of developer emails

4 The real world Code on a massive scale –10s of millions of lines of code –Many configurations & code branches Developers on a massive scale –Small mistakes in tools are magnified –Small developer overheads are magnified Defects on a massive scale –Bug databases and established processes rule –Defect classes repeat, both across code bases and across defect properties

5 Code in the real world Main Branch Team Branch Desktop Team Branch Team Branch Desktop ……

6 Process in the real world – 1 An opportunity for lightweight tools –“always on” on every developer desktop –issues tracked within the program artifacts –enforcement by rejection at “quality gate” Speed, suppression, determinism Main Branch Team Branch Desktop Team Branch Team Branch Desktop ……

7 Process in the real world – 2 An opportunity for heavyweight tools –run routinely after integration in main branch –issues tracked through a central bug database –enforcement by developer “bug cap” Scale, uniqueness, defect management Team Branch Desktop Team Branch Team Branch Desktop …… Main Branch

8 Implications for analysis Scale, scale, scale –Should be run routinely on massive scale High accuracy –Ratio of bugs “worth fixing” should be high High clarity –Defect reports must be understandable Low startup cost –Developer effort to get results must be low High return on investment –More developer effort should reveal more bugs High agility –New defect detection tools should be easy to produce

9 Our solutions over time Gen 1: Manual Review –Too many code paths to think about Gen 2: Massive Testing –Inefficient detection of simple errors Gen 3: Global Program Analysis –Delayed results Gen 4: Local Program Analysis –Lack of calling context limits accuracy Gen 5: Formal interface specifications

10 Contrast this with … Build it into the language –e.g. memory management in Java/C# If not, then fix it with a type system –e.g. memory safety in Cyclone If not, then add formal specifications –e.g. memory defect detection in ESC/Java If not, then find bugs with static analysis –e.g. memory defect detection in PREfix If not, then find bugs with dynamic analysis

11 Our approach to scale Scalable whole program analysis –Combine lightweight analysis everywhere with heavyweight analysis in just the right places Accurate modular analysis –Assume availability of function-level pre- conditions and post-conditions –Powerful analysis + defect bucketing Programmer supplied specifications –Designed to be developer friendly –Automatically inferred via global analysis

12 … explained in 3 lectures Scalable whole program analysis –ESP –Manuvir Das Accurate modular analysis –espX, μSPACE –Zhe Yang Programmer supplied specifications –SAL, SALinfer –Daniel Wang

13 Scalable Whole Program Analysis

14 Safety properties Dynamic checking –Instrument the program with a monitor –Fail if the monitor enters a bad state What is a safety property? –Anything that can be monitored Static checking –Simulate all possible executions of the instrumented program

15 Example void main () { if (dump) fil = fopen(dumpFile,”w”); if (p) x = 0; else x = 1; if (dump) fclose(fil); } Closed Opened Error Open Print Open Close Print/Close * void main () { if (dump) Open; if (p) x = 0; else x = 1; if (dump) Close; }

16 Symbolic evaluation Execute multiple paths in the program –Use symbolic values for variables –Execution state = Symbolic state + Monitor state Assignments & function calls: –Update execution state Branch points: –Does execution state imply branch direction? –Yes: process appropriate branch –No: split & update state, process branches Merge points: –Collapse identical states

17 Example [Opened|dump=T] [Closed] [Closed|dump=F] [Opened|dump=T,p=T,x=0] [Opened|dump=T,p=F,x=1] entry dump p x = 0x = 1 Open Close exit dump T T T F F F [Closed|dump=T,p=T,x=0] [Closed|dump=T,p=F,x=1]

18 Example [Opened|dump=T] [Closed] [Closed|dump=F] [Closed|dump=F,p=T,x=0] [Closed|dump=F,p=F,x=1] entry dump p x = 0x = 1 Open Close exit dump T T T F F F [Closed|dump=F,p=T,x=0] [Closed|dump=F,p=F,x=1]

19 Assessment [+] can make this arbitrarily precise [+] can show debugging traces [-] may not scale (exponential paths) [-] may not terminate (loops) PREfix (SP&E 2000) – explore a subset of all paths

20 Dataflow analysis Merge points: –Collapse all states –One execution state per program point

21 Example [Opened|dump=T] [Closed] [Closed|dump=F] [Opened/Closed|p=T,x=0] [Opened/Closed|p=F,x=1] [Closed/Error] entry dump p x = 0x = 1 Open Close exit dump T T T F F F [Opened/Closed]

22 Assessment [-] precision is limited [-] cannot show debugging traces [+] scales well [+] terminates CQual (PLDI 2002) – apply to type-based properties

23 Property simulation Merge points: –Do states agree on monitor state? –Yes: merge states –No: process states separately ESP –PLDI 2002, ISSTA 2004

24 Example [Opened|dump=T] [Closed] [Closed|dump=F] [Opened|dump=T,p=T,x=0] [Opened|dump=T,p=F,x=1] [Opened|dump=T] [Closed|dump=F] [Closed] entry dump p x = 0x = 1 Open Close exit dump T T T F F F [Closed|dump=T] [Closed|dump=F] [Closed|dump=T]

25 Assessment [=] is usually precise [=] can usually show debugging traces [=] usually scales well [=] usually terminates ESP –a pragmatic compromise

26 Multiple state machines void main () { if (dump1) fil1 = fopen(dumpFile1,”w”); if (dump2) fil2 = fopen(dumpFile2,”w”); if (dump1) fclose(fil1); if (dump2) fclose(fil2); } Code Pattern Monitor Transition e = fopen(_)Open(e) fclose(e)Close(e)

27 Multiple state machines void main () { if (dump1) Open(fil1); if (dump2) Open(fil2); if (dump1) Close(fil1); if (dump2) Close(fil2); } Code Pattern Monitor Transition e = fopen(_)Open(e) fclose(e)Close(e)

28 Bit vector analysis void main () { if (dump1) Open; if (dump2) ID; if (dump1) Close; if (dump2) ID; } void main () { if (dump1) ID; if (dump2) Open; if (dump1) ID; if (dump2) Close; }

29 Bit vector analysis Source to sink safety properties –Sources: Object creation points or function/component entry points –Sinks: Transitions to error state Analyze every source independently –Requires (exponentially) less memory –Spans smaller segments of code –Parallelizes easily

30 Memory aliasing void main () { if (dump) fil = fopen(dumpFile,”w”); pfil = &fil; if (dump) fclose(*pfil); } Does Event( exp ) invoke a transition on the monitor for location l ?

31 Value alias analysis Precise alias analysis is expensive Solution: value alias sets (ISSTA 04) –For a given execution state, which syntactic expressions refer to location l ? Must and May sets for accuracy Transfer functions to update these Observation: We can make value alias analysis path-sensitive by tracking value alias sets as part of monitor state

32 Selective merging Property simulation is really an instance of a more general analysis approach Selective merging –Define a projection on symbolic states –Define equality on projections –Ensure that domain of projections is finite Merge points: –Do states agree on projection? –Yes: merge states –No: process states separately Examples –Value flow analysis, call graph analysis

33 ESP at Microsoft Windows Vista IssueFixedNoise Security – RELOJ3864% Security – Impersonation Token13510% Security – OpenView542% Leaks – RegCloseHandle630% In Progress IssueFound Localization – Constant strings1214 Security – ClientID282 …

34 Summary Scalable whole program analysis –Combine lightweight analysis everywhere with heavyweight analysis in just the right places Accurate modular analysis –Assume availability of function-level pre- conditions and post-conditions –Powerful analysis + defect bucketing Programmer supplied specifications –Designed to be developer friendly –Automatically inferred via global analysis

35 © 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. www.microsoft.com/cse www.microsoft.com/cse/pa research.microsoft.com/manuvir

Download ppt "Scalable Defect Detection Manuvir Das, Zhe Yang, Daniel Wang Center for Software Excellence Microsoft Corporation."

Similar presentations

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Verification and Validation

Verification and Validation
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.

Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.
Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.

Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
Limits on ILP. Achieving Parallelism Techniques – Scoreboarding / Tomasulo’s Algorithm – Pipelining – Speculation – Branch Prediction But how much more.

Limits on ILP. Achieving Parallelism Techniques – Scoreboarding / Tomasulo’s Algorithm – Pipelining – Speculation – Branch Prediction But how much more.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.

Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
Programming Types of Testing.

Programming Types of Testing.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.

Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.
Final exam week Three things on finals week: –final exam –final project presentations –final project report.

Final exam week Three things on finals week: –final exam –final project presentations –final project report.
Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.

Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.
PowerPoint Presentation for Dennis, Wixom & Tegarden Systems Analysis and Design Copyright 2001 © John Wiley & Sons, Inc. All rights reserved. Slide 1.

PowerPoint Presentation for Dennis, Wixom & Tegarden Systems Analysis and Design Copyright 2001 © John Wiley & Sons, Inc. All rights reserved. Slide 1.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
ESP: Program Verification Of Millions of Lines of Code Manuvir Das Researcher PPRC Reliability Team Microsoft Research.

ESP: Program Verification Of Millions of Lines of Code Manuvir Das Researcher PPRC Reliability Team Microsoft Research.
ISBN 0-321-19362-8 Lecture 01 Preliminaries. Copyright © 2004 Pearson Addison-Wesley. All rights reserved.1-2 Lecture 01 Topics Motivation Programming.

ISBN Lecture 01 Preliminaries. Copyright © 2004 Pearson Addison-Wesley. All rights reserved.1-2 Lecture 01 Topics Motivation Programming.
Software Excellence via Program Verification at Microsoft Manuvir Das Center for Software Excellence Microsoft Corporation.

Software Excellence via Program Verification at Microsoft Manuvir Das Center for Software Excellence Microsoft Corporation.

Similar presentations

Ads by Google