Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs Dave Hovemeyer Bill Pugh Jaime Spacco.

Published byAugust Ford Modified over 9 years ago

Similar presentations

Presentation on theme: "Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs Dave Hovemeyer Bill Pugh Jaime Spacco."— Presentation transcript:

1 Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs Dave Hovemeyer Bill Pugh Jaime Spacco

2 How hard is it to find null- pointer exceptions? Large body of work –academic research too much to list on one slide –commercial applications PREFix / PREFast Coverity Polyspace

3 Lots of hard problems Aliasing Infeasible paths Resolving call targets Providing feedback to developers under what conditions an error can happen

4 Can we use simple techniques to find NPE? Yes, when you have code like: // Eclipse 3.0.1 if (in == null) try { in.close(); } catch (IOException e) {} Easy to confuse == and !=

5 Easy to confuse && with || // JBoss 4.0.0RC1 if (header != null || header.length > 0) {... } This type of error (and less obvious bugs) occur in production mode more frequently than you might expect

6 The FindBugs Project Open-Source static bug finder –http://findbugs.sourceforge.net –127,394 downloads as of Saturday –Java bytecode Used at several companies –Goldman-Sachs Bug-driven bug finder –start with a bug –What’s the simplest analysis to find the bug?

7 FindBugs null pointer analysis Intra-procedural analysis –Compute all reaching paths for a value Take conditionals into account –Use value numbering analysis to update all copies of updated value No modeling of heap values Don’t report warnings that might be false positives due to infeasible paths Extended basic analysis with limited inter- procedural analysis using annotations

8 Dataflow Lattice

9 Null on a Simple Path (NSP) Merge null with anything else We only care that there is control flow where the value is null –We don’t try to identify infeasible paths –The NPE happens if the program achieves full branch coverage

10 Null on a Simple Path (NSP)

11 Null on a Complex Path (NCP) Most conservative approximation –Tell the analysis we lack sufficient information to justify issuing a warning when the value is dereferenced so we don’t issue any warnings Used for: –method parameters –Instance variables –NSP values that reach a conditional

12 No Kaboom Non-Null Definitely non-null because the pointer was dereferenced Suspicious when programmer compares a No-Kaboom value against null –Confusion about program specification or contracts

13 // Eclipse 3.0.1 // fTableViewer is method parameter property = fTableViewer.getColumnProperties();... if (fTableViewer != null) {... }

14 // Eclipse 3.0.1 // fTableViewer is method parameter // fTableViewer : NCP property = fTableViewer.getColumnProperties();... if (fTableViewer != null) {... }

15 // Eclipse 3.0.1 // fTableViewer is method parameter // fTableViewer : NCP property = fTableViewer.getColumnProperties(); // fTableViewer : NoKaboom nonnull... if (fTableViewer != null) {... }

16 // Eclipse 3.0.1 // fTableViewer is method parameter // fTableViewer : NCP property = fTableViewer.getColumnProperties(); // fTableViewer : NoKaboom nonnull... // redundant null-check => warning! if (fTableViewer != null) {... }

17 Redundant Checks for Null (RCN) Compare a value statically known to be null (or non-null) with null Does not necessarily indicate a problem –Defensive programming Assume programmers don’t intend to write (non-trivial) dead code

18 Extremely Defensive Programming // Eclipse 3.0.1 File dir = new File(...); if (dir != null && dir.isDirectory()) {... }

19 Non-trivial dead code x = null … does not assign x… if (x!=null) { // non-trivial dead code x.importantMethod() }

20 What do we report? Dereference of value known to be null –Guaranteed NPE if dereference executed –Highest priority Dereference of value known to be NSP –Guaranteed NPE if the path is ever executed –Exploitable NPE assuming full branch coverage –Medium priority If paths can only be reached if an exception occurs –lower priority

21 Reporting RCNs No-Kaboom RCNs –higher priority RCNs that create dead code –medium priority other RCNs –low priority

22 Evaluate our analysis using: Production software –jdk1.6.0-b48 –glassfish-9.0-b12 (Sun's application server) –Eclipse 3.0.1 Manually classified each warning Student programming projects

23 Production Results Software # NP derefs and RCN warnings JDK 1.6.0-b48242 Glassfish-9.0-b12 (Sun’s app server) 317 Eclipse 3.0.1169

24 Eclipse Results with Manual Inspection of warnings Warning TypeAccurate Warnings False Positives Precision Null Deref.731682% No KaBoom RCN 331569% Other RCN151747%

25 How many of the existing NPEs are we detecting? Difficult question for production software Student code base allows us to study all NPE produced by a large code base covered by fairly complete unit tests –How many NP Warnings correspond with a run-time fault? False Positives –How many NPE do we issue a warning for? False Negatives

26 The Marmoset Project Automated snapshot, submission and testing system –Eclipse plug-in captures snapshots of all saves to central repository Students submit code to a central server for testing against suite of unit tests –End of semester we run all snapshots against tests –Also run FindBugs on all intermediate snapshots

27 student73 snapshots51,484 compilable40,742 unique33,015 total test outcomes505,423 not implemented67,650 exception thrown63,488 NP exception29,467 assertion failed138,834 passed235,448 Overall numbers, Fall 2004, 2nd semester OOP course

28 Analyzing Marmoset results Analyze two projects –Binary Search Tree –WebSpider Difficult to decide what to count –per snapshot, per warning, per NPE? –false positives persist and get over-counted –multiple warnings / NPEs per snapshot –exceptions can mask each other –difficult to match warnings and NPEs

29 project snapshots with recall NPEwarning BST7111% WebSpider1624729% project snapshots with precision warningNPE BST22100% WebSpider777597% Marmoset Results

30 What are we missing? Projects have javadoc specifications about which parameters and return values can be null Encode specifications into a format FindBugs can use for limited inter-procedural analysis Easy to add annotations to the interface students were to implement –Though we did this after the semester

31 Annotations Lightweight way to communicate specifications about method parameters or return values –@NonNull issue warning if ever passed a null value –@CheckForNull issue warning if unconditionally dereferenced –@Nullable null in a complicated way no warnings issued

32 @CheckForNull vs @Nullable By default, all values are implicitly @Nullable Mark an entire class or package @NonNull or @CheckForNull by default –Must explicitly mark some values as @Nullable –Map.get() can return null Not every application needs to check every call to Map.get()

33

34

35 project snapshots with precision previous precision warningNPE BST403690%100% WebSpider12910178%97% Marmoset Results with Annotations project snapshots with recall previous recall NPEwarning BST713854%1% WebSpider16212778%29%

36 Related Work Lint (Evans) Metal (Engler et al) –“Bugs as Deviant Behavior” ESC Java –more general annotations Fahndrich and Leino –Non-null types for C#

37 Conclusions We can find bugs with simple methods –in student code –in production code –student bug patterns can often be generalized into patterns found in production code Annotations look promising –lightweight way of simplifying inter-procedural analysis –helpful when assigning blame

38 Thank you! Questions?

39 Difficult to decide what to count False positives tend to persist –over-counted Students fix NPEs quickly –under-count Multiple warnings / exceptions per snapshot Some exceptions can mask other exceptions

Download ppt "Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs Dave Hovemeyer Bill Pugh Jaime Spacco."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Automating Software Module Testing for FAA Certification Usha Santhanam The Boeing Company.

Automating Software Module Testing for FAA Certification Usha Santhanam The Boeing Company.
Author: Carlos Pacheco, Shuvendu K. Lahiri, Michael D. Ernst, Thomas Ball MIT CSAIL.

Author: Carlos Pacheco, Shuvendu K. Lahiri, Michael D. Ernst, Thomas Ball MIT CSAIL.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)

(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)
Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs David Hovemeyer, Jaime Spacco, and William Pugh Presented by Nathaniel Ayewah CMSC838P.

Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs David Hovemeyer, Jaime Spacco, and William Pugh Presented by Nathaniel Ayewah CMSC838P.
API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.

API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.
Nov 10, Fall 2006IAT 8001 Debugging. Nov 10, Fall 2006IAT 8002 How do I know my program is broken?  Compiler Errors –easy to fix!  Runtime Exceptions.

Nov 10, Fall 2006IAT 8001 Debugging. Nov 10, Fall 2006IAT 8002 How do I know my program is broken?  Compiler Errors –easy to fix!  Runtime Exceptions.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
RubyPolish: Static Bug Detection in Ruby Programs John Locke Alex Mont.

RubyPolish: Static Bug Detection in Ruby Programs John Locke Alex Mont.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
14-Jun-05White Elephant GmbH1 Ada Bug Finder. 14-Jun-05White Elephant GmbH2 Ada Bug Finder The Ada Bug Finder is a Windows application that searches Ada.

14-Jun-05White Elephant GmbH1 Ada Bug Finder. 14-Jun-05White Elephant GmbH2 Ada Bug Finder The Ada Bug Finder is a Windows application that searches Ada.
Precision Going back to constant prop, in what cases would we lose precision?

Precision Going back to constant prop, in what cases would we lose precision?
CSE 6329 Project Team 1 Aliasgar Kagalwala Aditya Mone Derek White Dengfeng (Thomas) Xia.

CSE 6329 Project Team 1 Aliasgar Kagalwala Aditya Mone Derek White Dengfeng (Thomas) Xia.

Similar presentations

Ads by Google