Presentation is loading. Please wait.

Presentation is loading. Please wait.

Generating Analyses for Detecting Faults in Path Segments Wei Le* and Mary Lou Soffa University of Virginia *currently with Rochester Institute of Technology.

Published byAshley Simpson Modified over 9 years ago

Similar presentations

Presentation on theme: "Generating Analyses for Detecting Faults in Path Segments Wei Le* and Mary Lou Soffa University of Virginia *currently with Rochester Institute of Technology."— Presentation transcript:

1 Generating Analyses for Detecting Faults in Path Segments Wei Le* and Mary Lou Soffa University of Virginia *currently with Rochester Institute of Technology

2 2 Motivation Static analysis: an integral part of fault detection –High code coverage –No executables required –Find faults early, so cheaper to fix

3 3 Challenges of Current Static Analysis Precision many false positives and little support for diagnosis Scalability manual annotations sometimes required Generality hardcode heuristics, new tools for different types of faults Important to achieve all three

4 4 Precision: Path-Sensitive Analyses Heuristics based: ESP [das02] (based on an assumption of typestate fault) Summary based: Saturn [xie07] (lack of interprocedual path-sensitivity) Partially exploring the state space: Prefix [bush00] exhaustive analysis based on the structure of a program

5 Framework: Athena Automatically generate analyses from specifications: precise: low false positives and rich diagnostic info interprocedural path-sensitive analysis reports path-segments of a fault scalable: only covers code relevant to the fault demand-driven analysis general: data- and control-centric, liveness and safety a specification technique and a generation algorithm 5

6 6 Faults Commonality of the faults - Generality –The violations are always observable at certain statements –We are able to construct constraints to express violations Locality of a fault - Scalability –Only the segments along the paths that are relevant to the fault –Only a limited number of statements on the paths that contribute to the fault –Fault locality holds for a variety of the faults

7 Path-Sensitive Demand-Driven Template Specification Language Parser Analyzer Generator Precision and Scalability of the Analyses Generate Analyses Athena: Components Specification Repository

8 Syntax treesCode modules Athena: Workflow Demand-Driven Template Parser Analyzer Generator Spec Analyzer for the Spec Path Classification Path Segment Infeasible Safe Faulty (severity, root cause) Don’t-know Program Generated Analysis Step 1: Specifying Faults Step 2: Generating Analysis Step 3: Analyzing programs with Generated Analysis 8 Definition of a Fault Information for Detecting the Fault

9 Path-Sensitive Demand-Driven Template Specification Language Parser Analyzer Generator Precision and Scalability of the Analyses Generate Analyses Components I: Specification and Language Specification Repository Spec: Language: attributes and operators on attributes Attributes – abstractions on program objects, e.g. len(s) Operators – comparison (>,<), computation (+, -), command (:=)

10 Grammar of the Language Specification→ Vars VarList DefineFault FaultSigList DetectFault DetectSigList VarList → Var* Var → VarType namelist; VarType → Vbuffer|Vint|Vany|Vptr|... FaultSigList → FaultSigItem * DetectSigList → DetectSigItem * |# include FaultSigItem → CodeSignature ProgramPoint S-Constraint Condition| CodeSignature ProgramPoint L-Constraint Condition DetectSigItem → CodeSignature ProgramPoint Update Action ProgramPoint → $LangSyntax$|Condition|$LangSyntax$&&Condition Condition → Attribute Comparator Attribute|!Condition|[Condition]| Condition&&Condition|Condition || Condition Action → Attribute:=Attribute| ^ Condition|[Action]|Action&&Action|Action || Action|Condition → Action Attribute → PrimitiveAttribute(var,...)|Constant|!Attribute| ¬ Attribute|[Attribute]| Attribute ° Attribute|Attribute Op Attribute|min(Attribute,Attribute)|[Attribute,Attribute] PrimitiveAttribute → Size|Len|Value|MatchOperand|TMax|TMin|... Constant → 0|true|false|... Comparator → = |  | > | < |  |  |  |  Op → +| − | * |  | 

11 Grammar of the Language Specification→ Vars VarList DefineFault FaultSigList DetectFault DetectSigList VarList → Var* Var → VarType namelist; VarType → Vbuffer|Vint|Vany|Vptr|... FaultSigList → FaultSigItem * DetectSigList → DetectSigItem * |# include FaultSigItem → CodeSignature ProgramPoint S-Constraint Condition| CodeSignature ProgramPoint L-Constraint Condition DetectSigItem → CodeSignature ProgramPoint Update Action ProgramPoint → $LangSyntax$| Condition|$LangSyntax$&&Condition Condition → Attribute Comparator Attribute |!Condition|[Condition]| Condition&&Condition|Condition || Condition Action → Attribute:=Attribute| ^ Condition |[Action]|Action&&Action|Action || Action|Condition → Action Attribute → PrimitiveAttribute(var,...)| Constant|!Attribute| ¬ Attribute|[Attribute]| Attribute ° Attribute|Attribute Op Attribute|min(Attribute,Attribute)|[Attribute,Attribute] PrimitiveAttribute → Size|Len|Value|MatchOperand|TMax|TMin|... Constant → 0|true|false|... Comparator → = |  | > | < |  |  |  |  Operators → +| − | * |  | 

12 12 DetectFaultCodeSignature Update $strcpy(a,b)$ Len(a):=Len(b) orCodeSignature Update $d=strlen(b)$ Value(d):=Len(b) Specification Buffer Overflow Specification VarsVbuffer a, b; Vint d; Vany e; DefineFaultCodeSignature$strcpy(a,b)$ S_Constraint Len(b)  Size(a) orCodeSignature$memcpy(a,b,d)$ S_Constraint Min(Len(b),Value(a)  Size(a)

13 Specification Language Precision and Scalability of the Analyses Generate Analyses Component II: Demand-Driven Template Specification Repository Parser Analyzer Generator Path-Sensitive Demand-Driven Template Formulate fault detection problems into queries about program facts, e.g., variable relations Scalable: Buffer overflow detection [le08]

14 14 Safe x[10] = ‘0’ bar() s = (char*)malloc(80) strlen(t) < 8 strcpy(s,t)strcat(x,t) size(s)>= len(t) size(s)>= len(t) len(t) < 8 yesno 80/8>=len(t) len(t)<8 : safe size(s)>= len(t) len(t) < 8 Query Resolution 1 2 3 4 56 buffer overflowbuffer accesssize(buf) >= len(str) Demand-Driven Template Program no yes Raise Queries Propagate Queries Update Queries Evaluate Queries

15 Program no yes Raise Queries Propagate Queries Update Queries Evaluate Queries Demand-Driven Template Rules for Propagating Query  Interprocedural, path-sensitive, context-sensitive  Branch, loop, call, infeasible path Evaluating Queries (integer constraints)  Algebra rules, inequalities  Integer constraint solver

16 Path-Sensitive Demand-Driven Template Specification Language Precision and Scalability of the Analyses Generate Analyses Components III: Parser and Code Generator Specification Repository Parser Analyzer Generator

17 CodeSignature$strcpy(a,b)$ S_Constraint Len(b)  Size(a) 17 CodeSignature: GetOp(s) = strcpy S_Constraint: Size(Src 1 (s))  Len(Src 2 (s)) = GetOpstrcpy Size º  º LenSrc 1 CodeSignature, S_Constraint AB Src 2 Parsing Specification (YACC) Leaf: attribute Non-leaf: Operator

18 18 Construct a function that implements the semantics of the tree based on the semantics of operators bool IsStrcpy(statement t){ if (GetOp(t)==“strcpy”) return true; else return false; } Create the instance of the call IsStrcpy(n) Find the function that implements the semantics of leaf attributes int GetOp (statement t) { C_Syntax(t); return t.opcode; } Code Generation = GetOpstrcpy Code Signature

19 19 Generating Analysis no Demand-Driven Template Raise Queries Propagate Queries Update Queries Evaluate Queries yes Code Module Generated if(isnode(s)) q= raiseQ(s) if(isnode(s)) updateQ(q) CodeSignature$strcpy(a,b)$ S_Constraint Len(b)  Size(a) CodeSignature Update $strcpy(a,b)$ Len(a):=Len(b) if(isnode(s)) q= raiseQ(s) if(isnode(s)) updateQ(q) Syntax treesCode modules Demand-Driven Template Parser Analyzer Generator Spec Analyzer for the Spec

20 20 Experimental Setup Athena ( analyze C/C++/C# ) – Y ACC, Phoenix and Disolver Research QuestionsExperimentsBenchmarksEvaluation Metrics Can we generate analyses for detecting different faults? buffer overflow integer fault null-pointer deref memory leak bugbench ffmpeg putty apache detection rate false positives false negatives diagnostic info scalability Comparable with manually customized detectors? memory leak detectors Saturn SPEC CPU- INT 2000

21 Detection: 84 faults of four types from 9 benchmarks, 68 new False positive/negative: 18 false positives, missed 3 Path segments: generally relevant to 1-4 procedures; maximum 35 procedures Scalability: apache (268.9 k) – 4 hours and ffmpeg (48.1 k) – 2.3 hours 21 Can We Generate Analyses for Different Faults? New faults: many located along the same paths; dynamic tools would halt Main source of imprecision: infeasible paths and pointers Locality helped achieve the scalability; without guidance, manual inspection is hard Code complexity matters; Generality does compromise scalability, but still scalable

22 22 Comparable with Manually Customized Detectors? Heuristics designed for suppressing false positives may adversely hurt detection rate LeakFP Athena536 NoPaths [Orlovich06] 329 ValueGraph [Jeffery07] 386 Null-pFPFinish Athena939/12 Saturn [xie07] 7445/12 Lack interprocedural path- sensitivity Heuristics of applying consistency rules

23 23 Related Work Static fault detection: type based, model checking, data flow analysis Path-sensitive fault detection: Prefix, Metal, ESP, Archer, Saturn, Calysto – exhaustive based static analysis Athena is demand-driven, more precise, scalable and general Slicing and other demand-driven analyses Athena first uses it for computing path segments of faults

24 24 Conclusions Athena - generates demand-driven, path-based, symbolic analysis for detecting specified faults: Faults are developed along paths, but manifest locality, thus demand- driven, path-based analysis is more precise and scalable Specification provides a way of mapping fault detection problems to constraints on program objects at the program points To specify different faults, the required attributes are limited, and the expression power comes from the composition of the attributes

25 Thank you and Questions?

26 26 i <10 strcpy(p,t) p[10] scanf(%s, t) yes 1 2 3 i = strlen(t) Value(i) < 10 Len(t) < 10 Feasible Size(p)  Len(t) Len(t)<10 Size(p)  Len(t) Len(t)<10  IsEntry(t) Size(p)  Len(t) Fault DetectionBranch Analysis 4 Len(t)<10  IsEntry(t) 10  Len(t) [Safe] 5

Download ppt "Generating Analyses for Detecting Faults in Path Segments Wei Le* and Mary Lou Soffa University of Virginia *currently with Rochester Institute of Technology."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
CS7100 (Prasad)L16-7AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.

CS7100 (Prasad)L16-7AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Program Slicing Mark Weiser and Precise Dynamic Slicing Algorithms Xiangyu Zhang, Rajiv Gupta & Youtao Zhang Presented by Harini Ramaprasad.

Program Slicing Mark Weiser and Precise Dynamic Slicing Algorithms Xiangyu Zhang, Rajiv Gupta & Youtao Zhang Presented by Harini Ramaprasad.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Kai Pan, Xintao Wu University of North Carolina at Charlotte Generating Program Inputs for Database Application Testing Tao Xie North Carolina State University.

Kai Pan, Xintao Wu University of North Carolina at Charlotte Generating Program Inputs for Database Application Testing Tao Xie North Carolina State University.
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
Some Improvements for More Precise Model Checking Zhi Zhang State Key Laboratory for Novel Software Technology Nanjing University, China.

Some Improvements for More Precise Model Checking Zhi Zhang State Key Laboratory for Novel Software Technology Nanjing University, China.
Compiler Principle and Technology Prof. Dongming LU Mar. 28th, 2014.

Compiler Principle and Technology Prof. Dongming LU Mar. 28th, 2014.
1 Marple: A Demand-Driven Path- Sensitive Buffer Overflow Detector Wei Le and Mary Lou Soffa University of Virginia.

1 Marple: A Demand-Driven Path- Sensitive Buffer Overflow Detector Wei Le and Mary Lou Soffa University of Virginia.
1 Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis Wei Le and Mary Lou Soffa University of Virginia sotesty.cs.virginia.edu.

1 Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis Wei Le and Mary Lou Soffa University of Virginia sotesty.cs.virginia.edu.
1 Static Testing: defect prevention SIM3302. 2 objectives Able to list various type of structured group examinations (manual checking) Able to statically.

1 Static Testing: defect prevention SIM objectives Able to list various type of structured group examinations (manual checking) Able to statically.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.

Similar presentations

Ads by Google