Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Software Analysis CS 6340. Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc.

Published byMaurice Turner Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to Software Analysis CS 6340. Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc."— Presentation transcript:

1 Introduction to Software Analysis CS 6340

2 Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc. Become a better software developer/tester Build specialized tools for software diagnosis and testing For the war stories

3 The Ariane Rocket Disaster (1996)

4 Post Mortem Caused due to numeric overflow error – Attempt to fit 64-bit format data in 16-bit space Cost – $100M’s for loss of mission – Multi-year setback to the Ariane program Read more at http://www.around.com/ariane.html http://www.around.com/ariane.html

5 Mars Polar Lander (1999)

6 Post Mortem A units problem – Caller expected values in inches/feet – Callee assumed values in meters – Essentially, a type error Total loss of $100M mission Read more at https://en.wikipedia.org/wiki/Mars_Polar_Lander https://en.wikipedia.org/wiki/Mars_Polar_Lander

7 East Coast USA

8 East Coast USA: 2003 Blackout

9 Post Mortem Local failure rapidly cascaded through grid Cause: unnoticed crash of automated alarm system due to race condition 10M’s of people affected Read more at https://en.wikipedia.org/wiki/Northeast_blackout_of_2003 https://en.wikipedia.org/wiki/Northeast_blackout_of_2003

10 Security Vulnerabilities Exploits of errors in programs Widespread problem – Moonlight Maze (1998) – Code Red (2001) – Titan Rain (2003) – Stuxnet Worm Getting worse … 2011 Mobile Threat Report (Lookout™ Mobile Security) 0.5-1 million Android users affected by malware in first half of 2011 3 out of 10 Android owners likely to face web-based threat each year Attackers using increasingly sophisticated ways to steal data and money

11 What is Program Analysis? Body of work to discover useful facts about programs Broadly classified into three kinds: – Dynamic (execution-time) – Static (compile-time) – Hybrid (combines dynamic and static)

12 Dynamic Program Analysis Infer facts of program by monitoring its runs Examples: Array bound checking Purify Datarace detection Eraser Memory leak detection Valgrind Finding likely invariants Daikon

13 Static Analysis Infer facts of the program by inspecting its source (or binary) code Examples: Suspicious error patterns Lint, FindBugs, Coverity Checking API usage rules Microsoft SLAM Memory leak detection Facebook Infer Verifying invariants ESC/Java

14 QUIZ: Program Invariants An invariant at the end of the program is (z == c) for some constant c. What is c? int p(int x) { return x * x; } void main() { int z; if (getc() == ‘a’) z = p(6) + 6; else z = p(-7) – 7; } z = ?

15 QUIZ: Program Invariants An invariant at the end of the program is (z == c) for some constant c. What is c? int p(int x) { return x * x; } void main() { int z; if (getc() == ‘a’) z = p(6) + 6; else z = p(-7) – 7; if (z != 42) disaster(); } z = 42 Disaster averted!

16 Discovering Invariants By Dynamic Analysis (z == 42) might be an invariant (z == 30) is definitely not an invariant int p(int x) { return x * x; } void main() { int z; if (getc() == ‘a’) z = p(6) + 6; else z = p(-7) – 7; if (z != 42) disaster(); } z = 42

17 Discovering Invariants By Static Analysis is definitely (z == 42) might be an invariant (z == 30) is definitely not an invariant int p(int x) { return x * x; } void main() { int z; if (getc() == ‘a’) z = p(6) + 6; else z = p(-7) – 7; if (z != 42) disaster(); } z = 42

18 Terminology Control-flow graph Abstract vs. concrete states Termination Completeness Soundness

19 Example Static Analysis Problem Find variables that have a constant value at a given program point void main() { z = 3; while (true) { if (x == 1) y = 7; else y = z + 4; assert (y == 7); } }

20 Iterative Approximation z =3 while (x > 0) if (x == 1) y =7y = z + 4 assert (y == 7) [x=?, y=?, z=?] [x=?, y=?, z=3] [x=1, y=?, z=3] [x=1, y=7, z=3] [x=?, y=7, z=3] [x=?, y=?, z=3] true false true false

21 QUIZ: Iterative Approximation false Fill in the value of variable b that the analysis infers at: 1) the loop header 2) entry of loop body 3) exit of loop body Enter “?” if a definite value cannot be inferred. 1) 2) 3) b = 1 while (true) b = b + 1 [b=?] true

22 QUIZ: Iterative Approximation b = 1 while (true) b = b + 1 false Fill in the value of variable b that the analysis infers at: 1) the loop header 2) entry of loop body 3) exit of loop body Enter “?” if a definite value cannot be inferred. [b=?] 1) 2) 3) [b=1] [b=?] [b=1] [b=?] [b=2] true

23 QUIZ: Dynamic vs. Static Analysis DynamicStatic Cost Effectiveness Match each box with its corresponding feature. A. Unsound (may miss errors) D. Incomplete (may report spurious errors) B. Proportional to program’s execution time C. Proportional to program’s size

24 DynamicStatic Cost Effectiveness QUIZ: Dynamic vs. Static Analysis Match each box with its corresponding feature. B. Proportional to program’s execution time C. Proportional to program’s size A. Unsound (may miss errors) D. Incomplete (may report spurious errors)

25 Undecidability of Program Properties Can program analysis be sound and complete? – Not if we want it to terminate! Questions like “is a program point reachable on some input?” are undecidable Designing a program analysis is an art – Tradeoffs dictated by consumer

26 Who Needs Program Analysis? Three primary consumers of program analysis: Compilers Software Quality Tools Integrated Development Environments (IDEs)

27 Compilers Bridge between high-level languages and architectures Use program analysis to generate efficient code z = 42 int p(int x) { return x * x; } void main(int arg) { int z; if (arg != 0) z = p(6) + 6; else z = p(-7) - 7; print (z); } int p(int x) { return x * x; } void main() { print (42); } Runs faster More energy-efficient Smaller in size

28 Software Quality Tools Primary focus of this course Tools for testing, debugging, and verification Use program analysis for: – Finding programming errors – Proving program invariants – Generating test cases – Localizing causes of errors –…–… int p(int x) { return x * x; } void main() { int z; if (getc() == ‘a’) z = p(6) + 6; else z = p(-7) – 7; if (z != 42) disaster(); } z = 42

29 Integrated Development Environments Examples: Eclipse and Microsoft Visual Studio Use program analysis to help programmers: – Understand programs – Refactor programs Restructuring a program without changing its behavior Useful in dealing with large, complex programs

30 What Have We Learned? What is program analysis? Dynamic vs. static analysis: pros and cons Program invariants Iterative approximation method for static analysis Undecidability => program analysis cannot ensure termination + soundness + completeness Who needs program analysis?

Download ppt "Introduction to Software Analysis CS 6340. Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages

CS 355 – Programming Languages
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
Recursion. Binary search example postponed to end of lecture.

Recursion. Binary search example postponed to end of lecture.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
Dynamically Discovering Likely Program Invariants to Support Program Evolution Michael D. Ernst, Jake Cockrell, William G. Griswold, David Notkin Presented.

Dynamically Discovering Likely Program Invariants to Support Program Evolution Michael D. Ernst, Jake Cockrell, William G. Griswold, David Notkin Presented.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
1 Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Describing Syntax and Semantics

Describing Syntax and Semantics

Similar presentations

Ads by Google