crash testing and coverity the numbers
play

Crash Testing and Coverity The Numbers Caoln McNamara, Red Hat - PowerPoint PPT Presentation

Jan 04, 2024 •488 likes •763 views

Crash Testing and Coverity The Numbers Caoln McNamara, Red Hat 2015-09-25 1 Caoln McNamara Coverity Examples Defect Density Trends Crash Testing Process Trends 2/26 Caoln McNamara Examples 3 Caoln

  1. Crash Testing and Coverity The Numbers Caolán McNamara, Red Hat 2015-09-25 1 Caolán McNamara

  2. ● Coverity ● Examples ● Defect Density ● Trends ● Crash Testing ● Process ● Trends 2/26 Caolán McNamara

  3. Examples 3 Caolán McNamara

  4. CID#707771 UNINIT_CTOR

  5. CID#1209362 DEADCODE Copy and Paste from previous ImplGetUndefinedAsciiMultiByte without corresponding change of UNDEFINED_MASK to INVALID_MASK

  6. CID#983942 UNCAUGHT_EXCEPT That doesn't actually specify what it throws

  7. CID#1158113 FORWARD_NULL Somebody got confused on checking the result of dynamic_cast

  8. CID#704127 CONSTANT_EXPRESSION_RESULT typo, should be 0x0020 not 0x002, wrong for 14 years

  9. Defect Density Last Years density at conference time was 0.08 9/26 Caolán McNamara

  10. Defects over time Here, “ignored” third party module warnings are counted. 10/26 Caolán McNamara

  11. Process integration ● Now run about twice a week ● Those are the nums of slots coverity makes available to a project of this size ● Typically back to back ● One to collect warnings ● One after warnings fixed ● Results now mailed to the list ● Takes about 4-6 hours to build ● Takes about 12+ hours to analyze server-side 11/26 Caolán McNamara

  12. Crash Testing 12 Caolán McNamara

  13. What it does ● Loads a bunch of documents ● 118 different columns for formats in output ● Some are now sort of pointless, e.g. staroffice binary format ● See if anything crashes or triggers an assert ● Saves a bunch of documents ● Exports to 12 different formats from all the compatible import formats ● Export to doc, docx, odb, odg, odp, ods, odt, ppt, pptx, rtf, xls, xlsx 13/26 Caolán McNamara

  14. Process integration ● Typically run once or two a week ● Takes about two days to complete ● Approx 80,000 documents in the document horde ● Mostly populated from get-bugzilla-by-mimetype ● + cloudon test documents ● + w3c svg test documents ● + various interesting documents that have caused trouble for some app or other in the past 14/26 Caolán McNamara

  15. Horde Updating ● Typically fairly rarely ● Full update takes about 12/13 hours ● Downloads are cached, so only new documents are updated ● Bugzilla is trusted wrt the mime-type ● Lots of miscategorized stuff ● Doesn't really matter, rtfs pretending to be docs, etc ● Just made doc import filter look a little worse than it was 15/26 Caolán McNamara

  16. Import Failure Trends Import Crashes 450 400 350 300 250 failures 200 150 100 50 0 build Build 1 is 31 Oct 2013, final build was 16 Sep 2015 16/26 Caolán McNamara

  17. Export Failure Trends Export Failures 4000 3500 3000 2500 2000 failures 1500 1000 500 0 build Build 1 is 31 Oct 2013, final build was 16 Sep 2015 17/26 Caolán McNamara

  18. Triple 0 week ● 20 – 27 August 2015 ● 0 coverity warnings ● 0 import failures ● 0 export failures Then everyone came back from their Summer holidays 18/26 Caolán McNamara

  19. This week ● 4 (fixed) coverity warnings, pending next build ● 0 import failures ● 4 export asserts (2 unique asserts) ● Fairly typical 19/26 Caolán McNamara

  20. Taking the battle onwards 20 Caolán McNamara

  21. Generating troublesome documents ● Fuzzing ● Played with CERT bff for a while, some small results ● American Fuzzy Lop is much more fun ● Build with afl-clang/afl-clang++ ● “coverage-assisted fuzz testing tool” ● Generates new documents that trigger new internal states in the target ● Got to love the UI 21/26 Caolán McNamara

  22. Screen Shot 22/26 Caolán McNamara

  23. Speed #1 ● Crucial thing is to be able to cycle fast ● under 100 execs a second is super cruddy ● soffice.bin is ponderous to startup ● 0.18 executions a second for pngs ● Configuration loading and parsing is expensive ● Custom no ui, no config, application ● After much hacking ● 40 executions a second for pngs ● Approximately 200 times faster 23/26 Caolán McNamara

  24. Speed #2 ● “Persistent mode” ● Don't exit after each document ● Just loop over the same document again and again ● SIGSTOP to afl controller to signal ready again ● Build with afl-clang-fast/afl-clang-fast++ ● Makes something of a difference ● 3000-4000 executions per second with custom loader ● So that's approx 20,000 faster 24/26 Caolán McNamara

  25. Process/Results to date ● Between stock crash testing runs afl runs ● 64 core box ● Currently 20+ instances running for the last month or so ● Mostly on a different file format, can run multiple for a single file format ● Crashes rare ● Rich source of hangs ● Using afl-cmin minimized corpus of crash testing as input 25/26 Caolán McNamara

  26. Thanks for your time 26/26 Caolán McNamara

Recommend

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity Oss-Fuzz Overview Continuous Fuzzing of our import filters Thanks to Google we get to use their infrastructure and resources

542 views • 26 slides
ALICE experience using Coverity ALICE experience using Coverity Federico Carminati, Peter

ALICE experience using Coverity ALICE experience using Coverity Federico Carminati, Peter

ALICE experience using Coverity ALICE experience using Coverity Federico Carminati, Peter Hristov, Axel Naumann and Olga Datskova (CERN) presented by Olga Datskova (CERN, ALICE Offline) Ferrara, 04/07/2011 1 AliRoot framework AliRoot

377 views • 18 slides
CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

Datalog CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs Static Analysis Tools Black-box Testing/Fuzzing 2 Coverity: a Static Analysis Company 3 Bug Report From Coverity Actual bug Path

701 views • 59 slides
BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS

BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS

BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS Pre-roll, Outstream, Video Production, OTT, Social Video Display, Audience Extension, Mobile Precise, Programmatic, Retargeting, Social, Native SEM,

476 views • 31 slides
Field Testing, Marketing, and Crash Analyses of Mini-roundabouts W E I ZH AN G F H W A O F F I

Field Testing, Marketing, and Crash Analyses of Mini-roundabouts W E I ZH AN G F H W A O F F I

Field Testing, Marketing, and Crash Analyses of Mini-roundabouts W E I ZH AN G F H W A O F F I C E O F S A F E T Y R &D 2 0 2 - 4 9 3 - 3 3 17 W E I . Z H A N G @ D O T . G O V FHWA Safety R&D Intersection Program Field

646 views • 36 slides
WHEELCHAIR CRASH TESTING Making Sense of the Standards. Sunrise Medical Education Department

WHEELCHAIR CRASH TESTING Making Sense of the Standards. Sunrise Medical Education Department

WHEELCHAIR CRASH TESTING Making Sense of the Standards. Sunrise Medical Education Department amy.bjornson@sunmed.com Amy Bjornson, Physio, PT, ATP, SMS FUNDAMENTALS The vehicle seat offers the highest level of safety as it is secured to the

605 views • 34 slides
Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram Crashes I crashed This is very File saved! important File missing Image

878 views • 87 slides
Static Analysis of Your OSS Project with Coverity LinuxCon EU 2015 Stefan Schmidt Samsung Open

Static Analysis of Your OSS Project with Coverity LinuxCon EU 2015 Stefan Schmidt Samsung Open

Static Analysis of Your OSS Project with Coverity LinuxCon EU 2015 Stefan Schmidt Samsung Open Source Group stefan@osg.samsung.com Samsung Open Source Group 1 Agenda Introduction Survey of Available Analysers Coverity Scan

455 views • 41 slides
Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared 6/3/2020 1- Crash Identification Block The month, day and hour should be when the crash occurred Not when reported Not when you arrived 2- General

561 views • 15 slides
Evolutionary Testing for Crash Reproduction Mozhan Soltani Annibale Panichella Arie van Deursen

Evolutionary Testing for Crash Reproduction Mozhan Soltani Annibale Panichella Arie van Deursen

Evolutionary Testing for Crash Reproduction Mozhan Soltani Annibale Panichella Arie van Deursen Bugs are everywhere Cost of Bug Fixings Major Bug for Apache Commons Collections https://issues.apache.org/jira/browse/COLLECTIONS-70 Cost

653 views • 37 slides
SENTINEL TESTING, RESULTS TO DATE TOTAL NUMBERS: Inmates have been tested at the Butte

SENTINEL TESTING, RESULTS TO DATE TOTAL NUMBERS: Inmates have been tested at the Butte

MONTANA DEPARTMENT OF CORRECTIONS + COVID-19 RESPONSE UPDATE LAW AND JUSTICE INTERIM COMMITTEE JUNE 30, 2020 + COVID-19 SENTINEL TESTING AT DOC FACILITIES + COVID-19 SENTINEL TESTING MAY 21, 2020 DOC started sentinel testing of

511 views • 12 slides
PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location System Website Address: http://pueblo.ms2soft.com Quick Search By: Study Location Location Crash Data Crash ID Date Crash Type LOG

555 views • 31 slides
My code doesnt crash why should I still use Valgrind? Tyson Whitehead April 16, 2014

My code doesnt crash why should I still use Valgrind? Tyson Whitehead April 16, 2014

My code doesnt crash why should I still use Valgrind? Tyson Whitehead April 16, 2014 Notes Modern digital computers are binary systems. frequently numbers are powers of two 1000 multiple is usually 1024 instead will not

244 views • 6 slides
2009: Historic Truck Crash Declines September 29, 2010 Ralph Craft, Ph.D. Analysis Division

2009: Historic Truck Crash Declines September 29, 2010 Ralph Craft, Ph.D. Analysis Division

2009: Historic Truck Crash Declines September 29, 2010 Ralph Craft, Ph.D. Analysis Division Fatal Large Truck Numbers, 2008 to 2009 Three levels of crash data: Fatalities: Down 20% (4,245 to 3,380) Large Trucks: Down 21% (4,089 to

522 views • 25 slides
TESTING CHEBYSHEVS BIAS FOR PRIME NUMBERS UP TO 10 15 Andrey Sergeevich SHCHEBETOV

TESTING CHEBYSHEVS BIAS FOR PRIME NUMBERS UP TO 10 15 Andrey Sergeevich SHCHEBETOV

1 TESTING CHEBYSHEVS BIAS FOR PRIME NUMBERS UP TO 10 15 Andrey Sergeevich SHCHEBETOV Lomonosovskaya School & MIEM HSE Moscow, Russia Presentation for the 30th European Union Contest for Young Scientists EUCYS 2018 Dublin, Ireland

674 views • 30 slides
How not to generate random numbers Nadia Heninger University of Pennsylvania June 15, 2018 A

How not to generate random numbers Nadia Heninger University of Pennsylvania June 15, 2018 A

How not to generate random numbers Nadia Heninger University of Pennsylvania June 15, 2018 A crash course in cryptographic protocols AES k ( m ) A crash course in cryptographic protocols g a g b AES k ( m ) k = KDF( g ab ) k = KDF( g ab ) A

845 views • 71 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides
A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure RNA DNA Replication Encoding Proteins Protein Folding Types of DNA Manipulating DNA PCR Biological Computation CPSC

378 views • 36 slides
Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

@amchamwatch| @HofstedeInsight @RudPedersenFIN Country Manager Network Breakfast: Crash Course into the New Finnish Government and HQ Communication Crash Course into the New Finnish Government and HQ Communication Esa Suominen Managing

262 views • 25 slides
CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain Landscape Architecture & Regional and Community Planning Kansas State University DLA Conference 2015 June 6, 2015 BACKGROUND AND CONTEXT

702 views • 31 slides
Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N. McDonough Archivist and Library Manager at the Kettering Foundation Owned by one cat Crash and Burn One fails toward success.

434 views • 7 slides
Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What code paths were executed What parts of the execution interacted with external data Input Determination Which input bytes influence the crash

583 views • 45 slides
Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants

Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants

Entrepreneurship Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants to become your own boss, set your own schedule, work from anywhere in the world, make a lot of money, love what you do, AND

1.06k views • 79 slides

More recommend