  1. Fugue: Annotations for Protocol Checking
     Reading: The Fugue Protocol Checker: Is Your Software Baroque?
     17-654/17-765 Analysis of Software Artifacts
     Jonathan Aldrich

  2. Find the Bug! (2/22/2005, slide 4)

  3. Find the Bug!

  4. Specifications (1)

  5. Specifications (2)

  6. Specifications (3)

  7. Aliasing Challenges
       a.Open();
       b.Open();
     • Legal only if a != b

  8. Fugue Alias Analysis
     • Annotations
       – NotAliased
         • Field or param is the unique pointer to an object
         • Allows the type system to track state changes
         • Warning (lost track of object) if assigned to an Escaping parameter
       – MayBeAliased
         • May have aliases
         • May not call state-changing functions
         • If not Escaping, error if assigned to a field or passed to an Escaping parameter
       – Escaping
         • A MayBeAliased parameter that may be (transitively) assigned to a field

  9. Fugue Alias Analysis
     • Analysis information
       – Environment env: var → addr
       – Capabilities cap: addr → aliasInfo
       – aliasInfo: one of NotAliased, MayBeAliased, MayBeAliased/Escaping

  10. Example: Alias Analysis
       void f([MayBeAliased][Escaping] x);
       void g([MayBeAliased] x);

       void h([NotAliased] y) {   Environment               Capabilities
                                  y → a                     a → NA
         z = y;                   y → a, z → a              a → NA
         v = new T();             y → a, z → a, v → b       a → NA, b → NA
         g(z);                    y → a, z → a, v → b       a → NA, b → NA    (a still NotAliased)
         f(v);                    y → a, z → a, v → b       a → NA, b → MBA   (Warning: lost track of b)
       }

  11. Flow Functions
      • init
        – initialization based on parameter annotations
      • x = y
        – env[x → env[y]]
      • x = new T()
        – env[x → a], a ∉ domain(cap)
        – cap[a → NotAliased]
      • x = y.f   [slightly simplified rule]
        – env[x → a], a ∉ domain(cap)
        – cap[a → annot(f)]
      • x = f(y)
        – if cap[env[y]] == NotAliased && annot(f_arg) == Escaping:
            warn("lost track of y")
            cap[env[y] → MayBeAliased]?
        – env[x → a], a ∉ domain(cap)
        – cap[a → annot(f_return)]
      • Analysis is underspecified in the paper
        – How to perform joins?
        – How to model MayBeAliased params?
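An added example (not from the slides or the Fugue paper): a toy Python interpreter for the slide 11 flow functions, run over h() from slide 10. The statement tuples, the SIGS and FIELDS tables and the names analyze/example_h are assumptions made for this example.

```python
from itertools import count

NA, MBA, ESC = "NotAliased", "MayBeAliased", "Escaping"

# Constructed signatures for the callees on slide 10: (param annotation, return annotation).
# Both return void, so the return annotation is None.
SIGS = {"f": (ESC, None), "g": (MBA, None)}
# Constructed field annotations for the x = y.f rule (h() loads no fields, so it is empty).
FIELDS = {}

def analyze(params, stmts):
    """params: {var: annotation}; stmts: constructed (kind, ...) tuples.
    Returns (env, cap, warnings) holding the analysis state after the last statement."""
    fresh = (f"a{i}" for i in count())        # symbolic addresses a0, a1, ...
    env, cap, warnings = {}, {}, []
    for v, annot in params.items():           # init: capabilities come from parameter annotations
        a = next(fresh); env[v] = a; cap[a] = annot
    for stmt in stmts:
        kind = stmt[0]
        if kind == "copy":                    # x = y : env[x -> env[y]], no new capability
            _, x, y = stmt
            env[x] = env[y]
        elif kind == "new":                   # x = new T() : fresh address, NotAliased
            _, x = stmt
            a = next(fresh); env[x] = a; cap[a] = NA
        elif kind == "load":                  # x = y.f : fresh address annotated like the field
            _, x, y, f = stmt
            a = next(fresh); env[x] = a; cap[a] = FIELDS[f]
        elif kind == "call":                  # x = f(y)
            _, x, f, y = stmt
            arg_annot, ret_annot = SIGS[f]
            if cap[env[y]] == NA and arg_annot == ESC:
                warnings.append(f"lost track of {y}")
                cap[env[y]] = MBA             # the slide marks this update with a "?"
            if x is not None:
                a = next(fresh); env[x] = a; cap[a] = ret_annot
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return env, cap, warnings

def example_h():
    """The body of h([NotAliased] y) from slide 10, as constructed statement tuples."""
    body = [("copy", "z", "y"), ("new", "v"), ("call", None, "g", "z"), ("call", None, "f", "v")]
    return analyze({"y": NA}, body)

if __name__ == "__main__":
    env, cap, warnings = example_h()
    print(env)       # {'y': 'a0', 'z': 'a0', 'v': 'a1'}
    print(cap)       # {'a0': 'NotAliased', 'a1': 'MayBeAliased'}
    print(warnings)  # ['lost track of v']
```

The g(z) call leaves a0 NotAliased because g's parameter is only MayBeAliased; f(v) passes an Escaping parameter, so the analysis loses track of v's object exactly as the slide 10 table shows.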

  12. Type State Analysis
      • Extended analysis information
      • Environment
        – Symbolic address for references
        – Also stores constants (for constant propagation)
      • Capabilities
        – Aliasing state
        – Symbolic object state
        – Contents of fields (symbolic addresses)

  13. Example: Type State Analysis
        [WithProtocol("raw", "bound", "connected", "down")]
        class Socket {
          ...
          [InState("connected")]
          public int Send(...);
          [Disposes(State.Any)]
          public void Close();
        }

        [WithProtocol("open", "closed")]
        class WebPageFetcher {
          [InState("connected", WhenEnclosingState="open"),
           NotAliased(WhenEnclosingState="open")]
          private Socket socket;
          ...
          [ChangesState("open", "closed")]
          public void Close() {
            Socket sock = this.socket;
            sock.Send(...);
            sock.Close();
          }
        }

      Analysis Information
      • Entry to Close
        – env: this → a0
        – cap: a0 → (WebPageFetcher, NA, "open", ∅)
      • Socket sock = this.socket;
        – env: this → a0, sock → a1
        – cap: a0 → (WebPageFetcher, NA, "open", {socket → a1}),
               a1 → (Socket, NA, "connected", ∅)
      • sock.Send(...);
        – verify: sock in "connected" state (yes)
      • sock.Close();
        – verify: sock in State.Any
        – verify: env[sock] is NotAliased
        – env: this → a0, sock → a1
        – cap: a0 → (WebPageFetcher, NA, "open", {socket → a1})
        – sock and this.socket become dangling
      • Exit of Close
        – verify: env[sock] ∉ cap

  14. Experience
      • Web server application
        – 16,000 lines of code
        – Well tested, deployed
        – Checked DB library usage
      • Errors
        – Disposing command object (17 times)
        – Closing DB connections (9 times)
          • Could cause exhaustion of resources
      • Observations
        – Added states to objects to track initialization
        – Annotated 24 methods and 6 fields
          • 3 more methods used the library only intra-procedurally
        – How would Metal have done?

  15. Fugue vs. Metal, PREfix
      • Fugue
        – Manual annotations
        – Can find inter-procedural errors
        – Tracks aliases for soundness
      • Metal
        – Fully automatic (once protocol specified)
        – Finds only intra-procedural errors
        – Unsound
      • PREfix
        – Fully automatic
        – Finds only language errors
        – Unsound
