improving software quality with static analysis
play

Improving Software Quality with Static Analysis William Pugh - PowerPoint PPT Presentation

Jul 13, 2023 •354 likes •991 views

Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland http://www.cs.umd.edu/~pugh TS-2007 2007 JavaOne SM Conference | Session TS-2007 | You will believe... Static analysis tools can find real bugs

  1. Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland http://www.cs.umd.edu/~pugh TS-2007 2007 JavaOne SM Conference | Session TS-2007 |

  2. You will believe... Static analysis tools can find real bugs and real issues in your code. You can and should effectively incorporate static analysis into your software development process. 2 2007 JavaOne SM Conference | Session TS-2007 |

  3. Agenda Introduction Correctness issues Bad Practice Security defects Demos (FindBugs, Fortify SCA) Integrating static analysis Wrap up 3 2007 JavaOne SM Conference | Session TS-2007 |

  4. About Me • Professor at Univ. of Maryland since 1988, doing research in programming languages, algorithms, software engineering • Technical Lead on JSR-133 (Memory model), JSR- 305 (Annotations for Software Defect Detection) • Founder of the FindBugs ™ project • Open source static analysis tool for defect detection in the Java ™ Programming Language • Technical advisory board of 4 2007 JavaOne SM Conference | Session TS-2007 |

  5. Agenda Introduction Correctness issues Bad Practice Security defects Demos (FindBugs, Fortify SCA) Integrating static analysis Wrap up 5 2007 JavaOne SM Conference | Session TS-2007 |

  6. Static Analysis • Analyzes your program without executing it • Doesn’t depend on having good test cases • or even any test cases • Generally, doesn’t know what your software is supposed to do • Looks for violations of reasonable programming • Shouldn’t throw NPE • Shouldn’t allow SQL injection • Not a replacement for testing • Very good at finding problems on untested paths • But many defects can’t be found with static analysis 6 2007 JavaOne SM Conference | Session TS-2007 |

  7. Common Wisdom about Bugs and Static Analysis • Programmers are smart • Smart people don’t make dumb mistakes • We have good techniques (e.g., unit testing, pair programming, code inspections) for finding bugs early • So, bugs remaining in production code must be subtle, and finding them must require sophisticated static analysis techniques • I tried lint and it sucked: lots of warnings, few real issues 7 2007 JavaOne SM Conference | Session TS-2007 |

  8. Can You Find The Bug? if (listeners == null) listeners.remove(listener); • JDK1.6.0, b105, sun.awt.x11.XMSelection • lines 243-244 8 2007 JavaOne SM Conference | Session TS-2007 |

  9. Why Do Bugs Occur? • Nobody is perfect • Common types of errors: • Misunderstood language features, API methods • Typos (using wrong boolean operator, forgetting parentheses or brackets, etc.) • Misunderstood class or method invariants • Everyone makes syntax errors, but the compiler catches them • What about bugs one step removed from a syntax error? 9 2007 JavaOne SM Conference | Session TS-2007 |

  10. Who Uses Static Analysis? • Lots and lots of projects and companies • Among many others, Glassfish and Google use FindBugs • Many companies are weird about letting you say they use your open source tool • Lots of open source tools: PMD, CheckStyle, etc. • IDEs include some: Eclipse, IntelliJ, Netbeans • Commercial tools available from Fortify Software, KlocWork, Coverity, Parasoft, SureLogic • Static analysis used even more widely/intensely for C/C++ • More bugs to find • Bugs a lot scarier • Free tools not as good 10 2007 JavaOne SM Conference | Session TS-2007 |

  11. FindBugs • I'm mostly going to be talking about FindBugs • I know it best • Some things will be specific to FindBugs • What we classify as a "correctness" issue • Which potential null pointer issues we report • But most of the concepts apply to other tools 11 2007 JavaOne SM Conference | Session TS-2007 |

  12. Bug Categories Selected categories for today's discussion • Correctness - the code seems to be clearly doing something the developer did not intend • Bad practice - the code violates good practice • Security defect • Vulnerability to malicious code • Vulnerability to malicious input • SQL injection, cross site scripting 12 2007 JavaOne SM Conference | Session TS-2007 |

  13. Bug Patterns • Some big, broad and common patterns • Dereferencing a null pointer • An impossible checked cast • Methods whose return value should not be ignored • Lots of small, specific bug patterns, that together find lots of bugs • Every Programming Puzzler • Every chapter in Effective Java • Most postings to http://thedailywtf.com/ 13 2007 JavaOne SM Conference | Session TS-2007 |

  14. Analysis Techniques Whatever you need to find the bugs • Local pattern matching • If you invoke String.toLowerCase() , don’t ignore the return value • Intraprocedural dataflow analysis • Null pointer, type cast errors • Interprocedural method summaries • This method always dereferences its parameter • Context sensitive interprocedural analysis • Interprocedural flow of untrusted data • SQL injection, cross site scripting 14 2007 JavaOne SM Conference | Session TS-2007 |

  15. Categories, ranking, use cases • Every tool has categories, rules/patterns, priorities • You can generally customize what you want to look at • Sometimes, you want to do a code audit of a newly written module with 1,000 lines of code • and sometimes you want to scan 1,000,000 lines of code that has been in production for a year • Different use cases require different tunings, different tools 15 2007 JavaOne SM Conference | Session TS-2007 |

  16. Agenda Introduction Correctness issues Bad Practice Security defects Demos (FindBugs, Fortify SCA) Integrating static analysis Wrap up 16 2007 JavaOne SM Conference | Session TS-2007 |

  17. Correctness issues Stuff you really want to look at • In FindBugs, we reserve the Correctness category for issues we are most confident are wrong • code does something the developer didn’t intend • Many of the other categories reflect correctness issues • But correctness issues are the things we think you should look at when scanning that million line code base • low false positive rate, few low impact bugs 17 2007 JavaOne SM Conference | Session TS-2007 |

  18. Infinite recursive loop ... Students are good bug generators • Student came to office hours, was having trouble with his constructor: /** Construct a WebSpider */ public WebSpider() { WebSpider w = new WebSpider(); } • A second student had the same bug • Wrote a detector, found 3 other students with same bug 18 2007 JavaOne SM Conference | Session TS-2007 |

  19. Double Check Against JDK1.6.0-b13 • Found 5 infinite recursive loops • Including one written by Joshua Bloch public String foundType() { return this.foundType(); } • Smart people make dumb mistakes • 27 across all versions of JDK, 31 in Google’s Java code • Embrace and fix your dumb mistakes 19 2007 JavaOne SM Conference | Session TS-2007 |

  20. Finding Null Pointer Bugs with FindBugs • FindBugs looks for a statement or branch that, if executed, guarantees a null pointer exception • Either a null pointer exception could be thrown, or the program contains a statement/branch that can’t be executed • Could look for exceptions that only occur on a path • e.g., if the condition on line 29 is true and the condition on line 38 is false, then a NPE will be thrown • but would need to worry about whether that path is feasible 20 2007 JavaOne SM Conference | Session TS-2007 |

  21. Null Pointer Bugs Found by FindBugs JDK1.6.0-b105 • 109 statements/branches that, if executed, guarantee NPE • We judge at least 54 of them to be serious bugs that could generate a NPE on valid input • Most of the others were deemed to be unreachable branches or statements, or reachable only with erroneous input • Only one case where the analysis was wrong 21 2007 JavaOne SM Conference | Session TS-2007 |

  22. Examples of null pointer bugs simple ones //com.sun.corba.se.impl.naming.cosnaming.NamingContextImpl if (name != null || name.length > 0) //com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser if (part == null | part.equals("")) // sun.awt.x11.ScrollPanePeer if (g != null) paintScrollBars(g,colors); g.dispose(); 22 2007 JavaOne SM Conference | Session TS-2007 |

  23. Redundant Check For Null Also known as a reverse null dereference error • Checking a value to see if it is null • When it can't possibly be null // java.awt.image.LoopupOp, lines 236-247 public final WritableRaster filter( Raster src, WritableRaster dst) { int dstLength = dst.getNumBands(); // Create a new destination Raster, // if needed if (dst == null) dst = createCompatibleDestRaster(src); 23 2007 JavaOne SM Conference | Session TS-2007 |

  24. Redundant Check For Null Is it a bug or a redundant check? • Check the JavaDoc for the method • Performs a lookup operation on a Raster . • If the destination Raster is null, • a new Raster will be created. • Is this case, a bug • particularly look for those cases where we know it can't be null because there would have been a NPE if it were null 24 2007 JavaOne SM Conference | Session TS-2007 |

Recommend

Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner Hhnle Software Engineering Group Department of Computer Science Technische Universitt Darmstadt http://www.se.tu-darmstadt.de/

239 views • 23 slides
Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker

Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker

Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker Senior Software Engineer, Video Product Line, Tektronix, Inc. Pacific Northwest Software Quality Conference, 2010 In the Beginning, There Was Lint

486 views • 20 slides
Improving the Quality of Software Using Testing and Fault Prediction Professor Iftekhar Ahmed

Improving the Quality of Software Using Testing and Fault Prediction Professor Iftekhar Ahmed

Improving the Quality of Software Using Testing and Fault Prediction Professor Iftekhar Ahmed Department of Informatics https://www.ics.uci.edu/~iftekha/ 1 About me Research focus: Software testing and analysis. 4 years of industry

335 views • 33 slides
Numerical Static Analysis of Embedded Software with Interrupts Liqian Chen National University of

Numerical Static Analysis of Embedded Software with Interrupts Liqian Chen National University of

The 2016 Workshop on Static Analysis of Concurrent Software, Edinburgh, Scotland Numerical Static Analysis of Embedded Software with Interrupts Liqian Chen National University of Defense Technology, Changsha, China 11/09/2016 (Joint work with

604 views • 39 slides
Static and dynamic verification Static and dynamic V&V Software inspections Concerned

Static and dynamic verification Static and dynamic V&V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis Lucas Cordeiro (Formal Methods

1.9k views • 188 slides
Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program Analysis Extracting information, in order to present abstractions of, or answer questions about, a software system Static Analysis: Examines the

754 views • 32 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis (Part II) Lucas Cordeiro (Formal

2.24k views • 169 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides
Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow Analysis Data-flow Analysis Static VS Dynamic Analysis Software Testing Control Con ol Flow ow Gr Graph entry S1 Procedure AVG S1 count =

1.08k views • 104 slides
1 QUALITY CONTROL QUALITY ASSURANCE Controlling the software development process

1 QUALITY CONTROL QUALITY ASSURANCE Controlling the software development process

SOFTWARE ENGINEERING SOFTWARE QUALITY - SOFTWARE QUALITY QUALITY COMPONENTS Today we talk about software process quality and Objective quality component: properties that can certification be measured or approximated objectively

228 views • 7 slides
CS510 Software Engineering Static Program Analysis Asst. Prof. Mathias Payer Department of

CS510 Software Engineering Static Program Analysis Asst. Prof. Mathias Payer Department of

CS510 Software Engineering Static Program Analysis Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Scott A. Carr Slides inspired by Xiangyu Zhang http://nebelwelt.net/teaching/15-CS510-SE Spring 2015 Static

586 views • 24 slides
Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Prevention: Program Analysis Any automated analysis at compile or dynamic time to find potential bugs

798 views • 61 slides
Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview TDDC90: Software Security Syntactic Analysis Ahmed Rezine Abstract Interpretation IDA, Linkpings Universitet Hsttermin 2014 Static Program

75 views • 7 slides
Software Quality & Software Quality Assurance p. 1 Software Quality A definition of

Software Quality & Software Quality Assurance p. 1 Software Quality A definition of

Software Quality & Software Quality Assurance p. 1 Software Quality A definition of quality should emphasize three important points: 1. Software requirements are the foundation from which quality is measured. Lack of conformance to

326 views • 13 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 QUALITY ASSURANCE - PROCESS QUALITY METRICS PREREQUISITES Top management commitment

1 QUALITY ASSURANCE - PROCESS QUALITY METRICS PREREQUISITES Top management commitment

SOFTWARE ENGINEERING SOFTWARE QUALITY - SOFTWARE QUALITY QUALITY COMPONENTS Today we talk about software process quality and Objective quality component: properties that can certification be measured or approximated objectively

237 views • 5 slides
Using Invariant Analysis for Improving Instrumentation-based Performance Evaluation of

Using Invariant Analysis for Improving Instrumentation-based Performance Evaluation of

Using Invariant Analysis for Improving Instrumentation-based Performance Evaluation of SPECjvm2008 Benchmarks Michael Kuperberg, Martin Krogmann, Ralf Reussner Karlsruhe Institute of Technology SOFTWARE DESIGN AND QUALITY GROUP INSTITUTE FOR

591 views • 16 slides
Software Verification for Space Applications Part 1. Static Analysis Guillaume Brat USRA/RIACS

Software Verification for Space Applications Part 1. Static Analysis Guillaume Brat USRA/RIACS

Software Verification for Space Applications Part 1. Static Analysis Guillaume Brat USRA/RIACS Software blowup 10000 Lines of Code (Thousands) 1700 1000 430 160 100 32 8 10 3 1 Voyager Galileo Cassini MPF Shuttle ISS (1977)

495 views • 49 slides
Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1 Optimization And Analysis Improving efficiency of generated code Correctness: optimized code must preserve meaning of the original program

467 views • 31 slides

More recommend