bug driven bug finding
play

Bug Driven Bug Finding Chadd C. Williams Jeffrey K. Hollingsworth - PowerPoint PPT Presentation

Oct 06, 2022 •14 likes •294 views

Bug Driven Bug Finding Chadd C. Williams Jeffrey K. Hollingsworth University of Maryland Overview Review historical data to choose a static bug checker to apply manual inspection to gather background data identify common types of

  1. Bug Driven Bug Finding Chadd C. Williams Jeffrey K. Hollingsworth University of Maryland

  2. Overview � Review historical data to choose a static bug checker to apply – manual inspection to gather background data – identify common types of bugs being fixed – Bug report database – CVS commit messages � Mine historical data to refine the results of a static bug checker – automatic data gathering – reduce false positive warnings – provide ranking of warnings – CVS commits University of Maryland

  3. Background � Statically checking source code has been very effective – finds complex errors – test suite is not needed � Which checkers to run? – there are lots of possible static checkers – what kinds of bugs are really out there? � False positive warnings are a challenge for static checkers – can we rank the warnings better? – too many make a tool unusable University of Maryland

  4. Bug Database � Inspect fixed bugs – manual inspection to gain understanding – review bug discussions – tie fixed bug to source code change – classify the type of the bug – look for bugs that can be found statically Users Developers Bug Database University of Maryland

  5. Bug Database: Practical Experience � We inspected the Apache httpd bug database – inspected 200 bug reports marked as fixed – bug reports include a discussion of the problem – not as helpful as we expected � Only 24% easily tied directly to a software change – rarely is a diff or a CVS revision noted � Most bugs were logic errors – verification errors – system specific errors – also includes feature requests University of Maryland

  6. Bug Database Bug Types NULL pointer check Return Value check Logic Errors/Feature Request Uninitialized Variable Errors Error Branch Confusion External Bugs (OS or other software failed) System specific pattern � Most classified bugs are logic errors University of Maryland

  7. Bug Database: Practical Experience � Most bug reports came from outside the project – 197 out of 200 – does not capture bugs found by developers � Most bug reports came against a release of the software, not a CVS-HEAD – 198 out of 200 – does not capture bugs between releases � What about the bugs that don’t make it into the release? – they may be in the CVS repository… University of Maryland

  8. CVS Repository � Commits may contain useful data – any bug fix must show up in a commit – will commit messages lead us to bug fixes? � Shows bugs fixed between releases � Bugs caught by developers 1.1 1.2 CVS 1.3 Repository University of Maryland

  9. CVS Repository: Practical Experience � Inspected commit messages – manual inspection – looked for ‘fix’, ‘bug’ or ‘crash’ – ignored those with bug number listed � Commit messages more useful – trivially tied to source code change – fewer logic errors � Common errors found – NULL pointer check – failing to check the return value of a function before use University of Maryland

  10. CVS Repository Bug Types NULL pointer check Return Value Check Logic Errors/Feature Request Uninitialized Variable Errors Failure to set value of pointer parameter Error caused by if conditional short circuiting Loop iterator increment error System specific pattern � NULL pointer bugs and return value bugs are both statically checkable University of Maryland

  11. Function Return Value Check Bug � Returning error code and valid data from a function is a common C idiom – the return value should be int foo(){ checked before being used … – control flow decision must if( error ){ return error_code; depend on it } …. – lint checks for this error return data; } � Error types … – completely ignored value = foo(); • foo(); newPosition + = value; // ??? – return value used directly as an argument • bar(foo()); – others … University of Maryland

  12. Our Tool � Static checker that looks for return value check bugs – based on ROSE by Dan Quinlan, et al., at Lawrence Livermore National Laboratory � Classify each warning by category – ignored return value – return value used as argument, etc. � Produce a ranking of the warnings – group warnings by called function – rank functions that most need their return value checked higher University of Maryland

  13. Return Value Checker: Problems � Some functions don’t need their return value checked – no error value returned – could lead to many false positives – int printf() � Naively flagging all unchecked return values leads to many false positives – over 7,000 warnings reported for the Apache httpd-2.0 source � Must find which are most likely true bugs – use historical data University of Maryland

  14. Which return values need checked? � Infer from historical data – look for an add of a check of a return value in a CVS commit – implies the programmer thinks its important … Commit value = foo(); … Bug Fix if( value != Error) { // Check value = foo(); newPosition + = value; newPosition + = value; // ??? } … … � Infer from current usage – does the return value of a function get checked in the current version of the software? – how often? University of Maryland

  15. Ranking Warnings � Rank warnings in two ways � Split functions into two groups – functions flagged with a CVS commit • at least one CVS commit adds a check of the function’s return value – functions not flagged with a CVS commit � Within each group, rank by how often the function’s return value is checked in the current software distribution University of Maryland

  16. Case Study � Apache httpd-2.0 on Linux � Checked all CVS commits for bug fix – 6100 commits checked – 2600 commits failed to go through our tool • required older version of autoconf • compile bugs in the CVS commits � Difficult to check an old version! – may rely on specific compiler release – may rely on specific configuration tools – may rely on specific libraries/header files University of Maryland

  17. Case Study � Our checker marked over 7,000 warnings – individual call site for non-void function where the return is not checked � Too many too look at! value = foo(); // WARNING newPosition + = value; – expect many are false positives … result = foo(); // WARNING � Rank warnings zoo(result); – 115 functions called in the current software distribution were involved in a bug fix • 62 always had their return value checked – inspect CVS flagged functions – inspect functions with return value checked >50% of the time in the current source tree University of Maryland

  18. Case Study: Warning Breakdown � Inspected 490 warning (of 7000) – found 129 potential bugs! � 235 warnings associated with a CVS flagged function – 84 of the bugs found here – false positive rate of 64% � 255 warnings associated with a function that has its return value checked > 50% of the time – 45 of the bugs found here – false positive rate of 82% University of Maryland

  19. Case Study: A Bug � We investigated a warning and found it did crash httpd – warning near the top of the ranking � The function builds a string from arguments that represent a filename and a pathname – a char array is returned and directly used as an argument to strcmp() – NULL return value will cause a seg fault – return value is NULL if the path is too long! University of Maryland

  20. Analysis � False positive rate too high! – overall false positive rate: 74% (1-(129/490)) – for CVS flagged functions it’s only 64% � A false positive rate closer to 50% would be acceptable – the user is as likely as not to find a true error – cluster true errors near the top of the ranking • CVS flagged functions, fewer false positives � We did cull 7,000 warnings down to 490 – lint would have flagged only the ‘ignored’ warnings and not ranked them University of Maryland

  21. Conclusion � Bug databases are not useful in understanding much about low-level bugs – deeper analysis could match bug report to CVS commit but this can be expensive � CVS commit messages give a better picture of low-level bugs – CVS commits can give useful data to help classify error reports � Mining data from CVS commits is useful to determine properties of the code – which functions need return value checked University of Maryland

  22. Future Work � Run on different software project � What other checkers can benefit from CVS data? � Can we dynamically gather data on functions called via function pointers? – many of the warnings involved calls through function pointers � What other uses for CVS data can we find for refining bug finding techniques? – can we use data on a semantic level about how the code changes? University of Maryland

  23. University of Maryland

  24. Bug Driven Bug Finding � We have done a study of a bug report database and a CVS repository – found types of bugs that are being fixed � Used CVS data to refine the output of a bug finder – static source code checker – reduced false positive error reports to a usable number � Suggests looking at CVS commits is a good way to determine important properties of the code University of Maryland

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Data-driven growth : From finding product-market fit to scaling Sep 13, 2016 Agenda:

Data-driven growth : From finding product-market fit to scaling Sep 13, 2016 Agenda:

Data-driven growth : From finding product-market fit to scaling Sep 13, 2016 Agenda: About me Affinio Data Stages: Early Growth About me Came to Canada in 2004 Holds two degrees from Dalhousie

618 views • 35 slides
Enabling Data-Driven API Design with Community Usage Data: A Need-Finding Study Tianyi Zhang 1 ,

Enabling Data-Driven API Design with Community Usage Data: A Need-Finding Study Tianyi Zhang 1 ,

Enabling Data-Driven API Design with Community Usage Data: A Need-Finding Study Tianyi Zhang 1 , Bjrn Hartmann 2 , Miryung Kim 3 , Elena Glassman 1 1 Harvard University 2 UC Berkeley 3 UCLA APIs are ubiquitous Frameworks SDKs Web APIs &

602 views • 28 slides
Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your way in a graph = station One loop = junction A system of interconnected loops L L What is the best way to go from L to ? L L L 1 ? L

2.13k views • 166 slides
STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11

STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11

STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11 LICENSED 148 PENDING 27 WITHDRAWN 32 TOTAL 239 ADUs reviewed as Special Exceptions Pre 2013 ZTA 12-11 Allows ADUs as

741 views • 14 slides
EventRacer: Finding Concurrency Errors in Event-Driven Applications Pavol Bielik Android Errors

EventRacer: Finding Concurrency Errors in Event-Driven Applications Pavol Bielik Android Errors

EventRacer: Finding Concurrency Errors in Event-Driven Applications Pavol Bielik Android Errors Caused by Concurrency Display article twice Display wrong directory Display wrong order Rate wrong card 1 Web Page Errors Caused by Concurrency

590 views • 25 slides
Priority-Driven Scheduling of Periodic Tasks Priority-driven vs. clock-driven scheduling:

Priority-Driven Scheduling of Periodic Tasks Priority-driven vs. clock-driven scheduling:

CPSC-663: Real-Time Systems Priority Driven Scheduling Priority-Driven Scheduling of Periodic Tasks Priority-driven vs. clock-driven scheduling: executive processor clock-driven: cyclic schedule tasks a priori! priority-driven:

654 views • 21 slides
NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need

NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need

NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need finding? Needfinding is the process of uncovering User needs Opportunities for improvement Design Insights by learning about their goals

418 views • 14 slides
Finding t Finding the he fue fuel poor: an l poor: an exploration of challenges and ex

Finding t Finding the he fue fuel poor: an l poor: an exploration of challenges and ex

Finding t Finding the he fue fuel poor: an l poor: an exploration of challenges and ex practicable pract icable s solut olutions ions. Postgraduate symposium on household energy consumption, technology and efficiency, University of

551 views • 27 slides
FE FELI LIX Tes est Fi Firmware Purpos ose type with Hit Finding/Hit Finding Emulator Com

FE FELI LIX Tes est Fi Firmware Purpos ose type with Hit Finding/Hit Finding Emulator Com

FE FELI LIX Tes est Fi Firmware Purpos ose type with Hit Finding/Hit Finding Emulator Com ompatible inter erface ty Add FELIX bloc ock hea eader er and chunk trailer er - Compatible with FELIX FULLMODE data - Identify

267 views • 6 slides
Finding Finding Al All l Nearest earest Neighb Neighbors ors wi with th a Single a Single

Finding Finding Al All l Nearest earest Neighb Neighbors ors wi with th a Single a Single

Finding Finding Al All l Nearest earest Neighb Neighbors ors wi with th a Single a Single Graph Traversal raph Traversal Yixin Xu, Jianzhong Qi, Renata Borovica-Gajic, and Lars Kulik Motivation Parking undersupply? 65% oversupply [1]

417 views • 22 slides
1 Finding Value in the Most Finding Value in the Most Overlooked Elements of the Due Overlooked

1 Finding Value in the Most Finding Value in the Most Overlooked Elements of the Due Overlooked

1 Finding Value in the Most Finding Value in the Most Overlooked Elements of the Due Overlooked Elements of the Due Diligence Process Diligence Process James Ewing, Senior Counsel, Biotechnology & Pharmaceutical Practice, Foley

442 views • 32 slides
EXPERIMENTS WITH MODEL-DRIVEN DATA ACQUISITION FOR CROWDSENSING 7/27/2013 Phillip Dold Socially

EXPERIMENTS WITH MODEL-DRIVEN DATA ACQUISITION FOR CROWDSENSING 7/27/2013 Phillip Dold Socially

EXPERIMENTS WITH MODEL-DRIVEN DATA ACQUISITION FOR CROWDSENSING 7/27/2013 Phillip Dold Socially Relevant REU Program 2013 Air Pollution You are concerned about air pollution in your city Finding the causes of the pollution Traditional

239 views • 13 slides
CRC: VALUE-DRIVEN ANALYST & INVESTOR DAY O c t o b e r 3 , 2 0 1 8 | N e w Y o r k C i

CRC: VALUE-DRIVEN ANALYST & INVESTOR DAY O c t o b e r 3 , 2 0 1 8 | N e w Y o r k C i

CRC: VALUE-DRIVEN ANALYST & INVESTOR DAY O c t o b e r 3 , 2 0 1 8 | N e w Y o r k C i t y , N e w Y o r k Agenda Strategic Overview Value Driven Exploration & Development Todd Stevens, President and CEO Darren Williams, EVP

1.47k views • 132 slides
More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an

More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an

csci 210: Data Structures More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an array that sum up to a given target Permute: finding all permutations of a given string Subset: finding all

436 views • 15 slides
Gene Finding Strategies to find gene structures on the web Swiss Institute of Bioinformatics

Gene Finding Strategies to find gene structures on the web Swiss Institute of Bioinformatics

Gene Finding Strategies to find gene structures on the web Swiss Institute of Bioinformatics (SIB) 26-30 November 2001 Course 2001 Gene finding Introduction Gene finding is about detecting coding regions and infer gene structure Gene finding

647 views • 36 slides
Finding max/min under constraint The behaviour of economic actors is often constrained by the

Finding max/min under constraint The behaviour of economic actors is often constrained by the

Topic 9: Constrained Optimisation Reading: Jacques: Chapter 5.5, 5.6 1. Finding max/min under constraint: Substitution Method Lagrange Multiplier Method 2. Application I: Utility 3. Application II: Production Finding max/min

239 views • 12 slides
Filters (Bloom & Quotient) CSCI 333 Operations Filters approximately represent sets.

Filters (Bloom & Quotient) CSCI 333 Operations Filters approximately represent sets.

Filters (Bloom & Quotient) CSCI 333 Operations Filters approximately represent sets. Therefore, a filter must support: Insertions: insert(key) Queries: lookup(key) Filters may also support other operations: Deletion:

510 views • 24 slides
Bloom Filters and their Applications These slides were developed by -- and used with permission

Bloom Filters and their Applications These slides were developed by -- and used with permission

Bloom Filters and their Applications These slides were developed by -- and used with permission from -- Shengquan Wang. CPSC 662 Introduction Membership Query Given a set S={x 1 , x 2 , , x n } on a universe U , want to answer the query

304 views • 12 slides
Category-level localization Cordelia Schmid Recognition Classification Object

Category-level localization Cordelia Schmid Recognition Classification Object

Category-level localization Cordelia Schmid Recognition Classification Object present/absent in an image Often presence of a significant amount of background clutter Localization / Detection Localize object within the

712 views • 56 slides
THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e ,

THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e ,

THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e , and n , the following algorithm quickly computes the reduced power a e % n . ( Initialize ) Set ( x, y, f ) = (1 , a, e ). ( Loop ) While f >

175 views • 5 slides
CS 5410 - Computer and Network Security: Intrusion Detection Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Intrusion Detection Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Intrusion Detection Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Locked Down Youre using all the techniques we will talk about over the

577 views • 19 slides
Lab 8: Firewalls & Intrusion Detection Systems Fengwei Zhang SUSTech CS 315 Computer

Lab 8: Firewalls & Intrusion Detection Systems Fengwei Zhang SUSTech CS 315 Computer

Lab 8: Firewalls & Intrusion Detection Systems Fengwei Zhang SUSTech CS 315 Computer Security 1 Firewall & IDS Firewall A device or application that analyzes packet headers and enforces policy based on protocol type, source

323 views • 20 slides
Interest Points Computer Vision Jia-Bin Huang, Virginia Tech Many slides from N Snavely, K.

Interest Points Computer Vision Jia-Bin Huang, Virginia Tech Many slides from N Snavely, K.

Interest Points Computer Vision Jia-Bin Huang, Virginia Tech Many slides from N Snavely, K. Grauman & Leibe, and D. Hoiem Administrative Stuffs HW 1 posted, due 11:59 PM Sept 25 Submission through Canvas Frequently Asked

1.49k views • 104 slides
A Simula)on of Document Detec)on Methods and Reducing False

A Simula)on of Document Detec)on Methods and Reducing False

A Simula)on of Document Detec)on Methods and Reducing False Posi)ves for Private Stream Searching Michael Oehler University of Maryland Bal)more County

523 views • 28 slides

More recommend