crash testing and coverity the numbers
play

Crash Testing and Coverity The Numbers Caoln McNamara, Red Hat - PowerPoint PPT Presentation

Jan 04, 2024 •488 likes •763 views

Crash Testing and Coverity The Numbers Caoln McNamara, Red Hat 2015-09-25 1 Caoln McNamara Coverity Examples Defect Density Trends Crash Testing Process Trends 2/26 Caoln McNamara Examples 3 Caoln

  1. Crash Testing and Coverity The Numbers Caolán McNamara, Red Hat 2015-09-25 1 Caolán McNamara

  2. ● Coverity ● Examples ● Defect Density ● Trends ● Crash Testing ● Process ● Trends 2/26 Caolán McNamara

  3. Examples 3 Caolán McNamara

  4. CID#707771 UNINIT_CTOR

  5. CID#1209362 DEADCODE Copy and Paste from previous ImplGetUndefinedAsciiMultiByte without corresponding change of UNDEFINED_MASK to INVALID_MASK

  6. CID#983942 UNCAUGHT_EXCEPT That doesn't actually specify what it throws

  7. CID#1158113 FORWARD_NULL Somebody got confused on checking the result of dynamic_cast

  8. CID#704127 CONSTANT_EXPRESSION_RESULT typo, should be 0x0020 not 0x002, wrong for 14 years

  9. Defect Density Last Years density at conference time was 0.08 9/26 Caolán McNamara

  10. Defects over time Here, “ignored” third party module warnings are counted. 10/26 Caolán McNamara

  11. Process integration ● Now run about twice a week ● Those are the nums of slots coverity makes available to a project of this size ● Typically back to back ● One to collect warnings ● One after warnings fixed ● Results now mailed to the list ● Takes about 4-6 hours to build ● Takes about 12+ hours to analyze server-side 11/26 Caolán McNamara

  12. Crash Testing 12 Caolán McNamara

  13. What it does ● Loads a bunch of documents ● 118 different columns for formats in output ● Some are now sort of pointless, e.g. staroffice binary format ● See if anything crashes or triggers an assert ● Saves a bunch of documents ● Exports to 12 different formats from all the compatible import formats ● Export to doc, docx, odb, odg, odp, ods, odt, ppt, pptx, rtf, xls, xlsx 13/26 Caolán McNamara

  14. Process integration ● Typically run once or two a week ● Takes about two days to complete ● Approx 80,000 documents in the document horde ● Mostly populated from get-bugzilla-by-mimetype ● + cloudon test documents ● + w3c svg test documents ● + various interesting documents that have caused trouble for some app or other in the past 14/26 Caolán McNamara

  15. Horde Updating ● Typically fairly rarely ● Full update takes about 12/13 hours ● Downloads are cached, so only new documents are updated ● Bugzilla is trusted wrt the mime-type ● Lots of miscategorized stuff ● Doesn't really matter, rtfs pretending to be docs, etc ● Just made doc import filter look a little worse than it was 15/26 Caolán McNamara

  16. Import Failure Trends Import Crashes 450 400 350 300 250 failures 200 150 100 50 0 build Build 1 is 31 Oct 2013, final build was 16 Sep 2015 16/26 Caolán McNamara

  17. Export Failure Trends Export Failures 4000 3500 3000 2500 2000 failures 1500 1000 500 0 build Build 1 is 31 Oct 2013, final build was 16 Sep 2015 17/26 Caolán McNamara

  18. Triple 0 week ● 20 – 27 August 2015 ● 0 coverity warnings ● 0 import failures ● 0 export failures Then everyone came back from their Summer holidays 18/26 Caolán McNamara

  19. This week ● 4 (fixed) coverity warnings, pending next build ● 0 import failures ● 4 export asserts (2 unique asserts) ● Fairly typical 19/26 Caolán McNamara

  20. Taking the battle onwards 20 Caolán McNamara

  21. Generating troublesome documents ● Fuzzing ● Played with CERT bff for a while, some small results ● American Fuzzy Lop is much more fun ● Build with afl-clang/afl-clang++ ● “coverage-assisted fuzz testing tool” ● Generates new documents that trigger new internal states in the target ● Got to love the UI 21/26 Caolán McNamara

  22. Screen Shot 22/26 Caolán McNamara

  23. Speed #1 ● Crucial thing is to be able to cycle fast ● under 100 execs a second is super cruddy ● soffice.bin is ponderous to startup ● 0.18 executions a second for pngs ● Configuration loading and parsing is expensive ● Custom no ui, no config, application ● After much hacking ● 40 executions a second for pngs ● Approximately 200 times faster 23/26 Caolán McNamara

  24. Speed #2 ● “Persistent mode” ● Don't exit after each document ● Just loop over the same document again and again ● SIGSTOP to afl controller to signal ready again ● Build with afl-clang-fast/afl-clang-fast++ ● Makes something of a difference ● 3000-4000 executions per second with custom loader ● So that's approx 20,000 faster 24/26 Caolán McNamara

  25. Process/Results to date ● Between stock crash testing runs afl runs ● 64 core box ● Currently 20+ instances running for the last month or so ● Mostly on a different file format, can run multiple for a single file format ● Crashes rare ● Rich source of hangs ● Using afl-cmin minimized corpus of crash testing as input 25/26 Caolán McNamara

  26. Thanks for your time 26/26 Caolán McNamara

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity Oss-Fuzz Overview Continuous Fuzzing of our import filters Thanks to Google we get to use their infrastructure and resources

542 views • 26 slides
ALICE experience using Coverity ALICE experience using Coverity Federico Carminati, Peter

ALICE experience using Coverity ALICE experience using Coverity Federico Carminati, Peter

ALICE experience using Coverity ALICE experience using Coverity Federico Carminati, Peter Hristov, Axel Naumann and Olga Datskova (CERN) presented by Olga Datskova (CERN, ALICE Offline) Ferrara, 04/07/2011 1 AliRoot framework AliRoot

377 views • 18 slides
CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

Datalog CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs Static Analysis Tools Black-box Testing/Fuzzing 2 Coverity: a Static Analysis Company 3 Bug Report From Coverity Actual bug Path

701 views • 59 slides
BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS

BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS

BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS BY THE NUMBERS Pre-roll, Outstream, Video Production, OTT, Social Video Display, Audience Extension, Mobile Precise, Programmatic, Retargeting, Social, Native SEM,

476 views • 31 slides
Field Testing, Marketing, and Crash Analyses of Mini-roundabouts W E I ZH AN G F H W A O F F I

Field Testing, Marketing, and Crash Analyses of Mini-roundabouts W E I ZH AN G F H W A O F F I

Field Testing, Marketing, and Crash Analyses of Mini-roundabouts W E I ZH AN G F H W A O F F I C E O F S A F E T Y R &D 2 0 2 - 4 9 3 - 3 3 17 W E I . Z H A N G @ D O T . G O V FHWA Safety R&D Intersection Program Field

646 views • 36 slides
WHEELCHAIR CRASH TESTING Making Sense of the Standards. Sunrise Medical Education Department

WHEELCHAIR CRASH TESTING Making Sense of the Standards. Sunrise Medical Education Department

WHEELCHAIR CRASH TESTING Making Sense of the Standards. Sunrise Medical Education Department amy.bjornson@sunmed.com Amy Bjornson, Physio, PT, ATP, SMS FUNDAMENTALS The vehicle seat offers the highest level of safety as it is secured to the

605 views • 34 slides
Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram Crashes I crashed This is very File saved! important File missing Image

878 views • 87 slides
Static Analysis of Your OSS Project with Coverity LinuxCon EU 2015 Stefan Schmidt Samsung Open

Static Analysis of Your OSS Project with Coverity LinuxCon EU 2015 Stefan Schmidt Samsung Open

Static Analysis of Your OSS Project with Coverity LinuxCon EU 2015 Stefan Schmidt Samsung Open Source Group stefan@osg.samsung.com Samsung Open Source Group 1 Agenda Introduction Survey of Available Analysers Coverity Scan

455 views • 41 slides
Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared 6/3/2020 1- Crash Identification Block The month, day and hour should be when the crash occurred Not when reported Not when you arrived 2- General

561 views • 15 slides
Evolutionary Testing for Crash Reproduction Mozhan Soltani Annibale Panichella Arie van Deursen

Evolutionary Testing for Crash Reproduction Mozhan Soltani Annibale Panichella Arie van Deursen

Evolutionary Testing for Crash Reproduction Mozhan Soltani Annibale Panichella Arie van Deursen Bugs are everywhere Cost of Bug Fixings Major Bug for Apache Commons Collections https://issues.apache.org/jira/browse/COLLECTIONS-70 Cost

653 views • 37 slides
SENTINEL TESTING, RESULTS TO DATE TOTAL NUMBERS: Inmates have been tested at the Butte

SENTINEL TESTING, RESULTS TO DATE TOTAL NUMBERS: Inmates have been tested at the Butte

MONTANA DEPARTMENT OF CORRECTIONS + COVID-19 RESPONSE UPDATE LAW AND JUSTICE INTERIM COMMITTEE JUNE 30, 2020 + COVID-19 SENTINEL TESTING AT DOC FACILITIES + COVID-19 SENTINEL TESTING MAY 21, 2020 DOC started sentinel testing of

511 views • 12 slides
PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location System Website Address: http://pueblo.ms2soft.com Quick Search By: Study Location Location Crash Data Crash ID Date Crash Type LOG

555 views • 31 slides
My code doesnt crash why should I still use Valgrind? Tyson Whitehead April 16, 2014

My code doesnt crash why should I still use Valgrind? Tyson Whitehead April 16, 2014

My code doesnt crash why should I still use Valgrind? Tyson Whitehead April 16, 2014 Notes Modern digital computers are binary systems. frequently numbers are powers of two 1000 multiple is usually 1024 instead will not

244 views • 6 slides
2009: Historic Truck Crash Declines September 29, 2010 Ralph Craft, Ph.D. Analysis Division

2009: Historic Truck Crash Declines September 29, 2010 Ralph Craft, Ph.D. Analysis Division

2009: Historic Truck Crash Declines September 29, 2010 Ralph Craft, Ph.D. Analysis Division Fatal Large Truck Numbers, 2008 to 2009 Three levels of crash data: Fatalities: Down 20% (4,245 to 3,380) Large Trucks: Down 21% (4,089 to

522 views • 25 slides
TESTING CHEBYSHEVS BIAS FOR PRIME NUMBERS UP TO 10 15 Andrey Sergeevich SHCHEBETOV

TESTING CHEBYSHEVS BIAS FOR PRIME NUMBERS UP TO 10 15 Andrey Sergeevich SHCHEBETOV

1 TESTING CHEBYSHEVS BIAS FOR PRIME NUMBERS UP TO 10 15 Andrey Sergeevich SHCHEBETOV Lomonosovskaya School & MIEM HSE Moscow, Russia Presentation for the 30th European Union Contest for Young Scientists EUCYS 2018 Dublin, Ireland

673 views • 30 slides
Relational Database Design Theory Part II CPS 196.3 Introduction to Database Systems 2

Relational Database Design Theory Part II CPS 196.3 Introduction to Database Systems 2

Relational Database Design Theory Part II CPS 196.3 Introduction to Database Systems 2 Announcement ! Project proposal/progress report due today ! Midterm next Thursday in class " Everything up to todays lecture, with a focus on the

301 views • 7 slides
ROHC: compress your VoIP traffic Didier Barvaux didier.barvaux@toulouse.viveris.com

ROHC: compress your VoIP traffic Didier Barvaux didier.barvaux@toulouse.viveris.com

Header compression The ROHC protocol The ROHC library Perspectives ROHC: compress your VoIP traffic Didier Barvaux didier.barvaux@toulouse.viveris.com didier@rohc-lib.org July, 7th 2014 Viveris Technologies ROHC: compress your VoIP traffic

476 views • 26 slides
Querying Relational Data: Algebra Gerome Miklau UMass Amherst CMPSCI 645 Database Systems

Querying Relational Data: Algebra Gerome Miklau UMass Amherst CMPSCI 645 Database Systems

Querying Relational Data: Algebra Gerome Miklau UMass Amherst CMPSCI 645 Database Systems Jan 31, 2008 Some slide content courtesy of Zack Ives, Ramakrishnan & Gehrke, Dan Suciu, Ullman & Widom Next lectures Today

1.34k views • 36 slides
Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate

Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate

Connect. Communicate. Collaborate Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate Federations Connect. Communicate. Collaborate Same federating principles applied to federations themselves Own

510 views • 22 slides
Regularity and Grbner bases of the Rees algebra of edge ideals of bipartite graphs Yairon Cid

Regularity and Grbner bases of the Rees algebra of edge ideals of bipartite graphs Yairon Cid

Regularity and Grbner bases of the Rees algebra of edge ideals of bipartite graphs Yairon Cid Ruiz University of Barcelona Journes Nationales de Calcul Formel CIRM, Luminy, January 2018 Definition A bipartite graph G = ( X , Y , E )

604 views • 38 slides
Uniform Resource Names (URNs) & % April 21, 1998 ' $ URN 2 URNs persistent

Uniform Resource Names (URNs) & % April 21, 1998 ' $ URN 2 URNs persistent

' $ URN 1 Uniform Resource Names (URNs) & % April 21, 1998 ' $ URN 2 URNs persistent resource identifiers (names) URLs = location for long-lived resources (papers, newspaper article archives, legal records, Dilbert

148 views • 10 slides
Outline Background Mining Sequential Patterns Introduction Problem Decomposition and

Outline Background Mining Sequential Patterns Introduction Problem Decomposition and

Outline Background Mining Sequential Patterns Introduction Problem Decomposition and Solution Algorithm Authors: Rakesh Agrawal and Ramakrishnan Srikant Performance Presenter: Yunping Wang Discussions and Conclusion

618 views • 12 slides
Introduction to Information Systems SSC, Semester 6 Lecture 1 Priv.-Doz. Dr. Heinz Stockinger

Introduction to Information Systems SSC, Semester 6 Lecture 1 Priv.-Doz. Dr. Heinz Stockinger

Introduction to Information Systems SSC, Semester 6 Lecture 1 Priv.-Doz. Dr. Heinz Stockinger Summer Term 2008 1 Outline for Today s Lecture Overview of database systems Course Outline First Steps in SQL 2 Staff

621 views • 20 slides

More recommend