improving software quality with static analysis
play

Improving Software Quality with Static Analysis William Pugh - PowerPoint PPT Presentation

Jul 13, 2023 •354 likes •991 views

Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland http://www.cs.umd.edu/~pugh TS-2007 2007 JavaOne SM Conference | Session TS-2007 | You will believe... Static analysis tools can find real bugs

  1. Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland http://www.cs.umd.edu/~pugh TS-2007 2007 JavaOne SM Conference | Session TS-2007 |

  2. You will believe... Static analysis tools can find real bugs and real issues in your code. You can and should effectively incorporate static analysis into your software development process. 2 2007 JavaOne SM Conference | Session TS-2007 |

  3. Agenda Introduction Correctness issues Bad Practice Security defects Demos (FindBugs, Fortify SCA) Integrating static analysis Wrap up 3 2007 JavaOne SM Conference | Session TS-2007 |

  4. About Me • Professor at Univ. of Maryland since 1988, doing research in programming languages, algorithms, software engineering • Technical Lead on JSR-133 (Memory model), JSR- 305 (Annotations for Software Defect Detection) • Founder of the FindBugs ™ project • Open source static analysis tool for defect detection in the Java ™ Programming Language • Technical advisory board of 4 2007 JavaOne SM Conference | Session TS-2007 |

  5. Agenda Introduction Correctness issues Bad Practice Security defects Demos (FindBugs, Fortify SCA) Integrating static analysis Wrap up 5 2007 JavaOne SM Conference | Session TS-2007 |

  6. Static Analysis • Analyzes your program without executing it • Doesn’t depend on having good test cases • or even any test cases • Generally, doesn’t know what your software is supposed to do • Looks for violations of reasonable programming • Shouldn’t throw NPE • Shouldn’t allow SQL injection • Not a replacement for testing • Very good at finding problems on untested paths • But many defects can’t be found with static analysis 6 2007 JavaOne SM Conference | Session TS-2007 |

  7. Common Wisdom about Bugs and Static Analysis • Programmers are smart • Smart people don’t make dumb mistakes • We have good techniques (e.g., unit testing, pair programming, code inspections) for finding bugs early • So, bugs remaining in production code must be subtle, and finding them must require sophisticated static analysis techniques • I tried lint and it sucked: lots of warnings, few real issues 7 2007 JavaOne SM Conference | Session TS-2007 |

  8. Can You Find The Bug? if (listeners == null) listeners.remove(listener); • JDK1.6.0, b105, sun.awt.x11.XMSelection • lines 243-244 8 2007 JavaOne SM Conference | Session TS-2007 |

  9. Why Do Bugs Occur? • Nobody is perfect • Common types of errors: • Misunderstood language features, API methods • Typos (using wrong boolean operator, forgetting parentheses or brackets, etc.) • Misunderstood class or method invariants • Everyone makes syntax errors, but the compiler catches them • What about bugs one step removed from a syntax error? 9 2007 JavaOne SM Conference | Session TS-2007 |

  10. Who Uses Static Analysis? • Lots and lots of projects and companies • Among many others, Glassfish and Google use FindBugs • Many companies are weird about letting you say they use your open source tool • Lots of open source tools: PMD, CheckStyle, etc. • IDEs include some: Eclipse, IntelliJ, Netbeans • Commercial tools available from Fortify Software, KlocWork, Coverity, Parasoft, SureLogic • Static analysis used even more widely/intensely for C/C++ • More bugs to find • Bugs a lot scarier • Free tools not as good 10 2007 JavaOne SM Conference | Session TS-2007 |

  11. FindBugs • I'm mostly going to be talking about FindBugs • I know it best • Some things will be specific to FindBugs • What we classify as a "correctness" issue • Which potential null pointer issues we report • But most of the concepts apply to other tools 11 2007 JavaOne SM Conference | Session TS-2007 |

  12. Bug Categories Selected categories for today's discussion • Correctness - the code seems to be clearly doing something the developer did not intend • Bad practice - the code violates good practice • Security defect • Vulnerability to malicious code • Vulnerability to malicious input • SQL injection, cross site scripting 12 2007 JavaOne SM Conference | Session TS-2007 |

  13. Bug Patterns • Some big, broad and common patterns • Dereferencing a null pointer • An impossible checked cast • Methods whose return value should not be ignored • Lots of small, specific bug patterns, that together find lots of bugs • Every Programming Puzzler • Every chapter in Effective Java • Most postings to http://thedailywtf.com/ 13 2007 JavaOne SM Conference | Session TS-2007 |

  14. Analysis Techniques Whatever you need to find the bugs • Local pattern matching • If you invoke String.toLowerCase() , don’t ignore the return value • Intraprocedural dataflow analysis • Null pointer, type cast errors • Interprocedural method summaries • This method always dereferences its parameter • Context sensitive interprocedural analysis • Interprocedural flow of untrusted data • SQL injection, cross site scripting 14 2007 JavaOne SM Conference | Session TS-2007 |

  15. Categories, ranking, use cases • Every tool has categories, rules/patterns, priorities • You can generally customize what you want to look at • Sometimes, you want to do a code audit of a newly written module with 1,000 lines of code • and sometimes you want to scan 1,000,000 lines of code that has been in production for a year • Different use cases require different tunings, different tools 15 2007 JavaOne SM Conference | Session TS-2007 |

  16. Agenda Introduction Correctness issues Bad Practice Security defects Demos (FindBugs, Fortify SCA) Integrating static analysis Wrap up 16 2007 JavaOne SM Conference | Session TS-2007 |

  17. Correctness issues Stuff you really want to look at • In FindBugs, we reserve the Correctness category for issues we are most confident are wrong • code does something the developer didn’t intend • Many of the other categories reflect correctness issues • But correctness issues are the things we think you should look at when scanning that million line code base • low false positive rate, few low impact bugs 17 2007 JavaOne SM Conference | Session TS-2007 |

  18. Infinite recursive loop ... Students are good bug generators • Student came to office hours, was having trouble with his constructor: /** Construct a WebSpider */ public WebSpider() { WebSpider w = new WebSpider(); } • A second student had the same bug • Wrote a detector, found 3 other students with same bug 18 2007 JavaOne SM Conference | Session TS-2007 |

  19. Double Check Against JDK1.6.0-b13 • Found 5 infinite recursive loops • Including one written by Joshua Bloch public String foundType() { return this.foundType(); } • Smart people make dumb mistakes • 27 across all versions of JDK, 31 in Google’s Java code • Embrace and fix your dumb mistakes 19 2007 JavaOne SM Conference | Session TS-2007 |

  20. Finding Null Pointer Bugs with FindBugs • FindBugs looks for a statement or branch that, if executed, guarantees a null pointer exception • Either a null pointer exception could be thrown, or the program contains a statement/branch that can’t be executed • Could look for exceptions that only occur on a path • e.g., if the condition on line 29 is true and the condition on line 38 is false, then a NPE will be thrown • but would need to worry about whether that path is feasible 20 2007 JavaOne SM Conference | Session TS-2007 |

  21. Null Pointer Bugs Found by FindBugs JDK1.6.0-b105 • 109 statements/branches that, if executed, guarantee NPE • We judge at least 54 of them to be serious bugs that could generate a NPE on valid input • Most of the others were deemed to be unreachable branches or statements, or reachable only with erroneous input • Only one case where the analysis was wrong 21 2007 JavaOne SM Conference | Session TS-2007 |

  22. Examples of null pointer bugs simple ones //com.sun.corba.se.impl.naming.cosnaming.NamingContextImpl if (name != null || name.length > 0) //com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser if (part == null | part.equals("")) // sun.awt.x11.ScrollPanePeer if (g != null) paintScrollBars(g,colors); g.dispose(); 22 2007 JavaOne SM Conference | Session TS-2007 |

  23. Redundant Check For Null Also known as a reverse null dereference error • Checking a value to see if it is null • When it can't possibly be null // java.awt.image.LoopupOp, lines 236-247 public final WritableRaster filter( Raster src, WritableRaster dst) { int dstLength = dst.getNumBands(); // Create a new destination Raster, // if needed if (dst == null) dst = createCompatibleDestRaster(src); 23 2007 JavaOne SM Conference | Session TS-2007 |

  24. Redundant Check For Null Is it a bug or a redundant check? • Check the JavaDoc for the method • Performs a lookup operation on a Raster . • If the destination Raster is null, • a new Raster will be created. • Is this case, a bug • particularly look for those cases where we know it can't be null because there would have been a NPE if it were null 24 2007 JavaOne SM Conference | Session TS-2007 |

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner Hhnle Software Engineering Group Department of Computer Science Technische Universitt Darmstadt http://www.se.tu-darmstadt.de/

239 views • 23 slides
Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker

Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker

Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker Senior Software Engineer, Video Product Line, Tektronix, Inc. Pacific Northwest Software Quality Conference, 2010 In the Beginning, There Was Lint

486 views • 20 slides
Improving the Quality of Software Using Testing and Fault Prediction Professor Iftekhar Ahmed

Improving the Quality of Software Using Testing and Fault Prediction Professor Iftekhar Ahmed

Improving the Quality of Software Using Testing and Fault Prediction Professor Iftekhar Ahmed Department of Informatics https://www.ics.uci.edu/~iftekha/ 1 About me Research focus: Software testing and analysis. 4 years of industry

335 views • 33 slides
Numerical Static Analysis of Embedded Software with Interrupts Liqian Chen National University of

Numerical Static Analysis of Embedded Software with Interrupts Liqian Chen National University of

The 2016 Workshop on Static Analysis of Concurrent Software, Edinburgh, Scotland Numerical Static Analysis of Embedded Software with Interrupts Liqian Chen National University of Defense Technology, Changsha, China 11/09/2016 (Joint work with

604 views • 39 slides
Static and dynamic verification Static and dynamic V&V Software inspections Concerned

Static and dynamic verification Static and dynamic V&V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis Lucas Cordeiro (Formal Methods

1.9k views • 188 slides
Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program Analysis Extracting information, in order to present abstractions of, or answer questions about, a software system Static Analysis: Examines the

754 views • 32 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis (Part II) Lucas Cordeiro (Formal

2.24k views • 169 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides
Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow Analysis Data-flow Analysis Static VS Dynamic Analysis Software Testing Control Con ol Flow ow Gr Graph entry S1 Procedure AVG S1 count =

1.08k views • 104 slides
1 QUALITY CONTROL QUALITY ASSURANCE Controlling the software development process

1 QUALITY CONTROL QUALITY ASSURANCE Controlling the software development process

SOFTWARE ENGINEERING SOFTWARE QUALITY - SOFTWARE QUALITY QUALITY COMPONENTS Today we talk about software process quality and Objective quality component: properties that can certification be measured or approximated objectively

228 views • 7 slides
CS510 Software Engineering Static Program Analysis Asst. Prof. Mathias Payer Department of

CS510 Software Engineering Static Program Analysis Asst. Prof. Mathias Payer Department of

CS510 Software Engineering Static Program Analysis Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Scott A. Carr Slides inspired by Xiangyu Zhang http://nebelwelt.net/teaching/15-CS510-SE Spring 2015 Static

586 views • 24 slides
Human Science Institute Conference - Call for Presentations September 8-10, 2016 Salt Lake City,

Human Science Institute Conference - Call for Presentations September 8-10, 2016 Salt Lake City,

Human Science Institute Conference - Call for Presentations September 8-10, 2016 Salt Lake City, Utah http://humanscienceinstitute.org Compassion, Connection and Response-Ability Todays social and environmental challenges call all of us to

365 views • 3 slides
Responses to Questions/Comments from Public Forum Session Beijing, April 11, 2013 As regards New

Responses to Questions/Comments from Public Forum Session Beijing, April 11, 2013 As regards New

Responses to Questions/Comments from Public Forum Session Beijing, April 11, 2013 As regards New gTLD evaluation panels, are we going to have information about what these dispute resolution providers were saying, and more importantly - what is

343 views • 8 slides
Project Plan AppDynamics Platform Configuration Tool The Capstone Experience Team Evolutio Kp

Project Plan AppDynamics Platform Configuration Tool The Capstone Experience Team Evolutio Kp

Project Plan AppDynamics Platform Configuration Tool The Capstone Experience Team Evolutio Kp Inuaeyen Jon Dressel Ian Guswiler Cameron Rasico Ben Haase Department of Computer Science and Engineering Michigan State University From

247 views • 12 slides
Advanced Usage of OpenSSH Sean Cody MUUG Presentation September 9, 2008 Tuesday, September 9,

Advanced Usage of OpenSSH Sean Cody MUUG Presentation September 9, 2008 Tuesday, September 9,

Advanced Usage of OpenSSH Sean Cody MUUG Presentation September 9, 2008 Tuesday, September 9, 2008 1 Who am I? Senior Systems Administrator for Prime Focus VFX Services (formerly Frantic Films VFX). Editor at The OpenBSD Journal

694 views • 54 slides
Homelessness Response and Prevention Presentation to Policy and Government Oversight Committee

Homelessness Response and Prevention Presentation to Policy and Government Oversight Committee

CITY OF MINNEAPOLIS Homelessness Response and Prevention Presentation to Policy and Government Oversight Committee July 23, 2020 1 Presentation Overview City Housing Strategy Homeless Response Eviction Prevention Policy and

352 views • 10 slides
HTTP status code 451 : Hackathon Overview and Human Rights Considerations Outline Last

HTTP status code 451 : Hackathon Overview and Human Rights Considerations Outline Last

HTTP status code 451 : Hackathon Overview and Human Rights Considerations Outline Last weekends hackathon overview Best New Work Introduction to HTTP 451 status code Hackathon implementations Implementation Report

382 views • 24 slides
WCF & ASP.NET Web API An Architects Primer Presented at Southern California .NET

WCF & ASP.NET Web API An Architects Primer Presented at Southern California .NET

WCF & ASP.NET Web API An Architects Primer Presented at Southern California .NET Architecture User Group; Feb 21 st 2013. Adnan Masood MS (CS). MCSD. MCPD. Software Architect & Doctoral Candidate blog.AdnanMasood.com

873 views • 52 slides
Change agreed

Change agreed

Change agreed at CAB to use HTTP New approach discussed at 2536 REST RPN & Payroll responses. Validation rules RESOLVED PSDA meeting. CAB required to

601 views • 27 slides

More recommend