
Automatic Technology for Detecting Fatal SW Errors Before Testing


Presentation Transcript


  1. Automatic Technology for Detecting Fatal SW Errors Before Testing. Prof. Kwangkeun Yi (이광근), Programming Research Lab., Seoul National University. 12/19/2006 @ Samsung-SNU Workshop

  2. Content • Technology: Static Program Analysis • Product: Sparrow 1.0 • Research: Sparrow 1.0SE

  3. Open Problem • Before a piece of software is executed, • is there a technology that rigorously confirms in advance • that it will run the way we intend? • no core dump/segmentation fault • no buffer overrun • no memory leak • "x.s > 0 at line 321" • "notNull(y) whenever x = 0" • etc.

  4. Static Program Analysis: a general technology that automatically and safely estimates, before execution, what a program will do when it runs. Also called "static analysis", "정적분석" (static analysis), "프로그램분석" (program analysis).

  5. "Before execution": without running the program • "Automatically": a program analyzes the program • "Safely" (soundly): every possible behavior is covered • "Estimates": behaviors that can never actually occur are included as well • without this approximation the problem is undecidable • "General": no restriction on the source language or on the properties that can be analyzed • C, C++, C#, Java, ML, UML, JVM, x86, bits, etc. • buffer overrun? memory leak? x=y at line 2? notNull(x) whenever y.s=0?

  6. How it differs from testing • Testing has to wait until the SW can be executed • Testing cannot find all of the errors it is looking for • A static program analyzer • locates the target errors automatically without running the SW • needs only the SW's source code

  7. Limitation: false alarms • inevitable • repeat if E then x = x+1 else x = x-1 until B • rules of the game • minimize false alarms • no (or few) undetected errors • at a reasonable cost
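As an added illustration of slides 4 through 7 (example code written for this page; it is not part of the original slides and is not Sparrow's code), here is a toy interval analysis of the loop on slide 7. The analyzer never executes the program; it computes, for each program point, an interval that contains every value x can take. Since E and B are unknown, it keeps both branches and every loop exit, which is what "safely" means on slide 5. The buffer access after the loop, the buffer size, the initial value of x and the "guarded" variant of the loop are all constructed for the example.

```python
"""Toy interval analysis of the slide's loop (added example, not Sparrow code).

Abstract program (constructed for this example):
    x = x0
    repeat
        if E then x = x + 1 else x = x - 1
    until B
    buf[x]                    # buf has buf_size elements
E and B are unknown, so the analysis keeps both branches and every loop
exit: it over-approximates, which is what makes it sound.
"""
from dataclasses import dataclass
import math

INF = math.inf


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    @staticmethod
    def bottom():
        return Interval(INF, -INF)          # empty set: unreachable state

    def is_bottom(self):
        return self.lo > self.hi

    def join(self, other):                   # union, rounded up to one interval
        if self.is_bottom():
            return other
        if other.is_bottom():
            return self
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def meet(self, other):                   # intersection: filter by a test
        return Interval(max(self.lo, other.lo), min(self.hi, other.hi))

    def add(self, k):
        return self if self.is_bottom() else Interval(self.lo + k, self.hi + k)

    def widen(self, other, thresholds):
        """Widening with thresholds: a bound that keeps growing jumps to the
        next program constant, then to infinity, so the loop analysis ends."""
        if self.is_bottom():
            return other
        lo, hi = self.lo, self.hi
        if other.lo < lo:
            lo = max([t for t in thresholds if t <= other.lo], default=-INF)
        if other.hi > hi:
            hi = min([t for t in thresholds if t >= other.hi], default=INF)
        return Interval(lo, hi)

    def within(self, other):
        return self.is_bottom() or (other.lo <= self.lo and self.hi <= other.hi)


def analyze_loop(x0, buf_size, guarded):
    """Return (interval of x at buf[x], alarm?).

    guarded=False is the slide's loop as written.  guarded=True wraps each
    update in a bounds test that the analyzer can see (constructed variant):
        if E then (if x < buf_size-1 then x = x+1)
             else (if x > 0 then x = x-1)
    """
    safe = Interval(0, buf_size - 1)

    def body(x):
        if not guarded:
            return x.add(1).join(x.add(-1))
        inc = x.meet(Interval(-INF, buf_size - 2)).add(1)    # test true: x+1 <= buf_size-1
        inc = inc.join(x.meet(Interval(buf_size - 1, INF)))  # test false: x unchanged
        dec = x.meet(Interval(1, INF)).add(-1)               # test true: x-1 >= 0
        dec = dec.join(x.meet(Interval(-INF, 0)))            # test false: x unchanged
        return inc.join(dec)

    thresholds = {0, buf_size - 1}        # constants that appear in the program
    head = Interval(x0, x0)               # all states at the top of the loop body
    while True:                           # fixpoint iteration with widening
        new_head = head.widen(head.join(body(head)), thresholds)
        if new_head == head:
            break
        head = new_head
    at_access = body(head)                # "until B" may exit after any iteration
    return at_access, not at_access.within(safe)


if __name__ == "__main__":
    for guarded in (False, True):
        rng, alarm = analyze_loop(0, 10, guarded)
        verdict = "ALARM" if alarm else "proved safe"
        print(f"guarded={guarded}: x in [{rng.lo}, {rng.hi}] -> {verdict}")
```

On the loop exactly as the slide writes it, the analysis ends with x in (-inf, inf) and must report the access: if the real E and B happen to keep x inside the buffer, that report is a false alarm, but nothing in the source lets a sound analyzer tell. With the bounds tests made visible in the code, the same analyzer proves x in [0, 9] and stays silent. That is the trade-off slide 7 describes: the approximation that guarantees no missed errors is also what produces alarms that cannot all be avoided, and the engineering work (Sparrow's domains are more elaborate than this interval domain) goes into keeping them few at reasonable cost.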

  8. Sparrow 1.0

  9. Evolution of SW error verification technology (chart: utility and maturity of static analysis technology versus testing technology across the 1980s, 1990s, 2000s and 2010s; labels on the chart: coverity.com, polyspace.com, Sparrow 1.0)

  10. Sparrow 1.0 • Target source languages • C, C++ • ANSI, GNU, MS, ARM, etc. • Target errors • buffer overrun • memory leak • uninitialized access

  11. Other Players • coverity.com • Stanford U., active in the US market, attempted to enter the Korean market in '05 • polyspace.com • Ecole Polytech., active in the European market, attempted to enter the Korean market in '06 • grammatech.com • U. of Wisconsin-Madison, US government market • Others (weaker analysis technology: "shallow" analysis) • fortify, klocwork, secure, seque, wily • Existing runtime tools • commercial • PurifyPlus, Parasoft Insure++, Trace32, WinDBG, … • open-source SW • Valgrind …

  12. BMT Results • Sparrow vs Prevent (coverity.com) • buffer overrun • up to 30% more errors detected • Sparrow vs Prevent (coverity.com) • memory leak • up to 200% more errors detected

  13. Sparrow performance 1/2: Buffer Overrun (chart) On a Linux 2.6 box with Pentium4 3.2GHz, 4GB RAM

  14. Sparrow performance 2/2: Memory Leaks (chart) On a Linux 2.6 box with Pentium4 3.2GHz, 4GB RAM

  15. Sparrow beats Prevent for 1/4 of True Buffer Overruns • deep call chain • function pointers • function argument • loop induction variables • C standard library – memcpy, memset, … (chart counts: True 11, 20; False 36)

  16. Sparrow beats Prevent for 1/5 of Memory Leaks • arbitrary pointer aliasing • alloc/free of complex data structures • linking argument pointers • infinite loop • recursion (chart counts: True 12, 3, 7, 2; False 16)

  17. Sparrow 1.0

  18. Sparrow 1.0SE for Verified System SWs: maybe of interest to Samsung Electronics SW Labs.

  19. Our Position 1/2 • Goal • a zero-false-alarm analyzer for key system SWs • a "domain-specific", zero-false-alarm, sound analyzer

  20. Our Position 2/2 • For a particular SW A • Sparrow 1.0 can be safely specialized (soundness preserved) • precise enough not to generate false alarms • will remain effective for later versions of A • zfa (zero-false-alarm) Sparrow 1.0SE for Apache • zfa Sparrow 1.0SE for Flash-memory Linux • zfa Sparrow 1.0SE for Flash-memory DB • ...

  21. Example: Work In Progress • toward zfa Sparrow 1.0SE for Apache httpd-2.2.2 • we ran Sparrow 1.0 on Apache httpd-2.2.2 • found 2 real bugs, w • identified 6 classes of false alarms • addressed one class of false alarms • removed 9 false alarms • and so on...

  22. Conclusion • Technology: Static Program Analysis • Product: Sparrow 1.0 • Research: Sparrow 1.0SE Thank you.

  23. About me • Research • static program analysis • 2003-present: Associate Professor, School of Computer Science and Engineering, Seoul National University • 1998-2003: Director, Research Center for Program Analysis Systems, Creative Research Initiatives, Ministry of Science and Technology • 1995-2003: Assistant/Associate Professor, KAIST • 1993-1995: Member of Technical Staff, SW Principles Research, Bell Labs., Murray Hill, USA • 1993: PhD, CS, Univ. of Illinois at Urbana-Champaign • ropas.snu.ac.kr/~kwang

  24. Real Bugs Found. srclib/apr/file_io/unix/filepath.c, lines 158-168:

      if (addpath[0] == '/') {
          /* Ignore the given root path, strip off leading
           * '/'s to a single leading '/' from the addpath,
           * and leave addpath at the first non-'/' character.
           */
          keptlen = 0;
          while (addpath[0] == '/')
              ++addpath;
          path[0] = '/';
          pathlen = 1;
      }

  What if the array addpath only contains '/'?
