Catching Bugs in the Web of Program Invariants

1. Catching Bugs in the Web of Program Invariants Proseminar „Programmanalyse”, Prof. Dr. Heike Wehrheim Universität Paderborn, WS 2011/2012 Anton Tonkushin

2. Static debugging Identifying problems at compile- or runtime • Array indexing outside of its proper bounds • Division by zero • Referencing of null pointers • Jumping to non-function pointers • etc Solution: Magic Tool • Assisting the programmer in verifying the preconditions of program operations • Immediate errors’ signaling • Programmanalyse, WS 2011/2012, Anton Tonkushin

3. MrSpidey Introduction & Goals • Interactive, static debugger for Scheme • Understanding complex programs • Debugging complex programs Main functions: • Describes the set of possible values for each program variable and expression (value set invariant) • Identifies possibly unsafe program operations that may cause run-time errors • Provides a supporting graphical explanation for these invariants • Programmanalyse, WS 2011/2012, Anton Tonkushin

4. Set-based analysis in MrSpidey Introduction: • Program variables and expressions are viewed as sets of values • Possibly infinite sets of values represented finitely using abstract values • Each abstract value corresponds to a particular constructor expression in the analyzed program • Programmanalyse, WS 2011/2012, Anton Tonkushin

5. Sample source language Λ Introduction: P ∈ Program ::= (define x M) ... M, N ∈ Λ ::= Vl Ι(M M)l Ι(cons M M)l Ι(car M)l Ι(cdr M)l V ∈ Value ::= c Ι x Ι(λx.M)l Ι(cons V V) c ∈ Const = Num ∪ {nil, ...} n ∈ Num={0, 1, 2, ...} x ∈ Vars={x, y, z, ...} l ∈ Label • Programmanalyse, WS 2011/2012, Anton Tonkushin

6. Abstract values & abstract store Abstract values • Sets of values infinite → abstract values • Correspond to a particular construction expression • Represent set of run-time values • AbsValueP={Ι∈ P} ∪ {Ι∈ P} ∪ {c Ιc ∈ P} Abstract store • Result of the set-based analysis • Finite table • Maps variables and labels to sets of abstract values • S ∈ AbsStore = (Vars ∪ Label) →P(AbsValueP) • Programmanalyse, WS 2011/2012, Anton Tonkushin

7. Two stage algorithm of MrSpidey • Deriving constraints in a syntax-directed manner from the program text • Determining the minimal (i.e., most accurate) abstract store satisfying these constraints Example (define sum (λtree. ( if (number? tree) tree (+ (sum) (sum))))) (sum) • Programmanalyse, WS 2011/2012, Anton Tonkushin

8. A sample analysis: deriving constraints (define sum (λtree. ( if (number? tree) tree (+ (sum) (sum))))) (sum) • Programmanalyse, WS 2011/2012, Anton Tonkushin

9. A sample analysis: solving constraints From (1),(10): From (9),(11): From (2),(12): From (3),(13): From (7),(14): From (1),(4): From (15),(16): From (2),(17): From (3),(18): From (5),(19): From (16),(20): From (2),(21): • Programmanalyse, WS 2011/2012, Anton Tonkushin

10. Value Flow & Value Flow Browser • Construction of a value flow graph from the subset relations • Each edge in this graph -> arrow overlaid on the program text • Programmanalyse, WS 2011/2012, Anton Tonkushin

11. Questions?