Lecture 9: Designing Exceptionally
David Evans
http://www.cs.virginia.edu/evans
CS201j: Engineering Software
University of Virginia Computer Science
Menu
• Section Problem
• Weakly Uses Example
• Handling Mistakes
  • No checking
  • Run-time checking
  • Static checking
• PS3 Comments
CS 201J Fall 2003
Design
• What are the things in the problem?
  • Obvious things: advisor, student, course
  • Less obvious things: prerequisites, set of courses
• Most of the things in the problem should be abstract datatypes
Weakly Uses

    public class Course {
        private Department dept;
        private int number;
        //@invariant dept != null
        //@invariant number > 0

        public Course (Department d, int n) {
            dept = d;
            number = n;
        }
        public Department getDepartment () { return dept; }
        public int getNumber () { return number; }
    }

[Diagram: dependency between the Course and Department modules]
    public class Course {
        private Department dept;
        private int number;
        //@invariant dept != null
        //@invariant number > 0

        public Course (Department d, int n) {
            dept = d;
            number = n;
        }
        public Department getDepartment () { return dept; }
        public int getNumber () { return number; }
        public String toString () {
            return (dept.getMnemonic () + number);
        }
    }

[Diagram: dependency between the Course and Department modules]
Handling Mistakes
• No checking
  • Assume programmers know what they are doing
• Run-time checking
  • Check for anomalous behavior during program execution
• Static checking
  • Check at compile-time
  • Know properties of all possible executions before executing code
Example: Array Bounds
What should happen when the program writes beyond the bounds of an array?

    int a[10];
    a[10] = 17;
C/C++ Answer
Checking is just a waste of execution time, we should trust the programmer not to make mistakes.

    #include <iostream.h>
    int main (void) {
        int x = 9;
        char s[4];
        cin >> s;
        cout << "s is: " << s << endl;
        cout << "x is: " << x << endl;
    }
C/C++ Bounds NonChecking
(The line following each run of bounds is the user input read by cin >> s.)

    > g++ -o bounds bounds.cc
    > bounds
    cs
    s is: cs
    x is: 9
    > bounds
    cs201
    s is: cs201
    x is: 49
    > bounds
    cs201j
    s is: cs201j
    x is: 27185
    > bounds
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    s is: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    x is: 1633771873
    Segmentation fault (core dumped)
What's going on?!!

s has room for only 4 chars. Whatever does not fit is written into the memory that follows s on the stack, where x lives.

    > bounds
    cs201
    s is: cs201
    x is: 49

    s: 'c' 's' '2' '0'
    x: '1' (= 49), then the terminating 0    (x was 9)

    > bounds
    cs201j
    s is: cs201j
    x is: 27185

    s: 'c' 's' '2' '0'
    x: '1' (= 49)  'j' (= 106)  0  0

    27185 = (106 * 256) + 49

In C/C++, the space for an int (32 bits) is enough to hold 4 chars (8 bits each).

    > bounds
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    s is: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    x is: 1633771873
    Segmentation fault (core dumped)

    s:              'a' 'a' 'a' 'a'
    x:              'a' 'a' 'a' 'a'   (= 1633771873)
    ...
    return address: 'a' 'a' 'a' 'a'

When main returns, execution jumps to the return address stored on the stack. But the input overwrote that return address!
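The spill from s into x drawn above, as an added model written for this page (it is not the lecture's code): it assumes a simplified little-endian frame in which s is followed directly by x and, further along, by the return address, and it copies the input plus its NUL terminator into that model frame with no bounds check, the way cin >> s does. The frame offsets are assumptions, not measurements of a real compiler's layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified layout of main's stack frame in bounds.cc
 * (real frames have compiler-specific padding; this is only a model):
 *   bytes  0.. 3  char s[4]
 *   bytes  4.. 7  int  x   (little-endian, initially 9)
 *   bytes  8..11  saved frame pointer, bytes 12..15 return address (assumed) */
#define FRAME_SIZE 16
#define S_OFF       0
#define X_OFF       4
#define RET_OFF    12

struct overflow_result {
    uint32_t x;             /* value of x after the copy */
    int      ret_clobbered; /* 1 if the copy reached the return address slot */
};

/* Model what `cin >> s` does: copy the input and its NUL terminator into the
 * 4-byte buffer with no bounds check, so the excess spills into x and beyond.
 * The copy is clamped to the model frame so the simulation itself is safe. */
struct overflow_result simulate_overflow(const char *input)
{
    uint8_t frame[FRAME_SIZE];
    struct overflow_result r;
    size_t n = strlen(input) + 1;          /* the NUL is written too */
    size_t copied = n > FRAME_SIZE ? FRAME_SIZE : n;
    memset(frame, 0, sizeof frame);
    frame[X_OFF] = 9;                      /* int x = 9, little-endian */
    memcpy(frame + S_OFF, input, copied);

    r.ret_clobbered = n > (size_t)RET_OFF;
    /* Reassemble x byte by byte, as the slide does: the lowest address is the
     * least significant byte, so "cs201j" gives 'j' (106) * 256 + '1' (49). */
    r.x = (uint32_t)frame[X_OFF] | (uint32_t)frame[X_OFF + 1] << 8
        | (uint32_t)frame[X_OFF + 2] << 16 | (uint32_t)frame[X_OFF + 3] << 24;
    return r;
}

int main(void)
{
    const char *inputs[] = { "cs", "cs201", "cs201j", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" };
    for (size_t i = 0; i < 4; i++) {
        struct overflow_result r = simulate_overflow(inputs[i]);
        printf("%s -> x is: %u%s\n", inputs[i], (unsigned)r.x,
               r.ret_clobbered ? " (return address overwritten)" : "");
    }
    return 0;
}
```

The four constructed inputs reproduce the x values from the transcript (9, 49, 27185, 1633771873); only the 33-character input reaches the modelled return address slot.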
When things go really bad…
• If the person entering input is clever, they can put what they want in the return address, and their own code after that to jump to!
  "Buffer Overflow Attack"
  "Stack Smashing"
Code Red
Buffer Overflows
• Code Red: exploited buffer overflow in Microsoft's IIS (web server)
• Attacker sends excessively long request to web server, overflows buffer and puts virus code on stack
• About ½ of all security problems are due to buffer overflows!
Array Bounds in Java

    public class AverageLength {
        public static void main (/*@non_null@*/ String args[]) {
            String filename = args[0];
            …
        }
    }

    > javac AverageLength.java
    > java AverageLength
    Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
            at AverageLength.main(AverageLength.java:7)
Array Bounds Checking
• C/C++: No checking
  • No execution cost
  • Lower development cost? (if you don't care about robustness)
  • Really, really bad things can happen (and do often for typical programs)
Array Bounds Checking
• Java: Run-time checking
  • Performance cost: virtual machine needs to check array indexes are in bounds
  • Get a run-time error, instead of Code Red
But, sometimes run-time errors can be really, really bad too!
Run-Time Exceptions

Before Run-Time Exception: Ariane V (European) rocket, $5B
After Run-Time Exception: Rubble, $0B

Rocket exploded because of Run-Time Exception (1996) (not array bounds, value out of range – one bad line of code)
Array Bounds with ESC/Java

    public class AverageLength {
        public static void main (/*@non_null@*/ String args[]) {
            String filename = args[0];
            …
        }
    }

    > escjava AverageLength.java
    AverageLength.java:7: Warning: Array index possibly too large (IndexTooBig)
            String filename = args[0];
                                  ^
Array Bounds Checking
• ESC/Java: static checking
  • Check at compile-time: know there will not be an array bounds error on any possible execution
  • If you trust the compile-time checking, can turn off run-time checking (no performance penalty)
  • More apparent effort to develop code (but is there really?)
PS3
• PS3
  • Read the comments!
  • The choice of rep had a big impact on success in implementation
  • Easiest implementation had a rep invariant that kept entries in tally-sorted order
• PS4: turn in TWO copies of your design document tomorrow