
Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs

Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs. David Hovemeyer, Jaime Spacco, and William Pugh. Presented by Nathaniel Ayewah, CMSC838P, 11/16/2006.


Presentation Transcript


  1. Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs
     David Hovemeyer, Jaime Spacco, and William Pugh
     Presented by Nathaniel Ayewah, CMSC838P, 11/16/2006

  2. Why Simple
     • Programmers make simple mistakes
         // org.eclipse.jdt.internal.ui.compare.JavaStructureDiffViewer
         Control c = getControl();
         if (c == null && c.isDisposed())
             return;
     • Low False Positive Rate
     • Cannot find all bugs

  3. Findbugs

  4. Findbugs
     INPUT
     • Set of “.class” files containing byte-code
     • Configurations
     PROCESSING
     • Detectors
     OUTPUT
     • Bug Pattern Code
     • Source Line Number
     • Descriptive Message

  5. Findbugs Detectors (PROCESSING)
     • Independent of each other
     • May share some resources
     • GOAL: Low false positives
     • Each detector is driven by a set of heuristics
     Know Your Bug Patterns

  6. Output
     HIGH: SEVERE RISK OF PROGRAM FAILURE
     MEDIUM: ELEVATED RISK OF PROGRAM FAILURE
     LOW: LOW RISK OF PROGRAM FAILURE
     Source: US Department of Program Security

  7. Findbugs Detectors PROCESSING Null Pointer Analysis

  8. Null Pointer Analysis (PROCESSING)
     • Forward intra-procedural
     • Build Control Flow graph for each method
     [Diagram labels: Data-flow Frame; Slot (method parameter, local variable, or stack operand); values Null, NonNull]

  9. Simple Analysis
         Detector foo = null;
         foo.execute();
     Dereferencing Null: HIGH (SEVERE RISK OF PROGRAM FAILURE)
         Detector foo = new Detector(…);
         foo.execute();
     Dereferencing NonNull

  10. If only it were that simple…
      • Is a method’s parameter null?
          void foo(Object obj) {
              int x = obj.hashCode();
              …
          }
      • Infeasible Paths

  11. Infeasible Paths
      • Guard indirectly connected to null check
          boolean b;
          if (p != null)
              b = true;
          else
              b = false;
          if (b)
              p.f();

  12. Infeasible Paths
      • Assertions
          p = null;
          ...
          // throws exception if p null:
          checkAssertion(p != null);
          p.f(); // safe

  13. Infeasible Paths
      • Checked Exceptions that are never thrown
          Foo dup = null;
          try {
              dup = (Foo) super.clone();
          } catch (CloneNotSupportedException e) {
              // Can’t happen
          }
          dup.contents = ...

  14. Solution
      • Null and NonNull are not enough
      [Diagram: control-flow sketch "if (b) { A } else { B } C" alongside the extended set of values: Checked NonNull, No Kaboom NonNull, NonNull, Null-E, NCP, Null, NSP-E, NSP]

  15. Solution
      • Dereferencing a variable that has value Null, NSP, …
      [Diagram: the values Null, NSP, Null-E and NSP-E, each tagged with a priority label (HIGH: SEVERE RISK OF PROGRAM FAILURE; MEDIUM: ELEVATED RISK OF PROGRAM FAILURE; LOW: LOW RISK OF PROGRAM FAILURE)]

  16. Solution
      • Choosing a value for a variable after each statement:
          Statement        Value of p
          p = null         Null
          p = this         NonNull
          p = new ...      NonNull
          p = "string"     NonNull
          p = Foo.class    NonNull
          p = q.x          NCP
          p = a[i]         NCP
          p = f()          NCP

  17. Solution: Infeasible Paths
      [Diagram: control-flow graph annotated with the value of p; statements "p = null;" and "p = new …"; edge labels Null, Null, NonNull, Null, NSP, NCP, NCP]

  18. Solution: Infeasible Paths
      Null or NSP
          checkAssertion(p != null)
      NCP
          p.f()

  19. Solution: Infeasible Paths
          try { }                   Null    NSP
          catch(Exception e) { }    Null-E  NSP-E

  20. Comparing a Value to null
          foo.execute();
          if (foo != null) { ... }
      Comparing No-Kaboom to null: HIGH (SEVERE RISK OF PROGRAM FAILURE)

  21. Comparing a value to null
          Detector foo = null;
          if (foo != null) {
              foo.execute();
          }
      Comparing Null to null: MEDIUM (ELEVATED RISK OF PROGRAM FAILURE) R.I.P
          if (foo != null) {
              ...
              if (foo == null) {
                  foo = new ...
              }
          }
      Comparing Checked NonNull to null: MEDIUM (ELEVATED RISK OF PROGRAM FAILURE) R.I.P

  22. Other Solutions
      • Check for methods that unconditionally dereference parameters
      • Annotations
          • @NotNull: parameter/return value must not be null
          • @CheckForNull: check the parameter/return value before dereferencing it

  23. Experiments: Student Code • With Annotations

  24. Experiments: Student Code • Without Annotations

  25. Experiments: Production Code
      • Cannot calc. false negatives!
      Eclipse 3.0.1

  26. Conclusion
      • More inter-procedural techniques could find more bugs
      • But often finding simple bugs with low FP rate is effective
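
A simplified sketch of the forward analysis described in slides 8 to 21, as an added example that is not FindBugs code or part of the original slides. The tuple-based statement format, the `join` rule for merging branches, the MEDIUM priority for NSP, and treating unknown variables as NCP are assumptions made for illustration; the assignment table, the assertion downgrade and the null-comparison warnings follow the slides.

```python
# Added example: simplified forward null analysis over a toy statement list.
NULL, NONNULL, NO_KABOOM, NSP, NCP = "Null", "NonNull", "No-Kaboom", "NSP", "NCP"

# Transfer table from slide 16, keyed by the kind of right-hand side.
ASSIGN = {"null": NULL, "this": NONNULL, "new": NONNULL, "string": NONNULL,
          "class": NONNULL, "field": NCP, "array": NCP, "call": NCP}

def join(a, b):
    """Merge two values at a control-flow join (assumed, simplified rule)."""
    if a == b:
        return a
    if {a, b} == {NONNULL, NO_KABOOM}:
        return NONNULL
    if NSP in (a, b) or NCP in (a, b):
        return NCP                  # merged more than once: stop reporting
    return NSP                      # null on exactly one incoming path

def analyze(block, state, warnings):
    """Apply each statement in order; return the state after the block."""
    for stmt in block:
        op, var = stmt[0], stmt[1]
        if op == "if":              # ("if", then_block, else_block)
            s1 = analyze(stmt[1], dict(state), warnings)
            s2 = analyze(stmt[2], dict(state), warnings)
            state = {k: join(s1.get(k, NCP), s2.get(k, NCP)) for k in {**s1, **s2}}
            continue
        value = state.get(var, NCP) # unknown variables (e.g. parameters): assumed NCP
        if op == "assign":          # ("assign", var, rhs_kind)
            state[var] = ASSIGN[stmt[2]]
        elif op == "deref":         # ("deref", var), e.g. p.f()
            if value == NULL:
                warnings.append(("HIGH", "dereferencing Null", var))
            elif value == NSP:      # priority for NSP is an assumption
                warnings.append(("MEDIUM", "dereferencing NSP", var))
            state[var] = NO_KABOOM  # execution continued, so var was not null
        elif op == "assert_nonnull" and value in (NULL, NSP):
            state[var] = NCP        # slide 18: checkAssertion(p != null)
        elif op == "nullcheck":     # ("nullcheck", var), e.g. if (foo != null)
            if value == NO_KABOOM:
                warnings.append(("HIGH", "comparing No-Kaboom to null", var))
            elif value == NULL:
                warnings.append(("MEDIUM", "comparing Null to null", var))
    return state

def check(block):
    """Run the analysis on a constructed toy program and return its warnings."""
    warnings = []
    analyze(block, {}, warnings)
    return warnings
```

For example, `check([("assign", "p", "null"), ("assert_nonnull", "p"), ("deref", "p")])` models slide 12 and returns no warnings, because the assertion downgrades Null to NCP before the dereference.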
