Académique Documents
Professionnel Documents
Culture Documents
Program Analysis
Ch 19, slide 1
Why Analysis
Ch 19, slide 2
! Examples
! Automated analysis
!race conditions
!faulty memory accesses
Ch 19, slide 4
Concurrency faults
! Concurrency faults
! Static analysis
! Dynamic analysis
! Prevention
! Programming styles
Ch 19, slide 5
Memory faults
Example
} else if (c == '%') {
int digit_high = Hex_Values[*(++eptr)];
int
digit_low
= Hex_Values[*(++eptr)];
! fault
! input string terminated by an hexadecimal digit
! scan beyond the end of the input string and corrupt
memory
! failure may occur much after the execution of the
faulty statement
! Common faults
! buffer overflow in C programs
! access through dangling pointers
! slow leakage of memory
! hard to detect
Ch 19, slide 6
Ch 19, slide 7
Ch 19, slide 8
Symbolic Testing
! analysis tools
! Java dynamic checks for out-of-bounds indexing and null pointer dereferences
(sensitivity principle)
Ch 19, slide 9
Ch 19, slide 10
Ch 19, slide 11
! Example:
analyses based on finite state machines (FSM)
! data values by states
! operations by state transitions
Ch 19, slide 12
Pointer Analysis
Merging States
! Potential misuse
Ch 19, slide 13
Buffer Overflow
Ch 19, slide 14
Identifies
the problem
}
(c) 2007 Mauro Pezz & Michal Young
! Flow analysis
merge states obtained along different execution paths
Ch 19, slide 15
Ch 19, slide 16
Memory Analysis
Data Races
allocate
Unallocated
(unwritable and unreadable)
deallocate
Allocated and initialized
(readable and writable)
initialize
(c) 2007 Mauro Pezz & Michal Young
Ch 19, slide 17
Thread
! END: set of locks after executing a test = set of locks always held
by threads accessing that variable
Program trace
Locks held
Lockset(x)
{}
{lck1, lck2}
lck1 held
{lck1}
x=x+1
{lck1}
unlock(lck1}
Intersect with
locks held
{}
tread B
lock{lck2}
{lck2}
x=x+1
lck2 held
{}
unlock(lck2}
{}
Ch 19, slide 19
thread A lock(lck1)
Ch 19, slide 18
Empty intersection
potential
race
Ch 19, slide 20
Virgin
write
Exclusive
write/new thread
Multiple writers
report violations
read/write/first thread
Shared-Modified
read/new thread
read
Shared
write
Multiple readers
single writer
do not report violations
Ch 19, slide 21
Ch 19, slide 22
Ch 19, slide 23
Ch 19, slide 24
Predicate templates
constant
x=a
uninitialized
x=uninit
x={a,b,c}
over a single
numeric variable
in a range
x!a,x"b,a"x"b
nonzero
x#0
modulus
x=a(mod b)
nonmodulus
x#a(mod b)
linear relationship
y=ax+b
ordering
relationship
x"y,x<y,x=y,x#y
Ch 19, slide 25
Derived Models
useless (redundant)
information
father >= 0
left == 2
left >= 0
right == 7
leftHeight == rightHeight
rightHeight == diffHeight
leftHeight == 0
fatherHeight >= 0
rightHeight == 0
leftHeight >= 0
rightHeight >= 0
limited validity
of the test case:
the tree is perfectly
balanced
elements are
inserted correctly
Ch 19, slide 26
additional information:
all elements are
non-negative
the tree
is balanced
Ch 19,
leftHeight - rightHeight + diffHeight
==slide
0 27
Ch 19, slide 28
Ch 19, slide 29
Summary
! Program analysis complements testing and
inspection
! Addresses problems (e.g., race conditions, memory
leaks) for which conventional testing is ineffective
! Can be tuned to balance exhaustiveness, precision,
and cost (e.g., path-sensitive or insensitive)
! Can check for faults or produce information for
other uses (debugging, documentation, testing)
Ch 19, slide 31
! Program analysis
! understand program behavior
! Regression testing
! compare versions or configurations
! Debugging
! Identify anomalous behaviors and understand causes
(c) 2007 Mauro Pezz & Michal Young
Ch 19, slide 30