Verification and Static Analysis

A Brief Overview
Professor Mark Gabel Department of Computer Science University of Texas at Dallas

Whats wrong here?

String s = if (s == null) { int count = s.indexOf(.); }

How do we know?
String s = if (s == null) { int count = s.indexOf(.); }

We didnt actually run the code.

How do we know?
String s = // know nothing at this point // facts = {} if (s == null) { // know that s is null // facts = {s is null} // know that this call will fail! int count = s.indexOf(.); }

Analysis: Beyond Testing

New process: reasoning about programs
In the example, we used logic to reason about the existence of a bug We didnt run the program Static reasoning

Static reasoning is powerful

Can extract facts about entire classes of inputs in one run! (How did we attempt to do this while testing?) Applications are numerous
Bug finding Test case generation Formal verification Prove the absence of bugs
5

Practical Success
Verification (Software)
NASA/JPL: Mars Rovers (selected algorithms) Microsoft: Static Driver Verifier
Proves the absence of certain types of bugs in Windows drivers

Bug finding
Coverity
Grew from research at Stanford

FindBugs/Eclipse/IntelliJ
Lightweight analysis for bug patterns

Schema
String s = // know nothing at this point if (s == null) { // know that s is null // know that this call will fail! int count = s.indexOf(.); }

Program

Programming Language Semantics

How is an if statement interpreted?

Analysis or Reasoning Technique

Facts

Scope of Facts
Testing: we learn facts about one input at a time Static Analysis: we learn facts about all inputs at once
On every possible execution, x is null at line 9 This program never writes beyond the end of an array Every path from a user form to the database passes through a sanitizing function (security errors)

Exhaustiveness
Testing: can never prove the absence of bugs
(Except for exhaustive testing)

Static Analysis: can Don Knuth: Beware of bugs in the above code; I have only proved it correct, not tried it.
Incorrect assumptions invalidate results
Assuming single-threaded execution Assuming the lack of memory errors Assuming fault-free hardware

Depends on specification, what you prove

If you prove a fact like bank account balance remains positive on all executions, you dont necessarily prove the entire program is correct with respect to all requirements.
9

Precision
Testing: every bug you find is real
You can replicate it using a test case

Static analysis
Bugs and Errors may not be real
Dead code Flaws in reasoning, over-abstraction These are called False positives

Example verification tool output

Yes verified No, possible errors at line 3, 6, 8 may actually not be errors!
10

Soundness and Completeness

These terms are drawn from mathematics A sound static analysis:
Is always correct when it returns no errors/verified Can report false positives: it may think bugs exist that arent real

A complete analysis:
Can be incorrect when it returns no errors/verified Will never report false positives: every bug it finds is real

A static analysis can be sound, complete, or neither

But it can never be both! (unless you dont guarantee termination) Why?
11

Soundness and Completeness

Usage
Where is a sound static analysis likely to be used? Where is a complete analysis likely to be used?

Practicality
Sound tools can be highly noisy (most bugs are false) They often dont scale well

Problems
Loops Complex control flow Function calls and recursion Unconstrained input variables
12

Unsound and Incomplete?

When is it useful to have an unsound and incomplete software tool?
When you are just interested in finding bugs as quickly as possible Augmenting your testing

An unsound and incomplete static analysis tool is often called a bug finding tool
Clarifies its intentions not trying to prove things correct Coverity, CodeSonar, IntelliJ Inspections, FindBugs

Strategy
Go after low hanging fruit: obvious bugs Increase analysis power until false positive rate is unacceptable
13

Uses of Static Analysis

In what domains (problem types, software types) might static analysis be superior to testing?
Sound analyses? Unsound/Incomplete analyses?

14

Other Applications
Static analysis technology can be used for other purposes, not just bug-finding or verification
Test case generation
Pick a line of code. Generate a test that will reach that line.

Static profiling
Research: how fast will your program run?

15

Summary and Takeaways

Verification and Analysis is a complement to testing
When reasoning about programs statically, we can prove code correct (in theory) Testing can never do this

It has had some practical success and is improving constantly, but it is still far from being truly practical
One of the key motivating domains is security It will only improve

Bug-finding tools have had the highest industrial penetration across domains
You already used one in your project
16