Presentation is loading. Please wait.

Presentation is loading. Please wait.

Null Dereference Verification Via Over-approximated Weakest Precondition analysis Ravichandhran Madhavan Microsoft Research, India Joint work with Raghavan.

Published bySara Summers Modified over 8 years ago

Similar presentations

Presentation on theme: "Null Dereference Verification Via Over-approximated Weakest Precondition analysis Ravichandhran Madhavan Microsoft Research, India Joint work with Raghavan."— Presentation transcript:

1 Null Dereference Verification Via Over-approximated Weakest Precondition analysis Ravichandhran Madhavan Microsoft Research, India Joint work with Raghavan Komondoor, Indian Institute of Science

2 Problem Definition ● Verify absence of Null dereferences ● ● Demand-driven ● Analyze a dereference in almost real-time ● Sound (i.e, no false negatives) ● No programmer annotations ● Reasonably precise ● Should work on real-world Java programs

3 Weakest (atleast once) Precondtion ● WP(p,C) ● Constraint on the initial state that ensures that C holds whenever control reaches p ● p may never be reached when WP(p,C) holds ● WP 1 (p,C) ● Constraint on the initial state that ensures that p is reached atleast once in a state satisfying C. ● WP(p,C) = ¬WP 1 (p,¬C)

4 Null deref verification using WP 1 1: foo(a) { 2: b = null; 3: if (a != null) 4: b.g = 10; 5: } ➢ We need to show that WP(S4, b != null) = true ➢ Equivalently, WP 1 (S4, b = null) = false

5 Null deref verification using WP 1 1: foo(a) { 2: b = null; 3: if (a != null) 4: b.g = 10; 5: } b = null if(a != null) b.g = 10 Dereference of b is not safe

6 Our approach ● Computing WP and WP 1 is undecidable ● Our approach: compute a condition that is weaker than WP 1

7 Design Goals ● Perform strong updates even in the presence of aliasing ● Incorporate path-sensitivity: track relevant branches ● Perform context-sensitive inter-procedural analysis

8 Abstract Domain ● The domain excludes access-paths in which a field repeats. ● Eg:

9 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

10 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

11 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

12 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

13 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

14 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

15 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

16 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

17 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

18 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

19 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

20 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

21 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

22 Illustration if(y != null) x = tz = new... x.data = y t.next.data = z...= t.data.msg t = t.next TF

23 Simplification rules ap 1 = new...

24 Abstract Interpretation Formulation ● Concrete semantics ● Domain: sets of concrete stores ordered by set inclusion ● Backward collecting semantics – set union is the join operator

25 Abstract Interpretation Formulation ● Abstract semantics: ● ●, but the converse does not hold ● Transfer functions and simplification rules are monotonic ● Abstract transfer functions over-approximate the concrete transfer functions

26 E() {... } Inter-procedural analysis Main { if(*) A() else B() } B() {... C()... } A() {... D()... C() } C() {... F()... D()... r.f =... } F() {... } D() {... E()... }

27 Inter-procedural analysis m ai n B C A D E F

28 Inter-procedural analysis m ai n B C A D E F

29 Inter-procedural analysis m ai n B C A D E F φ1φ1

30 Inter-procedural analysis m ai n B C A D E F φ1φ1 φ2φ2

31 Inter-procedural analysis m ai n B C A D E F φ1φ1 φ2φ2

32 Inter-procedural analysis m ai n B C A D E F φ1φ1

33 Inter-procedural analysis m ai n B C A D E F φ5φ5

34 Inter-procedural analysis m ai n B C A D E F φ5φ5

35 Inter-procedural analysis m ai n B C A D E F

36 Inter-procedural analysis m ai n B C A D E F

37 Inter-procedural analysis m ai n B C A D E F

38 Inter-procedural analysis m ai n B C A D E F

39 Inter-procedural analysis m ai n B C A D E F

40 Inter-procedural analysis m ai n B C A D E F φ1φ1

41 Inter-procedural analysis m ai n B C A D E F

42 Inter-procedural analysis m ai n B C A D E F

43 Inter-procedural analysis m ai n B C A D E F

44 E() {... } Inter-procedural analysis B() {... C()... } A() {... D()... C() } C() {... F()... D()... r.f =... } F() {... } D() {... E()... } φ1φ1 φ2φ2 φ3φ3 φ5φ5 φ6φ6 φ7φ7 φ8φ8 φ9φ9 φ 10 φ 11 φ4φ4 φ7φ7 Main { if(*) A() else B() } φ1φ1 φ4φ4

45 Inter-procedural analysis ● Uses depth-first strategy instead of conventional chaotic iteration ● Analyzes callees before callers ● Pros: ● Uses less memory ● Can abort search on discovering a satisfiable path

46 Handling Recursion m ai n B C A D E F

47 Handling Recursion m ai n B C A D F

48 Handling Recursion m ai n B C A D F

49 Handling Recursion m ai n B C A D F φ1φ1

50 Handling Recursion φ1φ1 m ai n B C A D F φ1φ1 Recursion detected

51 Handling Recursion φ1φ1 m ai n B C A D F

52 Handling Recursion φ1φ1 m ai n B C A D F φ1φ1

53 Handling Recursion φ1φ1 m ai n B C A D F Iterate until precondition for φ 1 stabilises

54 Handling Recursion φ1φ1 m ai n B C A D F

55 Handling Recursion m ai n B C A D F φ1φ1

56 Challenges: Calls to/from standard library m ai n B Library call call back Standard library (S, r = null)......... Library call... Do not enter callers in the library Reduce to true predicates modified by the library method

57 Challenges: Explosion of formulas ● Formula sizes can increase due to ● Put-field statements (aliasing predicates) ● Branch statements ● Put-field statements ● We use an inexpensive alias analysis to invalidate alias predicates ● if the access-paths are not may-aliases

58 Limiting Path-sensitivity ● Tracking all branch conditions without bounds will not scale ● Can we do better than arbitrarily bounding the disjunct sizes ? ● For null-dereference verification, null-checks are a good target !

59 Targeting null-checks if(b != null) b.g = 10 b = a if(a != null) b.g = 10 Null-check which needs to be tracked

60 Limited path-sensitivity ● Track “AP op null” branches where AP aliases with AP in the root predicate ● Ageing: ● Drop predicates propagated beyond a threshold ● Track only k recent branch conditions ● Parameterizable: Predicate age, disjunct sizes and branches to be tracked can be configured.

61 Results In all programs (except antlr), 93% of the derefs took < 250ms

62 Complexity of verified dereferences ● Context Depth Max context depth

63 Max context depth Vs safe derefs

64 Example with high context depth class L2Object { ObjectPosition _position public L2Object(){ InitPosition(); } public void initPosition(){ SetObjectPosition( new CharPosition(this)) } public void setObjectPosition(...) { _position = value } public ObjectPosition getPosition() { return _position; } class L2Character extends L2Object { public L2Character() { super() } class L2AirShipInstance extends Character{ public L2AirShipInstance() { super() } public void L2AirShipInstanceParseLine() { airship = new L2AirShipInstance(..); t = airship.getPosition() t.setHeading(); }

65 Max propagation count Vs safe derefs

66 Evaluation of limited path-sensitivity Did not scale to the rest

67 Summary miss percentage

68 Related Work ● SALSA ● Non demand-driven analysis ● Performs limited scope analysis for scalability. ● Findbugs ● Bug finding tool based on a set of heuristics ● Xylem ● Uses a similar WP based approach ● Bug finding tool (has false negatives/positives)

69 Related Work ● Snugglebug ● Under-approximates WP 1 (computes a condition stronger than WP 1 ) ● Can prove presence of bugs (not its absence) ● ESC/Java ● Uses pre/post, loop-invariant annotations for computing WP

70 Conclusion ● Our evaluations on real Java programs reveal that ● Deep inter-procedural analysis is important ● Complex interactions with libraries (esp. with GUI, DB libs) present a huge challenge ● Complications arise due to virtual method dispatch and exceptions ● Our design trade-offs result in an highly responsive analysis with reasonable precision ● Ideal for use in desktop development environments

Download ppt "Null Dereference Verification Via Over-approximated Weakest Precondition analysis Ravichandhran Madhavan Microsoft Research, India Joint work with Raghavan."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.

Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Runtime Techniques for Efficient and Reliable Program Execution Harry Xu CS 295 Winter 2012.

Runtime Techniques for Efficient and Reliable Program Execution Harry Xu CS 295 Winter 2012.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Abstraction of Source Code (from Bandera lectures and talks)

Abstraction of Source Code (from Bandera lectures and talks)
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.

1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.

Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.
1 Automatic Predicate Abstraction of C Programs Parts of the slides are from

1 Automatic Predicate Abstraction of C Programs Parts of the slides are from
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
CSE 331 Software Design & Implementation Dan Grossman Winter 2014 Lecture 2 – Reasoning About Code With Logic 1CSE 331 Winter 2014.

CSE 331 Software Design & Implementation Dan Grossman Winter 2014 Lecture 2 – Reasoning About Code With Logic 1CSE 331 Winter 2014.
Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.

Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.
Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.

Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.
Martin Vechev IBM Research Michael Kuperstein Technion Eran Yahav Technion (FMCAD’10, PLDI’11) 1.

Martin Vechev IBM Research Michael Kuperstein Technion Eran Yahav Technion (FMCAD’10, PLDI’11) 1.

Similar presentations

Ads by Google