© 2017 Spazio IT - Soluzioni Informatiche s.a.s.
June 2017
Bounded Model Checking and Abstract Interpretation of Large C Codebases
Maurizio Martignano
Spazio IT – Soluzioni Informatiche s.a.s.
Via Manzoni 40
46030 San Giorgio di Mantova, Mantova
http://www.spazioit.com
Agenda
Code Analyzers
Model Generation and Execution
Staying on phase one (model generation)
Local Analyses and Code Partitioning
Clang Static Analyzer and Facebook Infer
SonarQube Code Quality Platform
Code Inspection (a human activity)
Code Analyzers
Why?
– To get metrics / “quality stamps”
– To check compliance with standards/recommendations
– To look for (potential) issues: e.g. bugs, vulnerabilities, code smells (http://sonarsrv.spazioit.com/projects)
– To look for “hot spots” and help/facilitate development, code inspection, ISVV
Two broad categories
– Pattern matcher(s) (e.g. Lint)
– Symbolic / Abstract Executors/Interpreters (e.g. CBMC and Frama-C)
Model Generation and Execution
Diagram: Program (piece of code) → Model Generator → Program Model → Model Execution → Execution Results
Model Generation and Execution
CBMC and the Frama-C value analysis plugin organize their computation into two phases:
– generation of a model of the code under analysis;
– “symbolic execution” or “logic verification” of that model.
The computation resources required by phase one grow polynomially with the complexity of the code under analysis (number of files, packages, classes, functions, parameters, variables, lines of code, loops, constructs and so on).
Model Generation and Execution
The computation resources required by phase two grow exponentially with the complexity of the code under analysis.
What can we do about this situation?
Staying on phase one: infinite loop example
Staying on phase one
A simple never-ending C program (loops.c):
#include <stdio.h>

int main(void) {
    int i = 0;
    int n = 10;
    for (i = 0; i < n; i++) {
        printf("Iteration #% 2d.\n", i + 1);
        if (i == 5) i = 0;   /* resets the counter: the exit condition is never reached */
    }
    return 0;
}
Staying on phase one
CBMC analysis results (run without an --unwind bound, so phase one itself never finishes: the unwinder keeps peeling iterations because the loop condition is never provably false)…
Unwinding loop c::main.0 iteration 1205 file loops.c line 7 function main thread 0
Unwinding loop c::main.0 iteration 1206 file loops.c line 7 function main thread 0
Unwinding loop c::main.0 iteration 1207 file loops.c line 7 function main thread 0
Unwinding loop c::main.0 iteration 1208 file loops.c line 7 function main thread 0
Unwinding loop c::main.0 iteration 1209 file loops.c line 7 function main thread 0
…
With --unwind N CBMC stops after N iterations of each loop, and --unwinding-assertions makes it report whether that bound was sufficient instead of silently truncating the analysis.
Staying on phase one
Frama-C analysis results…
[value] Done for function printf
[value] computing for function printf <- main.
Called from loops.c:8.
[value] Done for function printf
[value] computing for function printf <- main.
Called from loops.c:8.
[value] Done for function printf
[value] Recording results for main
[value] done for function main
[value] ====== VALUES COMPUTED ======
[value] Values at end of function main:
NON TERMINATING FUNCTION
Local Analyses & Code Partitioning
Diagram: C Sources → “Compiler” → Project DB → Scripts Generator → Scripts → Analysis Tool (CBMC / Frama-C) → Analysis Results
Reading of the diagram: a compiler wrapper records how each translation unit is built into a project database; a script generator turns that database into one small, local analysis job per unit or function; the generated scripts drive CBMC / Frama-C and collect the results.
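As an added illustration of the Scripts Generator box (example code written for this page, not Spazio IT's own tool, whose internals the deck does not show): a small Python generator reads a compile_commands.json-style project database (a constructed sample standing in for what the “compiler” wrapper records), lists the functions of each translation unit with a heuristic regex (an assumption; a real generator would take the symbol table from the compiler front end) and emits one bounded CBMC run and one Frama-C value-analysis run per function, so every job is local and bounded. The CBMC options --function, --unwind, --unwinding-assertions, --bounds-check and --pointer-check and the Frama-C options -main and -cpp-extra-args are the tools' real options; -eva is the newer name of the value analysis (invoked as -val in older releases) and is assumed to be available.

```python
import json
import re
import shlex

# Constructed stand-in for the "Project DB": a compile_commands.json-style list
# such as a compiler wrapper (bear, CMAKE_EXPORT_COMPILE_COMMANDS) records.
PROJECT_DB = json.dumps([
    {"directory": "/src/demo", "file": "loops.c",
     "command": "gcc -I./include -DNDEBUG -DMAX_ITER=10 -c loops.c -o loops.o"},
    {"directory": "/src/demo", "file": "parser.c",
     "command": "gcc -I./include -I/usr/local/include -c parser.c -o parser.o"},
])

# Constructed sources; a real generator would take the function list from the
# compiler front end instead of scanning text.
SOURCES = {
    "loops.c": ("int step(int i) { return i + 1; }\n"
                "int main(void) { int i = 0; while (i < 10) i = step(i); return 0; }\n"),
    "parser.c": ("static int classify(unsigned char c) { return c > 127; }\n"
                 "int parse(const char *s) { return classify(*s); }\n"),
}

# Heuristic (assumption): a definition is 'type name(params) {' at the start of a line.
FUNC_RE = re.compile(r"^[\w\s\*]*?\b(\w+)\s*\([^;{)]*\)\s*\{", re.MULTILINE)


def functions_in(source):
    return FUNC_RE.findall(source)


def parse_flags(command):
    """Recover the -I and -D options the real compilation used, so the
    analyzer preprocesses exactly the code the compiler saw."""
    args = shlex.split(command)
    inc, defs = [], []
    for k, a in enumerate(args):
        if a.startswith("-I"):
            inc.append(a[2:] or args[k + 1])
        elif a.startswith("-D"):
            defs.append(a[2:] or args[k + 1])
    return inc, defs


def cbmc_command(entry, function, unwind=10):
    """One bounded run per function: phase two only ever sees one entry point
    and at most `unwind` iterations per loop, with an assertion if that is too few."""
    inc, defs = parse_flags(entry["command"])
    cmd = ["cbmc", entry["file"], "--function", function,
           "--unwind", str(unwind), "--unwinding-assertions",
           "--bounds-check", "--pointer-check"]
    for d in inc:
        cmd += ["-I", d]
    for d in defs:
        cmd += ["-D", d]
    return cmd


def frama_c_command(entry, function):
    """Same partitioning for the value analysis: entry point chosen with -main."""
    inc, defs = parse_flags(entry["command"])
    cpp = " ".join(["-I" + d for d in inc] + ["-D" + d for d in defs])
    cmd = ["frama-c", "-eva", "-main", function, entry["file"]]
    if cpp:
        cmd.append("-cpp-extra-args=" + cpp)
    return cmd


def generate_jobs(project_db_json, sources, unwind=10):
    """(tool, directory, file, function, argv) for every function of every unit."""
    jobs = []
    for entry in json.loads(project_db_json):
        for fn in functions_in(sources[entry["file"]]):
            jobs.append(("cbmc", entry["directory"], entry["file"], fn,
                         cbmc_command(entry, fn, unwind)))
            jobs.append(("frama-c", entry["directory"], entry["file"], fn,
                         frama_c_command(entry, fn)))
    return jobs


def write_script(jobs):
    """Shell script running every job in its build directory, one log per job,
    so one failing or non-terminating analysis does not take the batch down."""
    lines = ["#!/bin/sh", "set -u"]
    for tool, directory, path, fn, argv in jobs:
        log = shlex.quote(f"{path}.{fn}.{tool}.log")
        lines.append(f"(cd {shlex.quote(directory)} && {shlex.join(argv)}) > {log} 2>&1"
                     f" || echo 'FAILED {tool} {path}:{fn}'")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(write_script(generate_jobs(PROJECT_DB, SOURCES)))
```

Each generated line wraps one job in a subshell with its own log, so a job that hits the phase-two blow-up can be killed (or given a `timeout`) without losing the results of the others; the `--unwinding-assertions` flag is what turns an insufficient bound into a reported finding rather than a silent gap in coverage.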
Clang Static Analyzer and Facebook Infer
Still too complicated?
Clang Static Analyzer and Facebook Infer
Normal build operation:
./autogen.sh
./configure
make
Analyzer invocation (same build, wrapped by the tool):
./autogen.sh
./configure
scan-build make     [clang]
infer -- make       [fb infer]
Clang Static Analyzer
and Facebook Infer
pexa0.c (deliberately buggy):
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int *ip, i;
    ip = &i;
    ip += 100;   /* 100 ints past a single int object: undefined behaviour, never dereferenced */
    char *ptr = NULL;
    /* what will be printed here? (ip - &i is a ptrdiff_t, not an int) */
    printf("ip - &i = %d.\n", ip - &i);
    printf("(unsigned)ip - (unsigned)&i = %u.\n", (unsigned)ip - (unsigned)&i);
    // allocating some memory
    ptr = (char *) malloc(100);
    // and never releasing it...
    return 0;
}
Clang Static Analyzer
and Facebook Infer
[clang]
pexa0.c:13:29: warning: format specifies type 'int' but the argument has type 'long' [clang-diagnostic-format]
  printf("ip - &i = %d.\n", ip - &i);
                            ^
pexa0.c:17:3: warning: Value stored to 'ptr' is never read [clang-analyzer-deadcode.DeadStores]
  ptr = (char *) malloc(100);
  ^
pexa0.c:17:3: note: Value stored to 'ptr' is never read
  ptr = (char *) malloc(100);
  ^
pexa0.c:21:3: warning: Potential leak of memory pointed to by 'ptr' [clang-analyzer-unix.Malloc]
  return 0;
  ^
pexa0.c:17:18: note: Memory is allocated
  ptr = (char *) malloc(100);
                 ^
pexa0.c:21:3: note: Potential leak of memory pointed to by 'ptr'
  return 0;
  ^
Clang Static Analyzer
and Facebook Infer
[fb infer]
pexa0.c:17: error: MEMORY_LEAK
memory dynamically allocated to `ptr` by call to `malloc()` at line 17, column 18 is not reachable after line 17, column 3
  15.
  16.   // allocating some memory
  17. > ptr = (char *) malloc(100);
  18.   // and never releasing it...
  19.

Summary of the reports
  MEMORY_LEAK: 1

Note what is not reported: neither tool flags the out-of-object pointer arithmetic ip += 100 (undefined behaviour, but the pointer is never dereferenced here). Only the format mismatch, the dead store and the leak are caught, which is the usual trade-off of these fast, local analyzers against the bounded model checker.
SonarQube Code Quality Platform
SonarQube Code Quality Platform
SonarQube is an open source Web Application (http://www.sonarqube.org) which
– Takes in input a set of source code files and a set of analyses results (produced by external tools).
– Stores both sources and results in a database.
– Makes available the gathered information via a dynamic website where the results are shown in the context of the code itself.
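Added example (written for this page, not part of the deck and not SonarQube's or Spazio IT's code): a converter that turns the clang and Infer output shown on the earlier slides into SonarQube's generic issue import JSON, the format read through the sonar.externalIssuesReportPaths property. That import path is an assumption relative to the deck: it arrived in SonarQube 7.2, later than this presentation, whereas the sensors on the next slide are the plugin route the deck describes. The log lines are a constructed sample copied from the earlier slides, and the check-to-severity mapping is a choice made for the example, not a SonarQube rule.

```python
import json
import re

# Constructed sample input: the clang and Infer lines from the earlier slides.
CLANG_LOG = """\
pexa0.c:13:29: warning: format specifies type 'int' but the argument has type 'long' [clang-diagnostic-format]
  printf("ip - &i = %d.\\n", ip - &i);
                            ^
pexa0.c:17:3: warning: Value stored to 'ptr' is never read [clang-analyzer-deadcode.DeadStores]
pexa0.c:21:3: warning: Potential leak of memory pointed to by 'ptr' [clang-analyzer-unix.Malloc]
pexa0.c:17:18: note: Memory is allocated
"""

INFER_LOG = """\
pexa0.c:17: error: MEMORY_LEAK
memory dynamically allocated to `ptr` by call to `malloc()` at line 17, column 18 is not reachable after line 17, column 3
"""

# file:line:col: level: message [check]   (clang / clang-tidy style diagnostics)
CLANG_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): "
                      r"(?P<level>error|warning|note): (?P<msg>.*?)"
                      r"(?: \[(?P<check>[^\]]+)\])?$")
# file:line: level: BUG_TYPE, explanation on the following line (Infer style)
INFER_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+): (?P<level>error|warning): (?P<check>[A-Z_]+)$")


def classify(check):
    """Map a check name to a SonarQube (type, severity) pair.
    This mapping is a choice made for the example, not a SonarQube rule."""
    c = check.lower()
    if any(k in c for k in ("leak", "malloc", "format", "nullderef", "overflow")):
        return "BUG", "MAJOR"
    return "CODE_SMELL", "MINOR"


def issue(engine, check, path, line, message):
    """One entry of the generic issue import format (assumed field names)."""
    kind, severity = classify(check)
    return {
        "engineId": engine,
        "ruleId": check,
        "severity": severity,
        "type": kind,
        "primaryLocation": {
            "message": message,
            "filePath": path,
            "textRange": {"startLine": line},
        },
    }


def parse_clang(log):
    """Keep warnings/errors carrying a check name; 'note:' lines and the
    echoed source/caret lines are context only and are dropped."""
    out = []
    for raw in log.splitlines():
        m = CLANG_RE.match(raw)
        if m and m["level"] != "note" and m["check"]:
            out.append(issue("clang", m["check"], m["file"], int(m["line"]), m["msg"]))
    return out


def parse_infer(log):
    lines = log.splitlines()
    out = []
    for k, raw in enumerate(lines):
        m = INFER_RE.match(raw)
        if m:
            message = lines[k + 1].strip() if k + 1 < len(lines) else m["check"]
            out.append(issue("infer", m["check"], m["file"], int(m["line"]), message))
    return out


def to_sonar_report(clang_log, infer_log):
    return {"issues": parse_clang(clang_log) + parse_infer(infer_log)}


def render_report(clang_log, infer_log):
    """JSON text to point sonar.externalIssuesReportPaths at."""
    return json.dumps(to_sonar_report(clang_log, infer_log), indent=2)


if __name__ == "__main__":
    print(render_report(CLANG_LOG, INFER_LOG))
```

Because each issue keeps its file path and line, SonarQube can show it in the context of the code itself, as the slide describes, and re-importing after the next analysis lets the platform track which of these findings were fixed, marked as false positives or are still open.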
SonarQube – What is it?
Diagram: Source Code Files + Analyses Results → SonarQube Engine → SonarQube Database
SonarQube / Plugins / Sensors
Diagram: the SonarQube core hosts one plugin per language (Plugin-1 e.g. Ada, Plugin-I e.g. C/C++, Plugin-M e.g. Java); each plugin chains pre-processing (e.g. scanning and parsing), sensors that import external tool results (Sensor-1 e.g. CppCheck, Sensor-J e.g. PC-Lint, Sensor-M e.g. GCOV) and post-processing (e.g. CPD, decorators).
SonarQube – Working with Issues
Analyses on the same code base can be performed at different moments in time and SonarQube keeps track of the changes/evolution.
The problems found during analyses (a.k.a. issues) can be managed directly from within the system itself, e.g.
– Identifying false positives
– Assigning issues to developers
– Checking their status (if they have been solved)
– …
Code Inspection
Code Inspection is a human activity but proper tools
– increase efficiency
– reduce risks.
Further Readings
CBMC - http://www.cprover.org/cbmc/
Frama-C - http://frama-c.com/
Clang Static Analyzer - http://clang-analyzer.llvm.org/
Facebook Infer - http://fbinfer.com/
SonarQube - http://www.sonarqube.org
Spazio IT activities on Code Quality - http://www.spazioit.com/pages_en/sol_inf_en/code_quality_en/
SonarQube Demo - http://sonarsrv.spazioit.com/projects
Clang Static Analyzer Demo - http://www.spazioit.com/software/scan-view-naviserver
Facebook Infer Demo - http://www.spazioit.com/software/infer-out/bugs.html
Questions?