33
Lightweight Verification of Array Indexing Martin Kellogg*, Vlastimil Dort**, Suzanne Millstein*, Michael D. Ernst* * University of Washington, Seattle ** Charles University, Prague
Lightweight Verification of Array Indexing
Martin Kellogg*, Vlastimil Dort**, Suzanne Millstein*, Michael D. Ernst*
* University of Washington, Seattle** Charles University, Prague
The problem: unsafe array indexing● In unsafe languages (C): buffer overflow!
● In managed languages (Java, C#, etc.): exception, program crashes
2
The state of the art
3
Strength of guarantees
Practical for developers
The state of the art
4
Strength of guarantees
Practical for developers
CoqKeY
Clousot
The state of the art
5
Strength of guarantees
Practical for developers
CoqKeY
Clousot
FindBugsCoverity
The state of the art
6
Strength of guarantees
Practical for developers
CoqKeY
Clousot
FindBugsCoverity
The Index Checker (this talk)
Problems with complex analyses
- false positives
- annotation burden
- complex analyses are hard to predict7
Problems with complex analyses
- false positives● bounds checking is hard → complex analysis● complex analysis → harder to implement● harder to implement → more false positives
- annotation burden
- complex analyses are hard to predict8
Problems with complex analyses
- false positives● bounds checking is hard → complex analysis● complex analysis → harder to implement● harder to implement → more false positives
- annotation burden● complex analysis → complex annotations
- complex analyses are hard to predict9
Problems with complex analyses
- false positives● bounds checking is hard → complex analysis● complex analysis → harder to implement● harder to implement → more false positives
- annotation burden● complex analysis → complex annotations
- complex analyses are hard to predict10
Fundamental problem is complex analyses!Insight:
11
Cooperating simple analysesSolve all three problems:
12
Cooperating simple analysesSolve all three problems:● simpler implementation → fewer false positives
13
Cooperating simple analysesSolve all three problems:● simpler implementation → fewer false positives● simpler abstractions → easier to write annotations
14
Cooperating simple analysesSolve all three problems:● simpler implementation → fewer false positives● simpler abstractions → easier to write annotations● simpler analysis → simpler to predict
15
Proving an array access safe
T[] a = …;int i = …;... a[i] ...
We need to show that:● i is an index for a
16
Proving an array access safe
T[] a = …;int i = …;... a[i] ...
We need to show that:● i is an index for a● i ≥ 0● i < a.length 17
Proving an array access safe
T[] a = …;int i = …;... a[i] ...
We need to show that:● i is an index for a● i ≥ 0 A lower bound on i● i < a.length An upper bound on i 18
A type system for lower bounds
T
↑
i ≥ -1↑
↑
i ≥ 0
i ≥ 1
@LowerBoundUnknown int i
↑
@GTENegativeOne int i
↑
↑
@NonNegative int i
@Positive int i19
A type system for lower bounds
T
↑
i ≥ -1↑
↑
i ≥ 0
i ≥ 1
@LowerBoundUnknown int i
↑
@GTENegativeOne int i
↑
↑
@NonNegative int i
@Positive int i20
A type system for upper bounds
if (i >= 0 && i < a.length) {a[i] = ...
}
21
A type system for upper bounds
if (i >= 0 && i < a.length) {a[i] = ...
}
22
i < a.length @LTLengthOf(“a”) int i
Type systems
Linear inequalitiesi < j
Minimum lengthsa.length > 10
Negative indices| i | < a.length
Lower boundsi ≥ 0
Equal lengthsa.length = b.length
Upper boundsi < a.length
23
Type systems
Linear inequalitiesi < j
Minimum lengthsa.length > 10
Negative indices| i | < a.length
Lower boundsi ≥ 0
Equal lengthsa.length = b.length
Upper boundsi < a.length
24
A type system for minimum array lengths
if (a.length >= 3) {a[2] = ...;
}
25
A type system for minimum array lengths
if (a.length >= 3) {a[2] = ...;
}
26
a.length ≥ i T @MinLen(i) [] a
EvaluationThree case studies:● Google Guava (two packages)● JFreeChart● plume-lib
Comparison to existing tools:● FindBugs, KeY, Clousot
27
Case Studies
Guava JFreeChart plume-lib Total
Lines of code 10,694 94,233 14,586 119,503
Bugs found 5 64 20 89
Annotations 510 2,938 241 3,689
False positives 138 386 43 567
Java casts 222 2,740 219 3,181
28
Comparison to other tools: confirmed bugs
Tool Index Checker FindBugs KeY Clousot
True Positives
False Negatives
Approach Types Bug finder Verif. w/ solver Abs. interpret.
Time (100k LoC)
29
Comparison to other tools: confirmed bugs
Tool Index Checker FindBugs KeY Clousot
True Positives
False Negatives
Approach Types Bug finder Verif. w/ solver Abs. interpret.
Time (100k LoC) ~10 minutes ~1 minute cannot scale ~200 minutes
30
Comparison to other tools: confirmed bugs
Tool Index Checker FindBugs KeY Clousot
True Positives 18/18 0/18 9/18 16/18
False Negatives 0/18 18/18 1/18 2/18
Approach Types Bug finder Verif. w/ solver Abs. interpret.
Time (100k LoC) ~10 minutes ~1 minute cannot scale ~200 minutes
31
Using the Index Checker● Distributed with Checker Framework
www.checkerframework.org
32
Contributions● A methodology: simple, cooperative type systems
● An analysis: abstractions for array indexing
● An implementation and evaluation for Java
● Verifying the absence of array bounds errors in real codebases (and finding bugs in the process!)
33
