Hidden Truths in Dead Software Paths
1 like1,835 views
The document discusses detecting dead paths in software through abstract interpretation, highlighting how well-written code should ideally have all paths eventually taken. It presents various examples of code issues, such as null confusion and dead extensibility, which can lead to infeasible paths. The analysis was applied on the JDK and emphasizes filtering out irrelevant issues while providing a link to further tools and discussions.
![Identifying Infeasible Paths
public
static
X
doX(SomeType[]
array)
{
if
(array
!=
null
||
array.length
>
0)
{
(a)
}
//
…
(b)
}//
(ex)
1: public static X doX(SomeType[] array){
2: if (array != null || array.length > 0) {(a) }
5: // … (b)
6: }// (ex)
ifnonnull array arraylength array ifgt (>0)
(a)
(b) (ex)
(B) Corresponding CFG
true true false
false
(A) Java Source Code.
ifnonnull array arraylength array ifgt (>0)
(C) Computed AIFG
false
Java Bytecode
Java Bytecode
:- array is null
CFG](https://image.slidesharecdn.com/hiddentruthsindeadsoftwarepaths-150903150216-lva1-app6891/85/Hidden-Truths-in-Dead-Software-Paths-4-320.jpg)
![Identifying Infeasible Paths
1: public static X doX(SomeType[] array){
2: if (array != null || array.length > 0) {(a) }
5: // … (b)
6: }// (ex)
ifnonnull array arraylength array ifgt (>0)
(a)
(b) (ex)
(B) Corresponding CFG
true true false
false
ifnonnull array arraylength array ifgt (>0)
(a)
(b) (ex)
(C) Computed AIFG
true true false
false
relevant missing edge
a missing edge
Java Bytecode
Java Bytecode
:- array is null
:- array not null
1: public static X doX(SomeType[] array){
2: if (array != null || array.length > 0) {(a) }
5: // … (b)
6: }// (ex)
ifnonnull array arraylength array ifgt (>0)
(a)
(b) (ex)
(B) Corresponding CFG
true true false
false
ifnonnull array arraylength array ifgt (>0)
(a)
(b) (ex)
(C) Computed AIFG
true true false
false
relevant missing edge
a missing edge
Java Bytecode
Java Bytecode
:- array is null
:- array not null
CFG
AIFG](https://image.slidesharecdn.com/hiddentruthsindeadsoftwarepaths-150903150216-lva1-app6891/85/Hidden-Truths-in-Dead-Software-Paths-5-320.jpg)
Hidden Truths in Dead Software Paths
- 1. Hidden Truths in Dead Software Paths Michael Eichberg, Ben Hermann, Mira Mezini, and Leonid Glanz ESEC/FSE 2015, Bergamo, Italy
- 2. When is a path dead? if (maxBits > 4 || maxBits < 8) { maxBits = 8; } if (maxBits > 8) { maxBits = 16; } OpenJDK 8 update 25, com.sun.imageio.plugins.png.PNGMetadata, line 1842ff Hidden inside a 278 LOC method
- 3. Hypothesis In well-written code every path between an instruction and all its successors is eventually taken A path that will never be taken indicates an issue
- 4. Identifying Infeasible Paths public static X doX(SomeType[] array) { if (array != null || array.length > 0) { (a) } // … (b) }// (ex) 1: public static X doX(SomeType[] array){ 2: if (array != null || array.length > 0) {(a) } 5: // … (b) 6: }// (ex) ifnonnull array arraylength array ifgt (>0) (a) (b) (ex) (B) Corresponding CFG true true false false (A) Java Source Code. ifnonnull array arraylength array ifgt (>0) (C) Computed AIFG false Java Bytecode Java Bytecode :- array is null CFG
- 5. Identifying Infeasible Paths 1: public static X doX(SomeType[] array){ 2: if (array != null || array.length > 0) {(a) } 5: // … (b) 6: }// (ex) ifnonnull array arraylength array ifgt (>0) (a) (b) (ex) (B) Corresponding CFG true true false false ifnonnull array arraylength array ifgt (>0) (a) (b) (ex) (C) Computed AIFG true true false false relevant missing edge a missing edge Java Bytecode Java Bytecode :- array is null :- array not null 1: public static X doX(SomeType[] array){ 2: if (array != null || array.length > 0) {(a) } 5: // … (b) 6: }// (ex) ifnonnull array arraylength array ifgt (>0) (a) (b) (ex) (B) Corresponding CFG true true false false ifnonnull array arraylength array ifgt (>0) (a) (b) (ex) (C) Computed AIFG true true false false relevant missing edge a missing edge Java Bytecode Java Bytecode :- array is null :- array not null CFG AIFG
- 6. Abstract Interpretation Not targeted at a specific goal Not a whole program analysis, but instead everything may be an entry point Inter-procedural, path-, flow-, object- and context-sensitive with configurable call chain length (typically low)
- 7. Abstract Interpretation Integers support all arithmetic operations (of the JVM) maximum size for intervals before we consider them as AnyInt float, long, double at type level reference values objects distinguished by their allocation site alias- and path-sensitive
- 8. Post-Processing Compiler Generated Dead Code The Intricacies of Java Established Idioms Assertions Reflection and Reflection-like Mechanisms
- 9. Post-Processing Compiler Generated Dead Code void conditionInFinally(java.io.File f) { boolean completed = false; try { f.canExecute(); completed = true; } finally { if (completed) doSomething(); } } Finally blocks are included twice by Java compilers
- 10. Post-Processing The Intricacies of Java Throwable doFail() { throw new Exception(); } Object compute(Object o) { if (o == null) { return doFail(); } else return o; }
- 11. Post-Processing Established Idioms switch (i) { case 1: break; // complete enumerable of all cases default: throw new UnknownError(); }
- 12. Post-Processing Assertions Reflection and Reflection-like Mechanisms
- 13. Study: JDK 8 Update 25 Category Percentage Null Confusion 54 % Range Double Checks 11 % Dead Extensibility 9 % Unsupported Operation Usage 7 % Unexpected Return Value 5 % Forgotten Constant 4 % Confused Language Semantics 3 % Type Confusion 3 % Confused Conjunctions 2 % Obviously Useless Code 1 % False Positives 1 % • Found 556 issues • For 19 we found no source code • 279 of 537 were considered irrelevant • The remaining 258 issues were manually inspected
- 14. Null Confusion Infeasible path because of too much checks for null Infeasible path because of too less checks for null if (o == null) return doSomething(); if (o == null) return doSomeOtherThing(); int num = array.length; if (array == null) throw InvalidArgumentException();
- 15. Range Double Checks if (extendableSpaces <= 0) return; int adjustment = (target -‐ currentSpan); int spaceAddon = (extendableSpaces > 0) ? adjustment / extendableSpaces : 0; OpenJDK 8 update 25, javax.swing.text.ParagraphView$Row.layoutMajorAxis, line 1095ff
- 16. Dead Extensibility // For now we set owner to null. In the future, it may be // passed as an argument. Window owner = null; if (owner instanceof Frame) { ... } OpenJDK 8 update 25, javax.print.ServiceUI.printDialog, line 189ff
- 17. Summary General analysis approach to find various different and complex issues Dead Path detection using Abstract Interpretation We evaluated on the JDK (and on the Qualitas Corpus) We filter out irrelevant issues
- 18. Thanks and please try it out http://www.opal-‐project.de/tools/bugpicker/ And also see my other talk on a Capability Model for Java on Friday’s 11:30 session R8.c in the same room