CSE 501: Principles and Applications of Program Analysis
Alvin Cheung, Spring 15

Welcome to CSE 501!

The Cast


Instructor: Alvin Cheung, CSE 530

TA Extraordinaire: Andre Baixo, office hours TBD

You!

Course Communication

• Discussion board
  – HW help
  – Find project partners

• Course website: courses.cs.washington.edu/501

• Email: [email protected]

Course Goals

• What are the techniques used to understand programs?
  – Mix of classical and recent advances
• What can we use these techniques for?
  – Variety of applications across different domains
• How do we build tools that utilize such techniques?

Course Goals

• How to do research?
  – How to choose problems
  – How to devise solutions
  – How to evaluate
  – How to report results

Course Non-Goals

• How to build a compiler from scratch
  – Check out CSE 401
• What are all the compiler optimizations out there?
  – Check out the list of references on the website
• Cover all research topics in program analysis
  – 35 years of PLDI but we only have 10 weeks!

Class Format

• Two class meetings per week
  – Tuesday and Thursday 11am – 12:20 pm
  – Here!

• Occasional HW help and project feedback sessions

Class Format

• We will discuss 1-2 research papers during each class meeting
  – Please read them beforehand
  – We ask you to write a small commentary before class to share with everyone
  – Be prepared to ask questions!

Grading

• Programming assignments (30%)
  – Get to know the available tools out there
  – No late days
• Project (50%)
  – Open-ended: find problems in your research area
  – Work with a partner
  – We will provide you with potential ideas
  – Project milestones, end-of-quarter presentation, final report
• Paper summaries (20%)
  – Submit paper summary 24 hrs before lecture
  – See details on course website

Course Topics

• Dataflow frameworks
• Abstract interpretation
• Domain-specific languages
• Program verification
• Dynamic analysis

Course Topics

• Dataflow frameworks & abstract interpretation
  – Pointer analysis
  – Compiler optimizations
  – Information flow
  – Detecting malware

• Domain-specific languages
  – Parallel programming
  – High-performance computing
  – New hardware

Course Topics

• Program verification
  – Finding program invariants
  – Provably-correct compilers

• Dynamic analysis
  – Program testing
  – Model checking

• Compiler construction

Prerequisites

• Coding
• Data structures
• Mathematical logic
• [Optional] Knowledge about compilers

Now the fun begins…

Why understand programs?

• We all write code!
• It’s good to get some understanding about what we are coding
• It’s good to develop a formal framework for understanding programs

• It’s good to have somebody else do this for us, perhaps automatically

List of software bugs
From Wikipedia, the free encyclopedia
(screenshot shown on the slide; the legible entries follow)

Many software bugs are merely annoying or inconvenient but some can have extremely serious consequences – either financially or as a threat to human well-being. The following is a list of notable software bugs with significant consequences:

Contents: 1 Space exploration, 2 Medical, 3 Tracking years, 4 Electric power transmission, 5 Administration, 6 Telecommunications, 7 Military, 8 Media, 9 Video gaming, 10 Encryption, 11 Transportation, 12 Open source, 13 References

Space exploration
• A booster went off course during launch, resulting in the destruction of NASA Mariner 1. This was the result of the failure of a transcriber to notice an overbar in a written specification for the guidance program, resulting in the coding of an incorrect formula in its software. (July 22, 1962).[1]
• The Russian Space Research Institute's Phobos 1 (Phobos program) deactivated its attitude thrusters and could no longer properly orient its solar arrays or communicate with Earth, eventually depleting its batteries. (September 10, 1988).[3]
• The European Space Agency's Ariane 5 Flight 501 was destroyed 40 seconds after takeoff (June 4, 1996). The US$1 billion prototype rocket self-destructed due to a bug in the on-board guidance software.[4]
• In 1997, the Mars Pathfinder mission was jeopardised by a bug in concurrent software shortly after the rover landed, which had not been found in preflight testing because it only occurred in certain unanticipated heavy-load conditions. The problem, which was identified and corrected from Earth, was due to computer resets caused by priority inversion.[5][6][7]
• The ESA's CryoSat-1 satellite was lost in a launch failure in 2005 due to a missing shutdown command in the flight control system of its Rockot carrier rocket.[8]
• NASA Mars Polar Lander was destroyed because its flight software mistook vibrations due to atmospheric turbulence for evidence that the vehicle had landed and shut off the engines 40 meters from the Martian surface (December 3, 1999).[9]
• Its sister spacecraft was also destroyed, due to software on the ground generating commands in pound-force (lbf), while the orbiter expected newtons (N).
• A mis-sent command from Earth caused the software of the NASA Mars Global Surveyor to incorrectly assume that a motor had failed, causing it to point one of its batteries at the sun. This overheated the battery and destroyed it (2006).[10][11]
• NASA's Spirit rover became unresponsive on January 21, 2004, a few weeks after landing on Mars. Engineers found that too many files had accumulated in the rover's flash memory. It was restored to working condition after deleting unnecessary files.[12]

Medical
• A bug in the code controlling the Therac-25 radiation therapy machine was directly responsible for at least five patient deaths in the 1980s when it administered excessive quantities of X-rays.[13][14][15]
• A Medtronic heart device was found vulnerable to remote attacks in March 2008.[16]

Tracking years
• The year 2000 problem spawned fears of worldwide economic collapse and an industry of consultants providing last-minute fixes. A similar problem will occur in 2038 (the year 2038 problem), as many Unix-like systems calculate the time in seconds since 1 January 1970, and store this number as a 32-bit signed integer, for which the maximum possible value is 2^31 − 1 (2,147,483,647) seconds.[18]
• An error in the payment terminal code for Bank of Queensland rendered many devices inoperable for up to a week. The problem was determined to be an incorrect hexadecimal number conversion routine. When the device was to tick over to 2010, it skipped six years to 2016, causing terminals to decline customers' cards as expired.[19]

Military
• February 2007, a group of six F-22 Raptors flying from Hickam AFB, Hawaii, experienced multiple computer crashes coincident with their crossing of the 180th meridian of longitude (the International Date Line). The computer failures included at least navigation (completely lost) and communication. The fighters were able to return to Hawaii by following their tankers, something that might have been problematic had the weather not been good.

Media
• In the Sony BMG CD copy protection rootkit scandal (October 2005), Sony BMG produced a Van Zant music CD that employed a copy protection scheme that covertly installed a rootkit on any Windows PC that was used to play it. Their intent was to hide the copy protection mechanism to make it harder to circumvent. Unfortunately, the rootkit inadvertently opened a security hole resulting in a wave of successful trojan horse attacks on the computers of those who had innocently played the CD. Sony's subsequent efforts to provide a utility to fix the problem actually exacerbated it.[29][30][31]

Video gaming
• Eve Online's deployment of the Trinity patch in 2007 deleted the boot.ini file of Windows XP users' computers, rendering them unable to boot. This was due to the usage of a legacy system within the game software that was also named boot.ini. As such, the deletion had targeted the wrong directory instead of the game directory.[32]
• The Corrupted Blood incident was a software bug in World of Warcraft that caused a status ailment, which was only supposed to affect players within a certain area, to affect the entire virtual game world. This caused players to avoid crowded places in-game, just like a "real" pandemic.[33]
• In the 256th level of Pac-Man, a bug results in a kill screen. The maximum number of fruit available is seven and when the number rolls over, it causes the entire right side of the screen to become a jumbled mess of symbols while the left side remains normal.[34]
• Valve's Steam client for Linux could accidentally delete all the user's files in every directory on the computer. This happened to users that had moved Steam's installation directory.[35] The bug is the result of unsafe shellscript programming: STEAMROOT="$(cd "${0%/*}" && echo $PWD)"

A Classical Example: Compilers

A 50,000 ft view:

  Source Language → Compiler → Target Language

A Classical Example: Compilers

A 10,000 ft view:

  Java → Intermediate Representation → JVM bytecode

  Compiler stages: Lexer → Parser → Optimizer → Bytecode Selector
  Runtime system: JIT compiler

[See CSE 401 for details]

Optimizations
(diagram: Dataflow Analysis, Intermediate Representation, Optimizer)

• Dead code elimination
• Partial redundancy elimination
• Function inlining
• Strength reduction
• Loop transformations
  – Hoisting
  – Unrolling
  – Vectorizing
• Constant propagation

Beyond compilers

• Program correctness
• Security breaches
• Have programs write themselves

Program representation

  int pow (int a, int n) {
    int p = 1;
    for (int i = 0; i < n; ++i)
      p *= a;
    return p;
  }

Program representation

  int pow (int a, int n) {
    int p = 1;
    for (int i = 0; i < n; ++i)
      p *= a;
    return p;
  }

  Statements: p = 1; i = 0; i < n; p = p * a; i = i + 1; return p

Data-flow graph

  (same pow code)
  Nodes: a, n, p = 1, i = 0, i < n, p = p * a, i = i + 1, return p
  Edges connect each value to the statements that use it.

Control-flow graph

  (same pow code)
  Enter → p = 1 → i = 0 → i < n
  i < n (true)  → p = p * a → i = i + 1 → i < n
  i < n (false) → return p

Control-flow graph

• Directed graph
  – Each node is a statement
  – Edges represent possible flow of control
• Statements
  – Assignments
  – Branches
  – Enter / return
  – Declarations usually omitted

Basic blocks

• Sequence of statements with only one entry and exit point
• Condensed representation of statements
  (the pow CFG condensed into blocks: Enter / p = 1 / i = 0; i < n; p = p * a / i = i + 1; return p)

Program point

• Every statement entry and exit
• Program behavior at each program point

Special edges

• Back edge
  – Points to a block that has been traversed
  (in the pow CFG: i = i + 1 → i < n)
• Critical edge
  – Edge that is neither the only edge leaving source nor entering target
  (second figure on the slide: nodes x < n, i = 5, i = i + 1, i < n)
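As an added example (not from the slides), the pow() control-flow graph from the slides encoded as an edge list, with functions that group statements into basic blocks and classify back edges and critical edges as defined above. The second graph is constructed here to exhibit a critical edge; it is not a reproduction of the slide's second figure.

```python
from collections import defaultdict

# CFG of the slides' pow(a, n): one node per statement, edges are possible
# transfers of control (node labels are the statements as drawn on the slide).
POW_EDGES = [("Enter", "p = 1"), ("p = 1", "i = 0"), ("i = 0", "i < n"),
             ("i < n", "p = p * a"), ("i < n", "return p"),       # loop test true / false
             ("p = p * a", "i = i + 1"), ("i = i + 1", "i < n")]  # jump back to the test

# Constructed graph (not the slide's figure): the edge x < n -> i = i + 1 is neither
# the only edge leaving its source nor the only edge entering its target.
CRIT_EDGES = [("Enter", "x < n"), ("x < n", "i = 5"), ("x < n", "i = i + 1"),
              ("i = 5", "i = i + 1")]

def build_cfg(edges):
    """Successor and predecessor lists; leaf and root nodes get empty entries."""
    succ, pred = defaultdict(list), defaultdict(list)
    for s, t in edges:
        succ[s].append(t)
        pred[t].append(s)
        succ.setdefault(t, [])
        pred.setdefault(s, [])
    return succ, pred

def dfs(succ, entry="Enter"):
    """Depth-first walk: nodes in discovery order plus the back edges, i.e. edges
    whose target is still on the DFS path (a block already traversed: a loop)."""
    order, back, on_path, done = [], [], [], set()
    def visit(n):
        order.append(n)
        on_path.append(n)
        for s in succ[n]:
            if s in on_path:
                back.append((n, s))
            elif s not in done:
                visit(s)
        on_path.pop()
        done.add(n)
    visit(entry)
    return order, back

def basic_blocks(succ, pred, entry="Enter"):
    """Maximal statement sequences with one entry and one exit point: a block starts
    at a leader (entry, branch target, or join point) and runs to the next leader."""
    leaders = ({entry} | {t for ss in succ.values() if len(ss) > 1 for t in ss}
               | {n for n, ps in pred.items() if len(ps) > 1})
    blocks = []
    for lead in dfs(succ, entry)[0]:
        if lead in leaders:
            block, n = [lead], lead
            while len(succ[n]) == 1 and succ[n][0] not in leaders:
                n = succ[n][0]
                block.append(n)
            blocks.append(block)
    return blocks

def critical_edges(succ, pred):
    """Edges that are neither the only edge leaving the source nor the only edge
    entering the target; optimizers split them by inserting an empty block."""
    return [(s, t) for s in succ for t in succ[s]
            if len(succ[s]) > 1 and len(pred[t]) > 1]
```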

Summary

• We will study techniques to understand code
• Not (just) a compiler class!
• Many connections to programming languages, systems, security, architecture etc.
• [Programming systems quals for grad students]
• Next time: dataflow!