Tailoring Programs for Static Analysis Via Program Transformation

Tailoring Programs for Static Analysis Via Program Transformation

Tailoring Programs for Static Analysis via Program Transformation Rijnard van Tonder Claire Le Goues School of Computer Science School of Computer Science Carnegie Mellon University Carnegie Mellon University USA USA [email protected] [email protected] ABSTRACT analyses in practice. Analyses must approximate, both theoreti- Static analysis is a proven technique for catching bugs during soft- cally [22, 25] and in the interest of practicality [9, 11]. Developers ware development. However, analysis tooling must approximate, are sensitive to whether tools integrate seamlessly into their exist- both theoretically and in the interest of practicality. False positives ing workflows [21]; at minimum analyses must be fast, surface few are a pervading manifestation of such approximations—tool con- false positives, and provide mechanisms to suppress warnings [10]. figuration and customization is therefore crucial for usability and The problem is that the choices that tools make toward these ends directing analysis behavior. To suppress false positives, develop- are broadly generic, and the divergence between tool assumptions ers readily disable bug checks or insert comments that suppress and program reality (i.e., language features or quality concerns) spurious bug reports. Existing work shows that these mechanisms can lead to unhelpful, overwhelming, or incorrect output [20]. fall short of developer needs and present a significant pain point Tool configuration and customization is crucial for usability and for using or adopting analyses. We draw on the insight that an directing analysis behavior. The inability to easily and selectively analysis user always has one notable ability to influence analysis disable analysis checks and suppress warnings presents a significant behavior regardless of analyzer options and implementation: modi- pain point for analysis users [10]. Common existing mechanisms fying their program. We present a new technique for automated, include analysis options for turning off entire bug classes (gen- generic, and temporary code changes that tailor to suppress spuri- erally too coarse [21]) or adding comment-like annotations that ous analysis errors. We adopt a rule-based approach where simple, suppress spurious warnings at particular lines (a predominantly declarative templates describe general syntactic changes for code manual exercise that leads to code smells and is insufficiently gran- patterns that are known to be problematic for the analyzer. Our ular [10, 21]). It is notably the analysis author, not the user, who has technique promotes program transformation as a general primitive agency over the shape of these analysis knobs: which configuration for improving the fidelity of analysis reports (we treat any given options are available and how to suppress errors. It follows that it analyzer as a black box). We evaluate using five different static is infeasible for analysis writers to foresee and accommodate indi- analyzers supporting three different languages (C, Java, and PHP) vidual user preferences or analysis corner cases through a myriad on large, real world programs (up to 800KLOC). We show that our of configuration options or suppression mechanisms. approach is effective in sidestepping long-standing and complex An analysis user always has one notable ability to influence anal- issues in analysis implementations. ysis behavior and output: modifying their program. For example, developers may slightly modify existing code in a way that sup- ACM Reference Format: presses false positives or undesired warnings. A concrete example Rijnard van Tonder and Claire Le Goues. 2020. Tailoring Programs for Static 1 Analysis via Program Transformation. In 42nd International Conference on is the following change, which was made in rsyslog to suppress a Software Engineering (ICSE ’20), May 23–29, 2020, Seoul, Republic of Korea. Clang Static Analyzer warning: ACM, New York, NY, USA, 11 pages. https://doi.org/10.1145/3377811.3380343 - if(strcmp(rectype, "END")) { £+ // clang static analyzer work-around 1 INTRODUCTION + const char *const const_END = "END"; Writing and maintaining high-quality, bug-free software remains a + if(strcmp(rectype, const_END)) { largely manual and expensive process. Static analysis has proven indispensable in software quality assurance for automatically catch- The analyzer¢ warns that a potential out-of-bounds access¡ occurs ing bugs early in the development process [31]. A number of open when comparing two strings using strcmp. However, the warning challenges underlie successful adoption and integration of static only surfaces when complex macro expansions take place (in this case, macro expansion activates for strcmp because the second ar- Permission to make digital or hard copies of all or part of this work for personal or gument is a string literal). One contributor notes that under normal classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation circumstances these warnings are suppressed for macros, but can on the first page. Copyrights for components of this work owned by others than the surface if macro preprocessing is done manually.2 The workaround author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or in this case extracts the string literal out of the strcmp call so that republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. no macro expansion takes place. After the change, the analyzer ICSE ’20, May 23–29, 2020, Seoul, Republic of Korea sees strcmp as a C library function and no longer emits a warning. © 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-7121-6/20/05...$15.00 1https://github.com/rsyslog/rsyslog/commit/ea7497 https://doi.org/10.1145/3377811.3380343 2https://bugs.llvm.org/show_bug.cgi?id=20144 ICSE ’20, May 23–29, 2020, Seoul, Republic of Korea Rijnard van Tonder and Claire Le Goues In practice, modifying programs to avoid analyzer issues are exer- 1 function test(): void{ cised as manual, one-off changes. Changes like the one above can 2 § if (($file= @fopen( 'file ', 'wb+ ')) === false){ ¤ 3 return ; have the undesirable side-effect of persisting in the code solely to 4} suppress unwanted analysis warnings. Despite these shortcomings, 5 modification of the analysis target (the program) does, however, al- 6// analyzer complains that $file may be false 7 if (\fputcsv($file, [1,2,3]) === false){ low a primitive for analysis users to draw on their particular domain 8\fclose($file); knowledge of their code to positively influence analysis behavior. 9 return ; 10} For example, a developer may recognize that a particular API call 11... is the cause of a false positive resource leak and modify or model 12\fclose($file); the call differently to suppress a false positive.3 Our technique in 13} particular affords agency to analysis users to change and suppress analysis behavior when no recourse is available in tool support (e.g., (a) Assigning¦ the result of fopen to $file in Line 2 confuses the ana-¥ when analysis maintainers delay fixing analysis issues, or limit tool lyzer. It doesn’t track the effect that $file is not false on Line 7, and configuration options). Our insight is that the same flavor ofone- emits a false positive warning that $file may be false when passed to $putcsv. off, manual code changes like the one above can apply generally and automatically to remedy analysis shortcomings. Additionally, 1 function test(): void{ 2 § $file= @fopen( 'file ', 'wb+ '); ¤ workaround changes need not have the undesirable trait of per- 3 if ($file === false){ sisting in production code, and are applied only temporarily while 4 return ; performing analysis. 5} 6... We propose a rule-based approach where simple, declarative 7} templates describe general syntactic changes for known problem- atic code patterns. Undesired warnings and false positives are thus (b) An¦ analysis user proposed this workaround: extract the assign-¥ removed during analysis by rewriting code fragments. Our ap- ment out of the conditional. This allows the analyzer to correctly proach can be seen as a preprocessing step that tailors programs track the assignment effect and does not emit a false positive. Unfor- for analysis using lightweight syntactic changes. It operates on tunately this approach is hard to blanket-apply automatically and the basis of temporary suppression (a desirable trait in configuring diverges from developer preferences who prefer the former style analyses [21]) and also enables catching false positives before they for readability. happen by rewriting problematic patterns. Since patterns can occur across projects, codifying transformations as reusable templates Figure 2: Variable assignment inside if-statements can cause amortizes developer effort for suppressing false positives. a false positive report in PHPStan. A workaround is to put the The notion that syntactic transformations abstract semantic assignment outside of the if conditional. transformations [13] underpins our intuition that manipulating syntax can achieve desirable changes in the analysis domain and implementation. Work on semantic properties of transformations • We show that our approach is effective in improving existing emphasize the potential for improving analysis precision [26, 28], static analyses and resolves

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    11 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us