Helping Student Programmers Identify and Fix Bugs Using Static Analysis Tools

Senger, Allyson Lauren

11 January 2022

Static analysis tools can be used to help programmers identify problems in their code. However, these tools often assume that developers have some programming background knowledge, so they can be hard to use in an educational context. We investigated the most common FindBugs errors from student code submissions and determined those errors that were related to incorrect solutions to problems and potential struggling for students. FindBugs is a static analysis tool that looks for incorrect patterns in Java bytecode analysis to identify potential coding flaws. For the common errors, we rewrote some of the original FindBugs messages to help students more easily understand the problems with their code. We found that students with at least one FindBugs warning in their final submission to an assignment had more submissions, longer work times, and lower correctness scores than students who did not have a FindBugs warning in their final submission. Adding modified FindBugs feedback to the automated grader resulted in students making fewer submissions and decreasing the length of time required to complete assignments. / Master of Science / Professional software developers use automated tools when they code to help them catch potential coding problems. These tools are difficult for novice student programmers because they do not have the same level of background as professionals. In this work, we attempted to change the feedback given by these tools so that students could understand it and use it to fix their code. We found that, across all of the undergraduate courses in this study, FindBugs warnings were associated with students having more trouble with assignments. When students could see FindBugs warnings, their time to complete assignments and the number of attempts they made both went down.

static analysis tools

FindBugs

error messages

novice programmers

feedback

Partitioning Strategies to Enhance Symbolic Execution

Marcellino, Brendan Adrian

11 August 2015

Software testing is a fundamental part of the software development process. However, testing is still costly and consumes about half of the development cost. The path explosion problem often necessitates one to consider an extremely large number of paths in order to reach a specific target. Symbolic execution can reduce this cost by using symbolic values and heuristic exploration strategies. Although various exploration strategies have been proposed in the past, the number of Satisfiability Modulo Theories (SMT) solver calls for reaching a target is still large, resulting in longer execution times for programs containing many paths. In this paper, we present two partitioning strategies in order to mitigate this problem, consequently reducing unnecessary SMT solver calls as well. In sequential partitioning, code sections are analyzed sequentially to take advantage of infeasible paths discovered in earlier sections. On the other hand, using dynamic partitioning on SSA-applied code, the code sections are analyzed in a non-consecutive order guided by data dependency metrics within the sections. Experimental results show that both strategies can achieve significant speedup in reducing the number of unnecessary solver calls in large programs. More than 1000x speedup can be achieved in large programs over conflict-driven learning. / Master of Science

Symbolic Execution

Software Testing

Static Analysis

Partitioning Strategies

A language-independent static checking system for coding conventions

Mount, Sarah

January 2013

Despite decades of research aiming to ameliorate the difficulties of creating software, programming still remains an error-prone task. Much work in Computer Science deals with the problem of specification, or writing the right program, rather than the complementary problem of implementation, or writing the program right. However, many desirable software properties (such as portability) are obtained via adherence to coding standards, and therefore fall outside the remit of formal specification and automatic verification. Moreover, code inspections and manual detection of standards violations are time consuming. To address these issues, this thesis describes Exstatic, a novel framework for the static detection of coding standards violations. Unlike many other static checkers Exstatic can be used to examine code in a variety of languages, including program code, in-line documentation, markup languages and so on. This means that checkable coding standards adhered to by a particular project or institution can be handled by a single tool. Consequently, a major challenge in the design of Exstatic has been to invent a way of representing code from a variety of source languages. Therefore, this thesis describes ICODE, which is an intermediate language suitable for representing code from a number of different programming paradigms. To substantiate the claim that ICODE is a universal intermediate language, a proof strategy has been developed: for a number of different programming paradigms (imperative, declarative, etc.), a proof is constructed to show that semantics-preserving translation exists from an exemplar language (such as IMP or PCF) to ICODE. The usefulness of Exstatic has been demonstrated by the implementation of a number of static analysers for different languages. This includes a checker for technical documentation written in Javadoc which validates documents against the Sun Microsystems (now Oracle) Coding Conventions and a checker for HTML pages against a site-specifc standard. A third system is targeted at a variant of the Python language, written by the author, called python-csp, based on Hoare's Communicating Sequential Processes.

005.13

Improving dynamic analysis with data flow analysis

Chang, Walter Chochen

26 October 2010

Many challenges in software quality can be tackled with dynamic analysis. However, these techniques are often limited in their efficiency or scalability as they are often applied uniformly to an entire program. In this thesis, we show that dynamic program analysis can be made significantly more efficient and scalable by first performing a static data flow analysis so that the dynamic analysis can be selectively applied only to important parts of the program. We apply this general principle to the design and implementation of two different systems, one for runtime security policy enforcement and the other for software test input generation. For runtime security policy enforcement, we enforce user-defined policies using a dynamic data flow analysis that is more general and flexible than previous systems. Our system uses the user-defined policy to drive a static data flow analysis that identifies and instruments only the statements that may be involved in a security vulnerability, often eliminating the need to track most objects and greatly reducing the overhead. For taint analysis on a set of five server programs, the slowdown is only 0.65%, two orders of magnitude lower than previous taint tracking systems. Our system also has negligible overhead on file disclosure vulnerabilities, a problem that taint tracking cannot handle. For software test case generation, we introduce the idea of targeted testing, which focuses testing effort on select parts of the program instead of treating all program paths equally. Our “Bullseye” system uses a static analysis performed with respect to user-defined “interesting points” to steer the search down certain paths, thereby finding bugs faster. We also introduce a compiler transformation that allows symbolic execution to automatically perform boundary condition testing, revealing bugs that could be missed even if the correct path is tested. For our set of 9 benchmarks, Bullseye finds bugs an average of 2.5× faster than a conventional depth-first search and finds numerous bugs that DFS could not. In addition, our automated boundary condition testing transformation allows both Bullseye and depth-first search to find numerous bugs that they could not find before, even when all paths were explored. / text

Data flow

Software testing

Software security

Dynamic analysis

Static analysis

Test input generation

Impacts of liquefaction and lateral spreading on bridge pile foundations from the February 22nd 2011 Christchurch earthquake

Winkley, Anna Margaret Mathieson

January 2013

The Mw 6.2 February 22nd 2011 Christchurch earthquake (and others in the 2010-2011 Canterbury sequence) provided a unique opportunity to study the devastating effects of earthquakes first-hand and learn from them for future engineering applications. All major events in the Canterbury earthquake sequence caused widespread liquefaction throughout Christchurch’s eastern suburbs, particularly extensive and severe during the February 22nd event. Along large stretches of the Avon River banks (and to a lesser extent along the Heathcote) significant lateral spreading occurred, affecting bridges and the infrastructure they support. The first stage of this research involved conducting detailed field reconnaissance to document liquefaction and lateral spreading-induced damage to several case study bridges along the Avon River. The case study bridges cover a range of ages and construction types but all are reinforced concrete structures which have relatively short, stiff decks. These factors combined led to a characteristic deformation mechanism involving deck-pinning and abutment back-rotation with consequent damage to the abutment piles and slumping of the approaches. The second stage of the research involved using pseudo-static analysis, a simplified seismic modelling tool, to analyse two of the bridges. An advantage of pseudo-static analysis over more complicated modelling methods is that it uses conventional geotechnical data in its inputs, such as SPT blowcount and CPT cone resistance and local friction. Pseudo-static analysis can also be applied without excessive computational power or specialised knowledge, yet it has been shown to capture the basic mechanisms of pile behaviour. Single pile and whole bridge models were constructed for each bridge, and both cyclic and lateral spreading phases of loading were investigated. Parametric studies were carried out which varied the values of key parameters to identify their influence on pile response, and computed displacements and damages were compared with observations made in the field. It was shown that pseudo-static analysis was able to capture the characteristic damage mechanisms observed in the field, however the treatment of key parameters affecting pile response is of primary importance. Recommendations were made concerning the treatment of these governing parameters controlling pile response. In this way the future application of pseudo-static analysis as a tool for analysing and designing bridge pile foundations in liquefying and laterally spreading soils is enhanced.

Liquefaction

lateral spreading

Christchurch earthquakes

bridges

piles

foundations

pseudo-static analysis

damage

Towards a Gold Standard for Points-to Analysis

Gutzmann, Tobias

January 2010

Points-to analysis is a static program analysis that computes reference informationfor a given input program. It serves as input to many client applicationsin optimizing compilers and software engineering tools. Unfortunately, the Gold Standard – i.e., the exact reference information for a given program– is impossible to compute automatically for all but trivial cases, and thus, little can been said about the accuracy of points-to analysis. This thesis aims at paving the way towards a Gold Standard for points-to analysis. For this, we discuss theoretical implications and practical challenges that occur when comparing results obtained by different points-to analyses. We also show ways to improve points-to analysis by different means, e.g., combining different analysis implementations, and a novel approach to path sensitivity. We support our theories with a number of experiments.

Points-to Analysis

Dataflow Analysis

Static Analysis

Dynamic Analysis

Gold Standard

Static analyses over weak memory

Nimal, Vincent P. J.

January 2014

Writing concurrent programs with shared memory is often not trivial. Correctly synchronising the threads and handling the non-determinism of executions require a good understanding of the interleaving semantics. Yet, interleavings are not sufficient to model correctly the executions of modern, multicore processors. These executions follow rules that are weaker than those observed by the interleavings, often leading to reorderings in the sequence of updates and readings from memory; the executions are subject to a weaker memory consistency. Reorderings can produce executions that would not be observable with interleavings, and these possible executions also depend on the architecture that the processors implement. It is therefore necessary to locate and understand these reorderings in the context of a program running, or to prevent them in an automated way. In this dissertation, we aim to automate the reasoning behind weak memory consistency and perform transformations over the code so that developers need not to consider all the specifics of the processors when writing concurrent programs. We claim that we can do automatic static analysis for axiomatically-defined weak memory models. The method that we designed also allows re-use of automated verification tools like model checkers or abstract interpreters that were not designed for weak memory consistency, by modification of the input programs. We define an abstraction in detail that allows us to reason statically about weak memory models over programs. We locate the parts of the code where the semantics could be affected by the weak memory consistency. We then provide a method to explicitly reveal the resulting reorderings so that usual verification techniques can handle the program semantics under a weaker memory consistency. We finally provide a technique that synthesises synchronisations so that the program would behave as if only interleavings were allowed. We finally test these approaches on artificial and real software. We justify our choice of an axiomatic model with the scalability of the approach and the runtime performance of the programs modified by our method.

005.1

Statická analýza programů v C# / Static analysis of C# programs

Malý, Petr

January 2014

The goal of this diploma thesis is to study and implement selected methods of static code analysis for C# programs translated into the Common Intermediate Language. The results of this work are integrated into the ParallaX Development Environment system. This diploma thesis focuses on Structural, Points-to and Dependence. analysis. Powered by TCPDF (www.tcpdf.org)

Implementace rezoluce řízení toku v dynamickém jazyce / Implementing control flow resolution in dynamic language

Šindelář, Štěpán

January 2014

Dynamic programming languages allow us to write code without type information and types of variables can change during execution. Although easier to use and suitable for fast prototyping, dynamic typing can lead to error prone code and is challenging for the compilers or interpreters. Programmers often use documentation comments to provide the type information, but the correspondence of the documentation and the actual code is usually not checked by the tools. In this thesis, we focus on one of the most popular dynamic programming languages: PHP. We have developed a framework for static analysis of PHP code as a part of the Phalanger project -- the PHP to .NET compiler. The framework supports any kind of analysis, but in particular, we implemented type inference analysis with emphasis on discovery of possible type related errors and mismatches between documentation and the actual code. The implementation was evaluated on real PHP applications and discovered several real errors and documentation mismatches with a good ratio of false positives. Powered by TCPDF (www.tcpdf.org)

Demand-Driven Static Analysis of Heap-Manipulating Programs

Chenguang Sun (5930306)

16 August 2019

<div>Modern Java application frameworks present significant challenges for existing static analysis algorithms. Such challenges include large-scale code bases, heap-carried dependency, and asynchronous control flow caused by message passing.</div><div>Existing analysis algorithms are not suitable to deal with these challenges. One reason is that analyses are typically designed to operate homogeneously on the whole program. This leads to scalability problems when the analysis algorithms are used on applications built as plug-ins of large frameworks, since the framework code is analyzed together with the application code. Moreover, the asynchronous message passing of the actor model adopted by most modern frameworks leads to control flows which are not modeled by existing analyses.</div><div>This thesis presents several techniques for more powerful debugging and program understanding tools based on slicing. In general, slicing-based techniques aim to discover interesting properties of a large program by only reasoning about the relevant part of the program (typically a small amount of code) precisely, abstracting away the behavior of the rest of the program.</div><div>The key contribution of this thesis is a demand-driven framework to enable precise and scalable analyses on programs built on large frameworks. A slicing algorithm, which can handle heap-carried dependence, is used to identify the program elements relevant to an analysis query. We instantiated the framework to infer correlations between registration call sites and callback methods, and resolve asynchronous control flows caused by asynchronous message passing.</div>

Computer Software

Programming Languages

static analysis

demand-driven

slicing analysis

points-to analysis

shape analysis