static program analysis tools
TRANSCRIPT
STATIC PROBLEMS DETECTION
Overview and Tool Demonstration
Kamil Ježek [email protected]
Přemek Brada [email protected]
Západočeská univerzita v Plzni
Katedra informatiky a výpočetní techniky
What We Detect
LinkageError
ClassCastException
NoSuchMethodError
IncompatibleClassChangeError
… and more
Recompilable problems
Duplicated and redundant libraries
Brief Example
LineIterator it = ...
String line = it.next();

class LineIterator { Object next(); }
Where We Detect Problems
• Binaries (modules, libraries)
• Source code
Is This a Real Problem?
75% of programs are riddled with static errors
Probable Cause
51% of developers are unfamiliar with the problem
Compatibility May Be Tricky
public class Main {
    public static void main(String[] args) {
        Object n = new LineIterator().next();
    }
}

public class LineIterator {
    public String next() {
        return …;
    }
}
JVM and Compiler Differences
public class Main {
    public static void main(String[] args) {
        LineIterator it = …
        Object n = it.next();
    }
}

v1:
public class LineIterator {
    public Object next() {
        return …;
    }
}

v2:
public interface LineIterator {
    public Object next();
}
Evidence in Real Life Software
Popular projects
• Apache Roller
• Commons-IO
Even Maven is not the answer
Example 1: Apache Roller
Apache Roller links to two httpcore versions
Impact on Apache Roller
Method releaseConnection() invoked by Spring-web is missing in httpcore 4.1
• Reported and acknowledged
Example 2: Apache Commons-io
Commons-io is distributed in two packages
Impact of Apache Commons-IO
Maven Central Repository
org.apache.commons used by 542 projects
commons-io used by 293 projects
We Propose a Solution
JAR files → Reverse Engineering → Verification → Report
Architecture
Another integration
Eclipse Plugin
Maven Plugin
Backward Compatibility
Composition Verification
Reverse Engineering
Detected Problems
● Missing dependencies (1)
● Inconsistent dependencies (2)
● Redundant dependencies (3)
● Duplicated dependencies (4)
[Figure: source-code view with the four problem kinds (1)–(4) marked]
Reverse Engineering
class LineIterator {
    Object next(...) { … }
}

class Client {
    private void iterate(...) {
        LineIterator it = IOUtils.lineIterator(…);
        while (it.hasNext()) {
            String data = it.next();
        }
    }
}
Consumer / Provider models (return type of next changed in 2.x):

  <<Class>>  LineIterator          <<Class>>  LineIterator
  <<Method>> next                  <<Method>> next
  <<Return>> Object                <<Return>> String
Verification
Comparison of consumer and provider models: >  ≥  <  ≤  =  ≠  ?

  <<Class>>  LineIterator          <<Class>>  LineIterator
  <<Method>> next                  <<Method>> next
  <<Return>> Object                <<Return>> String
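The verification step above, and the "JVM and Compiler Differences" slide earlier, both come down to resolving what the consumer's constant pool asks for against what the provider class on the classpath actually declares. The following is an added example written for this transcript, not the authors' tool: it takes a list of call-site expectations (owner class, method name, JVM descriptor, invokeinterface or not) and resolves each one by reflection, reporting the linkage error the JVM would raise. It assumes Java 11+ (run with `java LinkageCheck.java [provider.jar ...]`); the class and field names are mine, and java.util.Iterator is used as a stand-in provider so the example runs without any extra JAR.

```java
import java.io.File;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

/** Resolves consumer call-site expectations against provider classes on a classpath. Example code, not the authors' tool. */
public class LinkageCheck {

    /** One expectation as a consumer's constant pool records it, e.g. invokevirtual LineIterator.next()Ljava/lang/String; */
    static final class Expectation {
        final String owner, name, descriptor;
        final boolean viaInterface; // true for invokeinterface, false for invokevirtual/invokestatic
        Expectation(String owner, String name, String descriptor, boolean viaInterface) {
            this.owner = owner; this.name = name; this.descriptor = descriptor; this.viaInterface = viaInterface;
        }
    }

    /** The linkage error the JVM would raise at run time, or OK. */
    enum Outcome { OK, NO_CLASS_DEF_FOUND, INCOMPATIBLE_CLASS_CHANGE, NO_SUCH_METHOD }

    private static final Map<Class<?>, String> PRIMITIVES = Map.<Class<?>, String>of(
        boolean.class, "Z", byte.class, "B", char.class, "C", short.class, "S", int.class, "I",
        long.class, "J", float.class, "F", double.class, "D", void.class, "V");

    /** JVM type descriptor, e.g. Ljava/lang/String; or [I. */
    static String descriptor(Class<?> c) {
        if (c.isArray()) return "[" + descriptor(c.getComponentType());
        if (c.isPrimitive()) return PRIMITIVES.get(c);
        return "L" + c.getName().replace('.', '/') + ";";
    }

    /** JVM method descriptor as stored in a Methodref entry: (params)return. */
    static String descriptor(Method m) {
        StringBuilder sb = new StringBuilder("(");
        for (Class<?> p : m.getParameterTypes()) sb.append(descriptor(p));
        return sb.append(')').append(descriptor(m.getReturnType())).toString();
    }

    /** Methods declared by the class, its superclasses and superinterfaces (the JVM's resolution scope). */
    static void collect(Class<?> c, List<Method> out) {
        if (c == null) return;
        out.addAll(Arrays.asList(c.getDeclaredMethods()));
        collect(c.getSuperclass(), out);
        for (Class<?> i : c.getInterfaces()) collect(i, out);
    }

    /** Resolves one expectation the way the JVM would; appends a readable reason to detail. */
    static Outcome verify(Expectation e, ClassLoader loader, StringBuilder detail) {
        Class<?> owner;
        try {
            owner = Class.forName(e.owner.replace('/', '.'), false, loader); // false: no static initialisation
        } catch (ClassNotFoundException ex) {
            detail.append("owner class is not on the classpath");
            return Outcome.NO_CLASS_DEF_FOUND;
        }
        // invokevirtual against an interface (or invokeinterface against a class) fails at resolution,
        // which is why turning a class into an interface breaks already-compiled consumers (slide "v1 / v2")
        if (owner.isInterface() != e.viaInterface) {
            detail.append(owner.isInterface() ? "provider is now an interface" : "provider is now a class");
            return Outcome.INCOMPATIBLE_CLASS_CHANGE;
        }
        List<Method> methods = new ArrayList<>();
        collect(owner, methods);
        String params = e.descriptor.substring(0, e.descriptor.indexOf(')') + 1);
        for (Method m : methods) {
            if (!m.getName().equals(e.name)) continue;
            String found = descriptor(m);
            if (found.equals(e.descriptor)) return Outcome.OK; // name and full descriptor match
            if (found.startsWith(params)) { // same parameters, different return type: a recompilable problem
                detail.append("return type ").append(e.descriptor.substring(params.length()))
                      .append(" expected, provider has ").append(found.substring(params.length()));
                return Outcome.NO_SUCH_METHOD;
            }
        }
        detail.append("no method ").append(e.name).append(e.descriptor);
        return Outcome.NO_SUCH_METHOD;
    }

    public static void main(String[] args) throws Exception {
        // JAR paths on the command line form the provider classpath; JDK classes are always visible
        List<URL> urls = new ArrayList<>();
        for (String a : args) urls.add(new File(a).toURI().toURL());
        ClassLoader loader = new URLClassLoader(urls.toArray(new URL[0]), LinkageCheck.class.getClassLoader());

        // Constructed expectations modelled on the slides; java.util.Iterator stands in for LineIterator
        List<Expectation> expectations = List.of(
            new Expectation("java/util/Iterator", "next", "()Ljava/lang/Object;", true),   // OK
            new Expectation("java/util/Iterator", "next", "()Ljava/lang/String;", true),   // compiled against a String-returning version
            new Expectation("java/util/Iterator", "next", "()Ljava/lang/Object;", false),  // compiled when the owner was a class
            new Expectation("org/apache/commons/io/LineIterator", "next", "()Ljava/lang/String;", false)); // needs a commons-io JAR
        for (Expectation e : expectations) {
            StringBuilder detail = new StringBuilder();
            Outcome o = verify(e, loader, detail);
            System.out.printf("%-26s %s.%s%s%s%n", o, e.owner, e.name, e.descriptor,
                              detail.length() == 0 ? "" : "  (" + detail + ")");
        }
    }
}
```

Passing the commons-io-1.3.2 and commons-io-2.1 JARs from the demo one at a time shows the last expectation flip between NO_SUCH_METHOD and OK, which is the NoSuchMethodError from the Jetty log reproduced before deployment. Two limitations are worth knowing: resolution here approximates the JVM's search order rather than copying it exactly, and reflection has to load the provider classes, so getDeclaredMethods() itself throws NoClassDefFoundError when a provider method signature mentions a class that is missing; a bytecode-level reverse engineering step, as in the presented tool, avoids loading anything.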
Impact Demonstration
• Problem with duplicated Commons-IO
• Based on semi-real Booking web application
Web Page With Bug
Standard Debug I
Standard Debug II
• Log analysis (when enabled)
2015-04-15 17:17:58.538 WARN [org.eclipse.jetty.util.thread.QueuedThreadPool:run:577] -
java.lang.NoSuchMethodError: org.apache.commons.io.LineIterator.next()Ljava/lang/String;
at cz.zcu.kiv.examples.booking.preferences.RatingLoader.load(RatingLoader.java:29)
at cz.zcu.kiv.examples.booking.server.RunServer$2.handle(RunServer.java:53)
at spark.webserver.MatcherFilter.doFilter(MatcherFilter.java:139)
at spark.webserver.JettyHandler.doHandle(JettyHandler.java:54)
Our Way: Maven plugin
• > mvn install
cz.zcu.kiv.examples.booking.preferences.RatingLoader
#4 <>-- org.apache.commons.io.LineIterator
Method: next
Generalised Return type: java.lang.String x java.lang.Object
=============================================================
Duplicated <>-- org.apache.commons.io.LineIterator
#5 /../.m2/repository/../commons-io-1.3.2.jar
-> #4
#6 /../.m2/repository/../commons-io-2.1.jar
---------------------------------------------------------------------------------
Must remove /../.m2/repository/../commons-io-1.3.2.jar
-> #5
---------------------------------------------------------------------------------
Redundant /../.m2/repository/../jetty-security-9.0.2.v20130417.jar
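The "Duplicated" entries in the report above arise when two JARs provide the same class and only one copy can be loaded. As an added example (not the authors' tool; assumes Java 11+ and is run as `java DuplicateClasses.java first.jar second.jar ...` with the JARs in classpath order), the following indexes every class entry across the given JARs, separates byte-identical copies from conflicting ones using the CRC-32 stored in each JAR entry, and marks which copy the classpath order would actually load. The class and method names are mine.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Finds classes provided by more than one JAR. Identical copies are merely redundant;
 * differing copies conflict, because only the first JAR on the classpath is loaded.
 * Example code for this transcript, not the authors' tool.
 */
public class DuplicateClasses {

    /** Maps each class entry to (JAR path -> CRC-32 of that entry), keeping classpath order per class. */
    static Map<String, Map<String, Long>> index(List<File> jars) throws IOException {
        Map<String, Map<String, Long>> where = new TreeMap<>();
        for (File jar : jars) {
            try (JarFile jf = new JarFile(jar)) {
                for (Enumeration<JarEntry> en = jf.entries(); en.hasMoreElements(); ) {
                    JarEntry entry = en.nextElement();
                    String name = entry.getName();
                    // skip resources and META-INF (multi-release copies, signatures)
                    if (!name.endsWith(".class") || name.startsWith("META-INF/")) continue;
                    where.computeIfAbsent(name, k -> new LinkedHashMap<>()).put(jar.getPath(), entry.getCrc());
                }
            }
        }
        return where;
    }

    /** Classes found in several JARs with differing contents: which version runs depends on classpath order. */
    static List<String> conflicting(Map<String, Map<String, Long>> where) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Map<String, Long>> e : where.entrySet())
            if (e.getValue().size() > 1 && new HashSet<>(e.getValue().values()).size() > 1) out.add(e.getKey());
        return out;
    }

    /** Classes found in several JARs as byte-identical copies: redundant, but not a linkage risk. */
    static List<String> identical(Map<String, Map<String, Long>> where) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Map<String, Long>> e : where.entrySet())
            if (e.getValue().size() > 1 && new HashSet<>(e.getValue().values()).size() == 1) out.add(e.getKey());
        return out;
    }

    public static void main(String[] args) throws IOException {
        if (args.length == 0) {
            System.err.println("usage: java DuplicateClasses.java first.jar second.jar ...   (classpath order)");
            return;
        }
        List<File> jars = new ArrayList<>();
        for (String a : args) jars.add(new File(a));
        Map<String, Map<String, Long>> where = index(jars);

        List<String> conflicts = conflicting(where);
        System.out.println(conflicts.size() + " conflicting and " + identical(where).size()
                           + " identical duplicated classes");
        for (String cls : conflicts) {
            Map<String, Long> copies = where.get(cls);
            String winner = copies.keySet().iterator().next(); // LinkedHashMap preserves classpath order
            System.out.println("Duplicated " + cls);
            for (String jar : copies.keySet())
                System.out.println("   " + (jar.equals(winner) ? "loaded  " : "shadowed") + " " + jar);
        }
    }
}
```

Running it over the two commons-io JARs named in the report lists org/apache/commons/io/LineIterator.class among the conflicts and shows which version a given classpath order loads; the "Must remove" line in the report is the corresponding fix. Comparing CRCs rather than version strings matters because the same class can be repackaged under a different artifact, as the slide on Commons-io being distributed in two packages describes.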
Eclipse Plugin
Easy to Fix Now
<dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>2.1</version>   <!-- was 1.3.2 -->
    <type>jar</type>
    <scope>compile</scope>
</dependency>
Result is Working System
We Offer
• Presented tools
• Customization
• Development of new features
Conclusion
• Automatic tools
• Problems detected early in development
• Solve current problems
• Cheaper and more robust software
Discussion
Questions now
or
Kamil Ježek [email protected]
Přemek Brada [email protected]
Západočeská univerzita v Plzni
Katedra informatiky a výpočetní techniky