SlideShare a Scribd company logo

C言語静的解析ツールと Ruby 1.9 trunk

ikegami__, profile picture
ikegami__

Cppcheck and Splint static analysis tools found several potential errors in the Ruby 1.9 source code such as memory leaks and possible null pointer dereferences. Frama-C was able to verify assertions and preconditions in the code and detect a potential division by zero. Static analysis helps improve software quality by finding bugs early.

TechnologyEducation
1 of 35
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
C Ruby 1.9 trunk @ikegami_ _
@ikegami_ _ • 2003 • 2003-2010 • Haskell • C • 10/27 - 11/10 2 • Ruby/Mathematica, Ruby/Ming, RushCheck, Karatsuba
C言語静的解析ツールと Ruby 1.9 trunk
1/2 • C++ • BLAST • Frama-C • • • • CIL GCC
2/2 • ← • • cppcheck C C++ • Emacs + Flymake • Vim + • Vim + QuickFix + errormaker
Emacs + Flymake + cppcheck →
• • cppcheck • splint • • BLAST • Frama-C
• -Wall • • • • •
• division by zero • assert • unroll • assertion • if • • • Call flow graph •
cppcheck • written in C++ • C/C++ • • Tokenize • Run all checks - pattern matching of the tokens http://sourceforge.net/apps/trac/cppcheck/
cppcheck ruby • ruby-1.9 trunk revision 33685 (2011-11-09 ) • compile.c 77 files 2:01:02.55 • error 6 • compile.c 54:46.94s •
cppcheck Ruby 6 [hash.c:2351]: (error) Memory leak: str [io.c:5264]: (error) fflush() called on input stream "stdin" may result in undefined behaviour [regcomp.c:5524]: (error) Memory leak: new_reg [vm_dump.c:831]: (error) Possible null pointer dereference: vm - otherwise it is redundant to check if vm is null at line 778 [vm_dump.c:834]: (error) Possible null pointer dereference: vm - otherwise it is redundant to check if vm is null at line 778 [vm_dump.c:835]: (error) Possible null pointer dereference: vm - otherwise it is redundant to check if vm is null at line 778
hash.c [hash.c:2351]: (error) Memory leak: str 2351 } /* ruby_setenv */ 2303 str = malloc(len += strlen(value) + 2); str free 2287 #elif defined __sun Solaris
io.c [io.c:5264]: (error) fflush() called on input stream "stdin" may result in undefined behaviour 5264 fflush(stdin); /* is it really needed? */ Q. How can I flush pending input so that a user's typeahead isn't read at the next prompt? Will fflush(stdin) work? A. fflush is defined only for output streams. (omit) comp.lang.c FAQ list · Question 12.26a
splint • written in C • • annotation • cppcheck • • cont.c gc.c random.c thread_pthread.h http://www.splint.org/
splint hash.c • ruby-1.9 trunk revision 33685 (2011-11-09 ) • 397 • header • Solaris Solaris configure • cppcheck hash.c x86
splint regcomp.c • ruby-1.9 trunk revision 33685 (2011-11-09 ) • 737 • •
splint regcomp.c regcomp.c:180:10: Only storage uslist->us->target (type struct _Node *) derived from released storage is not released (memory leak): uslist->us (omit) 176 static void 177 unset_addr_list_end(UnsetAddrList* uslist) 178 { 179 if (IS_NOT_NULL(uslist->us)) 180 xfree(uslist->us); 181 }
176 static void 177 unset_addr_list_end(UnsetAddrList* uslist) 178 { 179 if (IS_NOT_NULL(uslist->us)) 180 xfree(uslist->us); typedef struct { 181 } int offset; struct _Node* target; } UnsetAddr; uslist->us->target typedef struct { free int num; int alloc; UnsetAddr* us; } UnsetAddrList;
183 static int 184 unset_addr_list_add(UnsetAddrList* uslist, int offset, struct _Node* node) 185 { 186 UnsetAddr* p; 187 int size; 188 189 if (uslist->num >= uslist->alloc) { 190 size = uslist->alloc * 2; 191 p = (UnsetAddr* )xrealloc(uslist->us, sizeof(UnsetAddr) * size); 192 CHECK_NULL_RETURN_MEMERR(p); 193 uslist->alloc = size; 194 uslist->us = p; 195 } 196 197 uslist->us[uslist->num].offset = offset; 198 uslist->us[uslist->num].target = node; 199 uslist->num++; 200 return 0; ↑ free 201 }
false positive
BLAST • with CIL OCaml • • assert() • • assert http://mtc.epfl.ch/software-tools/blast/index-epfl.php
escape
#include <assert.h> int watched; /* a global variable */ void foo(int i) { watched = i; } ← void bar() {   int j;   foo(j);   assert(j == watched);   /* assert(j != watched); */ } % gcc -E -I ${BLAST_INCLUDE} -main bar target.c % pblast.opt target.i -main bar :-)
#include <assert.h> int *watched; void foo(int *p) { watched = p; } void bar() {   int i, *j;   i = 1;   j = &i;   foo(j);   assert(j == watched);   /* assert(j != watched); */ } % gcc -E -I ${BLAST_INCLUDE} -main bar target.c % pblast.opt target.i -main bar :-)
ruby 1.9 trunk • for while • if • • • •
Frama-C • with CIL OCaml •C • • • value plug-in ← • users plug-in http://frama-c.com/
division by zero void foo(int x, int y) { int z = x / y; /* y should not be zero */ return; } int main(int argc, char **argv) { int x = 1, y = 0; foo(x, y); return 0; }
Frama-C value plug-in % frama-c -val foo.c [value] Analyzing a complete application starting at main foo.c:3:[kernel] warning: division by zero: assert y ≢ 0;
division by zero • ruby trunk revision no. 33685 • bignum.c • 1044 ds[k] = (BDIGIT)(num / hbase); • util.c • • 331 n = (r - l + size) / size; Frama-C value plugin
Frama-C users plug-in • callee •
void foo(void) {} void bar(void) {foo();} int main(void) { bar(); return 0; } % frama-c -users foo.c [kernel] preprocessing with "gcc -C -E -I. foo.c" [users] ====== DISPLAYING USERS ====== bar: foo main: foo bar ====== END OF USERS ==========
ruby string.c callee http://sovmoess.tumblr.com/ post/12364993205/frama-c-ruby-1-9-string-c-callee @ikegami_ _
• • false positive • • CPU • annotation • annotation • Frama-C + jessie plug-in → Coq
•2 C • ruby-1.9 trunk revision 33685 • cppcheck/splint • escape • BLAST/Frama-C •

More Related Content

PPTX
Scope and closures
Monu Chaudhary
 
DOCX
Miblagh (2)
Muhammadi Iblagh
 
PDF
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Miguel Arroyo
 
PDF
lldb – Debugger auf Abwegen
inovex GmbH
 
PPT
Vcs23
Malikireddy Bramhananda Reddy
 
PDF
R/C++ talk at earl 2014
Romain Francois
 
PDF
Rcpp11 useR2014
Romain Francois
 
PDF
Radare2 @ ndh2k15 : First r2babies steps
Maijin
 
Scope and closures
Monu Chaudhary
 
Miblagh (2)
Muhammadi Iblagh
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Miguel Arroyo
 
lldb – Debugger auf Abwegen
inovex GmbH
 
Vcs23
Malikireddy Bramhananda Reddy
 
R/C++ talk at earl 2014
Romain Francois
 
Rcpp11 useR2014
Romain Francois
 
Radare2 @ ndh2k15 : First r2babies steps
Maijin
 

What's hot (19)

PPTX
Understand more about C
Yi-Hsiu Hsu
 
PDF
Tiramisu をちょっと、味見してみました。
Mr. Vengineer
 
PDF
Rcpp11 genentech
Romain Francois
 
PDF
Application of Radare2 Illustrated by Shylock and Snakso.A Analysis
Positive Hack Days
 
PDF
All I know about rsc.io/c2go
Moriyoshi Koizumi
 
PPTX
Protecting C++
Pavel Filonov
 
PDF
TVM VTA (TSIM)
Mr. Vengineer
 
PDF
Web 2 . .3 Development Services
Theawaster485
 
PDF
When RV Meets CEP (RV 2016 Tutorial)
Sylvain Hallé
 
PDF
Basicsof c make and git for a hello qt application
Dinesh Manajipet
 
PDF
Why my Go program is slow?
Inada Naoki
 
PDF
"A 1,500 line (!!) switch statement powers your Python!" - Allison Kaptur, !!...
akaptur
 
DOCX
Codigo fuente
BlackD10
 
PDF
Bytes in the Machine: Inside the CPython interpreter
akaptur
 
PDF
Swift core
Yusuke Kita
 
PDF
Roots of a quadratic equation1
Wilson ak
 
PDF
Powered by Python - PyCon Germany 2016
Steffen Wenz
 
PDF
深入淺出C語言
Simen Li
 
PDF
Cluj.py Meetup: Extending Python in C
Steffen Wenz
 
Understand more about C
Yi-Hsiu Hsu
 
Tiramisu をちょっと、味見してみました。
Mr. Vengineer
 
Rcpp11 genentech
Romain Francois
 
Application of Radare2 Illustrated by Shylock and Snakso.A Analysis
Positive Hack Days
 
All I know about rsc.io/c2go
Moriyoshi Koizumi
 
Protecting C++
Pavel Filonov
 
TVM VTA (TSIM)
Mr. Vengineer
 
Web 2 . .3 Development Services
Theawaster485
 
When RV Meets CEP (RV 2016 Tutorial)
Sylvain Hallé
 
Basicsof c make and git for a hello qt application
Dinesh Manajipet
 
Why my Go program is slow?
Inada Naoki
 
"A 1,500 line (!!) switch statement powers your Python!" - Allison Kaptur, !!...
akaptur
 
Codigo fuente
BlackD10
 
Bytes in the Machine: Inside the CPython interpreter
akaptur
 
Swift core
Yusuke Kita
 
Roots of a quadratic equation1
Wilson ak
 
Powered by Python - PyCon Germany 2016
Steffen Wenz
 
深入淺出C語言
Simen Li
 
Cluj.py Meetup: Extending Python in C
Steffen Wenz
 
Ad

Similar to C言語静的解析ツールと Ruby 1.9 trunk (20)

PDF
Boosting Developer Productivity with Clang
Samsung Open Source Group
 
PPTX
C Programming Training in Ambala ! Batra Computer Centre
jatin batra
 
PDF
GoFFIng around with Ruby #RubyConfPH
Gautam Rege
 
PDF
C++ amp on linux
Miller Lee
 
PPTX
Gun make
psychesnet Hsieh
 
PDF
シェル芸でライフハック(特論)
Yuki Shimazaki
 
KEY
Objective-Cひとめぐり
Kenji Kinukawa
 
PDF
Tales from the dark side: developing SDKs at scale
Kenneth Geisshirt
 
PDF
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
Teddy Hsiung
 
PPTX
Chp7_C++_Functions_Part1_Built-in functions.pptx
ssuser10ed71
 
PPTX
What has to be paid attention when reviewing code of the library you develop
Andrey Karpov
 
PPTX
Java Jit. Compilation and optimization by Andrey Kovalenko
Valeriia Maliarenko
 
PDF
[Golang] 以 Mobile App 工程師視角,帶你進入 Golang 的世界 (Introduction of GoLang)
Johnny Sung
 
PDF
Diving into HHVM Extensions (php[tek] 2016)
James Titcumb
 
PDF
start_printf: dev/ic/com.c comstart()
Kiwamu Okabe
 
PDF
Vim Script Programming
Lin Yo-An
 
PDF
Crash_Report_Mechanism_In_Tizen
Lex Yu
 
PDF
LCU14 302- How to port OP-TEE to another platform
Linaro
 
PDF
Secure Programming Practices in C++ (NDC Oslo 2018)
Patricia Aas
 
PDF
Quiz 9
Keroles karam khalil
 
Boosting Developer Productivity with Clang
Samsung Open Source Group
 
C Programming Training in Ambala ! Batra Computer Centre
jatin batra
 
GoFFIng around with Ruby #RubyConfPH
Gautam Rege
 
C++ amp on linux
Miller Lee
 
Gun make
psychesnet Hsieh
 
シェル芸でライフハック(特論)
Yuki Shimazaki
 
Objective-Cひとめぐり
Kenji Kinukawa
 
Tales from the dark side: developing SDKs at scale
Kenneth Geisshirt
 
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
Teddy Hsiung
 
Chp7_C++_Functions_Part1_Built-in functions.pptx
ssuser10ed71
 
What has to be paid attention when reviewing code of the library you develop
Andrey Karpov
 
Java Jit. Compilation and optimization by Andrey Kovalenko
Valeriia Maliarenko
 
[Golang] 以 Mobile App 工程師視角,帶你進入 Golang 的世界 (Introduction of GoLang)
Johnny Sung
 
Diving into HHVM Extensions (php[tek] 2016)
James Titcumb
 
start_printf: dev/ic/com.c comstart()
Kiwamu Okabe
 
Vim Script Programming
Lin Yo-An
 
Crash_Report_Mechanism_In_Tizen
Lex Yu
 
LCU14 302- How to port OP-TEE to another platform
Linaro
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Patricia Aas
 
Quiz 9
Keroles karam khalil
 
Ad

More from ikegami__ (6)

PDF
Agda 入門@ProofSummit 2011
ikegami__
 
PDF
Mac Laptop で Gentoo
ikegami__
 
PDF
Lightening Talk at Open Source Conference 2007
ikegami__
 
PDF
Introduction to Haskell games in Open Source Conference 2007 Hokkaido
ikegami__
 
PDF
Advanced Topics in Haskell
ikegami__
 
PDF
Introduction to Haskell@Open Source Conference 2007 Hokkaido
ikegami__
 
Agda 入門@ProofSummit 2011
ikegami__
 
Mac Laptop で Gentoo
ikegami__
 
Lightening Talk at Open Source Conference 2007
ikegami__
 
Introduction to Haskell games in Open Source Conference 2007 Hokkaido
ikegami__
 
Advanced Topics in Haskell
ikegami__
 
Introduction to Haskell@Open Source Conference 2007 Hokkaido
ikegami__
 

Recently uploaded (20)

PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 

C言語静的解析ツールと Ruby 1.9 trunk

  • 1. C Ruby 1.9 trunk @ikegami_ _
  • 2. @ikegami_ _ • 2003 • 2003-2010 • Haskell • C • 10/27 - 11/10 2 • Ruby/Mathematica, Ruby/Ming, RushCheck, Karatsuba
  • 4. 1/2 • C++ • BLAST • Frama-C • • • • CIL GCC
  • 5. 2/2 • ← • • cppcheck C C++ • Emacs + Flymake • Vim + • Vim + QuickFix + errormaker
  • 6. Emacs + Flymake + cppcheck →
  • 7. • cppcheck • splint • • BLAST • Frama-C
  • 8. -Wall • • • • •
  • 9. division by zero • assert • unroll • assertion • if • • • Call flow graph •
  • 10. cppcheck • written in C++ • C/C++ • • Tokenize • Run all checks - pattern matching of the tokens http://sourceforge.net/apps/trac/cppcheck/
  • 11. cppcheck ruby • ruby-1.9 trunk revision 33685 (2011-11-09 ) • compile.c 77 files 2:01:02.55 • error 6 • compile.c 54:46.94s •
  • 12. cppcheck Ruby 6 [hash.c:2351]: (error) Memory leak: str [io.c:5264]: (error) fflush() called on input stream "stdin" may result in undefined behaviour [regcomp.c:5524]: (error) Memory leak: new_reg [vm_dump.c:831]: (error) Possible null pointer dereference: vm - otherwise it is redundant to check if vm is null at line 778 [vm_dump.c:834]: (error) Possible null pointer dereference: vm - otherwise it is redundant to check if vm is null at line 778 [vm_dump.c:835]: (error) Possible null pointer dereference: vm - otherwise it is redundant to check if vm is null at line 778
  • 13. hash.c [hash.c:2351]: (error) Memory leak: str 2351 } /* ruby_setenv */ 2303 str = malloc(len += strlen(value) + 2); str free 2287 #elif defined __sun Solaris
  • 14. io.c [io.c:5264]: (error) fflush() called on input stream "stdin" may result in undefined behaviour 5264 fflush(stdin); /* is it really needed? */ Q. How can I flush pending input so that a user's typeahead isn't read at the next prompt? Will fflush(stdin) work? A. fflush is defined only for output streams. (omit) comp.lang.c FAQ list · Question 12.26a
  • 15. splint • written in C • • annotation • cppcheck • • cont.c gc.c random.c thread_pthread.h http://www.splint.org/
  • 16. splint hash.c • ruby-1.9 trunk revision 33685 (2011-11-09 ) • 397 • header • Solaris Solaris configure • cppcheck hash.c x86
  • 17. splint regcomp.c • ruby-1.9 trunk revision 33685 (2011-11-09 ) • 737 • •
  • 18. splint regcomp.c regcomp.c:180:10: Only storage uslist->us->target (type struct _Node *) derived from released storage is not released (memory leak): uslist->us (omit) 176 static void 177 unset_addr_list_end(UnsetAddrList* uslist) 178 { 179 if (IS_NOT_NULL(uslist->us)) 180 xfree(uslist->us); 181 }
  • 19. 176 static void 177 unset_addr_list_end(UnsetAddrList* uslist) 178 { 179 if (IS_NOT_NULL(uslist->us)) 180 xfree(uslist->us); typedef struct { 181 } int offset; struct _Node* target; } UnsetAddr; uslist->us->target typedef struct { free int num; int alloc; UnsetAddr* us; } UnsetAddrList;
  • 20. 183 static int 184 unset_addr_list_add(UnsetAddrList* uslist, int offset, struct _Node* node) 185 { 186 UnsetAddr* p; 187 int size; 188 189 if (uslist->num >= uslist->alloc) { 190 size = uslist->alloc * 2; 191 p = (UnsetAddr* )xrealloc(uslist->us, sizeof(UnsetAddr) * size); 192 CHECK_NULL_RETURN_MEMERR(p); 193 uslist->alloc = size; 194 uslist->us = p; 195 } 196 197 uslist->us[uslist->num].offset = offset; 198 uslist->us[uslist->num].target = node; 199 uslist->num++; 200 return 0; ↑ free 201 }
  • 22. BLAST • with CIL OCaml • • assert() • • assert http://mtc.epfl.ch/software-tools/blast/index-epfl.php
  • 24. #include <assert.h> int watched; /* a global variable */ void foo(int i) { watched = i; } ← void bar() {   int j;   foo(j);   assert(j == watched);   /* assert(j != watched); */ } % gcc -E -I ${BLAST_INCLUDE} -main bar target.c % pblast.opt target.i -main bar :-)
  • 25. #include <assert.h> int *watched; void foo(int *p) { watched = p; } void bar() {   int i, *j;   i = 1;   j = &i;   foo(j);   assert(j == watched);   /* assert(j != watched); */ } % gcc -E -I ${BLAST_INCLUDE} -main bar target.c % pblast.opt target.i -main bar :-)
  • 26. ruby 1.9 trunk • for while • if • • • •
  • 27. Frama-C • with CIL OCaml •C • • • value plug-in ← • users plug-in http://frama-c.com/
  • 28. division by zero void foo(int x, int y) { int z = x / y; /* y should not be zero */ return; } int main(int argc, char **argv) { int x = 1, y = 0; foo(x, y); return 0; }
  • 29. Frama-C value plug-in % frama-c -val foo.c [value] Analyzing a complete application starting at main foo.c:3:[kernel] warning: division by zero: assert y ≢ 0;
  • 30. division by zero • ruby trunk revision no. 33685 • bignum.c • 1044 ds[k] = (BDIGIT)(num / hbase); • util.c • • 331 n = (r - l + size) / size; Frama-C value plugin
  • 32. void foo(void) {} void bar(void) {foo();} int main(void) { bar(); return 0; } % frama-c -users foo.c [kernel] preprocessing with "gcc -C -E -I. foo.c" [users] ====== DISPLAYING USERS ====== bar: foo main: foo bar ====== END OF USERS ==========
  • 33. ruby string.c callee http://sovmoess.tumblr.com/ post/12364993205/frama-c-ruby-1-9-string-c-callee @ikegami_ _
  • 34. • false positive • • CPU • annotation • annotation • Frama-C + jessie plug-in → Coq
  • 35. •2 C • ruby-1.9 trunk revision 33685 • cppcheck/splint • escape • BLAST/Frama-C •