Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer – Introduction and Examples of Use Tucker Taft November 2015

Transcript of Tech Days 2015: CodePeer - Introduction and Examples of Use

Page 1: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer – Introduction and Examples of Use

Tucker Taft, November 2015

Page 2: Tech Days 2015: CodePeer - Introduction and Examples of Use

What is new in CodePeer?

• Support for Ada 2012 and user-specified “contracts”
• Precise analysis of IEEE Float computations
• Analysis of library-unit elaboration to detect uninitialized globals
• Better support in GPS for analysis of race conditions
• CWE message IDs included in messages and filtering checkboxes
• GPS can display Value Sets and Backtraces – “static debugging”
• Incremental Analysis

Page 3: Tech Days 2015: CodePeer - Introduction and Examples of Use

Why CodePeer?

❖ How robust is your code?
  ❖ How do you know your code really works on all possible inputs?
❖ Do you ever worry about...
  ❖ Uninitialized variables or components?
  ❖ Unreachable code?
  ❖ Race conditions?
  ❖ Unexpected run-time exceptions?

Page 4: Tech Days 2015: CodePeer - Introduction and Examples of Use

Why CodePeer?

❖ Do you really understand your code? The packages your code is calling?
  ❖ Is there any documentation?
  ❖ Is that documentation correct and up to date?
❖ Do you participate in code reviews?
  ❖ How much fun is that?

Page 5: Tech Days 2015: CodePeer - Introduction and Examples of Use

How to use CodePeer

❖ In a single installation directory:
  ❖ Download and install latest GPS
  ❖ Download and install latest CodePeer
❖ Create a project using GPS in the usual way
  ❖ Make sure it builds successfully

Page 6: Tech Days 2015: CodePeer - Introduction and Examples of Use

How to use CodePeer

❖ Use CodePeer menu in GPS to ‘Analyze All’
  ❖ Progress bar shows number of files analyzed
❖ View CodePeer results:
  ❖ Summary report with totals of high/medium/low ranking messages
  ❖ Double click on file in summary to bring up file and annotations
  ❖ Click on message at bottom to scroll to associated line

Page 7: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer overall structure

[Architecture diagram; components shown: GNAT Tree, GNAT2SCIL, SCIL, CodePeer, Annotations, Historical Database, DB_Lister, XML, HTML, CodePeer Web Server, Web Browser, GPS / GNATBench]

Page 8: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer Screen Shot

Page 9: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer Screen shot: Inferred Pre/Postconditions and Test Vectors

Page 10: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer - Behind the scenes

❖ Determines all possible values at every point in a subprogram of:
  ❖ Every variable
  ❖ Every expression
❖ Deals with values coming from the ‘outside’ world:
  ❖ Inputs to subprogram => Preconditions
  ❖ Results of calling analyzed code => Postconditions
  ❖ Results of calling unanalyzed code => Presumptions
  ❖ Global constants => Postconditions of ‘init’ procedures

Page 11: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer - Behind the scenes

❖ Substitutes actual parameters into postconditions to produce precise output value sets
❖ Iterates to deal with recursion and indirection
❖ Does it all symbolically and numerically
❖ Does it all before breakfast…

Page 12: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer Checks and Warnings

• CodePeer analyzes every line of code looking for places where run-time checks might fail
• CodePeer also looks for “suspicious” code which might be redundant, unreachable, or otherwise not serving a useful purpose
• CodePeer analyzes multitasking programs for possible race conditions

Page 13: Tech Days 2015: CodePeer - Introduction and Examples of Use

Run-time checks

• array index check
  – Index value could be outside the array bounds (buffer overflow)
• divide by zero
  – Second operand of a divide, mod or rem operation could be zero
• tag check
  – Tag check may fail
• discriminant check
  – Field of wrong variant / discriminant is accessed
• access check
  – Attempt to dereference a null pointer
• range check
  – Calculation may generate a value outside the bounds of the Ada type or subtype
• overflow check
  – Calculation may overflow the bounds of a numeric type
• precondition
  – Subprogram call may violate the subprogram’s generated precondition
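The following Ada package is an added illustration of the run-time checks listed above; it is not code from the slides or from the CodePeer distribution, and every name in it (Check_Examples, Get, Average, To_Percent, Call_Site and the *_Safe variants) is made up for the example. The comments name the check category from the slide that applies to each line; they are not actual tool output. The *_Safe counterparts show how a tighter subtype or an explicit guard removes the possible failure, and Call_Site shows the kind of call that violates a precondition the engine would infer from the callee's inputs (slide 10).

```ada
--  Added illustration, not code from the slides: each subprogram in the
--  first group contains one of the listed run-time checks that an analyzer
--  could report as a possible failure; the *_Safe counterparts show how
--  stronger subtypes or an explicit guard remove the possibility.
--  All names here are made up for the example.
package Check_Examples is

   subtype Index is Integer range 1 .. 10;
   type Buffer is array (Index) of Integer;
   subtype Percent is Integer range 0 .. 100;

   --  array index check: Pos is an unconstrained Integer
   function Get (B : Buffer; Pos : Integer) return Integer;

   --  divide by zero: nothing stops the caller passing Count = 0
   function Average (Total, Count : Integer) return Integer;

   --  overflow, divide by zero and range check on a single line
   function To_Percent (Part, Whole : Integer) return Percent;

   --  Hardened counterparts
   function Get_Safe (B : Buffer; Pos : Index) return Integer;
   function Average_Safe (Total, Count : Integer) return Integer;
   subtype Whole_Count is Integer range 1 .. 10_000;
   function To_Percent_Safe (Part : Integer; Whole : Whole_Count) return Percent;

   --  A call site that can violate the (generated) precondition of Average
   function Call_Site (N : Integer) return Integer;

end Check_Examples;

package body Check_Examples is

   function Get (B : Buffer; Pos : Integer) return Integer is
   begin
      return B (Pos);                --  array index check: Pos may be outside 1 .. 10
   end Get;

   function Average (Total, Count : Integer) return Integer is
   begin
      return Total / Count;          --  divide by zero when Count = 0
                                     --  (also overflow check for Integer'First / -1)
   end Average;

   function To_Percent (Part, Whole : Integer) return Percent is
   begin
      return Part * 100 / Whole;     --  overflow check on Part * 100,
                                     --  divide by zero when Whole = 0,
                                     --  range check when the quotient leaves 0 .. 100
   end To_Percent;

   function Get_Safe (B : Buffer; Pos : Index) return Integer is
   begin
      return B (Pos);                --  Pos is constrained to the array bounds by its subtype
   end Get_Safe;

   function Average_Safe (Total, Count : Integer) return Integer is
   begin
      if Count <= 0 then
         return 0;                   --  guard: the division below only runs for Count > 0
      end if;
      return Total / Count;
   end Average_Safe;

   function To_Percent_Safe (Part : Integer; Whole : Whole_Count) return Percent is
   begin
      if Part < 0 or else Part > Whole then
         return 0;                   --  guard keeps the quotient inside 0 .. 100
      end if;
      return Part * 100 / Whole;     --  Part * 100 <= 1_000_000, so no overflow either
   end To_Percent_Safe;

   function Call_Site (N : Integer) return Integer is
   begin
      --  precondition: an analyzer that inferred "Count /= 0" for Average
      --  (slide 10: inputs to a subprogram become preconditions) would flag
      --  this call, because the second argument is the literal 0.
      return Average (N, 0);
   end Call_Site;

end Check_Examples;
```

Put the spec and body in check_examples.ads / check_examples.adb (or run the file through gnatchop) and add the package to a GPS project; the first group is what a source-level analysis is expected to report on, the second group is what it should be able to prove clean.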

Page 14: Tech Days 2015: CodePeer - Introduction and Examples of Use

Other checks

• User checks
  – assertion
    • User assertion (pragma Assert or Precondition) could fail
  – conditional check
    • Exception could be raised depending on a conditional test
  – raise exception
    • Exception is raised on a reachable path
  – postcondition
    • Subprogram’s body may violate its specified postcondition
• Uninitialized and invalid variables
  – validity check
    • Code may be reading an uninitialized or invalid value
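An added Ada illustration of the user checks and the validity check above (not code from the slides; Other_Check_Examples, Clamp, Withdraw, First_Positive and the *_Fixed variants are names made up for this example). Each commented line names the slide's check category that applies to it, and the *_Fixed subprograms show the repaired form in which every path has a defined, in-range result.

```ada
--  Added illustration, not code from the slides; all names are made up.
--  Each subprogram carries one of the "other checks" in a comment, and
--  Clamp_Fixed / First_Positive_Fixed show the repaired form.
package Other_Check_Examples is

   type Int_Array is array (Positive range <>) of Integer;
   Insufficient_Funds : exception;

   function Clamp (X : Integer) return Integer
     with Post => Clamp'Result in 0 .. 100;

   function Clamp_Fixed (X : Integer) return Integer
     with Post => Clamp_Fixed'Result in 0 .. 100;

   procedure Withdraw (Balance : in out Integer; Amount : Integer);

   function First_Positive (A : Int_Array) return Integer;
   function First_Positive_Fixed (A : Int_Array; Default : Integer) return Integer;

end Other_Check_Examples;

package body Other_Check_Examples is

   function Clamp (X : Integer) return Integer is
   begin
      if X < 0 then
         return 0;
      end if;
      return X;          --  postcondition: for X > 100 the body violates Clamp'Result in 0 .. 100
   end Clamp;

   function Clamp_Fixed (X : Integer) return Integer is
   begin
      if X < 0 then
         return 0;
      elsif X > 100 then
         return 100;
      end if;
      return X;          --  every path now yields a value in 0 .. 100
   end Clamp_Fixed;

   procedure Withdraw (Balance : in out Integer; Amount : Integer) is
   begin
      pragma Assert (Amount > 0);   --  assertion: nothing in the types rules out Amount <= 0
      if Amount > Balance then
         raise Insufficient_Funds;  --  conditional check: raised depending on this test
      end if;
      Balance := Balance - Amount;
   end Withdraw;

   function First_Positive (A : Int_Array) return Integer is
      Found : Integer;              --  declared without an initial value
   begin
      for I in A'Range loop
         if A (I) > 0 then
            Found := A (I);
            exit;
         end if;
      end loop;
      return Found;                 --  validity check: uninitialized when no element is positive
   end First_Positive;

   function First_Positive_Fixed (A : Int_Array; Default : Integer) return Integer is
   begin
      for I in A'Range loop
         if A (I) > 0 then
            return A (I);
         end if;
      end loop;
      return Default;               --  the "not found" case now has a defined result
   end First_Positive_Fixed;

end Other_Check_Examples;
```

Compiling with GNAT's -gnata switch turns the Pre/Post aspects and pragma Assert into run-time checks, which is a useful cross-check on what the static analysis reports: a dynamic failure on a test input confirms the message, while a clean static result for the *_Fixed forms is the goal.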

Page 15: Tech Days 2015: CodePeer - Introduction and Examples of Use

Liveness warnings

• dead code
  – Code cannot be executed
• test predetermined / test always true / test always false
  – Condition tested has a known value
• condition predetermined
  – Comparison inside a conditional has a known result
• loop does not terminate
  – Loop runs forever or fails to terminate normally
• unused assignment
  – Value written is ignored
• unused assignment in callee
  – Value written in out parameter or global is ignored
• useless self assignment
  – Assignment does not change the value stored in the variable
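An added Ada procedure, not from the slides, in which each commented line exhibits one of the liveness warnings listed above (Liveness_Examples, Run and Split are made-up names; the comments use the slide's warning names and are not actual tool output). Code like this is what the "suspicious code" analysis is meant to surface: nothing here raises an exception, but every flagged line is a sign that the code does not do what its author apparently intended.

```ada
--  Added illustration, not code from the slides; names are made up.
--  Each commented line carries one of the liveness warnings.
with Ada.Text_IO; use Ada.Text_IO;

procedure Liveness_Examples is

   procedure Split (Value : Natural; Quotient, Remainder : out Natural) is
   begin
      Quotient  := Value / 10;
      Remainder := Value mod 10;   --  unused assignment in callee: the caller never reads Remainder
   end Split;

   procedure Run (N : Natural; Hang : Boolean) is
      Q, R  : Natural;
      Count : Integer := 0;        --  unused assignment: 0 is overwritten before it is read
   begin
      Count := N;
      Count := Count;              --  useless self assignment

      if N >= 0 then               --  test always true: N is Natural
         Count := Count / 2;
      else
         Count := -1;              --  dead code: unreachable because the test above is always true
      end if;

      if Count > 0 and then Count < 0 then   --  condition predetermined: Count < 0 is known false
         Count := 0;                         --  dead code
      end if;

      Split (N, Q, R);             --  R is never used after this call
      Put_Line ("Count =" & Integer'Image (Count) & ", Q =" & Natural'Image (Q));

      if Hang then
         loop                      --  loop does not terminate: no exit and no exception possible
            Count := Count mod 7;
         end loop;
      end if;
   end Run;

begin
   Run (42, False);                --  pass Hang => True to see the non-terminating loop
end Liveness_Examples;
```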

Page 16: Tech Days 2015: CodePeer - Introduction and Examples of Use

Other warnings

• suspicious precondition
  – A precondition requires a non-contiguous set of values for some input
• suspicious input
  – A value for an out parameter may be read before the parameter is assigned
• suspicious constant operation
  – An operation computes a constant value from non-constant operands

Page 17: Tech Days 2015: CodePeer - Introduction and Examples of Use

Race condition detection

• Detect concurrent access to an object, with one task doing an update
  – Performed by default
• Identify daemon / reentrant entry points
  – Task bodies and task types
  – Given by user in options / pragmas
• Identify locking mechanism
  – Ada protected objects
  – Given by user in pragmas
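An added Ada program, not from the slides, showing the two situations the race-condition analysis distinguishes: two task bodies updating a shared global with no lock, and the same work done through an Ada protected object, which is the locking mechanism the slide names (Race_Examples, Worker, Safe_Worker, Hits and Counter are made-up names).

```ada
--  Added illustration, not code from the slides; names are made up.
--  Worker updates an unprotected global (a race condition); Safe_Worker
--  goes through a protected object, so the update is serialised.
with Ada.Text_IO; use Ada.Text_IO;

procedure Race_Examples is

   --  Shared global with no locking: two tasks update it concurrently.
   Hits : Natural := 0;

   task type Worker;
   task body Worker is
   begin
      for I in 1 .. 1_000 loop
         Hits := Hits + 1;   --  race condition: read-modify-write with no lock
      end loop;
   end Worker;

   --  Locked counterpart: an Ada protected object serialises access.
   protected Counter is
      procedure Increment;
      function Value return Natural;
   private
      Total : Natural := 0;
   end Counter;

   protected body Counter is
      procedure Increment is
      begin
         Total := Total + 1;   --  only one task at a time runs inside the protected body
      end Increment;

      function Value return Natural is
      begin
         return Total;
      end Value;
   end Counter;

   task type Safe_Worker;
   task body Safe_Worker is
   begin
      for I in 1 .. 1_000 loop
         Counter.Increment;
      end loop;
   end Safe_Worker;

begin
   declare
      W1, W2 : Worker;
      S1, S2 : Safe_Worker;
   begin
      null;   --  the block does not complete until all four tasks have finished
   end;
   Put_Line ("Unprotected hits:" & Natural'Image (Hits));           --  may be below 2000
   Put_Line ("Protected count: " & Natural'Image (Counter.Value));  --  always 2000
end Race_Examples;
```

The unprotected total is only sometimes wrong at run time, which is exactly why a dynamic test is a poor way to find this class of bug; the static analysis reports the unlocked update regardless of scheduling.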

Page 18: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer Examples of Use

Page 19: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer - Technology

❖ CodePeer ‘engine’ is ground-breaking in its depth of source code analysis for:
  ❖ Logic inconsistencies
  ❖ Race conditions
  ❖ Redundant code
  ❖ Automated pre- and postcondition generation
❖ Orients tool toward formal methods and review/understanding

Page 20: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer - Technology

❖ Scalable to realistic-sized programs
  ❖ Uses a highly modular, ‘bottom-up’ approach
  ❖ Avoids exponential ‘top-down’ path explosion
❖ Historical database preserves results of every inspection
  ❖ Allows user to focus on ‘new’ problems or compare against baseline
❖ Integrated with GNAT front-end and GPS
  ❖ CodePeer messages can be available on every build

Page 21: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer - Features of Architecture

❖ Sound
  ❖ Algorithms use conservative assumptions to avoid false negatives
❖ Precise
  ❖ Whole-program alias analysis with flow sensitivity
  ❖ Global value numbering
  ❖ Precise value set propagation (not just ranges)
❖ Scalable
  ❖ Bottom-up structure based on compiler technology

Page 22: Tech Days 2015: CodePeer - Introduction and Examples of Use

CodePeer - Features of Architecture

❖ Flexible
  ❖ Flow analysis and propagation algorithms work on real and ‘pseudo’ components of entities
❖ Incremental
  ❖ Strictly bottom-up, pre/postcondition approach supports iterative and incremental analysis

Page 23: Tech Days 2015: CodePeer - Introduction and Examples of Use

What is new in CodePeer?

• Support for Ada 2012
  – New syntax for specifying pre/postconditions
    • with Pre => not Full(S);
• Precise analysis of IEEE Float computations
  – Identifies Underflow and Overflow possibilities
• Analysis of the elaboration of library units
  – Enables detection of uninitialized global variables
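An added Ada 2012 example of the contract syntax the slide quotes, not code from the slides: a bounded stack whose Push carries `Pre => not Full (S)` together with a Post that relates the new size to the old one, plus a Float function whose precondition keeps a multiplication inside Float'Range, the kind of overflow possibility the slide says the Float analysis identifies. Bounded_Stacks, Stack, Push, Pop, Full, Empty, Size, Scale and Capacity are made-up names.

```ada
--  Added illustration, not code from the slides: Ada 2012 Pre/Post aspects
--  on a bounded stack, and a Float precondition that rules out overflow.
--  All names are made up for the example.
package Bounded_Stacks is

   Capacity : constant := 16;
   type Stack is private;

   function Full  (S : Stack) return Boolean;
   function Empty (S : Stack) return Boolean;
   function Size  (S : Stack) return Natural;

   --  The precondition is the slide's "with Pre => not Full (S)": a caller
   --  that cannot show the stack has room is reported at the call site.
   procedure Push (S : in out Stack; X : Integer)
     with Pre  => not Full (S),
          Post => not Empty (S) and then Size (S) = Size (S'Old) + 1;

   procedure Pop (S : in out Stack; X : out Integer)
     with Pre  => not Empty (S),
          Post => not Full (S) and then Size (S) = Size (S'Old) - 1;

   --  IEEE Float: the precondition bounds X so that X * 1_000.0 cannot
   --  exceed Float'Last (an overflow the Float analysis would otherwise flag).
   function Scale (X : Float) return Float
     with Pre => abs X <= Float'Last / 1_000.0;

private
   subtype Count is Natural range 0 .. Capacity;
   type Elements is array (1 .. Capacity) of Integer;
   type Stack is record
      Items : Elements := (others => 0);
      Top   : Count := 0;
   end record;
end Bounded_Stacks;

package body Bounded_Stacks is

   function Full  (S : Stack) return Boolean is (S.Top = Capacity);
   function Empty (S : Stack) return Boolean is (S.Top = 0);
   function Size  (S : Stack) return Natural is (S.Top);

   procedure Push (S : in out Stack; X : Integer) is
   begin
      S.Top := S.Top + 1;          --  stays within Count because of the precondition
      S.Items (S.Top) := X;        --  index check provable: Top is in 1 .. Capacity
   end Push;

   procedure Pop (S : in out Stack; X : out Integer) is
   begin
      X := S.Items (S.Top);        --  index check provable: Top >= 1 from the precondition
      S.Top := S.Top - 1;          --  range check provable: Top >= 1, so Top - 1 >= 0
   end Pop;

   function Scale (X : Float) return Float is (X * 1_000.0);

end Bounded_Stacks;
```

Without the Pre aspects the body of Push would have a possible range check failure on Top + 1 and Pop a possible index check failure on Items (Top); with them, the obligation moves to each call site, which is the "inputs to subprogram => preconditions" model from the Behind the scenes slides, now stated explicitly by the user rather than inferred.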

Page 24: Tech Days 2015: CodePeer - Introduction and Examples of Use

What is new in CodePeer? (cont’d)

• Better support for analysis of race conditions
  – Includes new GPS reports
• CWE (Common Weakness Enumeration) message IDs used throughout
  – CWE IDs shown in brackets [124, 393] in messages
  – CWE IDs used as labels for filtering checkboxes

Page 25: Tech Days 2015: CodePeer - Introduction and Examples of Use

What is new in CodePeer? (cont’d)

• GPS can display Value Sets and Backtraces
  – Hover over variable to see value set at that point in program
  – Can display set of lines that contribute to a message or precondition
  – A kind of “static debugger”
• Incremental Analysis
  – Program can be reanalyzed using results of prior CodePeer run
  – Provides dramatic speedup
  – Improves precision for “partitioned” analyses