Simulated program execution error detection method and apparatus

Abstract

A computer program error detection system that detects errors in a computer program by simulating execution of program statements. An internal format structure is retrieved along with a list of all functions defined by the computer program. The internal format structure is analyzed to determine all function calls and the function call ordering. External behavior models corresponding to the discovered function calls are retrieved and stored in a model table. One or more control flow paths are traversed through the computer program. For each path traversed, a structural memory model is maintained to represent the effect of the simulated execution of statements along the control flow path. A statement is simulated by executing a built in model of the operation. A function call is emulated by executing an external behavior model corresponding to the called function. Execution of an external behavior model causes the structural model memory to be updated to reflect execution of the called function. Information describing the manipulation of the memory model is logged for automodelling purposes. Invalid conditions in the structural memory model are detected and reported. The information logged for automodelling purposes is scanned after analysis of each path to build an outcome for that path. After individual path analysis completes, the different outcomes are processed, duplicates are removed, and an external behavior model representing the computer program under analysis is generated.

Claims

We claim:

1. A method for simulating execution of a computer program to detect programming errors in said computer program, said computer program containing at least one function, said function containing one or more statements, said method comprising:

retrieving a representation of said computer program;

traversing a first control flow path through said function wherein said first control flow path comprises a first sequence of said statements, wherein said traversing comprises:

maintaining a first structural memory model for said function over said first control flow path;

manipulating said first structural memory model to simulate execution of said first sequence of said statements;

detecting an invalid condition in said first structural memory model; and

reporting said invalid condition in said first structural memory model.

2. A method as in claim 1 wherein said representation of said computer program is an internal format structure.

3. A method as in claim 1 further comprising:

identifying all said functions defined by said computer program;

ordering a list of said functions defined by said computer program based on a function call ordering; and

scheduling an analysis of said computer program based upon said ordering a list of said functions defined by said computer program.

4. A method as in claim 1 further comprising:

accepting a configuration control command; and

modifying an analysis of said computer program based upon said configuration control command.

5. A method as in claim 4 further comprising:

accepting a second configuration control command for a specified function; and

modifying an analysis of said specified function based upon said second configuration control command.

6. A method as in claim 5 further comprising:

accepting a third configuration control command for a specified statement; and

modifying an analysis of said specified statement based upon said third configuration control command.

7. A method as in claim 6 wherein said reporting said invalid condition in said first sturctural memory model further comprises:

determining that one of said configuration control command, said second configuration control command and said third configuration control command orders suppression of said invalid condition; and

suppressing reporting of said invalid condition.

8. A method as in claim 1 wherein said traversing a first control flow path through said function further comprises:

identifying an unresolved choice point in said first control flow path;

representing said unresolved choice point by a node in a tree, wherein said node contains an edge for each potential resolution of said choice point; and

resolving said unresolved choice point by randomly choosing a first unselected edge to determine a first choice.

9. A method as in claim 8 wherein said resolving said unresolved choice point further comprises:

maintaining a history of said first choice; and

randomly choosing a second unselected edge to determine a second choice.

10. A method as in claim 8 wherein said traversing a first control flow path through said function further comprises:

updating said first structural memory model to reflect said resolving said unresolved choice point.

11. A method as in claim 1 further comprising:

analyzing said representation of said computer program to identify a function call;

locating an external behavior model of a called function corresponding to said function call;

retrieving said external behavior model of a called function corresponding to said function call; and, wherein said manipulating said first structural memory model to simulate execution of said first sequence of said statements further comprises:

emulating execution of said function call through execution of said external behavior model of a called function corresponding to said function call.

12. A method as in claim 1 wherein said invalid condition in said first structural memory model signals an uninitialized piece of memory.

13. A method as in claim 1 wherein said invalid condition in said first structural memory model signals an invalid pointer.

14. A method as in claim 1 wherein said invalid condition in said first structural memory model signals a zero divisor.

15. A method as in claim 1 further comprising:

logging information describing said manipulating said first structural memory model to produce a first logged data.

16. A method as in claim 15 further comprising automodelling said function to generate an external behavior model corresponding to said function, wherein said automodelling comprises:

scanning said first logged data to produce a first outcome for said first control flow path.

17. A method as in claim 16 wherein said automodelling said function further comprises:

scanning said first logged data to identify an extern of said function.

18. A method as in claim 17 further comprising:

traversing a second control flow path through said function, wherein said second control flow path comprises a second sequence of said statements, wherein said traversing comprises:

maintaining a second structural memory model for said function over said second control flow path;

manipulating said second structural memory model to simulate execution of said second sequence of said statements;

logging information describing said manipulating said second structural memory model to produce a second logged data; and wherein, automodelling said function to generate an external behavior model corresponding to said function further comprises:

scanning said second logged data to produce a second outcome for said second control flow path;

eliminating duplicates among said first outcome and said second outcome to generate one or more remaining outcomes; and

packaging said remaining outcomes and said extern into said external behavior model corresponding to said function.

19. A method as in claim 18 wherein said computer program is a first function.

20. A method as in claim 19 wherein said first function is part of a second computer program and wherein said external behavior model generated by said automodelling said function is used to emulate said first function in an analysis of said second computer program.

21. A method as in claim 16 wherein said automodelling said function further comprises:

ordering a symbol table, wherein said symbol table comprises one or more links to said first structural memory model prior to said logging information describing said manipulating said first structural memory model.

22. A method as in claim 1 wherein said reporting said invalid condition in said first structural memory model further comprises:

determining that said invalid condition is a duplicate; and

suppressing reporting of said invalid condition.

23. A method for simulating execution of a computer program to detect programming errors in said computer program, said computer program containing at least one function, said function containing zero statements, said method comprising:

retrieving a representation of said computer program;

traversing a control flow path through said function wherein said control flow path comprises zero statements, wherein said traversing comprises:

maintaining a structural memory model for said function over said control flow path;

logging information describing said function to produce a logged data; and

automodelling said function to generate an external behavior model corresponding to said function, wherein said automodelling comprises:

scanning said logged data to produce an outcome for said control flow path.

24. A method as in claim 23 wherein said automodelling said function further comprises:

scanning said logged data to identify an extern of said function.

25. A method for simulating execution of a computer program to detect programming errors in said computer program, said computer program containing one or more statements, said method comprising:

retrieving a representation of said computer program;

traversing a first control flow path through said computer program wherein said first control flow path comprises a first sequence of said statements, wherein said traversing comprises:

maintaining a first structural memory model for said computer program over said first control flow path;

manipulating said first structural memory model to simulate execution of said first sequence of said statements;

detecting invalid conditions in said first structural memory model; and

reporting said invalid conditions in said first structural memory model.

26. A method as in claim 25 wherein said representation of said computer program is an internal format structure.

27. A method as in claim 25 wherein said traversing a first control flow path through said computer program further comprises:

identifying an unresolved choice point in said first control flow path;

representing said unresolved choice point by a node in a tree, wherein said node contains an edge for each potential resolution of said choice point; and

resolving said unresolved choice point by randomly choosing a first unselected edge to determine a first choice.

28. A method as in claim 27 wherein said resolving said unresolved choice point further comprises:

maintaining a history of said first choice; and

randomly choosing a second unselected edge to determine a second choice.

29. A method as in claim 27 wherein said traversing a first control flow path through said computer program further comprises:

updating said first structural memory model to reflect said resolving said unresolved choice point.

30. A method as in claim 25 further comprising:

analyzing said representation of said computer program to identify a function call;

locating an external behavior model of a called function corresponding to said function call;

retrieving said external behavior model of a called function corresponding to said function call; and, wherein said manipulating said first structural memory model to simulate execution of said first sequence of said statements further comprises:

emulating execution of said function call through execution of said external behavior model of a called function corresponding to said function call.

31. A method as in claim 25 wherein said invalid condition in said first structural memory model signals an uninitialized piece of memory.

32. A method as in claim 25 wherein said invalid condition in said first structural memory model signals an invalid pointer.

33. A method as in claim 25 wherein said invalid condition in said first structural memory model signals a zero divisor.

34. A method as in claim 25 further comprising:

logging information describing said manipulating said first structural memory model to produce a first logged data.

35. A method as in claim 34 further comprising automodelling said computer program to generate an external behavior model corresponding to said computer program, wherein said automodelling comprises:

scanning said first logged data to produce a first outcome for said first control flow path.

36. A method as in claim 35 wherein said automodelling said computer program further comprises:

ordering a symbol table, wherein said symbol table comprises one or more links to said first structural memory model prior to said logging information describing said manipulating said first structural memory model.

37. A method as in claim 35 wherein said automodelling said computer program further comprises:

scanning said first logged data to identify an extern of said computer program.

38. A method as in claim 37 further comprising:

traversing a second control flow path through said computer program wherein said second control flow path comprises a second sequence of said statements, wherein said traversing comprises:

maintaining a second structural memory model for said computer program over said second control flow path;

manipulating said second structural memory model to simulate execution of said second sequence of said statements;

logging information describing said manipulating said second structural memory model to produce a second logged data; and wherein, automodelling said computer program to generate an external behavior model corresponding to said computer program further comprises:

scanning said second logged data to produce a second outcome for said second control flow path;

eliminating duplicates among said first outcome and said second outcome to generate one or more remaining outcomes;

packaging said remaining outcomes and said extern into said external behavior model corresponding to said computer program.

39. A method as in claim 25 wherein said computer program is part of a second computer program and wherein said external behavior model generated by said automodelling said computer program is used to emulate said computer program in an analysis of said second computer program.

40. An error detection processor for detecting errors in a computer program, said computer program comprising one or more statements, said error detection processor comprising:

a structural memory model which represents the behavior of said computer program upon a simulation;

an analysis engine which traverses a control flow path through said computer program, wherein said control flow path is comprised of a sequence of said statements;

a statement unit which simulates the effect of said statements in the said control flow path; and

an error generation unit which reports invalid conditions detected within said structural memory model after said simulation.

41. The error detection processor of claim 40 further comprising:

an automodeller which generates an external behavior model to represent the visible behavior of said computer program.

Description

CROSS REFERENCE TO MICROFICHE APPENDIX

Appendix A, which is a part-of this disclosure, is a microfiche appendix consisting of 22 sheets of microfiche having a total of 2146 frames. Microfiche Appendix A is a list of computer programs and related data in one embodiment of the present invention, which is described more completely below.

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the analysis of computer programs and, in particular, to the detection of programming errors in a computer program through analysis of the effects of simulated execution of the computer program upon a structural memory model.

2. Background

A large amount of effort in the development of computer programs is spent ensuring the correctness of the completed program. The objective of a computer program is to implement a specified input/output function. The correctness of a computer program is the degree to which the program is free from errors in its specification, design and implementation. The two most common methods for detecting errors in a computer program are compile-time checking and runtime checking.

Compile-time checking is the process of evaluating a computer program based on its form, structure or content. Compile-time checking tests properties that can be established before the execution of a program. "Syntax checking", one form of compile-time checking, verifies compliance with structural or grammatical rules defined for a language. For example, in the context of a computer program written in the well known C computer language, using the statement B+C=A produces an error because the correct format is A=B+C. Syntax checking is discussed further in Richard Conway and David Gries, An Introduction to Programming, (Winthrop Publishers, Inc. 1979). "Data flow analysis", another type of compile-time checking, analyzes the sequence in which data transfer, use and transformation are performed in a computer program to detect programming errors. Data flow analysis includes the use of control flow information; "control flow" is the sequence in which statements are performed in the execution of a computer program. A control flow is also referred to as a "control flow path" or, simply, a "code path". Data flow analysis can detect such errors as the use of a variable before assignment, two consecutive assignments to a variable or assigning a value to a variable that is never used.

Most shortcomings of compile-time checking methods stem from the fact that they do not consider consequences of computer program execution. Compile-time checking is limited to what can be determined without considering the dynamic effects of program execution. For example, the lint compile-time checker available in the SPARCworks.TM. 3.0.1 programming environment from Sun Microsystems of Mountain View, Calif., analyzes computer code without regard to the dynamic flow of control through the code. This shortcoming leads lint to report values being used before they are initialized when that is, in fact, not the case.

Error messages produced by compile-time checking methods are typically either under-inclusive or over-inclusive. A particular function in a computer program may use a resource before checking if the resource is valid. If resource validity is not checked outside the instant function, then failure to report a potential program terminating error could result in the corruption of data structures and even loss of valuable data. However, if resource validity is checked prior to the instant function, then reporting an error clutters the analysis of the instant function with false errors and, in a large program, may render analysis of the computer program useless.

Another type of false error reported by compile-time analysis methods is an "apparent" error in instructions through which control flow cannot go. The sequence in which statements are performed often depends on particular values associated with particular variables. Compile-time checking methods generally assume statements are always executed because they cannot determine if a particular code path is executed or under what specific circumstances program control flows through the code path.

Runtime checking, the other primary type of programming error detection method, is the process of evaluating a computer program based on its behavior during execution. Runtime checking involves executing the computer program with a known set of inputs and verifying the program results against the expected outcome. The set of test inputs, execution conditions and expected results is called a "test case". Often, in order to help locate errors, a printout (trace) showing the value of selected variables at different points in the program is produced.

Although simple in concept, the usefulness of runtime checking is limited by the complexity of the computer program. A tremendous amount of effort is required to design, make and run test cases. Even after an extensive effort, the error detection capability of runtime checking is limited to the code paths executed by the specific set of inputs chosen. In all but the most simple computer programs, it is generally impractical to execute all possible control flow paths. Furthermore, runtime checking requires that a computer program be complete and ready for execution. Since a function must be executed to be analyzed, testing a function apart from incorporating it into a complete program requires the additional effort of building a program shell which provides the function with the necessary environment for execution.

One method to overcome the deficiencies of typical programming error detection methods is presented by Applicants in U.S. patent application Ser. No. 08/289,148, entitled "Computer Process Resource Modelling Method and Apparatus", filed on Aug. 10, 1994, and assigned to the same assignee as this application, which is expressly incorporated herein by reference. This programming error detection method analyzes components of computer programs by tracking the effect of program instructions on the state of program resources. Each resource has a prescribed behavior represented by a number of states and transitions between states. However, since state machines are cumbersome to maintain and use, computer process resource modelling is limited in its ability to suppress spurious errors and provide detailed error messages. Further, the complexity of the method itself makes it difficult to maintain the structure embodying the method and to extend the method to new types of programming errors and programming languages.

What is needed is a programming error detection method which considers the behavior of executed program instructions, which automatically considers substantially all possible control flow paths through a computer program, and which can analyze an individual function of a computer program. What is further needed is a programming error detection method which considers the behavior of a called function when analyzing the calling function. The needed programming error detection method must also be easy to maintain and extend to new programming languages and different types of errors. The needed method should also be able to minimize spurious errors and provide detailed error messages.

SUMMARY OF THE INVENTION

In accordance with this invention, a computer program error detection system is provided to analyze the runtime behavior of a computer program by simulating the execution of program statements. Specifically, the system can be used to analyze only a subset of functions within a computer program or the entire program. In one embodiment, an object based design methodology is employed to increase maintainability of the system while providing high extensibility.

In one embodiment of the present invention, a computer program is input into a preprocessor. Also input into the preprocessor are user specified configuration options contained in a configuration file, header files, and command line information. The preprocessor transforms the computer program into an internal format structure (a parse tree structure). The parse tree structure is put into an intermediate file along with a list of all the functions defined within the computer program. This intermediate file, the configuration options, command line information and external behavior models are input into the analysis engine.

Analysis engine processing starts with accepting the configuration options. Configuration options control the analysis performed by the analysis engine. Once the controlling configuration options are determined, the internal format structure of the computer program is retrieved from the intermediate file. Also from the intermediate file, the analysis engine identifies all of the functions defined by the computer program. The internal format structure of the computer program is analyzed to identify all the function calls. The scheduling of function analysis is controlled by the ordering of identified function calls. In another embodiment of this invention, a different representation of the computer program can be used in place of the internal format structure. For example, source code representing the computer program.

Before analysis of the functions, the analysis engine locates and retrieves any previously constructed external behavior models corresponding to the identified called functions. The gathered external behavior models are represented by model table entries. Each model table entry is collected into the model table. If no external behavior model can be found for a called function, that function is represented by the missing model. The model table provides a reference to the external behavior models during function analysis.

Analysis of each function defined by the computer program is performed in a loop. At the start of analysis of a function, the internal format structure corresponding to the function is read into memory. The analysis engine analyzes a function by traversing code flow paths through the function until either the maximum number of paths has been reached or there are no more paths to analyze. The maximum number of paths is set with a configuration option to put a ceiling on analysis engine processing. A control flow path is selected using a deterministic choice point history. The simulated execution of a function through different control flow paths is modelled by a CPH tree. A control flow path may contain an unresolved choice point. That means, there may be a conditional or predicate in the control flow path that can't be resolved. A node in the CPH tree is used to represent each unresolved choice point. An edge from the node is randomly chosen to simulate resolution of the unresolved choice point. After a path is chosen in the CPH tree, that path is analyzed. When an edge is randomly chosen, there are implications for program variables which are remembered by updating the structural memory model representing the effect of the statements in the control flow path.

After all the selected paths have been analyzed, the externals of the function under analysis are gathered. Then, when it is no longer needed, the internal format structure of the function being analyzed is released from memory. Finally, the automodeller scans all the individual path outcomes, removes extraneous operations and deletes duplicate outcomes. The automodeller then packages the remaining outcomes together to generate an external behavior model of the function being analyzed.

Analysis of a particular control flow path entails simulation of each statement along the control flow path. At the start of path analysis, the analysis engine checks for configuration options specified only for the function being analyzed. Processing for the current function is influenced by the configuration options detected. For each code path analyzed, the analysis engine constructs a new structural memory model. The structural memory model is used to simulate the effects of execution of each statement along the control flow path. A table, called the "chunk table" is provided to keep track of all the modeled memory locations. For each code path analyzed, a symbol table is created that associates variable names used in the computer program to locations in modelled memory.

Prior to processing the first statement in the path, a modeled memory location is created for the function's return value and this location is inserted into the symbol table. A modeled memory location consists of one stored value per each addressable unit of the memory being modeled. If a four byte pointer is modelled, then the modeled memory location will contain four stored values (one per byte--the lowest addressable unit). Stored values are collected in stored value sets. The chunk table manages the memory model by keeping track of all the stored value sets.

Once the return value is laid out in the memory model, each statement along the path is processed. After the statements are processed, the symbol table is ordered to facilitate the comparison of outcomes between different code paths. Path processing also performs leak detection which searches each modeled memory location to determine if a piece of memory is allocated but will not be pointed to by any symbol after the function exits. Appropriate error messages are generated for any leaks detected. Path processing concludes with the automodeller scanning structures in the memory model to determine the tests performed on and the changes made to each external of the function. This information is summarized into an outcome for the path.

Analysis of a particular statement entails manipulating the memory model to reflect the effect the statement has in a computer memory. At the start of statement processing, the analysis engine checks for configuration options specified only for the statement being analyzed. Processing for the current statement is influenced by the configuration options detected. Statements are distributed for processing to an appropriate statement unit. There is a different statement unit for each type of statement. In general, a statement unit simulates execution of the program statement by evaluating the expressions in a statement and reproducing the appropriate processing control results.

Expressions are evaluated by creating modeled memory locations to represent the operands of the expression and updating the memory model to simulate the effect of applying the operator of the expression to the operands. Information describing the manipulating of the memory model is logged for later inspection by the automodeller. Simulating the effect of applying operators is performed by the operation unit. The operation unit simulates operations by executing built in models analogous to the external behavior models used to represent functions.

If the statement is a function call, an external behavior model corresponding to the called function is executed to emulate the effect of the function call. If a corresponding external behavior model does not exist then the memory model is updated under the assumption the called function returned normally. An external behavior model generated by the automodeller for a called function can be used to emulate the called function in an analysis of the calling function.

When an invalid condition is detected in the memory model an error message is generated. Reporting error messages is controlled by configuration options. Configuration options can permit only certain invalid conditions to be reported or can suppress the reporting of certain invalid conditions. Further, the analysis engine does not report duplicate error messages.

This invention will be more fully understood in view of the following detailed description taken together with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of the inputs and outputs to one embodiment of the present invention.

FIG. 2 is a block diagram of one operating environment for the present invention as depicted in FIG. 1.

FIG. 3 is a more detailed block diagram of the internals of the analyzer of FIG. 2.

FIG. 4 is a more detailed block diagram of the preprocessor of FIG. 3.

FIG. 5 is an illustration of a sample C programming language statement and a corresponding parse tree.

FIG. 6 is a more detailed block diagram of the analysis engine of FIG. 3.

FIG. 7 is a block diagram of a functional view of the per function control block of FIG. 6.

FIG. 8 is a block diagram representing the processing performed by the analysis engine of FIG. 3.

FIG. 9 is an illustration of a model table entry employed in one embodiment of the present invention.

FIG. 10 is an illustration of a sample function call ordering and external behavior function model inventory that exists at the beginning of processing by the analysis engine of FIG. 3.

FIG. 11 is a block diagram representing the processing performed by the analyze functions block of FIG. 8.

FIG. 12 is a block diagram representing the processing performed by the analyze paths block of FIG. 11.

FIG. 13 is an illustration of a symbol table entry employed in one embodiment of the present invention.

FIG. 14a is a high level depiction of two pointers in a symbol table and their linkages to modeled memory used in the order symbol table block of FIG. 12.

FIG. 14b is a high level depiction of the two pointers from FIG. 14a (and their linkages to modeled memory) placed, in reverse order from FIG. 14a, into the symbol table used in the order symbol table block of FIG. 12.

FIG. 15 is a block diagram representing the processing performed by one embodiment of the memory creation unit of this invention.

FIG. 16 is an illustration of an origin context structure employed by the memory creation unit of FIG. 15.

FIG. 17 is an illustration of a chunk data structure employed by the memory creation unit of FIG. 15.

FIG. 18 is an illustration of a stored value block employed by the memory creation unit of FIG. 15.

FIG. 19 is an illustration of a stored resource block employed by the memory creation unit of FIG. 15.

FIG. 20 is a high level depiction of the linkages between data structures created by the memory creation unit of FIG. 15.

FIG. 21 is an illustration of an execution context block employed by the initialize per-functions data structures block of FIG. 11.

FIG. 22 is a block diagram representing the processing performed in the process statements along path block of FIG. 12.

FIG. 23 is a logic flow diagram of one embodiment of the block unit of this invention.

FIG. 24 is a logic flow diagram of one embodiment of the expression unit of this invention.

FIG. 25a is a logic flow diagram describing part of the processing performed in process operation action 2424 of FIG. 24.

FIG. 25b is a logic flow diagram completing the description begun in FIG. 25a of the processing performed in process operation action 2424 of FIG. 24.

FIG. 26 is an illustration of an argument info block employed by evaluate operation action 2538 of FIG. 25b.

FIG. 27 is a logic flow diagram of one embodiment of the operation unit of this invention.

FIG. 28 is a logic flow diagram of one embodiment of the if-else unit of this invention.

FIG. 29 is a logic flow diagram of one embodiment of the loop execution unit of this invention.

FIG. 30a is a logic flow diagram of part of one embodiment of the switch unit of this invention.

FIG. 30b is a logic flow diagram completing the description begun in FIG. 30a of the switch unit.

FIG. 31 is a logic flow diagram of one embodiment of the variable initialization unit of this invention.

FIG. 32 is a logic flow diagram of one embodiment of the return unit of this invention.

FIG. 33 is a logic flow diagram of one embodiment of the CPH choose condition unit of this invention.

FIG. 34 is an illustration of a memory type information block employed in one embodiment of the present invention.

FIG. 35 is an illustration of a fetched value block employed in one embodiment of the present invention.

FIG. 36 is an illustration of a predicate block employed in one embodiment of the present invention.

FIG. 37 is a logic flow diagram of one embodiment of the error generation unit of this invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

According to the principles of this invention, methods and apparatus are provided for simulating computer program execution and detecting programming errors. In particular, in accordance with this invention a novel error detection method maps the source code of a computer program to a sequence of operations on a virtual machine. A virtual image, a detailed structural model of memory as used by the computer program under analysis (sometimes referred to as a "memory model"), represents the condition of the virtual machine. Each variable in the computer program is associated with a unique location in the memory model. Each location contains a value. Each value is uniquely identified and represents a particular instance of a variable or other program resource. Executable program instructions are converted to instructions for the virtual machine. The virtual machine operates by applying behavior models of the instructions to the values contained in the memory model. Application of the models detects illegal operations, invalid values, leaks and other kinds of errors.

Analysis of a computer program involves multiple iterations traversing different code paths. While traversing an individual code path, unresolved choice points are resolved. A "choice point" is a point in the computer program at which one of two or more alternative sets of program statements is selected for execution based upon the value of a condition or predicate. When analysis is conducted with only partial knowledge of a program's variables and resources, a condition or predicate value may be undetermined resulting in an unresolved choice point.

Function calls along a code path are analyzed by executing an external behavior model of the function. This external behavior model reflects what must be true when the corresponding function is entered and what will be true when the corresponding function exits. The information distilled from multiple iterations of the computer program is abstracted to form an external behavior model of the program under analysis.

In the following description, numerous specific details are set forth such as language syntax, program interfaces, and sample data, etc. in order to provide a more thorough understanding of the present invention. However, it will be apparent to one skilled in the art that the present invention may be practiced without these specific details. In some cases, well known data formats and data structures are not described in detail in order not to unnecessarily obscure the present invention.

Analyzing at the Function Level

Typically, computer programs are developed by combining previously developed components with newly written code. As used herein, "code" refers to source code, i.e., computer instructions in human intelligible form and/or object code, i.e., computer instructions in computer intelligible form. A component of a computer program is a piece of code which performs one or more specified tasks. To execute a computer program on a computer, the source code is translated into machine code and the program is loaded into memory as a load module. For more discussion on creating load modules and executing programs see Arthur Gill, Machine and Assembly Language Programming of the PDP-11, (Prentice-Hall, Inc. 1978).

Computer programs can be written in any of a number of computer languages. In traditional computer languages, called procedural languages, the programmer states a specific set of instructions that the computer must perform in a given sequence. An instruction is a statement in a programming language which specifies an operation to be performed by the computer and the addresses or values of the associated operands. For example, in the instruction A=B+1, "B" and "1" are the operands and "+" is the operator used to specify the addition operation. In general, a statement specifies an action to be performed. Examples of procedural computer languages are C, Ada, Pascal, Fortran, COBOL and PL/1.

Some procedural languages, such as C++, are object oriented. Object oriented programming languages maintain objects which are conceptual groupings of functions and associated data. Objects are structured into components known as "classes". Some computer languages are graphics-based in that instructions are represented as graphical images which are displayed on a computer screen and which are linked by a computer programmer to create a computer program. Some computer languages are specific to a particular software product such as the Lotus 1-2-3 macro language for the Lotus 1-2-3 Spreadsheet program available from Lotus Development Corporation of Cambridge, Mass. The present invention is applicable to any computer language, i.e., to any computer instruction protocol, in which memory is manipulated.

While source code computer instruction protocols are described above, it is appreciated that the teachings herein are equally applicable to computer instructions in the form of object code. In the illustrative embodiment described herein, the particular computer language analyzed is the well-known C computer language.

Computer programs written in the C computer language are typically divided into a number of functions. A function accepts as input zero or more parameters, performs a specific action and produces as output at most one returned item. The parameters and returned item are data structures which are stored in memory. A function can be a component or part of a component. In the illustrative embodiment of the present invention described herein, each function of a computer program is analyzed individually.

Computer Program Analysis

FIG. 1 illustrates one embodiment of the present invention. Error detection processor 102 reduces computer program 104 into fault indicators 106, and models 118. Fault indicators 106 pinpoint and describe specific errors within computer program 104. In one embodiment of the present invention, fault indicators 106 take the form of error messages. Error messages are described below in more detail. Model 118 defines the mapping of input memory to output memory that a corresponding function within computer program 104 performs. Model 118 is an external behavior model because it is a summary representation of the externally visible behavior of a corresponding function. Modelling a computer function is described below in greater detail.

Error detection processor's 102 treatment of computer program 104 is influenced by a variety of input factors; the input factors include: config file 110, command line information 108, header files 112 and models 118. The input factors are described below in greater detail.

FIG. 2 illustrates one typical operating environment for error detection processor 102. In the embodiment of FIG. 2, error detection processor 102 comprises analyzer 202 executed upon central processing unit (CPU) 204. CPU 204 executes stored program instructions. Analyzer 202 along with computer program 104, config file 110 and header files 112 are contained in memory 206. Memory 206 can be further subdivided into main memory (not shown) and secondary storage (not shown). Main memory holds program instructions or data and is directly addressable by CPU 204. Secondary storage contains data not directly under control of or addressable by CPU 204. One skilled in the art will realize that the information contained in memory 206 can be stored in main memory or it can be kept in secondary storage and transferred into main memory when required for execution on CPU 204.

Input/Output (I/O) circuitry 208 is responsible for the transfer of data to and from CPU 204. CPU 204, memory 206 and I/O circuitry 208 are interconnected through an internal data channel called a bus 210. Keyboard 212 and mouse 214 are two common input devices designed to assist in the entry of data and instructions to CPU 204. For example, typically command line information 108 is entered through keyboard 212 for presentation to error detection processor 102. Display device 216 and printer 218 are two common output devices designed to assist in the output of data from CPU 204. In the embodiment of FIG. 2, the output signal, fault indicator 106, is stored in memory. One skilled in the art will recognize that this output signal can also be directed to other output devices, such as display device 216 and printer 218.

FIG. 3 illustrates a functional description of analyzer 202. Preprocessor 302 translates computer program 104 into a corresponding parse tree structure 304. Preprocessor 302 stores parse tree structure 304 in intermediate file 306. Also in intermediate file 306, preprocessor 302 stores analyze function list 310, a list of all the functions defined in computer program 104. The functions defined in computer program 104 are the functions analyzed by analysis engine 308. Analysis engine 308 traverses parse tree structure 304 to detect errors and generate fault indicators 106. Additionally, analysis engine 308 generates a model 118 for each function of computer program 104. Models 118 and other output of analysis engine 308 are described below in greater detail.

A functional description of preprocessor 302 is illustrated in FIG. 4. Preprocessor 302 receives operating instructions from config file 110. Config file 110 allows a user to customize analyzer 202. The settings contained in config file 110 determine characteristics of the environment in which computer program 104 is analyzed. For example, in one embodiment of the present invention, configuration option "maximum.sub.-- paths" sets a limit on the amount of analysis performed for each function. An integer option value specifies a limit on the number of paths analyzed by analyzer 202. A full list of configuration options for one embodiment of the present invention is shown in Appendix B.

The configuration options contained in config file 110 are processed by config file reader 402. Config file reader 402 reads in the configuration options from config file 110 and sets the operating attributes of parser 404 as indicated by the configuration options. Parser 404 creates an internal, intermediate representation of computer program 104. Parser 404 uses header files 112 to translate computer program 104. In one embodiment, header files 112 include standard library functions that are available to a C program through the "#include" C preprocessor directive. Header files are well known in the prior art. For a more detailed discussion on header files, see Mark Williams Company, Ansi C: A Lexical Guide, (Prentice Hall 1988).

In preparation for analysis, parser 404 parses computer program 104. Parsing a computer program determines the syntactic structure of the program by decomposing it into more elementary subunits and establishing the relationships among the subunits. Parser 404 checks that the statements appearing in computer program 104 occur in patterns that are permitted by the source language (C) specification. Parser 404 generates fault indicator 106 for statements that violate the language specification. In one embodiment of the present invention, fault indicator 106 is in the form of an error message. Errors that violate the language specification are called "syntax errors".

Additionally, and more importantly for purposes of further error detection, parser 404 imposes parse tree structure 304 upon the elementary subunits of computer program 104. Parse tree structure 304 is a parse tree which exhibits the syntactic structure of computer program 104. A tree is a collection of elements grouped in a hierarchical structure with many branches. The top element in the tree is called the root node. Terminal nodes, nodes without any branches, are called leaf nodes. The remaining nodes in a tree are interior nodes.

The concept of a parse tree is best understood by way of example. FIG. 5 shows a simple C statement and the corresponding parse tree. Statement 502, "a=b+1;", is decomposed into two expressions. The primary expression is an equality expression that sets "a" equal to the value generated by a secondary expression. The primary expression's two operands are "a" and the secondary expression. The secondary expression is an addition operation that adds 1 to "b". The secondary expression's two operands are "b" and "1". Statement 502 is represented by parse tree 504. The root of parse tree 504, root node 506, contains the equality operator which represents the equality expression. The two branches off of root node 506 lead to the two operands of the equality expression. Leaf node 508 contains operand "a" and interior node 510 contains the addition operator which represents the addition operation. The two branches off of interior node 510 lead to the operands of the addition operation. Leaf node 512 contains "b" and leaf node 514 contains "1".

Using a parser to parse computer programs, generate error messages for syntax errors and build a parse tree are all well known in the prior art. For a detailed discussion on parsing computer programs, see Alfred V. Aho, Ravi Sethi and Jeffrey D. Ullman, Compilers: Principles, Techniques, and Tools, (Addison-Wesley Publishing Company 1986).

In addition to parse tree structure 304, preprocessor 302 also produces a list of all functions defined in computer program 104. This list, analyze function list 310, is stored with parse tree structure 304 in intermediate file 306. Analysis engine 308 accesses analyze function list 310 to determine which functions to analyze.

FIG. 6 illustrates a functional description of analysis engine 308. Main control block 602 is the main entry point of analysis engine 308. Main control block 602 is invoked from the command line directly by the user or indirectly by integration scripts or build tools. A user can invoke analyzer 202 directly with a command entered through keyboard 212 or mouse 214. The key information input on the command line, part of command line information 108, is a list of intermediate files 306 (containing parse tree structures 304) that corresponds to computer programs to be analyzed. In addition, command line information 108 may also contain a specification of configuration file 110. Main control block 602 controls the order of processing within analysis engine 308.

Initialization block 604 performs the first processing within analysis engine 308. Initialization block 604 processes command line information 108 (including the list of intermediate files 306 and the optional specification of a configuration file 110) and models 118. When processing is complete, control returns to main control block 602.

Next, processing is performed by per function control block 606. One parse tree structure 304, corresponding to one computer program, is analyzed at a time. Each parse tree structure 304 may have multiple functions represented within it. Per function control block 606 analyzes a single function at a time. Per function control block 606 traverses parse tree structure 304 and produces fault indicators 106. Processing is repeated for each parse tree structure 304 to be analyzed. When all parse tree structures 304 have been analyzed, control returns to main control block 602.

Final processing is completed by post-processing block 608. Post-processing block 608 writes out models 118 corresponding to functions analyzed by per function control block 606. Models 118 can be written to any output medium. Typically, models 118 are written to secondary storage where they are available for the analysis of additional computer programs. Post-processing block 608 returns control to main control block 602 and analysis is concluded.

The majority of processing performed by analysis engine 308 occurs within per function control block 606. A functional description of per function control block 606 is presented in FIG. 7. Per function control block 606 is built upon five main objects. An object is a conceptual grouping of functions and associated data. By designing per function control block 606 with an object based methodology, analysis engine 308 has greater extensibility and is easier to maintain. Extensibility is increased because functionality can be added within a particular object without affecting other objects. Objects interact by using carefully defined interfaces. Maintenance within one object will not affect other objects as long as the interfaces are observed. Thus, it is easy to maintain analysis engine 308 and perform localized corrections, as opposed to having to make wholesale corrections throughout analysis engine 308.

Parse tree object 702 traverses multiple code paths in computer program 104 as represented by parse tree structure 304. As it traverses a code path, parse tree object 702 processes an instruction along the code path by retrieving its operator along with the corresponding operands. The operator and operands retrieved are passed to instruction object 706 for simulation. Parse tree object 702 also passes function calls to instruction object 706 for emulation. Both simulation of instruction execution and emulation of function calls will be described in greater detail below.

Virtual machine 704 simulates the execution and internal representation of computer program 104 on a computer. Virtual machine 704 consists of instruction object 706, virtual image object 708 and automodel object 710. Instruction object 706 interprets operators passed by parse tree object 702. Furthermore, instruction object 706 executes models 118 corresponding to the operator or function being processed. The effect of executing a model 118 is to appropriately modify the memory model. The memory model is described below in greater detail.

Virtual image object 708 maintains the virtual image (not shown). The virtual image is a structural model of computer memory ("memory model"). Virtual image object 708 keeps track of locations in the memory model, what values have been stored at each location during the course of "execution" of computer program 104, and what tests have been performed on particular memory model locations. Virtual image object 708 also maintains a set of primitives, referred to as vim primitives, that operate on the values in memory. The model of computer memory and vim primitives will be described below in greater detail.

Automodel object 710 is responsible for constructing a model 118 of the function currently under analysis. After execution of each code path within a function, auto model object 710 queries virtual image object 708 to obtain information relevant to the input to output mapping performed by the function. The model 118 that is created by auto model object 710 is an abstraction of the information obtained from virtual image object 708 over multiple code paths. Models 118 and the information required to build them will be discussed below in greater detail.

The majority of programming errors detected are found in virtual image object 708; however, the actual fault indicators 106 are generated in fault indicator object 712. Fault indicator object 712 receives information identifying the programming error. In one embodiment of the present invention, the information is assembled and a fault indicator 106 is presented to the user in the form of an error message. More description of error message processing is given below.

Analyzer Construction

In one embodiment of the present invention, the source code which represents the different components of analyzer 202 is implemented in groupings called packages. A package is a logically related subset of a larger computer program which provides an associated set of services to the computer program. For one embodiment of the present invention, Table 1 lists all is of the packages that form analyzer 202.

                  TABLE 1
    ______________________________________
    Package    Description    Packages Used
    ______________________________________
    ana        analyzer       none
    auto       automodelling  bot,conf,ctx,vim,
                              ins,sym
    bot        utilities      none
    conf       configuration  bot,err
    cph        choice point   bot,conf
               history
    ctx        execution context
                              bot
    edg        parser         none
    eng        main control block
                              bot,conf,mcil,
                              exe,err
    err        error reporting
                              bot,conf,edg,ctx
    exe        execution      bot,conf,auto,
                              ins,sym,vim,ctx
    ins        instructions   bot,conf,ctx,vim,
                              auto,cph,err
    mcil       multiple       bot,conf,edg
               intermediate files
    sym        symbol table   bot,edg,vim
    vim        virtual image  bot,conf,ctx,err
    ______________________________________

                  TABLE 2
    ______________________________________
    Utility       Description
    ______________________________________
    bot.sub.-- col
                  collections; fixed and variable sized
                  arrays and lists
    bot.sub.-- date
                  date handling
    bot.sub.-- debug
                  debugging printing and topics
    bot.sub.-- fio
                  file input and output
    bot.sub.-- fname
                  file names
    bot.sub.-- mem
                  memory allocation, reallocation,
                  freeing
    bot.sub.-- str
                  string handling
    bot.sub.-- sys
                  miscellaneous system calls
    ______________________________________

    ______________________________________
    #pragma INTRINSA "supress=null.sub.-- pointer, uninitialized"
    int main ( )
           int i,j:
           j = 1 + 2;
           return 0;
    }
    ______________________________________