
Lecture 9: Designing Exceptionally
CS201j: Engineering Software
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Menu
• Section Problem
– Weakly Uses Example
• Handling Mistakes
– No checking
– Run-time checking
– Static checking
• PS3 Comments
30 September 2003
CS 201J Fall 2003
2
Design
• What are the things in the problem?
– Obvious things: advisor, student, course
– Less obvious things: prerequisites, set of courses
• Most of the things in the problem should be abstract datatypes
Weakly Uses
[Diagram: Course → Department (Course weakly uses Department)]
public class Course {
    private Department dept;
    private int number;
    //@invariant dept != null
    //@invariant number > 0

    public Course (Department d, int n) {
        dept = d;
        number = n;
    }

    public Department getDepartment () {
        return dept;
    }

    public int getNumber () {
        return number;
    }
}
[Diagram: Course → Department (Course weakly uses Department)]
public class Course {
    private Department dept;
    private int number;
    //@invariant dept != null
    //@invariant number > 0

    public Course (Department d, int n) {
        dept = d;
        number = n;
    }

    public Department getDepartment () {
        return dept;
    }

    public int getNumber () {
        return number;
    }

    public String toString () {
        return (dept.getMnemonic () + number);
    }
}
Handling Mistakes
• No checking
– Assume programmers know what they are doing
• Run-time checking
– Check for anomalous behavior during program execution
• Static checking
– Check at compile-time
– Know properties of all possible executions before executing code
Example: Array Bounds
What should happen when the program writes beyond the bounds of an array?
int a[10];
a[10] = 17;
C/C++ Answer
Checking is just a waste of execution time; we should trust the programmer not to make mistakes.
#include <iostream.h>
int main (void) {
    int x = 9;
    char s[4];
    cin >> s;
    cout << "s is: " << s << endl;
    cout << "x is: " << x << endl;
}
C/C++ Bounds NonChecking
#include <iostream.h>
int main (void) {
    int x = 9;
    char s[4];
    cin >> s;
    cout << "s is: " << s << endl;
    cout << "x is: " << x << endl;
}
> g++ -o bounds bounds.cc
> bounds
cs                 (User input)
s is: cs
x is: 9
> bounds
cs201
s is: cs201
x is: 49
> bounds
cs201j
s is: cs201j
x is: 27185
> bounds
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
s is: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
x is: 1633771873
Segmentation fault (core dumped)
What’s going on?!!
[Diagram: stack layout after input "cs201": s holds ‘c’ ‘s’ ‘2’ ‘0’; the ‘1’ (= 49) spills into the first byte of x, so x changes from 9 to 49]
#include <iostream.h>
int main (void) {
    int x = 9;
    char s[4];
    cin >> s;
    cout << "s is: " << s << endl;
    cout << "x is: " << x << endl;
}
> bounds
cs201
s is: cs201
x is: 49
What’s going on?!!
[Diagram: stack layout after input "cs201j": s holds ‘c’ ‘s’ ‘2’ ‘0’; the bytes of x become ‘1’ (= 49), ‘j’ (= 106), 0, 0, so x changes from 9 to 27185]
In C/C++, the space for an int (32 bits) is enough to hold 4 chars (8 bits each).
#include <iostream.h>
int main (void) {
    int x = 9;
    char s[4];
    cin >> s;
    cout << "s is: " << s << endl;
    cout << "x is: " << x << endl;
}
> bounds
cs201j
s is: cs201j
x is: 27185 = (106*256) + 49
[Diagram: stack layout after an input of 33 ‘a’s: s, x and the saved return address are all overwritten with ‘a’ bytes]
#include <iostream.h>
int main (void) {
    int x = 9;
    char s[4];
    cin >> s;
    cout << "s is: " << s << endl;
    cout << "x is: " << x << endl;
}
> bounds
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
s is: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
x is: 1633771873
Segmentation fault (core dumped)
When main returns, execution jumps to the return address stored on the stack. But, the input overwrote that return address!
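As an added example (not part of the lecture), the frame the slides draw, modelled as a byte array so the arithmetic can be run without corrupting a real stack: predict_x reproduces the x values printed above under the assumption that the four bytes of s are immediately followed by a little-endian x, and read_bounded is the hardened read that would have left x at 9.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
// Model of the slide's stack frame (an assumption about layout): the four bytes
// of s are followed directly by the four bytes of x, stored little-endian.
static const size_t FRAME = 8;   // sizeof s + sizeof x

// Assemble a 32-bit little-endian value from four bytes.
static uint32_t le32(const unsigned char* p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

// Predict what x holds after an unchecked `cin >> s` of `input`, by writing the
// characters plus their terminating NUL into the modelled frame instead of the
// real stack. Bytes past the frame are dropped here; on the real stack they
// keep going and reach the saved return address.
uint32_t predict_x(const char* input) {
    unsigned char bytes[FRAME] = {0};
    bytes[4] = 9;                         // int x = 9;
    size_t n = std::strlen(input) + 1;    // cin >> s also writes the NUL
    if (n > FRAME) n = FRAME;
    std::memcpy(bytes, input, n);
    return le32(bytes + 4);
}

// Hardened read: copy at most cap-1 characters and always NUL-terminate, so
// nothing beyond s is touched. Returns false when the input had to be cut.
bool read_bounded(const char* input, char* buf, size_t cap) {
    if (cap == 0) return false;
    size_t n = std::strlen(input);
    bool fits = n < cap;
    size_t copy = fits ? n : cap - 1;
    std::memcpy(buf, input, copy);
    buf[copy] = '\0';
    return fits;
}

// Same modelled frame, filled through read_bounded instead of `cin >> s`.
uint32_t x_after_bounded_read(const char* input) {
    unsigned char bytes[FRAME] = {0};
    bytes[4] = 9;
    read_bounded(input, reinterpret_cast<char*>(bytes), 4);   // 4 == sizeof s
    return le32(bytes + 4);
}

int main() {
    const char* inputs[] = {"cs", "cs201", "cs201j", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"};
    for (const char* in : inputs)
        std::cout << in << ": unchecked x = " << predict_x(in)
                  << ", bounded x = " << x_after_bounded_read(in) << '\n';
}
```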
When things go really bad…
• If the person entering input is clever, they can put what they want in the return address, and their own code after that to jump to!
“Buffer Overflow Attack”
“Stack Smashing”
Code Red
Buffer Overflows
• Code Red: exploited buffer overflow in Microsoft’s IIS (web server)
• Attacker sends excessively long request to web server, overflows buffer and puts virus code on stack
• About ½ of all security problems are due to buffer overflows!
Array Bounds in Java
public class AverageLength {
    public static void main (/*@non_null@*/ String args[]) {
        String filename = args[0];
        …
    }
}
> javac AverageLength.java
> java AverageLength
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at AverageLength.main(AverageLength.java:7)
Array Bounds Checking
• C/C++: No checking
+ No execution cost
? Lower development cost? (if you don’t care about robustness)
- Really, really bad things can happen (and do often for typical programs)
Array Bounds Checking
• Java: Run-time checking
– Performance cost: virtual machine needs to check array indexes are in bounds
+ Get a run-time error, instead of Code Red
But, sometimes run-time errors can be really, really bad too!
Run-Time Exceptions
[Photos: Before Run-Time Exception: Ariane V (European) rocket, $5B. After Run-Time Exception: Rubble, $0B]
Rocket exploded because of a Run-Time Exception (1996) (not array bounds, value out of range – one bad line of code)
Array Bounds with ESC/Java
public class AverageLength {
    public static void main (/*@non_null@*/ String args[]) {
        String filename = args[0];
        …
    }
}
> escjava AverageLength.java
AverageLength.java:7: Warning: Array index possibly too large (IndexTooBig)
        String filename = args[0];
                              ^
Array Bounds Checking
• ESC/Java: static checking
+ Check at compile-time: know there will not be an array bounds error on any possible execution
? If you trust the compile-time checking, can turn off run-time checking (no performance penalty)
? More apparent effort to develop code (but is there really?)
PS3
• PS3
– Read the comments!
– The choice of rep had a big impact on success in implementation
– Easiest implementation had a rep invariant that kept entries in tally-sorted order
• PS4: turn in TWO copies of your design document tomorrow