ABSTRACT
It is difficult to write programs that behave correctly in the presence of run-time errors. Existing programming language features often provide poor support for executing clean-up code and for restoring invariants in such exceptional situations. We present a dataflow analysis for finding a certain class of error-handling mistakes: those that arise from a failure to release resources or to clean up properly along all paths. Many real-world programs violate such resource-safety policies because of incorrect error handling. Our flow-sensitive analysis keeps track of outstanding obligations along program paths and models control flow precisely in the presence of exceptions. Using it, we have found over 800 error-handling mistakes in almost 4 million lines of Java code. The analysis is unsound and produces some false positives, but a few simple filtering rules suffice to remove them in practice; the remaining mistakes were manually verified. These mistakes cause sockets, files and database handles to be leaked along some paths. We present a characterization of the most common causes of those errors and discuss the limitations of exception handling, finalizers and destructors in addressing them. Based on those errors, we propose a programming language feature that keeps track of obligations at run time and ensures that they are discharged. Finally, we present case studies to demonstrate that this feature is natural, efficient, and can improve reliability; for example, retrofitting a 34kLOC program with it resulted in a 0.5% code size decrease, a surprising 17% speed increase (from correctly deallocating resources in the presence of exceptions), and more consistent behavior.
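The abstract describes a flow-sensitive analysis that tracks outstanding obligations (open sockets, files, database handles) along program paths, including the exceptional edges that ordinary control-flow graphs omit. The following is an added illustration of that idea, written for this page; it is not the paper's implementation, and the paper's real analysis differs in details the abstract does not give. The toy control-flow graph encoding (`Node`, `acquire`/`release`/`call`/`exit` kinds, separate normal and exceptional successor lists), the three constructed method shapes, and the assumptions that a throwing `close()` still discharges its obligation and that a throwing `open()` never created one are all this example's own. Merging with set union makes it a may-leak analysis: a resource is reported at an exit if any path reaches that exit with the obligation still outstanding.

```python
"""Toy flow-sensitive "outstanding obligations" analysis over a CFG with
explicit exceptional edges (added example, not the paper's own code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Node:
    kind: str                                      # "acquire" | "release" | "call" | "exit"
    res: str = ""                                  # resource name for acquire/release
    succ: List[str] = field(default_factory=list)  # normal-flow successors
    exc: List[str] = field(default_factory=list)   # successors taken when this statement throws


CFG = Dict[str, Node]


def transfer(node: Node, state: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (state on normal edges, state on exceptional edges)."""
    if node.kind == "acquire":
        # Assumption: if open()/the constructor throws, the caller never held
        # the resource, so the obligation is added only on the normal edge.
        return state | {node.res}, set(state)
    if node.kind == "release":
        # Assumption: a close() that throws still discharges the obligation.
        return state - {node.res}, state - {node.res}
    return set(state), set(state)


def analyze(cfg: CFG, entry: str) -> Dict[str, Set[str]]:
    """Forward may-analysis: obligations that can be outstanding at each exit node."""
    in_state: Dict[str, Set[str]] = {name: set() for name in cfg}
    worklist = [entry]
    while worklist:
        name = worklist.pop()
        node = cfg[name]
        normal, exceptional = transfer(node, in_state[name])
        edges = [(s, normal) for s in node.succ] + [(e, exceptional) for e in node.exc]
        for nxt, out in edges:
            if not out <= in_state[nxt]:      # union is monotone, so this terminates
                in_state[nxt] |= out
                worklist.append(nxt)
    return {name: in_state[name] for name, node in cfg.items() if node.kind == "exit"}


def leaks(cfg: CFG, entry: str) -> Dict[str, List[str]]:
    """Sorted leaked-resource names per exit node, for reporting and testing."""
    return {name: sorted(obligs) for name, obligs in analyze(cfg, entry).items()}


# Constructed example 1:  s = open(); s.write(...); s.close();   (no try/finally)
LEAKY_SINGLE: CFG = {
    "open":     Node("acquire", "s", succ=["write"], exc=["exc_exit"]),
    "write":    Node("call", succ=["close"], exc=["exc_exit"]),   # write() throws: s never closed
    "close":    Node("release", "s", succ=["ret"], exc=["exc_exit"]),
    "ret":      Node("exit"),
    "exc_exit": Node("exit"),
}

# Constructed example 2:  a = open(); b = open();
#                         try { use(a, b); } finally { b.close(); a.close(); }
LEAKY_NESTED: CFG = {
    "open_a":      Node("acquire", "a", succ=["open_b"], exc=["exc_exit"]),
    "open_b":      Node("acquire", "b", succ=["use"], exc=["exc_exit"]),       # a leaks if this throws
    "use":         Node("call", succ=["close_b"], exc=["close_b_exc"]),
    "close_b":     Node("release", "b", succ=["close_a"], exc=["exc_exit"]),   # a leaks if b.close() throws
    "close_a":     Node("release", "a", succ=["ret"], exc=["exc_exit"]),
    "close_b_exc": Node("release", "b", succ=["close_a_exc"], exc=["exc_exit"]),
    "close_a_exc": Node("release", "a", succ=["exc_exit"], exc=["exc_exit"]),
    "ret":         Node("exit"),
    "exc_exit":    Node("exit"),
}

# Constructed example 3:  a = open();
#                         try { b = open(); try { use(a, b); } finally { b.close(); } }
#                         finally { a.close(); }
SAFE_NESTED: CFG = {
    "open_a":      Node("acquire", "a", succ=["open_b"], exc=["exc_exit"]),
    "open_b":      Node("acquire", "b", succ=["use"], exc=["close_a_exc"]),     # outer finally still runs
    "use":         Node("call", succ=["close_b"], exc=["close_b_exc"]),
    "close_b":     Node("release", "b", succ=["close_a"], exc=["close_a_exc"]),
    "close_a":     Node("release", "a", succ=["ret"], exc=["exc_exit"]),
    "close_b_exc": Node("release", "b", succ=["close_a_exc"], exc=["close_a_exc"]),
    "close_a_exc": Node("release", "a", succ=["exc_exit"], exc=["exc_exit"]),
    "ret":         Node("exit"),
    "exc_exit":    Node("exit"),
}

if __name__ == "__main__":
    for label, cfg, entry in [("leaky single", LEAKY_SINGLE, "open"),
                              ("leaky nested", LEAKY_NESTED, "open_a"),
                              ("safe nested", SAFE_NESTED, "open_a")]:
        print(label, leaks(cfg, entry))
```

The second graph shows the shape of mistake the abstract attributes to nested resources: one `finally` block releasing both handles leaves `a` outstanding whenever `open_b` or `b.close()` throws, while the third graph, with one `try`/`finally` per resource, reaches both exits with nothing outstanding. Because states are merged with union rather than kept per path, a real tool built this way will also flag some infeasible paths, which is the kind of false positive the abstract says simple filtering rules remove.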
Finding and preventing run-time error handling mistakes. OOPSLA '04.