Yeah, so put this in your pocket. I'm going to eat this. I'm sorry about that. Hmm. Okay, then I'll start eating. An excel? We're going to continue later. We're going to do the talk now. No, that should be fine. It's okay.

Okay, so I have the very hard task to keep you awake for the next 10 minutes. So just to introduce myself a bit: I'm Nicolas Peru. I work at SonarSource, which is the company behind SonarQube; I don't know if some of you know or use it. I'm a developer in the language team, so I work mainly on analyzers, and mainly the Java analyzer. And you can find me cycling around the Léman or at the Geneva JUG, so the Java user group.

Okay, what I'm going to talk about is a bit the backstory of how we came up... we've actually been developing some analyzers at SonarSource, and what we did to develop them. So just to understand a bit the context: at SonarSource we have this product called SonarQube, which helps you to track issues over time on your project, so which bugs, how do you fix them and everything, and track metrics as well. And the project started somehow as an aggregator of all linters. And at one point in time there was the decision, and the fact that, okay, we need to develop our own analyzers, because it was not so easy to contribute back, and the technology... there was some limitation in existing linters that we at least thought we were trying to be able to fix, or to overcome. So we said, okay, cool. Now, we want to have a static analyzer in Java. How do we do that?

So I'm going to explain and walk you through how do we develop a static analyzer. There's quite some stuff that we already explained in previous presentations, so that's going to be quick on some parts. So the main challenge here is to get the language. So guess what the first thing is? We start to do some parsing. So that's a recurring thing here in this room, right?
So we do exactly as Federico described in his presentation before. So we have this lexical analysis, then we have the syntax analysis, and we end up with a syntax tree. We describe the language on which we can work. We have a bunch of tools already we can implement with that, mainly rules about formatting, kind of what we call somehow code smells. So, problems; that's what we call them. So many problems around, like: is this if on the right line? Is this token on the wrong line? Is this commented enough? Everything. The syntactic equivalence that was described also by those other guys this afternoon, like: do we have the same operands on both sides of an operator? Is that probably an issue? So we can already work with that and have some rules.

Then we have another layer: we go for semantic analysis. So we resolve all the symbols. So this is not always easy in Java. This is the easy part. Then we enter the realm of generics and type inference, which is just so nice, so much fun. And the good thing is that all what I've said, all what I've mentioned, you can use that to actually write your own checks for SonarQube and to have your own Java checks available to analyze for your project. So please use it, and please let us know how bad our API is, so we can improve it.

But that's not all. That's the nice part. We can do all code smells, pretty advanced code smells. We can start to try to take some bugs with this. But we implemented also symbolic execution to be able to detect some bugs. And you might wonder what actually is symbolic execution, and that's going to be the main part of this very short talk, to explain a bit to you what we are doing with that.

So the main goal is to try to detect this very complicated hidden null pointer exception here, and to be sure that it's a null pointer. We want to be really accurate. We don't want to raise too many issues. When we raise an issue, we want to be sure it's an issue. We don't want to raise false positives. So that's really why we are using symbolic execution: to reduce
the amount of false positives. So how do we do that? So we start by having this project... this source file, sorry. It all works within the method. And so we start by saying: okay, we have a state of the program where we know that here, by definition, we assign something, so this my object is not null. Then we go along the execution; we simulate somehow the execution. And when we reach a condition, we actually have two possible outcomes. We don't know about the condition a. So either a is false, and so my object is still not null, as we started; or a is true, and then my object is null. So we now have two possible states of the program, and so we continue the exploration.

So continuing the exploration, we reach the second condition, so it's not a. So then we start with the first state, and we say, okay, a is false. So there is one state that is possible: the true. We can actually go into that condition. It's not really interesting; let's move on. And the second part, we can't reach it: a is false, that's not possible. Okay, cool. Nothing interesting, no more to see here. Let's look at the other state. The other state: we have my object which is null, a is true. So the first, the true part of the if, is actually not feasible, so we don't explore anything. And on the second part, we actually have my object which is null, a is true, and hold on: we dereference my object, it's null. We have an issue here. And so we're able to detect the null pointer exception like that. And we are context sensitive; we follow those paths as well, and that helps us to find those issues.

This is really an interesting technique. It gives a lot of very nice results. It has some drawbacks, of course. Drawbacks mainly are when you have really, really complex conditions, because obviously, as you have all computed in your head right now, this is always true. And so you end up in the realm of satisfiability solvers and everything. And so this is really a challenge we have to face at one point. Right now we don't handle ints, and so that's one
thing we didn't address yet. Who knows, maybe soon. Another problem is also explosion of states. Here we had only one if, so that's already two states. You can imagine that if you nest a lot of conditions, a lot of loops and everything, the number of states to actually keep track of can quickly grow. And so then you have the problem of how many computations you will have to do. So you have a lot of techniques to try to optimize this, to reduce the number of states, find some equivalence between some states of the program. So that's a challenge. And another challenge as well is that this is only intraprocedural, so it's only within a method. So how do you actually try to find some bugs that can be between methods? And so this is actually... we started a bit with this, on cross-procedural, and it's not actually... we're still working on that. And what we have for some plan in the future...

Oh okay, sorry, I forgot about that one. So just a small example of what we can detect that is interesting. So this is taken from Apache Vysper, so it's an open source project. I actually have no idea what it does, but we found this nice bug. So basically we have this subject here. This condition here is such that we know that if we don't reach it, if we don't enter this part here, we know that the variable 'to' is not equal to server entity. So which means here, this assignment, this value here, is always false. So that condition is basically useless. So there's probably something wrong here. So it's actually quite a nice finding, and we can find some stuff like that.

And for the future, we want to try to address taint analysis, so trying to find some vulnerability issues between files, a bit, a lot, like what Jules described in their talk previously this afternoon. I'm not going into details here. SonarSource is recruiting, so send your CVs. And if you have questions, it's time now. I think I'm on time. Ten minutes is awfully short. Please.

Did you use Java parser for that, or did you write your own?
No, we have our own. We have our own... oh, sorry: did we use Java parser or Java or anything? No, we have our own stack of parsing. It's all open source, all available on GitHub. There's the link on the talk.

That's a very good question. So, the example I showed: was it... did something happen to it? On this very specific case, I don't know, but we reported it as well. We reported also... we have the same kind of technology also applied on .NET, on C# code. But for that they use actually a front-end which is Roslyn, which is open source, and actually find bugs in Roslyn using Roslyn, and they report it back to Roslyn, which is fun.
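
The two-condition walkthrough from the talk, as an added example that is not part of the talk and not SonarSource's code: a toy path-sensitive explorer in Python that forks a state at each condition, prunes infeasible branches, and reports a dereference only on a path where the variable is known to be null. The statement tuples, the function names (`explore`, `step`, `analyze`) and the method body itself (reconstructed from the spoken description, since the slide is not in the transcript) are assumptions.

```python
# Added illustration; not SonarSource code. The mini-program format is hypothetical.
NULL, NOT_NULL = "null", "not-null"

def explore(stmts, state, issues):
    """Run stmts from one symbolic state; return the states that reach the end."""
    states = [state]
    for stmt in stmts:
        states = [nxt for st in states for nxt in step(stmt, st, issues)]
    return states

def step(stmt, st, issues):
    kind = stmt[0]
    if kind == "assign":                  # ("assign", var, NULL | NOT_NULL)
        _, var, value = stmt
        return [{**st, "objs": {**st["objs"], var: value}}]
    if kind == "deref":                   # ("deref", var, label)
        _, var, label = stmt
        if st["objs"].get(var) == NULL:
            issues.append((label, dict(st["bools"])))
            return []                     # this path ends in an NPE
        return [st]
    if kind == "if":                      # ("if", bool_var, negated, then, else)
        _, cond, negated, then_b, else_b = stmt
        out = []
        for branch, taken in ((then_b, True), (else_b, False)):
            needed = taken != negated     # value cond must hold on this branch
            known = st["bools"].get(cond)
            if known is not None and known != needed:
                continue                  # contradicts the path constraints: prune
            forked = {**st, "bools": {**st["bools"], cond: needed}}
            out.extend(explore(branch, forked, issues))
        return out
    raise ValueError(f"unknown statement kind: {kind}")

# Constructed from the spoken walkthrough:
#   myObject = new Object(); if (a) myObject = null;
#   if (!a) { ... } else { myObject.toString(); }
PROGRAM = [
    ("assign", "myObject", NOT_NULL),
    ("if", "a", False, [("assign", "myObject", NULL)], []),
    ("if", "a", True, [], [("deref", "myObject", "myObject.toString()")]),
]

def analyze(program):
    """Return (issues, surviving end states) for a method body."""
    issues = []
    final = explore(program, {"objs": {}, "bools": {}}, issues)
    return issues, final

if __name__ == "__main__":
    for label, path in analyze(PROGRAM)[0]:
        print(f"null dereference at {label} on path {path}")
```

Moving the dereference into the `!a` branch produces no issue, because the only state that can enter that branch still has the variable not null; a check that ignored path constraints would report it.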