PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for...

37
1 Static Analysis Applications Software Analysis © 2008 Jonathan Aldrich 1 PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich Static Analysis Applications 2 Software Analysis © 2008 Jonathan Aldrich Lecture Objectives Analyze Microsoft’s PREfix as a practical example of effective static analysis Big Ideas Symbolic execution Path sensitivity Interprocedural analysis

Transcript of PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for...

Page 1: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

1

Static Analysis Applications Software Analysis© 2008 Jonathan Aldrich

1

PREfix

Reading: A Static Analyzer for Finding Dynamic Programming Errors

17-654/17-765

Analysis of Software Artifacts

Jonathan Aldrich

Static Analysis Applications 2Software Analysis© 2008 Jonathan Aldrich

Lecture Objectives

• Analyze Microsoft’s PREfix as a

practical example of effective static

analysis

• Big Ideas• Symbolic execution

• Path sensitivity

• Interprocedural analysis

Page 2: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

2

Static Analysis Applications 3Software Analysis© 2008 Jonathan Aldrich

Find the Bugs!

char *f(int size) {

char * result;

if (size > 0)

result = (char *)malloc(size);

if (size == 1)

return NULL;

result[0] = 0; // result may be uninitialized

return result;

}

Static Analysis Applications 4Software Analysis© 2008 Jonathan Aldrich

Find the Bugs!

char *f(int size) {

char * result;

if (size > 0)

result = (char *)malloc(size);

if (size == 1)

return NULL; // memory leak

result[0] = 0; // result may be uninitialized

// malloc may have failed

return result;

}

Page 3: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

3

Static Analysis Applications 5Software Analysis© 2008 Jonathan Aldrich

Motivation

• Finding programming errors• invalid pointers

• storage allocation errors

• uninitialized memory

• improper operations on resources

Static Analysis Applications 6Software Analysis© 2008 Jonathan Aldrich

Can’t we just test?

• 90% of errors involve interactions of

multiple functions• Is this why the original developer didn’t find

them?

• Occur in unusual or error conditions• Often hard to exercise with testing

Page 4: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

4

Static Analysis Applications 7Software Analysis© 2008 Jonathan Aldrich

Challenges for Analysis

• False Negatives• Looking only in one function and miss

errors across functions

• False Positives• Reporting errors that can’t really occur

• Engineering effort (e.g. ESC/Java)• Requiring extensive program specifications

• Execution overhead• Monitoring program may be impractical• Only as good as your test suite

Static Analysis Applications 8Software Analysis© 2008 Jonathan Aldrich

Goals of PREfix

• Handle hard aspects of C-like languages• Pointers, arrays, unions, libraries, casts…

• Don't require user annotations• Build on language semantics

• Avoid false positives• Use path-sensitive analysis

• Give the user good feedback• Why might an error occur? Show the user

an example execution

Page 5: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

5

Static Analysis Applications 9Software Analysis© 2008 Jonathan Aldrich

PREfix Analysis

• Explore paths through function

• For each path:• Symbolically execute path

• Determine facts true along the path

• Compute a guard• What must be true for the path to be taken

• Compute constraints• Preconditions for successful execution of path

• Compute result• What is true of the return value?

Static Analysis Applications 10Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

Page 6: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

6

Static Analysis Applications 11Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

Static Analysis Applications 12Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

Page 7: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

7

Static Analysis Applications 13Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

Static Analysis Applications 14Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size > 0

constraint initialized(size)

Page 8: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

8

Static Analysis Applications 15Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size > 0

constraint initialized(size)

fact ptr==memory_new(size)

Static Analysis Applications 16Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

Page 9: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

9

Static Analysis Applications 17Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

Static Analysis Applications 18Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

Page 10: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

10

Static Analysis Applications 19Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 0

constraint initialized(size)

Static Analysis Applications 20Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 0

constraint initialized(size)

fact ptr==NULL

Page 11: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

11

Static Analysis Applications 21Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 1

constraint initialized(size)

fact ptr==NULL

Static Analysis Applications 22Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 1

constraint initialized(size)

fact ptr==NULL

ARRAY ACCESS ERROR: ptr is NULL

Page 12: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

12

Static Analysis Applications 23Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 1

constraint initialized(size)

fact ptr==NULL

ARRAY ACCESS ERROR: ptr is NULL

alternate 3

guard size > 1

constraint initialized(size)

Static Analysis Applications 24Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 1

constraint initialized(size)

fact ptr==NULL

ARRAY ACCESS ERROR: ptr is NULL

alternate 3

guard size > 1

constraint initialized(size)

fact ptr==memory_new(size)

Page 13: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

13

Static Analysis Applications 25Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 1

constraint initialized(size)

fact ptr==NULL

ARRAY ACCESS ERROR: ptr is NULL

alternate 3

guard size > 1

constraint initialized(size)

fact ptr==memory_new(size)

Static Analysis Applications 26Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 1

constraint initialized(size)

fact ptr==NULL

ARRAY ACCESS ERROR: ptr is NULL

alternate 3

guard size > 1

constraint initialized(size)

fact ptr==memory_new(size)

fact ptr[0] == 0

Page 14: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

14

Static Analysis Applications 27Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 1

constraint initialized(size)

fact ptr==NULL

ARRAY ACCESS ERROR: ptr is NULL

alternate 3

guard size > 1

constraint initialized(size)

fact ptr==memory_new(size)

fact ptr[0] == 0

result return == memory_new(size) && return[0] == 0

Static Analysis Applications 28Software Analysis© 2008 Jonathan Aldrich

PREfix: Analysis Example(syntax slightly de-LISP-ified)

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 1

constraint initialized(size)

fact ptr==NULL

ARRAY ACCESS ERROR: ptr is NULL

alternate 3

guard size > 1

constraint initialized(size)

fact ptr==memory_new(size)

fact ptr[0] == 0

result return == memory_new(size) && return[0] == 0

alternate 4…

Page 15: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

15

Static Analysis Applications 29Software Analysis© 2008 Jonathan Aldrich

Big Ideas

• Symbolic execution• Explore a subset of possible program executions• May not find all errors, but still useful• Carefully constructed to cover more functionality

than most testing strategies can

• Path sensitivity• Avoids reporting errors that occur on control-flow

paths that can’t really be taken

• Interprocedural analysis• Looks at how the behavior of a callee affects the

caller

Static Analysis Applications 30Software Analysis© 2008 Jonathan Aldrich

Motivation: Path Sensitivity

[z := 0]1if [b]2[z := 10]3;

[x := 100]4;

if [b]5[x := x / z]6;

• Does this code have a bug?

• What would zero analysis say?

after pp z

0 MZ

1 Z

2 Z

3 NZ

4 MZ

5 MZWarning: possible divide by zero

MZ

Z NZ

Page 16: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

16

Static Analysis Applications 31Software Analysis© 2008 Jonathan Aldrich

Path Sensitive Analysis

[z := 0]1if [b]2[z := 10]3;

[x := 100]4;

if [b]5[x := x / z]6;

Analysis value after statement0: [z↦MZ, b↦unknown]1: [z↦Z, b↦unknown]2: Split path into p and q on b

2p: [z↦Z, b↦true], take branch3p: [z↦NZ, b↦true]4p: [z↦NZ, x↦NZ, b↦true]5p: [z↦NZ, x↦NZ, b↦true], take branch6p: [z↦NZ, x↦NZ, b↦true]No error

MZ

Z NZ

unknown

true false

Static Analysis Applications 32Software Analysis© 2008 Jonathan Aldrich

Path Sensitive Analysis

[z := 0]1if [b]2[z := 10]3;

[x := 100]4;

if [b]5[x := x / z]6;

Analysis value after statement0: [z↦MZ, b↦unknown]1: [z↦Z, b↦unknown]2: Split path into p and q on b

2q: [z↦Z, b↦false], skip branch

4q: [z↦Z, x↦NZ, b↦false]5q: [z↦Z, x↦NZ, b↦false], skip branch

No error

MZ

Z NZ

unknown

true false

Page 17: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

17

Static Analysis Applications 33Software Analysis© 2008 Jonathan Aldrich

Path Sensitive Analysis

Analyzes each feasible program path separately

• Benefit• Increased precision from eliminating infeasible paths

• Cost• Exponential number of paths

• Loops• Infinite number of paths—cannot explore them all

Static Analysis Applications 34Software Analysis© 2008 Jonathan Aldrich

Path Sensitivity:

Addressing the Cost

• How does PREfix deal with• Exponential path blowup?

• Explore up to a fixed number of paths

• Merge paths with identical results

• Loops?• Explore up to a fixed number of iterations

Page 18: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

18

Static Analysis Applications 35Software Analysis© 2008 Jonathan Aldrich

What if you miss a path?

char *f(int size) {

char * ptr;

if (size > 0)

ptr=(char*)malloc(size);

if (size == 1)

return NULL;

ptr[0] = 0;

return ptr;

}

f (param size)

alternate 0

guard size <= 0

constraint initialized(size)

ARRAY ACCESS ERROR: ptr not initialized

alternate 1

guard size == 1

constraint initialized(size)

fact ptr==memory_new(size)

result return==NULL

MEMORY LEAK ERROR:

memory pointed to by ptr is not reachable

through externally visible state

alternate 2

guard size > 1

constraint initialized(size)

fact ptr==NULL

ARRAY ACCESS ERROR: ptr is NULL

alternate 3

guard size > 1

constraint initialized(size)

fact ptr==memory_new(size)

fact ptr[0] == 0

result return == memory_new(size) && return[0] == 0

alternate 4…

Static Analysis Applications 36Software Analysis© 2008 Jonathan Aldrich

Soundness for PREfix

• Exploring only some paths is unsound• Might miss bugs on paths not explored

• Sound alternatives• Explore a fixed set of paths/iterations• Merge all other paths together using dataflow analysis to reach a fixed point

• Cost• May yield too many false positive error reports• PREfix chooses unsoundness to avoid false positives

Page 19: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

19

Static Analysis Applications 37Software Analysis© 2008 Jonathan Aldrich

Motivation:

Interprocedural Analysis

void exercise_deref() {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

• Are there errors in this code?

Static Analysis Applications 38Software Analysis© 2008 Jonathan Aldrich

Motivation:

Interprocedural Analysis

void exercise_deref() {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

• Are there errors in this code?• Depends on what the function does• Second call: error if dereference w/o NULL check• Third call: error if any dereference

Page 20: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

20

Static Analysis Applications 39Software Analysis© 2008 Jonathan Aldrich

Interprocedural Analysis

• Any analysis where the analysis

results for a caller depend on the

results for a callee, or vice versa

Static Analysis Applications 40Software Analysis© 2008 Jonathan Aldrich

Summaries

• Summarize what a function does• Maps arguments to results

• May case-analyze on argument information

• Simulateable• Given information about arguments, will yield:

• Any errors

• Information about results

Page 21: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

21

Static Analysis Applications 41Software Analysis© 2008 Jonathan Aldrich

PREfix: Building a Summary(syntax slightly de-LISP-ified)

int deref(int *p) {

if (p == NULL)

return NULL;

return *p;

}

• Begin

deref (param p)

Static Analysis Applications 42Software Analysis© 2008 Jonathan Aldrich

PREfix: Building a Summary(syntax slightly de-LISP-ified)

int deref(int *p) {

if (p == NULL)

return NULL;

return *p;

}

• Use of p

deref (param p)

constraint initialized(p)

Page 22: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

22

Static Analysis Applications 43Software Analysis© 2008 Jonathan Aldrich

PREfix: Building a Summary(syntax slightly de-LISP-ified)

int deref(int *p) {

if (p == NULL)

return NULL;

return *p;

}

• Split path on value of p

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

Static Analysis Applications 44Software Analysis© 2008 Jonathan Aldrich

PREfix: Building a Summary(syntax slightly de-LISP-ified)

int deref(int *p) {

if (p == NULL)

return NULL;

return *p;

}

• Return statement

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

Page 23: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

23

Static Analysis Applications 45Software Analysis© 2008 Jonathan Aldrich

PREfix: Building a Summary(syntax slightly de-LISP-ified)

int deref(int *p) {

if (p == NULL)

return NULL;

return *p;

}

• Consider other path

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

Static Analysis Applications 46Software Analysis© 2008 Jonathan Aldrich

PREfix: Building a Summary(syntax slightly de-LISP-ified)

int deref(int *p) {

if (p == NULL)

return NULL;

return *p;

}

• Dereference of p

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

Page 24: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

24

Static Analysis Applications 47Software Analysis© 2008 Jonathan Aldrich

PREfix: Building a Summary(syntax slightly de-LISP-ified)

int deref(int *p) {

if (p == NULL)

return NULL;

return *p;

}

• Use of *p

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

Static Analysis Applications 48Software Analysis© 2008 Jonathan Aldrich

PREfix: Building a Summary(syntax slightly de-LISP-ified)

int deref(int *p) {

if (p == NULL)

return NULL;

return *p;

}

• Return statement

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

Page 25: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

25

Static Analysis Applications 49Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Begin

exercise_deref

Static Analysis Applications 50Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Evaluate v = 5

exercise _deref

fact initialized(v), v==5

Page 26: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

26

Static Analysis Applications 51Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Evaluate &v

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

Static Analysis Applications 52Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

Page 27: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

27

Static Analysis Applications 53Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

• only return_X applies

Static Analysis Applications 54Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

• only return_X applies• constraint initialized(&v) -- PASS

Page 28: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

28

Static Analysis Applications 55Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

• only return_X applies• constraint initialized(&v) – PASS• constraint valid_ptr(&v) -- PASS

Static Analysis Applications 56Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

• only return_X applies• constraint initialized(&v) – PASS• constraint valid_ptr(&v) – PASS• constraint initialized(*&v) – PASS

Page 29: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

29

Static Analysis Applications 57Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

• only return_X applies• constraint initialized(&v) – PASS• constraint valid_ptr(&v) – PASS• constraint initialized(*&v) – PASS• apply result

Static Analysis Applications 58Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

Page 30: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

30

Static Analysis Applications 59Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

• only return_0 applies

Static Analysis Applications 60Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

• only return_0 applies• constraint initialized(p) -- PASS

Page 31: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

31

Static Analysis Applications 61Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

fact y==NULL

• only return_0 applies• constraint initialized(p) – PASS• apply result

Static Analysis Applications 62Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Evaluate (int *) 5

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

fact y==NULL

fact !valid_ptr((int *) 5), (int *) 5 != NULL

Page 32: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

32

Static Analysis Applications 63Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

fact y==NULL

fact !valid_ptr((int *) 5), (int *) 5 != NULL

Static Analysis Applications 64Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

fact y==NULL

fact !valid_ptr((int *) 5), (int *) 5 != NULL

• return_0 does not apply

Page 33: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

33

Static Analysis Applications 65Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

fact y==NULL

fact !valid_ptr((int *) 5), (int *) 5 != NULL

• return_0 does not apply

• return_X does apply

Static Analysis Applications 66Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

fact y==NULL

fact !valid_ptr((int *) 5), (int *) 5 != NULL

• return_0 does not apply

• return_X does apply• constraint initialized((int *) 5) –

PASS

Page 34: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

34

Static Analysis Applications 67Software Analysis© 2008 Jonathan Aldrich

PREfix: Using a Summary(syntax slightly de-LISP-ified)

void exercise_deref(int v) {

int v = 5;

int x = deref(&v);

int y = deref(NULL);

int z = deref((int *) 5);

}

deref (param p)

alternate return_0

guard p==NULL

constraint initialized(p)

result return==NULL

alternate return_X

guard p != NULL

constraint initialized(p)

constraint valid_ptr(p)

constraint initialized(*p)

result return==*p

• Apply summary

exercise _deref

fact initialized(v), v==5

fact initialized(&v), valid_ptr(&v)

fact x==5

fact y==NULL

fact !valid_ptr((int *) 5), (int *) 5 != NULL

• return_0 does not apply

• return_X does apply• constraint initialized((int *) 5) – PASS• constraint valid_ptr((int *) 5) –

FAIL• Generate error

Static Analysis Applications 68Software Analysis© 2008 Jonathan Aldrich

PREfix Scaleability

• Analysis cost = 2x-5x build cost• Scales linearly

• Probably due to fixed cutoff on number of paths

Page 35: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

35

Static Analysis Applications 69Software Analysis© 2008 Jonathan Aldrich

Value of Interprocedural Analysis

• 90% of errors require models

(summaries)

Static Analysis Applications 70Software Analysis© 2008 Jonathan Aldrich

You don’t need every path

• Get most of the warnings with 100 paths

Page 36: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

36

Static Analysis Applications 71Software Analysis© 2008 Jonathan Aldrich

Empirical Observations

• PREfix finds errors off the main code paths• Main-path errors caught by careful coding and

testing

• UI is essential• Text output is hard to read

• Need tool to visualize paths, sort defect reports

• Noise warnings• Real errors that users don’t care about

• E.g., memory leaks during catastrophic shutdown

Static Analysis Applications 72Software Analysis© 2008 Jonathan Aldrich

PREfix Summary

• PREfix: Great tool to find errors• Can’t guarantee that it finds them all

• Role for other tools

• Complements testing by analyzing uncommon

paths

• Focuses on low-level errors, not logic/functionality

errors• Role for functional testing

• Huge impact• Used widely within Microsoft

• Lightweight version is part of new Visual Studio

Page 37: PREfix - Carnegie Mellon School of Computer Science · PREfix Reading: A Static Analyzer for Finding Dynamic Programming Errors 17-654/17-765 Analysis of Software Artifacts Jonathan

37

Static Analysis Applications 73Software Analysis© 2008 Jonathan Aldrich

Further Reading

• William R. Bush, Jonathan D. Pincus, and

David J. Sielaff. A Static Analyzer for

Finding Dynamic Programming Errors.

Software—Practice and Experience, 30:775-

802, 2000.


Prefix Hijacking Mitigation · Prefix Hijacking 101 • Announce someone else's prefix • Announce a more specific of a someone else's prefix NANOG 46 – June 2009 • Synopsis:

Prefix Hijacking Mitigation · Prefix Hijacking 101 • Announce someone else's prefix • Announce a more specific of a someone else's prefix NANOG 46 – June 2009 • Synopsis:

G.s.deluna prefix

G.s.deluna prefix

prefix hijacked

prefix hijacked

Tool Evaluation – Lattix LDMaldrich/courses/654-sp09/tools/... · Tool Evaluation – Lattix LDM Mini Project 17-654 Analysis of Software Artifacts April 2006 Team OverHEAD Karim

Tool Evaluation – Lattix LDMaldrich/courses/654-sp09/tools/... · Tool Evaluation – Lattix LDM Mini Project 17-654 Analysis of Software Artifacts April 2006 Team OverHEAD Karim

Mahesh 654

Mahesh 654

Breeder Education -Prefix Examination - DogsWest · Breeder Education -Prefix Examination 1 Version 6.0 - 18th February 2019 Breeder Education -Prefix Examination NOTE: If a Prefix

Breeder Education -Prefix Examination - DogsWest · Breeder Education -Prefix Examination 1 Version 6.0 - 18th February 2019 Breeder Education -Prefix Examination NOTE: If a Prefix

Prefix ber-

Prefix ber-

Pap Grohmann 654

Pap Grohmann 654

Bearing Prefix

Bearing Prefix

Campus 654

Campus 654

Prefix ter

Prefix ter

Hoare Logic: Proving Programs Correctaldrich/courses/654-sp07/slides/7-hoare.pdf · 2007-02-14 · 1 Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts

Hoare Logic: Proving Programs Correctaldrich/courses/654-sp07/slides/7-hoare.pdf · 2007-02-14 · 1 Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts

Installing and Extending OOF2 - NIST€¦ · python setup.py build python setup.py install --prefix=prefix No: python setup.py build --skip-swig install--prefix=prefix See the README

Installing and Extending OOF2 - NIST€¦ · python setup.py build python setup.py install --prefix=prefix No: python setup.py build --skip-swig install--prefix=prefix See the README

654 zenin-cats

654 zenin-cats

PLS 454/654

PLS 454/654

-arg;. 654-2322 653-6121 654-2301 654-2443 654-2533 653-0253 … · 2007-01-24 · 653-0253 654-2534 656-2410 656-2350 657-3830 Z*2434 um 1919 . I +390—4 +3èù4-. 3000 2000 o 1000

-arg;. 654-2322 653-6121 654-2301 654-2443 654-2533 653-0253 … · 2007-01-24 · 653-0253 654-2534 656-2410 656-2350 657-3830 Z*2434 um 1919 . I +390—4 +3èù4-. 3000 2000 o 1000

Metric prefix

Metric prefix

KMBT 654-20151106095215 · 2015. 11. 9. · Prefixes Meaning "Together/' The prefixes co and syn mean "together." However, the prefix syn changes the spelling to syl when it is used

KMBT 654-20151106095215 · 2015. 11. 9. · Prefixes Meaning "Together/' The prefixes co and syn mean "together." However, the prefix syn changes the spelling to syl when it is used

4EB0_01_que_20120307,qwndkjbq65 654

4EB0_01_que_20120307,qwndkjbq65 654

Prefix "Me"

Prefix "Me"