Optimistic Bug Finding David Gupta and Junfeng Yang.

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
ECE 454 Computer Systems Programming Compiler and Optimization (I) Ding Yuan ECE Dept., University of Toronto
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.
1 Automatic Predicate Abstraction of C Programs Parts of the slides are from
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Artificial Intelligence in Game Design Introduction to Learning.
Algorithm Strategies Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.
Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002.
Game Playing CSC361 AI CSC361: Game Playing.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
Synergy: A New Algorithm for Property Checking
Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.
Prof. Bodik CS 164 Lecture 171 Register Allocation Lecture 19.
1  2004 Morgan Kaufmann Publishers Chapter Six. 2  2004 Morgan Kaufmann Publishers Pipelining The laundry analogy.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
Register Allocation (via graph coloring)
Register Allocation (via graph coloring). Lecture Outline Memory Hierarchy Management Register Allocation –Register interference graph –Graph coloring.
CS 280 Data Structures Professor John Peterson. Big O Notation We use a mathematical notation called “Big O” to talk about the performance of an algorithm.
Overview of program analysis Mooly Sagiv html://
1 Liveness analysis and Register Allocation Cheng-Chia Chen.
“A System and Language for Building System-Specific, Static Analyses” CMSC 631 – Fall 2003 Seth Hallem, Benjamin Chelf, Yichen Xie, and Dawson Engler (presented.
Recursion. Definitions I A recursive definition is a definition in which the thing being defined occurs as part of its own definition Example: A list.
 Main Idea/Point-of-View  Specific Detail  Conclusion/Inference  Extrapolation  Vocabulary in Context.
Evaluating Hypotheses Reading: Coursepack: Learning From Examples, Section 4 (pp )
Access Path Selection in a Relational Database Management System Selinger et al.
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.
Introduction to Data Structures and Algorithms CS 110: Data Structures and Algorithms First Semester,
Honors Track: Competitive Programming & Problem Solving Optimization Problems Kevin Verbeek.
Christopher Moh 2005 Competition Programming Analyzing and Solving problems.
Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,
“Isolating Failure Causes through Test Case Generation “ Jeremias Rößler Gordon Fraser Andreas Zeller Alessandro Orso Presented by John-Paul Ore.
Sorting: Implementation Fundamental Data Structures and Algorithms Klaus Sutner February 24, 2004.
Compiler Optimizations ECE 454 Computer Systems Programming Topics: The Role of the Compiler Common Compiler (Automatic) Code Optimizations Cristiana Amza.
13 Aug 2013 Program Verification. Proofs about Programs Why make you study logic? Why make you do proofs? Because we want to prove properties of programs.
Optimization Problems
Random Interpretation Sumit Gulwani UC-Berkeley. 1 Program Analysis Applications in all aspects of software development, e.g. Program correctness Compiler.
Testing CSE 160 University of Washington 1. Testing Programming to analyze data is powerful It’s useless (or worse!) if the results are not correct Correctness.
Computer Organization CS224 Fall 2012 Lessons 41 & 42.
Week 5-6 MondayTuesdayWednesdayThursdayFriday Testing III No reading Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.
Using Sequential Containers Lecture 8 Hartmut Kaiser
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
Recursion. Definitions I A recursive definition is a definition in which the thing being defined occurs as part of its own definition Example: A list.
Automated Adaptive Bug Isolation using Dyninst Piramanayagam Arumuga Nainar, Prof. Ben Liblit University of Wisconsin-Madison.
CompSci Today’s Topics Computer Science Noncomputability Upcoming Special Topic: Enabled by Computer -- Decoding the Human Genome Reading Great.
SOFTWARE TESTING LECTURE 9. OBSERVATIONS ABOUT TESTING “ Testing is the process of executing a program with the intention of finding errors. ” – Myers.
Optimization Problems
Code Optimization.
Software Testing.
CSCI1600: Embedded and Real Time Software
CSE 311 Foundations of Computing I
Optimization Problems
What to do when you don’t know anything know nothing
EA C461 – Artificial Intelligence
CSSE463: Image Recognition Day 30
Logic Coverage for Source Code CS 4501 / 6501 Software Testing
CSSE463: Image Recognition Day 30
Predicate Abstraction
Algebra: Variables and Expressions
CS 416 Artificial Intelligence
CSCI1600: Embedded and Real Time Software
Pointer analysis John Rollinson & Kaiyuan Li
Carrier Phase Tracking, Timing Synchronization, Equalization
Presentation transcript:

Optimistic Bug Finding David Gupta and Junfeng Yang

Basic Idea Undecidability Problem with Path Sensitivity: Undecidability Problem with Path Sensitivity: –Aliasing –Undetermined inputs –Unknown source code (library functions) Assumption: Correct branches usually have fewer bugs Assumption: Correct branches usually have fewer bugs Solution: Choose the branches with fewest bugs based on global analysis Solution: Choose the branches with fewest bugs based on global analysis Difference: Avoiding hard analysis by making clever inferences Difference: Avoiding hard analysis by making clever inferences

Example Foo (p, q, x) { A: If (p) lock(x); … B: If (q) unlock(x); } If x is locked at A, p should be false and q should be true If x is unlocked, p and q should both be true or false

Example(cont.) Foo(p, q, x) { A: If(p) lock(x); … B: If(q) unlock(x); C: } /* end of the program */ program */ Solution for x == unlocked: No errors A == true and B == true Or A == false and B == false Solution for x == locked: No errors A == false and B == true

The Algorithm eL min_errors(pP p, st s, {(pP, st)} S) { eL L, L1, L2; While (!is_predicate (p)) { L += errors (p, s); s = next_state (p, s); } If ((p, s) belongs_to S) return L; L1 = min_errors(true_branch(p), s, S + (p, s)); L2 = min_errors(false_branch(p), s, S + (p, s)); L +=min(L1, L2); Return L; }

First Step Don’t track values Don’t track values Assume all the predicates are uncorrelated Assume all the predicates are uncorrelated Why do we think this will work? Why do we think this will work? We think the algorithm can automatically figure out what is correlated In the previous example, the relation between p and q is implied in the solution

Other Steps Optimize (Caching?) Optimize (Caching?) Keep track of the values Keep track of the values –False path pruning in Metal –Simple alias analysis Try to find the correlation between predicates Try to find the correlation between predicates e.g. (x (x (x < 5) (p == true) -> (p == true) (p == true) -> (p == true)

Evaluation Method Compare results of Metal, FirstStep and OtherSteps. Compare results of Metal, FirstStep and OtherSteps. Interesting questions Interesting questions –Are the errors reported by our algorithm real errors? –Do we miss too many errors? –How many false positives can we eliminate? –Can we find some errors not found by Metal? –Is it slow? (Can we do some optimization?)

Related Work Metal Metal –Caching –False path pruning –Bugs as Deviant Behavior ESP ESP –Path sensitive only for interesting properties SLAM SLAM –Unknown values

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.