What Went Wrong? Alex Groce Carnegie Mellon University Willem Visser NASA Ames Research Center
Java PathFinder void add(Object o) { buffer[head] = o; head = (head+1)%size; } Object take() { … tail=(tail+1)%size; return buffer[tail]; } Java Code JAVACJVM 0: iconst_0 1: istore_2 2: goto#39 5: getstatic 8: aload_0 9: iload_2 10: aaload Bytecode Special JVM Model Checker
Counterexamples When the model checker finds a bug, it reports a counterexample. However, even an exact trace of the program failing is not what we really want for most bugs.
Counterexamples How can we get more information from a counterexample? –Perhaps if we had some successful runs to compare to, or other failing runs in which to look for common elements… A common way of debugging by hand Except we can automate it using the model checker
Counterexamples The Error
Counterexamples “The Error” Real cause
Counterexamples “The Error” Real cause Idea: generate other traces that can give you more information about what is going wrong. How?
Positives and Negatives Real cause assert (x < 5); (and x = 8) “The Error”
Positives and Negatives “The Error” Real cause Same location, same error: NEGATIVE (-) Real cause assert (x < 5); (and x = 10) An Error assert (x < 5); (and x = 8)
Positives and Negatives Real cause Same control flow location, no error condition: POSITIVE (+) Same location, same error: NEGATIVE (-) Real cause assert (x < 5); (and x = 3) assert (x < 5); (and x = 10) “The Error”An Error assert (x < 5); (and x = 8) No Error
The Basic Search “The Error” Real cause
The Basic Search Real cause
The Basic Search Real cause
The Basic Search Real cause
The Basic Search Real cause
The Basic Search Real cause
The Basic Search Real cause
The Basic Search
The Search in Detail “The Error” Real cause Depth limit PositivesNegatives
The Search “The Error” Real cause Depth limit Already visited PositivesNegatives
The Search “The Error” Real cause Depth limit PositivesNegatives
The Search “The Error” Real cause Depth limit PositivesNegatives “push-through”
The Search “The Error” Real cause Depth limit Already visited PositivesNegatives
After the Search “The Error” Real cause Positives that are prefixes of some negative are removed While negatives are a true subset of complete negatives, positives are an approximation based on observed behavior This can be useful: in some reactive systems, every trace can be extended into an error trace
Analysis of the Traces Now what do we do with these? Report on code that appears – only in positives/negatives – in all positives/negatives – only and all positives/negatives (causal) Transform positives into negatives Find difference in invariants across positives and negatives PositivesNegatives
Analysis by Code Lines For our example trace, the line(s) in the real cause will be: –in all negative traces and –only appear in negative traces –thus will be identified as genuine cause Includes which thread executed the code and any nondeterministic choices made Can custom define equivalences to allow for looser definition of “the same code” “The Error” Real cause Automatically identified
Common Ground “The Error” Real cause (Can set a minimum shared prefix or suffix size) Shared prefix Shared suffix (control flow only) Transformation “How to make it break”
Transformation Analysis Sorted so that minimal way to break (transformation from each positive to nearest negative) is identified Rerun code line analysis over transformation code only (very useful in some cases) Can identify type of error: –If any positive can be transformed into a negative by only altering thread scheduling, the error is essentially concurrency based
Invariant Differences Pick certain control locations at which to observe data values in our traces Run a dynamic invariant detection algorithm to compute invariants across these locations for all negatives and then all positives Compare the discovered invariants
A Stack Example public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; }
A Stack Example public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; } A simple stack with an interface that initializes the stack to a random maximum size then randomly pushes and pops data.
A Stack Example public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; } A simple stack with an interface that initializes the stack to a random maximum size then randomly pushes and pops data. ORIGINAL COUNTEREXAMPLE: Stack overflow for stack size 1 (array out of bounds on stack)
A Stack Example public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; } A simple stack with an interface that initializes the stack to a random maximum size then randomly pushes and pops data. ORIGINAL COUNTEREXAMPLE: Stack overflow for stack size 1 (array out of bounds on stack) Run analysis with a search depth of 50 and compute invariants.
A Stack Example Code line analysis Code in the push method appears in all negatives. public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; }
A Stack Example Invariant analysis For positives, on entry to the push method, this invariant holds: stack.length > top For negatives, however the invariant is: stack.length >= top public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; }
A Stack Example Transformations from positive to negative Change stack size from 3 to 1 … Change stack size from 4 to 2 Insert a push … Remove a pop … public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; }
DEOS Error Analysis DEOS –Real time operating system –Allows threads to be created and deleted –Has time budgets for various threads
DEOS Error Analysis DEOS –Real time operating system –Allows threads to be created and deleted –Has time budgets for various threads Original counterexample –Assertion about the time budget of a thread fails
DEOS Error Analysis DEOS –Real time operating system –Allows threads to be created and deleted –Has time budgets for various threads Original counterexample –Assertion about the time budget of a thread fails Run analysis with size limit of 10
DEOS Error Analysis Transformations Change a wait until next period into a thread deletion Insert an interrupt and system clock ticks (before a deletion already in the positive) Change a wait until next period into an interrupt and system clock ticks and afterwards a deletion … The DEOS error requires deletion (which appears in the set of code found in all negatives) but also relies upon specific timing, as indicated by the transformations.
Related Work “Fate and Free Will in Error Traces” (TACAS 02) SLAM group independently investigated very similar concepts this summer (submitted to POPL) –Approach quite similar in spirit, lacks invariants and transformation approaches, but has some niceties with respect to source code analysis Andreas Zeller: work on isolating error-causing thread schedules and cause-effect chains
Future Work More efficient algorithms for generation of the traces (try bounded model checking) Different approaches to analysis: –Generation of automata –Characterization of error classes –Checking of causality…