Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.

Slides:



Advertisements
Similar presentations
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Omnibus: A clean language and supporting tool for integrating different assertion-based verification techniques Thomas Wilson, Savi Maharaj, Robert G.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Korat Automated Testing Based on Java Predicates Chandrasekhar Boyapati, Sarfraz Khurshid, Darko Marinov MIT ISSTA 2002 Rome, Italy.
Extended Static Checking for Haskell (ESC/Haskell) Dana N. Xu University of Cambridge advised by Simon Peyton Jones Microsoft Research, Cambridge.
Finding bugs: Analysis Techniques & Tools Comparison of Program Analysis Techniques CS161 Computer Security Cho, Chia Yuan.
JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
An overview of JML tools and applications Lilian Burdy Gemplus Yoonsik Cheon, Gary Leavens Iowa Univ. David Cok Kodak Michael Ernst MIT Rustan Leino Microsoft.
Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
COMP2001 Testing. Aims of Testing To achieve a correct system producing correct results with a variety of input data.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
1 Advanced Material The following slides contain advanced material and are optional.
Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
Jonathan Kuhn Robin Mange EPFL-SSC Compaq Systems Research Center Flanagan, Leino, Lillibridge, Nelson, Saxe and Stata.
CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.
Unit Testing & Defensive Programming. F-22 Raptor Fighter.
Software Quality Assurance Lecture #8 By: Faraz Ahmed.
DySy: Dynamic Symbolic Execution for Invariant Inference.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
1 Testing, Abstraction, Theorem Proving: Better Together! Greta Yorsh joint work with Thomas Ball and Mooly Sagiv.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
SWE 619 © Paul Ammann Procedural Abstraction and Design by Contract Paul Ammann Information & Software Engineering SWE 619 Software Construction cs.gmu.edu/~pammann/
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
Introduction to Software Testing. Types of Software Testing Unit Testing Strategies – Equivalence Class Testing – Boundary Value Testing – Output Testing.
CSE403 Software Engineering Autumn 2001 More Testing Gary Kimura Lecture #10 October 22, 2001.
Applications of extended static checking K. Rustan M. Leino Compaq SRC K. Rustan M. Leino Compaq SRC Systems Research Center Invited talk, SAS’01, Paris,
CS Data Structures I Chapter 2 Principles of Programming & Software Engineering.
© Andrew IrelandDependable Systems Group Static Analysis and Program Proof Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University.
1 Test Selection for Result Inspection via Mining Predicate Rules Wujie Zheng
Reasoning about programs March CSE 403, Winter 2011, Brun.
Scientific Debugging. Errors in Software Errors are unexpected behaviors or outputs in programs As long as software is developed by humans, it will contain.
© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.
Demo of Scalable Pluggable Types Michael Ernst MIT Dagstuhl Seminar “Scalable Program Analysis” April 17, 2008.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata.
Verificare şi Validarea Sistemelor Soft Tem ă Laborator 1 ESC/Java2 Extended Static Checker for Java Dat ă primire laborator: Lab 1 Dat ă predare laborator:
Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 1 Static Checking  note for.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
1 Contractual Consistency Between BON Static and Dynamic Diagrams Ali Taleghani July 30, 2004.
Introduction to Software Analysis CS Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
ESCJ 14: ESC/Java Project Review Slides March 6th, 1997.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 10: Programming Exceptionally.
Testing Overview Software Reliability Techniques Testing Concepts CEN 4010 Class 24 – 11/17.
Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.
Verificare şi Validarea Sistemelor Soft Tem ă Laborator 1 Tools for JML jmlc & jmlrac Dat ă primire laborator: Lab 1 Dat ă predare laborator: Lab 2.
PREPARED BY G.VIJAYA KUMAR ASST.PROFESSOR
Testing Tutorial 7.
Automatic Generation of Program Specifications
Chapter 8 – Software Testing
Accessible Formal Methods A Study of the Java Modeling Language
Eclat: Automatic Generation and Classification of Test Inputs
Programming Languages 2nd edition Tucker and Noonan
Mock Object Creation for Test Factoring
Hoare-style program verification
Programming Languages 2nd edition Tucker and Noonan
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008

Motivation Both testing and static analysis are useful But both have drawbacks Testing –Focuses on finding bugs –Without guidance, many tests will be useless Static analysis –Focuses on certifying correctness –Without guidance, many false warnings How can we combine these two approaches?

Outline Thoughts on static vs. dynamic Language- and user-level Tools: ESC/Java and JCrasher Making static checking ‘sound for incorrectness’ Improving this to user-level soundness Experimental case study

Thoughts on static vs. dynamic Somewhat arbitrary distinction More relevant dichotomy: –Try to prove program correct: ‘Sound’ here means no undetected errors ‘If I say there’s no bug, there’s no bug.’ –Try to find bugs ‘Sound’ here means no false alarms ‘If I say there’s a bug, there’s a bug.’ Why prove programs incorrect?

Language- vs. user-level But what’s a bug? Language-level: it is possible for the code to exhibit the behavior –Here’s a ‘bug’ that is not language-level sound: User-level: a user might actually encounter the bug

ESC/Java ‘Extended Static Checker’ Modular checking – context-insensitive Annotations (similar to JML) aid analysis –Specify preconditions, postconditions, etc. Uses Simplify theorem prover to ensure –No null dereference –Annotations obeyed Generates warnings (and counterexample contexts) when it finds potential bugs –But it is unsound in both senses

JCrasher Generates JUnit tests which crash program –Random inputs based on type information –Tests public methods Heuristically classifies exceptions as invalid test or actual bug Warnings are language-level sound (for incorrectness) –The program actually crashed!

Check ‘n‘ Crash: language-level soundness Idea: Combine ESC/Java and JCrasher Procedure –Run ESC/Java –Use warnings to find potential crashing inputs –Use JCrasher to create and run JUnit test cases Result: Focused testing + language-level soundness

DSD-Crasher: user-level soundness Heuristic for generating ‘normal’ input –Run Daikon on an existing test suite Finds conditions that code exhibits in all observed executions –Use generated invariants as preconditions to filter ESC/Java warnings Limiting inputs to ‘normal’ cases eliminates user-level unsound bug reports Dynamic-Static-Dynamic

Experimental case study Compared JCrasher, Check ‘n‘ Crash, and DSD-Crasher on Groovy (a scripting language) More bugs found with fewer test cases –But longer total running time

Conclusions Combining static and dynamic techniques can find more bugs with fewer tests Questions: –What is the time tradeoff in general? –Is user-level soundness the right goal? Security exploits use abnormal inputs

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.