/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Semantics Static semantics Dynamic semantics attribute grammars
Chapter 9 Code optimization Section 0 overview 1.Position of code optimizer 2.Purpose of code optimizer to get better efficiency –Run faster –Take less.
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Adapted from Scott, Chapter 6:: Control Flow Programming Language Pragmatics Michael L. Scott.
White Box and Black Box Testing Tor Stålhane. What is White Box testing White box testing is testing where we use the info available from the code of.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
FIT FIT1002 Computer Programming Unit 19 Testing and Debugging.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Dynamically Discovering Likely Program Invariants to Support Program Evolution Michael D. Ernst, Jake Cockrell, William G. Griswold, David Notkin Presented.
Ch6: Software Verification. 1 Statement coverage criterion  Informally:  Formally:  Difficult to minimize the number of test cases and still ensure.
Dr. Muhammed Al-Mulhem 1ICS ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.
Overview of program analysis Mooly Sagiv html://
1 Advanced Material The following slides contain advanced material and are optional.
Testing an individual module
Describing Syntax and Semantics
Chapter 18 Testing Conventional Applications
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 5 Data Flow Testing
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.
Verification and Validation Yonsei University 2 nd Semester, 2014 Sanghyun Park.
1/20 Symbolic Execution and Program Testing Charngki PSWLAB Symbolic Execution and Program Testing James C.King IBM Thomas J.Watson Research Center.
Presented By Dr. Shazzad Hosain Asst. Prof., EECS, NSU
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
CSC 480 Software Engineering Lecture 14 Oct 16, 2002.
1 Chapter 4: Selection Structures. In this chapter, you will learn about: – Selection criteria – The if-else statement – Nested if statements – The switch.
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
White-box Testing.
Coverage Estimating the quality of a test suite. 2 Code Coverage A code coverage model calls out the parts of an implementation that must be exercised.
CS Data Structures I Chapter 2 Principles of Programming & Software Engineering.
Reasoning about programs March CSE 403, Winter 2011, Brun.
Chapter 3 Part II Describing Syntax and Semantics.
Semantics In Text: Chapter 3.
13 Aug 2013 Program Verification. Proofs about Programs Why make you study logic? Why make you do proofs? Because we want to prove properties of programs.
Testing CSE 160 University of Washington 1. Testing Programming to analyze data is powerful It’s useless (or worse!) if the results are not correct Correctness.
SOFTWARE TESTING. Introduction Software Testing is the process of executing a program or system with the intent of finding errors. It involves any activity.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Automated Debugging with Error Invariants TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Chanseok Oh.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
4 - Conditional Control Structures CHAPTER 4. Introduction A Program is usually not limited to a linear sequence of instructions. In real life, a programme.
SOFTWARE TESTING LECTURE 9. OBSERVATIONS ABOUT TESTING “ Testing is the process of executing a program with the intention of finding errors. ” – Myers.
CS223: Software Engineering Lecture 26: Software Testing.
A Review of Software Testing - P. David Coward
Software Testing.
Weakest Precondition of Unstructured Programs
Control Flow Testing Handouts
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 4 Control Flow Testing
Outline of the Chapter Basic Idea Outline of Control Flow Testing
Structural testing, Path Testing
Programming Languages 2nd edition Tucker and Noonan
Chapter 15 Debugging.
Chapter8: Statement-Level Control Structures April 9, 2019
The Zoo of Software Security Techniques
Assertions References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 4/25/2019.
Programming Languages 2nd edition Tucker and Noonan
Software Testing and QA Theory and Practice (Chapter 5: Data Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Presentation transcript:

/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM rd Oct, 2008 Hong,Shin Evidence-Based Analysis and Inferring Preconditions for Bug Detection

/ PSWLAB Contents Introduction Falsification Condition Assigning Evidence Interprocedural Evidence-Based Analysis Experience Conclusion Evidence-Based Analysis and Inferring Preconditions for Bug Detection 2

/ PSWLAB Introduction 1/2 Static analysis tools are promising for detecting program errors. In software developers perspective, it is important to address two problems for gaining wider acceptance of static analysis tools: –Minimizing false alarms –Minimizing program specification Therefore, it is important for tools to improve their accuracy in face of very little or even no user-provided specifications.  Tools should infer specification from the code. Evidence Based Analysis The tool reports a fault only if the tool can find evidence that the fault can be reached during execution that started with legal inputs Evidence-Based Analysis and Inferring Preconditions for Bug Detection 3

/ PSWLAB Introduction 2/2 int foo(int * x) { return *x ; } /* version 1 */ Evidence-Based Analysis and Inferring Preconditions for Bug Detection 4 We have no document for foo() and know nothing about its potential callers. Should we report that foo() is incorrect? - It may differ from project to project. Should we report that foo() version 2 is incorrect? - foo() version 2 has an evidence that x might be NULL. int foo(int * x) { if (x != NULL) bar() ; return *x ; } /* version 2*/

/ PSWLAB Falsification Condition 1/7 Software verification technique –Prove the absence of errors in a program with respect to a given specification of the program. Evidence-based analysis –Prove the presence of errors without requiring specification. –Extract specifications from a program code first and then verify the absence of errors in the program with the extracted specifications Evidence-Based Analysis and Inferring Preconditions for Bug Detection 5

/ PSWLAB Falsification Condition 2/7 Software verification A program is a set of global variables and procedures. A procedure is represented by a control flow graph(CFG). –Nodes represent program statements. –Edges represent flow of control. Edges have labels representing conditions that need to be satisfied in order for the edge to be traversed. A path in a CFG through a program is an alternating sequence of nodes and edges Evidence-Based Analysis and Inferring Preconditions for Bug Detection 6

/ PSWLAB Falsification Condition 3/7 A path P is assumed to have its pre-condition precondition ( P ) and its post-condition postcondition ( P ). The pre-condition is in terms of special symbols representing the initial values of variables, denoted by a vector x. The post- condition and all the expressions appearing along the path are in terms of program variables. We can replace values of program variables with their contents, which are symbolic expressions in terms of the initial values of x (by symbolic execution). As a result, each edge e has attached a predicate pred e, which is a boolean expression in terms of the initial values x Evidence-Based Analysis and Inferring Preconditions for Bug Detection 7

/ PSWLAB Falsification Condition 4/7 Verification condition The verification condition of a path P is valid if and only if for all initial values x the post-condition must be true whenever the precondition and all the predicates on the path are true Evidence-Based Analysis and Inferring Preconditions for Bug Detection 8 Falsification condition A valid falsification of a path implies the reachability of an error when the path is exercised with legal inputs. In verification condition, precondition ( P ) defines legal input of P. However, in falsification condition, valid input has to be accomplished without knowing its precondition.  Extract information from source codes.

/ PSWLAB Falsification Condition 5/7 The Information of pre-condition of a path is represented by associating evidence, evid e, with each edge e along the path. Each evidence evid e is one of three values: admissible, inadmissible, or asserted. In an effort to convict an error site, prosecution asserts an asserted evidence and then calls witnesses that are edges along particular path. In order to convict the asserted evidence, the prosecution must collect enough admissible evidences to imply the assertion Evidence-Based Analysis and Inferring Preconditions for Bug Detection 9

/ PSWLAB Falsification Condition 6/7 The falsification condition of a path P is satisfiable if and only if all the predicates along P are satisfiable Evidence-Based Analysis and Inferring Preconditions for Bug Detection 10 The falsification condition of a path P is valid if and only if it is satisfiable and all the admissible predicates imply all the asserted predicates. and 9 e 2 P. evid e = admissible

/ PSWLAB Falsification Condition 7/ Evidence-Based Analysis and Inferring Preconditions for Bug Detection 11 Example int foo(int * x) { if (x != NULL) bar() ; return *x ; } Path P For path P, 8 x{ x == NULL ! x == NULL} admissible part asserted part

/ PSWLAB Assigning Evidence 1/4 The idea is based on that it is unusual for programmers to intentionally write useless code. For each language construct, we assign evidence values to inform that the predicates related to the construct might be admissible evidences of legal input, or evidence of possible errors. –For example, for a if-statement, both then-predicate and else- predicate would be admissible evidences. –However, for a loop-statement, the edge for zero iteration might not be admissible evidence. However, the assignments should depend on coding standards of an individual project and human psychology Evidence-Based Analysis and Inferring Preconditions for Bug Detection 12

/ PSWLAB Assigning Evidence 2/4 Error node Error nodes are generated in the process of translating given source code into the control flow graph. We assign asserted evidence to the incoming edge of error node. By inserting an error nod, we can transform the reachability of the error by the falsification condition of the path to the error node. Error nodes for null pointer dereference, divide by zero, array out of bound can be automatically inserted Evidence-Based Analysis and Inferring Preconditions for Bug Detection 13

/ PSWLAB Assigning Evidence 3/4 If and switch statement The then-branch and else-branch of an if-statement should be assigned admissible evidence. (the same for the case-branches of a switch statement) For cascaded-if statement (and omitting default case for a switch statement) Evidence-Based Analysis and Inferring Preconditions for Bug Detection 14 int a[3] ; int is_i_out_of_range(unsigned i) { int r ; if (i == 0) r = 0 ; else if (i == 1) r = 1 ; else if (i == 2) r = 2 ; return a[i] ; } /* example 1 */ int a[3] ; int is_i_out_of_range(unsigned i) { int r ; if (i == 0) r = 0 ; else if (i == 1) r = 1 ; else if (i == 2) r = 2 ; return r ; } /* example 2 */ i != 0 && i != 1 && i != 2 ? uninitialized i != 0 && i != 1 && i != 2 admssible

/ PSWLAB Assigning Evidence 4/4 Loops It can be accomplished by assigning inadmissible evidence to the false- branch of the loop condition the very first time it is evaluated, while assigning admissible evidence thereafter. Example 1Example 2 For a if-statement inside a loop, we assign admissible evidence only if it does not relate with variables modified by the loop Evidence-Based Analysis and Inferring Preconditions for Bug Detection 15

/ PSWLAB Interprocedural Evidence-Based Analysis The purpose of interprocedural analysis is to propagate information calculated in the body of one procedure to those calling it. In the form of procedure summaries, information is propagated from callees to callers. A procedure summary is the generated preconditions (admissible evidences). For a procedural call, the caller first finds a procedure summary of the callee. Callers are then check to see if they pass illegal inputs to callee. If there is not enough evidence inside the caller to prove that the inputs are illegal, the caller gets another summary expressing its legal inputs Evidence-Based Analysis and Inferring Preconditions for Bug Detection 16

/ PSWLAB ev-0: edges leading to error nodes and all edges inside callees have asserted evidence; all other edges have inadmissible evidence ev-1: same as ev-0, except in the caller then-branches of if-statements have admissible evidence ev-2: same as ev-1, except in the caller else-branches of simple if-statements have admissible evidence ev-3: same as ev-2, except in the caller else-branches of cascaded if-statements have admissible evidence … ev-9: same as ev-8, except inside callees edges have admissible evidence Experience 1/2 The method has been implemented in an IBM internal tool called BEAM. The tool has flexibility of changing evidence settings. Moreover, it supports 10 levels of evidence settings. The number of error reported becomes tolerable even with the highest evidence setting for real users Evidence-Based Analysis and Inferring Preconditions for Bug Detection 17

/ PSWLAB Experience 2/2 A reported error found in firestorm mesg_initlog(tv, code, buf) contains the expression mesg_str[code] where the size of mesg_str is 6. However, mesg_initlog() does not contain enough evidence to report the possibility of code being out of range. Therefore, instead, a precondition is generated for the function mesg_initlog ; 0 <= code < 6. Then inside another function mesg(code, fmt, …) there is a call mesg_initlog(&tv, code, buf) ; In addition, there is a statement if (code > 6) code = 0 ;. The tool have enough admissible evidence to falsify the generated precondition of mesg_initlog(tv, code, buf) so that this cause the tool to report an index-out-of-range error Evidence-Based Analysis and Inferring Preconditions for Bug Detection 18

/ PSWLAB Conclusion This approach determine whether a program will fail in an intended invocation environment without requiring any preconditions defining the intended environment. This approach reduces the incidence of false positives by reporting only those errors that happen for legal inputs. General user acceptance of the tool is an indication that it leads to improved software quality Evidence-Based Analysis and Inferring Preconditions for Bug Detection 19

/ PSWLAB Reference [1]Evidence-Based Analysis and Inferring Preconditions for Bug Detection / D.Brand, M.Buss, V.C.Sreedhar / ICSM Evidence-Based Analysis and Inferring Preconditions for Bug Detection 20

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.