An Efficient Runtime for Detecting Defects in Deployed Systems. Matt Arnold, Martin Vechev, Eran Yahav.


1 An Efficient Runtime for Detecting Defects in Deployed Systems
Matt Arnold, Martin Vechev, Eran Yahav

2 The Bigger Picture
[Diagram labels: Synthesis, Static, Software Quality, Dynamic]

3 SAFE: Scalable and Flexible Error-detection and Verification
- Lightweight verification for (real) Java programs
- Typestate properties
- e.g., “don’t read from a file after it has been closed”
- Typestate verification in presence of aliasing [ISSTA’06]
- Static Specification Mining [ISSTA’07]
- Modular Typestate [POPL’08]
- Verifying Dereference Safety via Expanding-Scope Analysis [ISSTA’08]
- …
Chandra, Dor, Fink, Geay, Loginov, Pistoia, Ramalingam, Shoham, Yorsh

4 Challenges
- Millions of lines of code?
- What properties should we check?
- How can we get specifications?

5 Make writing specs more rewarding Mother Teresa

6 Make writing specs more rewarding
- Enable developer to write runtime checks without having to worry about performance impact
- Expressive assertions
- beyond what is (naturally/efficiently) expressible in the programming language
- Monitoring of global properties
- Collection of debug information when a property is violated

7 Making your specs pay off

    Phase                    Defect Removal Cost Multiplier
    Requirements             1
    Design                   3
    Code, Unit Test          5
    Function/System Test     12
    User Acceptance Test     32
    Production               95

8 Challenges
- Predictable overhead
- Expressive assertions
- Helping find a fix

9 QVM: Quality-aware VM
- Leverage available system resources for software quality checks
- Adaptive overhead management
- QVM monitors overhead it incurs, adapts analyses to meet user specified target overhead
- No free lunches – allow “unknown” result
- Support a variety of analysis clients
- Typestate properties
- Heap probes
- Java assertions
- Improve Diagnosability
- Collect (sampled) debug information

10 Motivating Example: Azureus Over 160 million downloads

11 QVM: GDI Resource Leaks

    QVM ERROR: [Resource_not_disposed] object [0x98837030] of class [org/eclipse/swt/graphics/Image] allocated at site ID 2742 in method [com/aelitis/azureus/.../ListView.handleResize(Z)V] died in state [UNDISPOSED] with last QVM method [org/.../Image.isDisposed()Z].

12

13

14 Example Leaking Code

    class ListView extends... {
        private Image imgView = null;
        //...
        protected void handleResize(boolean bForce) {
            //...
            if (imgView == null || bForce) {
                // Leak: when bForce is true and imgView is non-null, the old
                // Image is overwritten here without dispose() being called.
                imgView = new Image(listCanvas.getDisplay(), clientArea);
                lastBounds = new Rectangle(0, 0, 0, 0);
                bNeedsRefresh = true;
            } else {
                //...
            }
            //...
        }
    }

[Diagram labels: imgView, OS Resources, OS Resources]

15 Possible Fix

    protected void handleResize(boolean bForce) {
        //...
        if (imgView == null || bForce) {
            // Dispose the previous image before replacing it; the heap probe
            // asserts that no other heap reference still uses it.
            if (imgView != null && !imgView.isDisposed()) {
                assert(!QVM.isShared(imgView));
                imgView.dispose();
            }
            imgView = new Image(listCanvas.getDisplay(), clientArea);
            lastBounds = new Rectangle(0, 0, 0, 0);
            bNeedsRefresh = true;
        } else {
            //...
        }
        //...
    }

[Diagram labels: imgView, OS Resources, OS Resources]

16 QVM Architecture
[Diagram labels: Application; QVM; VM Core; Execution Engine; QVMI (event filters, event callbacks); Clients (typestate client, assertions client, heap probes client); OHM (specified overhead, observed overhead, adjust sampling rates); typestate specs; violations report]

17 QVMI: The QVM Interface
- Key: filtering on the VM side
[Diagram labels: Execution Engine, JVMTI, event filters, event callbacks; Execution Engine, QVMI, event filters, event callbacks; VM; agent]

18 Overhead Manager (OHM)
[Diagram labels: OHM, Execution Engine, adjust sampling rates, observed overhead, QVMI, event filters, event callbacks, VM Core, specified overhead]
- Monitoring: measure overhead incurred by clients
- Sampling strategy: separate sampling rates for different origins
- Controller: adjust strategy per origin based on measured overhead

19 Overhead Manager
[Diagram labels: assert (…); T t = new T(); assert(…); Average time per origin (cycles): 6, 8, 16; Sampling Information: 5, 3, 2; reset, cnt]
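
An added sketch of the monitor / sample / control loop from slides 18 and 19, written as a Python simulation; it is not QVM code. The countdown reading of reset and cnt, the equal split of the budget across origins and the proportional update rule are assumptions; the per-check costs of 6, 8 and 16 cycles come from slide 19 and the workload is constructed.

```python
import math

class Origin:
    """One monitored program point (an assert or an allocation site)."""
    def __init__(self, name, cost):
        self.name, self.cost = name, cost   # cost: cycles per executed check
        self.reset = 1                      # run the check on every reset-th visit
        self.cnt = 1                        # countdown to the next sampled visit

def run_epoch(origins, iterations, app_cycles_per_iter):
    """Run the workload once; return (application cycles, check cycles per origin)."""
    spent = {o.name: 0 for o in origins}
    for _ in range(iterations):
        for o in origins:
            o.cnt -= 1
            if o.cnt == 0:                  # sampled visit: pay for the check
                spent[o.name] += o.cost
                o.cnt = o.reset
            # unsampled visits cost nothing; their result is "unknown"
    return iterations * app_cycles_per_iter, spent

def adjust(origins, spent, app_cycles, target):
    """Controller: rescale each origin's interval toward its share of the budget."""
    share = target * app_cycles / len(origins)   # assumption: equal split
    for o in origins:
        # Round up so the next epoch lands at or under the share.
        o.reset = max(1, math.ceil(o.reset * spent[o.name] / share))

def simulate(target=0.05, epochs=3):
    # Constructed workload: 100 cycles of application work per iteration,
    # every origin visited once per iteration, 1000 iterations per epoch.
    origins = [Origin("assert#1", 6), Origin("new T()", 8), Origin("assert#2", 16)]
    observed = []
    for _ in range(epochs):
        app, spent = run_epoch(origins, 1000, 100)
        observed.append(sum(spent.values()) / app)   # measured overhead
        adjust(origins, spent, app, target)
    return observed, [o.reset for o in origins]

if __name__ == "__main__":
    print(simulate())
```

With every check enabled the first epoch measures 30% overhead; one controller step brings it under the 5% target, and the most expensive origin ends up sampled least often.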

20 Object Centric Sampling
[Diagram labels: assert (…); T t = new T(); assert(…); tracked]

21 Clients
- Typestate Properties
- With debug information (typestate histories)
- Including times
- Heap Probes & Operations
- Check ownership/sharing/shape properties
- Runtime support for transfer of ownership
- Java Assertions
- Overhead of all clients managed by OHM

22 Typestate Properties
[Diagram: typestate automaton with states undisposed, disposed, err; edge labels: dispose* | release*, else, Object death, *, *]

23 Typestate History
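
An added example of the typestate property on slide 22 with a per-object history, as a Python stand-in that is not QVM code. Object death is observed with weakref.finalize, assuming CPython reference counting; TypestateMonitor, this Image class and resize_three_times are hypothetical names. It replays the handleResize pattern from slides 14 and 15, with allocation site 2742 taken from the slide 11 report.

```python
import gc
import weakref

class TypestateMonitor:
    """undisposed --dispose*|release*--> disposed; death while undisposed is an error."""
    def __init__(self):
        self.violations = []

    def track(self, obj, site):
        # The record lives outside the object so it outlives the object's death.
        rec = {"cls": type(obj).__name__, "site": site,
               "state": "UNDISPOSED", "history": []}
        weakref.finalize(obj, self._on_death, rec)   # fires when obj is reclaimed
        return rec

    def event(self, rec, method):
        rec["history"].append(method)                # typestate history
        if method.startswith(("dispose", "release")):
            rec["state"] = "DISPOSED"

    def _on_death(self, rec):
        if rec["state"] == "UNDISPOSED":
            last = rec["history"][-1] if rec["history"] else None
            self.violations.append((rec["cls"], rec["site"], last))

class Image:                                         # constructed stand-in for SWT Image
    def __init__(self, mon, site):
        self._mon, self._rec = mon, mon.track(self, site)

    def isDisposed(self):
        self._mon.event(self._rec, "isDisposed")
        return self._rec["state"] == "DISPOSED"

    def dispose(self):
        self._mon.event(self._rec, "dispose")

def resize_three_times(fixed):
    """Replay handleResize(true) three times; return the violations seen so far."""
    mon, img_view = TypestateMonitor(), None
    for _ in range(3):
        if fixed and img_view is not None and not img_view.isDisposed():
            img_view.dispose()
        img_view = Image(mon, site=2742)             # old image loses its last reference
    gc.collect()                                     # no-op under pure refcounting
    return list(mon.violations)

if __name__ == "__main__":
    print(resize_three_times(fixed=False), resize_three_times(fixed=True))
```

The leaking variant reports the first two images as dead in state UNDISPOSED with an empty history; the variant with the slide 15 fix reports nothing.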

24

25 Heap Probes & Operations
- Heap Probes
- Ownership and sharing properties
- Reachability…
- Heap Operations
- Runtime support for transfer of ownership
- Use components of a parallel GC to evaluate heap queries

26 Heap Probes: isHeap
[Diagram labels: T1 Stack, x, Shared Memory, A, B, C, T2 Stack, z, w, y]
- isHeap(x) = false
- isHeap(z) = true
- isHeap(w) = true

27 Heap Probes: isHeapShared
[Diagram labels: T1 Stack, x, Shared Memory, A, B, C, T2 Stack, z, w, y]
- isHeapShared(x) = false
- isHeapShared(z) = false
- isHeapShared(w) = true

28 Heap Probes: isThreadOwned
[Diagram labels: T1 Stack, x, Shared Memory, A, B, C, T2 Stack, z, w, y, E, D, F]
- isThreadOwned(T1,x) = true
- isThreadOwned(T2,z) = false
- isThreadOwned(T2,w) = false
- isThreadOwned(T1,y) = true

29 Heap Probes: isUniqueOwner
[Diagram labels: T1 Stack, x, Shared Memory, A, B, C, T2 Stack, z, w, y, E, D, F]
- isUniqueOwner(T1,x) = false
- isUniqueOwner(T2,z) = false
- isUniqueOwner(T2,w) = false
- isUniqueOwner(T1,y) = true

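30 SWT Example

    canvas.addDisposeListener(new DisposeListener() {
        public void widgetDisposed(DisposeEvent arg0) {
            // Both the ownership check and the dispose sit under the guard,
            // so a null or already disposed image is left alone.
            if (img != null && !img.isDisposed()) {
                assert (QVM.isObjectOwned(img));
                img.dispose();
            }
        }
    });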

31 Transfer of Ownership

    public class SimpleWebServer... {
        public void run() {
            while (_running) {
                Socket wsocket = _serverSocket.accept();
                RequestThread rt = new RequestThread(wsocket, _rootDir);
                // Drop the acceptor's reference so only the request thread holds the socket.
                wsocket = null;
                rt.start();
            }
        }
    }

    public class RequestThread {
        private Socket _socket;
        //...
        public RequestThread(Socket socket, File rootDir) {
            _socket = socket;
            _rootDir = rootDir;
        }
        public void run() {
            // Heap probe: the socket must be owned by this thread.
            assert (QVM.isThreadOwned(_socket));
            //...
        }
    }

[Diagram labels: QVM.unique(w); q = z.f; q.foo(); SWS Stack, wsocket, Shared Memory (some objects not shown), S, RT Stack, _socket, _rootdir, rt]

32 Transfer of Ownership
- Unique – invalidates all other references to the object
- Future dereference of invalidated references yields exception

    QVM.unique(w)
    q = z.f
    q.foo()

[Diagram labels: T1 Stack, x, Shared Memory, A, B, C, T2 Stack, z, w, y, f, f, g, q]

33 Transfer of Ownership: unique

    public class SimpleWebServer... {
        public void run() {
            while (_running) {
                Socket wsocket = _serverSocket.accept();
                RequestThread rt = new RequestThread(wsocket, _rootDir);
                rt.start();
            }
        }
    }

    public class RequestThread {
        private Socket _socket;
        //...
        public RequestThread(Socket socket, File rootDir) {
            _socket = socket;
            // Invalidate every other reference to the socket, including wsocket.
            QVM.unique(_socket);
            _rootDir = rootDir;
        }
        public void run() { … }
    }

[Diagram labels: SWS Stack, wsocket, Shared Memory (some objects not shown), S, RT Stack, _socket, _rootdir, rt]

34 Experimental Evaluation

35 Overhead Manager: stabilization

36 Overhead Manager

37 Leak Detection Results

    Application   SWT Resources   IOStreams   High Frequency   Fixed
    Azureus       11              0           4                5
    Etrader       17              0           2                0
    Feednread     1               7           0                0
    Goim          3               0           1                3
    IBM app1      0               0           0                0
    IBM app2      3               2           0                0
    Jcommander    9               0           0                0
    Juploader     0               1           0                0
    nomadpim      2               0           0                0
    Rssowl        8               3           0                0
    Tvbrowser     0               5           0                0
    Tvla          0               4           0                0
    Virgoftp      6               0           0                6
    Total         60              22          7                14

38 Sampling coverage (5% budget)

39 Sampling coverage (typestate)
Benchmark, by overhead budget: 1% 2% 5% 10% 20% 50% 100%
db 100
mpegaudio 98100
jess 6376858795100
jack 2237455271100
javac 0.4149314149
compress 100
mtrt 39466683909394
antlr 13193468679298
eclipse 471228446667
luindex 551799799 100
hsqldb 7131630433175
chart 100
fop 47704266100
bloat 100
pmd 8199 100

40 Summary
- Recap
- Adaptive overhead controller
- Clients: typestate, assertions, heap probes
- Collection of debug information
- Future Work
- Heap assertions
- Concurrent evaluation (snapshot algorithm)
- Evaluation on a separate core
- Overhead manager
- Tighter overhead guarantees

41 The End

42 Invited Questions
1) How hard would it be to find these defects with standard testing?
2) Can I find these defects with static analysis?
3) Is QVM open-source?
4) Why muck with the VM?
5) Related Work?

43 Related Work
- Aspect Oriented Programming
- “Monitoring Oriented Programming”
- DITTO
- Your-favorite-VM-hack here

44 Backup Slides

45 GDI Resource Leaks
Problems like this are a death by a thousand cuts. Each plug-in may only have one or two tiny leaks, and a handful of global images and colors, so it doesn't feel like a pressing problem. Scale this up to hundreds or thousands of plug ins, and you have a stop ship defect that can make Eclipse-based applications unusable.
--Eclipse developers mailing list

46 Overhead Manager: precision

47 Overhead Manager

48 Sampling Coverage (Typestate)

