Pruning Dynamic Slices With Confidence Original by: Xiangyu Zhang Neelam Gupta Rajiv Gupta The University of Arizona Presented by: David Carrillo

Dynamic Slicing Dynamic slice is the set of statements that did affect the value of a variable at a program point for a specific program execution. [Korel and Laski, 1988 ] …… 10. A = … B = …… 30. P = 31. If (P<0) { A = A } 37. B=B+1 …… 40. Error(A) Dynamic Slice = {10, 30, 31, 35, 40}

Effectiveness of Dynamic Slicing Dynamic slicing is very effective in containing the faulty statement, however it usually produces over- sized slices -- [AADEBUG’05]. Problem: How to automatically prune dynamic slices? Many Approaches: This paper presents: Fine-grained pruning of a backward slice by using confidence analysis.

Types of Evidence Used in Pruning Buggy Execution output_x  Classical dynamic slicing algorithms investigate bugs through the evidence of the wrong output. input0 input_x input2 output2 predicate_x output0 output1 predicate_x  Literature contains use of many different types of evidence, this paper studies “Partially correct output”.  Benefits of more evidence Narrow the search for faulty statement. Broaden the applicability of the tool.

Fine-grained Pruning by Exploiting Correct Outputs …… 10. A = 1 (Correct: A=3) … B = A % 2 …… 30. C = A + 2 …… 40. Print (B) 41. Print (C)  Correct outputs produced in addition to wrong output.  DS(O wrong ) – DS (O correct ) are all the statements that create wrong output and not correct output. {10, 30, 41} {10, 20, 40} = {30,41}  What happens when a statement affects both correct and incorrect output?

Confidence Analysis  Value produced at node n can reach only wrong output nodesn There is no evidence that n is correct, so it should be in the pruned slice. Should we include n in the slice?? Confidence(n)=0 Confidence(n)=?; 0 ≤ ? ≤ 1  Value produced at node n can reach both the correct and wrong output nodes.nnn Confidence(n)=1  Value produced at n can reach only correct outputs There is no evidence of incorrectness of n. Therefore it cannot be in the slice.

Confidence Analysisnn Range(n)={ a, b, c, d, e, f, g } Alt(n)={ a } Value(n) = a Value(n) = b Value(n) = c, c When |Alt(n)|==1, we have the highest confidence (=1) on the correctness of n; When |Alt(n)|==|Range(n)|, we have the lowest confidence (=0). |Range(n)| >= |Alt(n)|>=1 Alt(n) is a set of possible values of the variable defined by n, that when propagated through the dynamic dependence graph, produce the same values for correct outputs. Experimentally determined function. Range(n) is all values taken by n during the buggy run.

Confidence Analysis: Example …… 10. A =... … B = A % 2 …… 30. C = A + 2 …… 40. Print (B) 41. Print (C) A+2 is a one-to-one mapping. A%2 is a one-to-many (2) mapping.

Confidence Analysis: Two Problems  How to decide the Range of values for a node n? Based on variable type (e.g., Integer). Static range analysis. Our choice:  Dynamic analysis based on value profiles (Range of values for a statement is the set of values defined by all of the execution instances of the statement during the program run).  How to compute Alt(n)? Consider the set of correct output values as constraints. Compute Alt(n) by backward propagation of constraints through the dynamic dependence subgraph corresponding to the slice.

Computing Alt(n) Along Data Dependence S1: T=...9 S2: X=T+110 S3: Y=T%30 (X,T)= (6,5) (9,8) (10,9) (T,...)= (1,...) (3,...) (5,...) (8,...) (9,...) (Y,T)= (0,3) (0,9) (1,1) (2,5) (2,8) alt(S1) = ∩ alt = {9} alt(S2)={10} alt(S3)={0,1}

Computing Alt(n) Along Control Dependence S1: if (P) …True S2: X=T+110 S3: Y=T%30 (X,T)= (6,5) (9,8) (10,9) (Y,T)= (0,3) (0,9) (1,1) (2,5) (2,8) alt(S1) = {True} alt(S2)={10} alt(S3)={0,1}

Characteristics of Siemens Suite Programs ProgramDescriptionLOCVersionsTests print_tokensLexical analyzer print_tokens2Lexical analyzer replacePattern replacement schedulePriority scheduler schedule2Priority scheduler gzipUnix utility flexUnix utility Each faulty version has a single manually injected error. All the versions are not included:  No output is produced.  Faulty statement is not contained in the backward slice. For each version three tests were selected.

Results of Pruning ProgramDSPDS max PDS max / DS PDS min %Missed by PDS min print_tokens %350% print_tokens %550% replace %4338.1% schedule %5620% schedule %500% gzip %10100% flex %250% On average, PDS max = 41.1% of DS

Confidence Based Prioritization DD – dependence distance CV – confidence values Executed statement instances examined (%) Prior work have shown that Dependence Distance is an effective way to prioritize statements in order to locate faulty code. Experimentation in this paper shows that Prioritizing by Confidence Values outperforms Dependence Distance.

The Potential of Confidence Analysis (1) Dynamic Slicer With Confidence Pruned Slices User Verified Statements as correct Buggy Code Input  Interactive Pruning. Incorporate user input into pruning.

The Potential of Confidence Analysis (2)  Relevant slicing (gzip v3 run r1) Potential dep. Data dep. Dynamic slices does not capture bugs where data dependency is incorrect due to incorrect control flow. Relevant slicing do, but generates Dynamic Slices that are too large. It may be effective with effective pruning.

Conclusions  Confidence analysis - exploits the correct output values produced in an execution to prune the dynamic slice of an incorrect output.  This novel dynamic analysis based implementation of confidence analysis effectively pruned backward dynamic slices in our experiments. Pruned Slices = 41.1% Dynamic Slices, and still contain the faulty statement.  Our study shows that confidence analysis has additional applications beyond pruning – prioritization, interactive pruning & relevant slicing.

Discussion  Creation alternatives relies on known mapping for each type of statement. i.e. X = Y + 1 is one-to-one. i.e. X = X % 3 is one-to-many. How extensible is this approach?? (floats, objects, etc.)  This approach assumes that: There is only one error (detected). The error is detected before it propagates into its dependencies. How realistic are this assumptions in real scenarios with incomplete test coverage?

The End