1. Specification-Based Error Localization Brian Demsky Cristian Cadar Daniel Roy Martin Rinard Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology

2. Problem Error Introduced Execution with Broken Data Structure Crash or Unexpected Result Have to trace symptom back to cause Error may be present but not visible in test suite

3. Problem Goal is to discover bugs when they corrupt data not when effect becomes visible Perform frequent consistency checks Bug localized between first unsuccessful check and last successful check Error Introduced Execution with Broken Data Structure Crash or Unexpected Result

4. Our Approach Specification of Data Structure Consistency Properties Archie Compiler Efficient Consistency Checker Program Instrumented Program with Early Data Structure Corruption Detection +

5. Architecture Concrete Data Structure Abstract Model Model Definition Rules Model Consistency Constraints

6. Architecture Rationale Why use the abstract model? Model construction separates objects into sets Reachability properties Field values Different constraints for objects in different sets Appropriate division of complexity Data structure representation complexity encapsulated in model definition rules Consistency property complexity encapsulated in (clean, uniform) model constraint language

7. List Example structure node { node *next; value *data; } structure value { int data; } node * head;

8. Sets and Relations in Model Sets of objects set NODE of node set VALUE of value Relations between objects – values of object fields, referencing relationships between objects relation NEXT : NODE -> NODE relation DATA : NODE -> VALUE

9. Model Translation Bits translated to sets and relations in abstract model using statements of the form: Quantifiers, Condition  Inclusion Constraint true  head in NODE for n in NODE, !n.next = NULL  n.next in NODE for n in NODE, !n.next = NULL   n,n.next  in NEXT for n in NODE, !n.data = NULL  n.data in VALUE for n in NODE, !n.data = NULL   n,n.data  in DATA

10. Generated Model NODE VALUE DATA NEXT

11. Consistency Properties Quantifiers, Body Body is first-order property of basic propositions Inequality constraints on numeric fields Cardinality constraints on sizes of sets Referencing relationships for each object Set and relation inclusion constraints Example: for n in NODE, size(NEXT.n)<=1 for v in VALUE, size(DATA.v)=1

12. Consistency Violations Evaluate consistency properties for v in VALUE, size(DATA.v)=1 NODE VALUE DATA NEXT

13. Consistency Violations Evaluate consistency properties for v in VALUE, size(DATA.v)=1 NODE VALUE DATA NEXT Inconsistency Found!!!

14. Default Instrumentation void copynode(struct node *n) { struct node * newnode= malloc(sizeof(struct node)); newnode.data=n.data; newnode.next=n.next; n.next=newnode; } Insert check here

15. Instrumentation void copynode(struct node *n) { struct node * newnode= malloc(sizeof(struct node)); newnode.data=n.data; newnode.next=n.next; n.next=newnode; } Insert check here Failed Pass

16. Instrumentation void copynode(struct node *n) { struct node * newnode= malloc(sizeof(struct node)); newnode.data=n.data; newnode.next=n.next; n.next=newnode; } Insert check here Failed Pass

17. Performance is a Key Issue Would like to perform checks as often as possible Performance of consistency checking limits how frequently program can check Have developed compiler optimizations Fixed point elimination Relation elimination Set elimination Key idea: Perform checks directly on data structures (eliminating model when possible)

18. Fixed Point Elimination Evaluation of model definition rules requires fixed point computation Replace fixed point computation with more efficient traversal when possible Compute dependence graph for model definition rules Compute strongly connected components (SCCs) Topologically sort SCCs Eliminate fixed point computation for SCCs with no cyclic dependences

19. Relation Elimination

20. _

21. Model Definition Rules: for i in 0..C, true  f[i] in S for s in S, !s.q=NULL   s,s.q  in Q for s in S, !s.q=NULL  s.q in T Model Definition Rule Inlining

22. Model Definition Rules: for i in 0..C, true  f[i] in S !f[i].q=NULL   f[i],f[i].q  in Q !f[i].q=NULL  f[i].q in T Model Definition Rule Inlining

23. Model Definition Rules: for i in 0..C, true  f[i] in S !f[i].q=NULL   f[i],f[i].q  in Q !f[i].q=NULL  f[i].q in T Model Constraints: for s in S, MIN<=s.r and s.r<=MAX for t in T, (Q.t).r!=K Constraint Inlining

24. Model Definition Rules: for i in 0..C, true  f[i] in S !f[i].q=NULL   f[i],f[i].q  in Q !f[i].q=NULL  f[i].q in T MIN<=f[i].r and f[i].r<=MAX Model Constraints: for t in T, (Q.t).r!=K Constraint Inlining

25. Model Definition Rules: for i in 0..C, true  f[i] in S !f[i].q=NULL   f[i],f[i].q  in Q !f[i].q=NULL  f[i].q in T MIN<=f[i].r and f[i].r<=MAX Model Constraints: for t in T, (Q.t).r!=K Set Elimination

26. Model Definition Rules: for i in 0..C, true  f[i] in S !f[i].q=NULL   f[i],f[i].q  in Q !f[i].q=NULL  f[i].q in T MIN<=f[i].r and f[i].r<=MAX Model Constraints: for t in T, (Q.t).r!=K Set Elimination

27. Freeciv Benchmark Multiplayer Client/Server based online game Available at www.freeciv.org Looked at the server Server contains 73,000 lines of code Added 750 instrumentation sites 20,000 consistency checks performed in our sample execution

28. Performance Evaluation Fixed point elimination (47x speedup) Relation construction elimination (110x speedup) Set construction elimination (820x speedup) Bottom line Baseline compiled version 5,100 times slower than uninstrumented Optimized version 6 times slower than uninstrumented Optimized version can be used interactively

29. User Study Designed to answer following question: Does inconsistency detection help developers to more quickly localize and correct detected data structure corruption errors?

30. User Study Created three buggy version of Freeciv Two groups of three developers One used conventional tools One used specification-based consistency checking Each participant was asked to spend at least one hour on each version Both populations given an instrumented version of Freeciv

31. Results

32. Extension: Data Structure Repair Do not stop program with inconsistent data Instead, use consistency specification to repair data structure and keep executing! Input: inconsistent data structure Output: consistent data structure “Automatic detection and repair of errors in data structures” (Demsky, Rinard OOPSLA 2003) Repair enables continued execution All programs execute successfully after repair

33. Related Work Specification languages such as UML or Alloy Specification-based testing Korat (Boyapati et. al. ISSTA 2002) Testera (Marinov and Khurshid ASE 2001) Eiffel (Meyer 1992) Invariant inference and checking Daikon (Ernst et. al. ICSE 1999) DIDUCE (Hangal and Lam ICSE 2002) Carrot (Pytlik et. al. 2003) Debugging tools AskIgor (Zeller FSE 2002) Debugging Backwards in Time (Lewis AADEBUG 2003)

34. Conclusion Consistency checking to localize data structure corruption bugs Optimizations for good performance Experimental confirmation that consistency checking may be useful Data structure repair

35. Results Case study shows benefit from approach With tool All developers found and fixed all bugs Mean of 9 minutes required Without tool Three developers found total of one bug (out of nine developer/bug combinations) Others spent hour debugging (unsuccessfully)

36. Bugs Introduced Actual errors in buggy versions First error creates invalid terrain values (violates valid terrain property) Second causes two tiles to refer to the same city (violates single reference property) Third causes a city to be placed on ocean (violates cities not in ocean property)

37. Consistency Properties Map exists size(MAP)=1 Grid of tiles exists size(GRID)=1 Tiles have valid terrain values for t in TILE, MIN <= t.TERRAIN and t.TERRAIN<=MAX Each city has exactly one reference from the grid for c in CITY, size(CITYMAP.c)=1 Cities are not in the ocean for c in CITY, !(CITYMAP.c).TERRAIN=OCEAN