Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improving Software Reliability via Static and Dynamic Analysis Tao Xie, Automated Software Engineering Group Department of Computer Science North Carolina.

Published byHomer Barton Modified over 9 years ago

Similar presentations

Presentation on theme: "Improving Software Reliability via Static and Dynamic Analysis Tao Xie, Automated Software Engineering Group Department of Computer Science North Carolina."— Presentation transcript:

1 Improving Software Reliability via Static and Dynamic Analysis Tao Xie, Automated Software Engineering Group Department of Computer Science North Carolina State University http://ase.csc.ncsu.edu/

2 Group Overview Inputs: Current funding support –NSF CyberTrust (3 yrs), NSF SoD (3 yrs), ARO (3 yrs), NIST supplement, IBM Faculty Award, Microsoft Research, ABB Research Collaboration with agencies and industry –NIST, NASA, DOE Lab, Army division, Microsoft Research, IBM Rational, ABB Research Current student team –6 Ph.D. students, 1 M.S. student, 5 probation-staged grad students

3 Group Overview cont. Outputs: Research around two major themes: –Automated Software Testing; Mining Software Engineering Data Industry impact –We found Parasoft Jtest 4.5 generated 90% redundant tests [ASE 04] –Agitar AgitarOne used a similar technique as our Jov [ASE 03] –MSR and NASA adopted Symstra technique [TACAS 05] –MSR Pex adopted our recent techniques Research publications –2008: TOSEM, ICSE, 3*ASE, SIGMETRIC, ISSRE, ICSM, SRDS, ACSAC, … –2007: ICSE, FSE, 4*ASE, WWW, ICSM, … –…

4 Major Research Collaboration Areas Mining textual SE data Mining program code data Automated testing

5 Mining Textual SE data Bug reports [ICSE 08] –Detecting duplicate bug reports –Classifying bug reports API documentation Project documentation

6 Two duplicate bug reports in Firefox - using only natural language information may fail Bug-260331: After closing Firefox, the process is still running. Cannot reopen Firefox after that, unless the previous process is killed manually Bug-239223: (Ghostproc) – [Meta] firefox.exe doesn't always exit after closing all windows; session-specific data retained

7 Two non-duplicate bug reports in Firefox - using only execution information may fail Bug-244372: "Document contains no data" message on continuation page of NY Times article Bug-219232: random "The Document contains no data." Alerts Proposed solution [ICSE 08]: mining both textual information of bug reports and execution information of their failing tests

8 Classification of Bug Reports Bugs related to security issues Bugs related to design problems Bugs related to insufficient unit testing … Manually label a subset of bug reports with their categories Apply classification algorithms on unlabeled bug reports to predict their categories Benefit: reduce manual labeling efforts

9 Example API Docs javax.resource.cci.Connection createInteraction(): “Creates an interaction associated with this connection”  action-resource pair: create-connection getMetaData(): “Gets the information on the underlying EIS instance represented through an active connection”  action-resource pair: get-connection close(): “Initiates close of the connection handle at the application level”  action-resource pair: close-connection

10 Mining Properties from API Docs

11 Potential Collaboration Ideas on Text Mining Documents submitted by device manufacturers are in NL and are too many or long for manual inspection Classification problem –Train learning tools with some labeled documents Clustering problem –Without labeling, group documents based on similarity Selection problem –Similar to duplicate bug report detection

12 Potential Collaboration Ideas on Text Mining – Possible Examples Extract safety-related requirements from documents  manually extract some and then tools recommend some more based on manually extracted ones Classify incident reports (e.g., with ontology)  manually classify some and then tools recommend categories for the rest Detect correlations among incident reports  similar to duplicate bug report detection Other pre-market textual documents Other post-market textual documents …

13 Major Research Collaboration Areas Mining textual SE data Mining program code data Automated testing

14 Motivation

15 Problem Software system verification: given properties, verification tools can be used to detect whether the system violates the properties –Example: malloc return check However, these properties often do not exist –Who write these property? –How often these property are written? –How often these property are known? Objective: Mine API properties for static verification from the API client code in existing system code bases

16 Artifacts in Code Mining Data: usage info from various code locations of using APIs such as malloc, seteuid, and execl Patterns: sequencing constraints among collected API invocation sequences and condition checks Anomalies: violations of these patterns as potential defects

17 Approach Overview System Code Bases 1 2 N … For each external API 2.Trace/ Search MOPS Trace/Search source files that use each external API from existing code … Usage Info Around APIs... … 3.Analyze Analyze collected traces/files to extract usage info around APIs Input System 1.Extract Internal APIs External APIs Extract external APIs from the input system Detected Violations as Bugs 5.Verify Verify the input system against these properties to detect bugs Frequent Patterns around APIs 4.Mine Mine frequent usage patterns around APIs as API properties

18 Example Target Defect Types Neglected-condition defects Error-handling defects Exception-handling defects These defect types can result in –Critical security, robustness, reliability issues –Performance degradation Example: Failure to release a resource may decrease the performance

19 Mined Neglected Condition From Grass open source GIS project Developer confirmed “I believe this issue has uncovered a bug: the pointer returned by the fopen () call isn't checked at all. The code responsible for this particular issue is surprisingly short, to make it a good example on how not to write the code” $ nl -ba main.c... 71 fp = fopen("dumpfile", "w"); 72 BM_file_write(fp, map); 73 fclose(fp);... $

20 Mined Patterns of Error Handling From Redhat 9.0 routed-0.17-14 Error-check specifications Multiple-API specifications close() should be called after socket() If violated, defects are detected

21 Mined Patterns of Exception Handling If missing resource cleanup, defects are detected Resource creation Resource manipulation Resource cleanup

22 Potential Collaboration Ideas on Code Mining Address problems similar to ones targeted by FDA’s previous work on “Static Analysis of Medical Device Software using CodeSonar” by Jetley, Jones, and Anderson Benefits of our new techniques –Don’t require the code to be compilable (using partial program analysis) –Don’t require properties to be manually written down –Can accumulate knowledge (API usages) within or across devices or manufacturers (or even open source world) –May ask manufacturers to submit API usages (if not code itself?)

23 Potential Collaboration Ideas on Code Mining cont. Our tool development status Neglected condition bugs: tools for Java and C are ready; tool for C# is being developed Error-handling bugs: tool for C is ready Exception-handling bugs: tool for Java is ready and tool for C# is being developed Working on tools for framework reuse bugs

24 Major Research Collaboration Areas Mining textual SE data Mining program code data Automated testing

25 Dynamic Symbolic Execution Dynamic symbolic execution combines static and dynamic analysis: Execute program multiple times with different inputs –build abstract representation of execution path on the side –plug in concrete results of operations which cannot be reasoned about symbolically Use constraint solver to obtain new inputs –solve constraint system that represents an execution path not seen before

26 Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Whole-program, white-box code analysis Initially, choose Arbitrary

27 Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Whole-program, white-box code analysis Initially, choose Arbitrary a[0] = 0; a[1] = 0; a[2] = 0; a[3] = 0; … a[0] = 0; a[1] = 0; a[2] = 0; a[3] = 0; …

28 Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Initially, choose Arbitrary Path Condition: … ⋀ magicNum != 0x95673948 Whole-program, white-box code analysis

29 Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Initially, choose Arbitrary … ⋀ magicNum != 0x95673948 … ⋀ magicNum == 0x95673948 Whole-program, white-box code analysis

30 Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve a[0] = 206; a[1] = 202; a[2] = 239; a[3] = 190; a[0] = 206; a[1] = 202; a[2] = 239; a[3] = 190; Initially, choose Arbitrary Whole-program, white-box code analysis

31 Test Inputs Constraint System Execution Path Known Paths Run Test and Monitor Record Path Condition Choose an Uncovered Path Solve Initially, choose Arbitrary Whole-program, white-box code analysis

32 Potential Collaboration Ideas on Automated Testing Address problems similar to ones targeted by FDA’s previous work on “Static Analysis of Medical Device Software using CodeSonar” by Jetley, Jones, and Anderson Benefits of our new techniques (also in contrast to existing testing techniques) –No false positives. Each reported issue is a REAL one –Much more powerful than existing commercial tools (Parasoft C#Test, Parasoft Jtest, Agitar AgitarOne, …)

33 Potential Collaboration Ideas on Automated Testing cont. Our tool development status Most mature/powerful for C# testing (built around MSR Pex by collaborating with MSR Researchers) Java testing tools based on NASA Java Pathfinder, jCUTE, C testing tools based on Crest and Splat

34 Potential Collaboration Ideas on Automated Testing cont. Regression test generation/differential testing: Given two versions, try to find test inputs to show different behavior –Possible idea 1: given a buggy version and claimed fixed version submitted by manufacturers, generate test inputs to show different behaviors –Possible idea 2: change impact analysis on models or code submitted by manufacturers Use code mining to find targets to violate by testing –Address false positive issues

35 Other Research Areas Mining program execution to aid program understanding, debugging, … Mining version histories Security policy testing Attack generation Design testing Web app/service testing DB app testing Performance testing …

36 Major Research Collaboration Areas Mining textual SE data Mining program code data Automated testing

Download ppt "Improving Software Reliability via Static and Dynamic Analysis Tao Xie, Automated Software Engineering Group Department of Computer Science North Carolina."

Similar presentations

Verification and Validation

Verification and Validation
1 VLDB 2006, Seoul Mapping a Moving Landscape by Mining Mountains of Logs Automated Generation of a Dependency Model for HUG’s Clinical System Mirko Steinle,

1 VLDB 2006, Seoul Mapping a Moving Landscape by Mining Mountains of Logs Automated Generation of a Dependency Model for HUG’s Clinical System Mirko Steinle,
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
SMU SRG reading by Tey Chee Meng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications by David Brumley, Pongsin Poosankam,

SMU SRG reading by Tey Chee Meng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications by David Brumley, Pongsin Poosankam,
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Kai Pan, Xintao Wu University of North Carolina at Charlotte Generating Program Inputs for Database Application Testing Tao Xie North Carolina State University.

Kai Pan, Xintao Wu University of North Carolina at Charlotte Generating Program Inputs for Database Application Testing Tao Xie North Carolina State University.
Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source.

Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source.
SBSE Course 3. EA applications to SE Analysis Design Implementation Testing Reference: Evolutionary Computing in Search-Based Software Engineering Leo.

SBSE Course 3. EA applications to SE Analysis Design Implementation Testing Reference: Evolutionary Computing in Search-Based Software Engineering Leo.
(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)

(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)
SE 450 Software Processes & Product Metrics Reliability: An Introduction.

SE 450 Software Processes & Product Metrics Reliability: An Introduction.
EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,

EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,
Winter Retreat - 2003 Connecting the Dots: Using Runtime Paths for Macro Analysis Mike Chen, Emre Kıcıman, Anthony Accardi, Armando Fox, Eric Brewer

Winter Retreat Connecting the Dots: Using Runtime Paths for Macro Analysis Mike Chen, Emre Kıcıman, Anthony Accardi, Armando Fox, Eric Brewer
Department of Computer Science & Engineering College of Engineering Dr. Betty H.C. Cheng, Laura A. Campbell, Sascha Konrad The demand for distributed real-time.

Department of Computer Science & Engineering College of Engineering Dr. Betty H.C. Cheng, Laura A. Campbell, Sascha Konrad The demand for distributed real-time.
Swami NatarajanJuly 14, 2015 RIT Software Engineering Reliability: Introduction.

Swami NatarajanJuly 14, 2015 RIT Software Engineering Reliability: Introduction.
High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.

High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.
Automated Tests in NICOS Nightly Control System Alexander Undrus Brookhaven National Laboratory, Upton, NY 11973 Software testing is a difficult, time-consuming.

Automated Tests in NICOS Nightly Control System Alexander Undrus Brookhaven National Laboratory, Upton, NY Software testing is a difficult, time-consuming.
1CMSC 345, Version 4/04 Verification and Validation Reference: Software Engineering, Ian Sommerville, 6th edition, Chapter 19.

1CMSC 345, Version 4/04 Verification and Validation Reference: Software Engineering, Ian Sommerville, 6th edition, Chapter 19.
LÊ QU Ố C HUY ID: QLU13069 1. OUTLINE  What is data mining ?  Major issues in data mining 2.

LÊ QU Ố C HUY ID: QLU OUTLINE  What is data mining ?  Major issues in data mining 2.
This chapter is extracted from Sommerville’s slides. Text book chapter 29 1 1.

This chapter is extracted from Sommerville’s slides. Text book chapter
OOSE 01/17 Institute of Computer Science and Information Engineering, National Cheng Kung University Member:Q76001074 薛弘志 P76014020 蔡文豪 F74982155 周詩御.

OOSE 01/17 Institute of Computer Science and Information Engineering, National Cheng Kung University Member:Q 薛弘志 P 蔡文豪 F 周詩御.

Similar presentations

Ads by Google