Presentation is loading. Please wait.

Presentation is loading. Please wait.

Strauss: A Specification Miner Glenn Ammons Department of Computer Sciences University of Wisconsin-Madison.

Published byLucinda Atkinson Modified over 9 years ago

Similar presentations

Presentation on theme: "Strauss: A Specification Miner Glenn Ammons Department of Computer Sciences University of Wisconsin-Madison."— Presentation transcript:

1

2 Strauss: A Specification Miner Glenn Ammons Department of Computer Sciences University of Wisconsin-Madison

3 2 How should programs behave? Strauss mines temporal specifications for example, always call free after malloc Why? To debug To verify To test To modify To understand

4 3 How should programs behave? Strauss mines temporal specifications for example, always call free after malloc Why? To debug To verify To test To modify To understand Specs constrain programs like structured programming, types, etc.

5 4 Strauss output Spec. says what programs should do: What order of calls? What values in calls? X := socket() Y := accept(sock = X) close(sock = Y) read(sock = Y) write(sock = Y) start end For all calls Y := accept(sock = X):

6 5 Strauss inputs... socket(domain = 2, type = 1, proto = 0, return = 7))... Traces... socket(domain = 2, type = 1, proto = 0, return = 7))... 7 := socket(domain = 2, type = 1, proto = 0)... Strauss Library Client programs Interface (e.g., sockets)

7 6 Strauss inputs... socket(domain = 2, type = 1, proto = 0, return = 7))... Traces... socket(domain = 2, type = 1, proto = 0, return = 7))... 7 := socket(domain = 2, type = 1, proto = 0)... Strauss Library Client programs Interface (e.g., sockets) Scenario criterion accept State transition model (STM) def socket() close(def use sock) def accept(use sock) read(use sock) write(use sock)

8 7 My contributions A dynamic approach to mining analyze communication, not source code A tool for mining specifications practical: scalable and mostly automatic temporal specs may refer to multiple data values requires little info about code New method for debugging specifications Birds of a feather flock together (concept analysis) Found specifications and bugs

9 8 Summary of results Mined 17 specs. for X11 example: XInternAtom should only be called during initialization, not in the event loop. Found 199 bugs In widely distributed programs wish (Tk), xpdf, xpilot,... Included races, leaks, logic errors, and performance bugs By verifying dynamically (on traces)

10 9 Related work: obtaining specs. By hand From programmers Types Specification languages and annotations From analysts, testers Abstraction tools (Bandera [Dwyer et al.]) With specification mining

11 10 Comparing spec. miners Strauss Specs: temporal, multiple objects, arbitrary NFAs Mining: from traces, local, no code necessary Goal: specs. for interfaces Other work Concurrent work FSMs for Java objects [Whaley, Martin, and Lam] Simple templates [Metacompilation] Loop invariants [ESC/Java] Earlier work Arithmetic properties [Daikon] Cliches [Programmer’s Apprentice] Communicating processes [Verisoft]

12 11 Overview of Strauss Strauss Programs and interface Instrumented programs Training traces STM and scenario criterion Unvalidated specification Preprocess Mine Debug Developer’s judgement Specification Scenarios Tracer Run on test inputs Scenario extractor Learner Cable

13 12 Trace + STM = Semantic trace 1 7 := socket(domain = 2, type = 1, proto = 0) 2 0x100 := malloc(size = 23) 3 8 := accept(sock = 7, addr = 0x40, addr_len = 0x50) 4 23 := write(sock = 8, buf = 0x100, len = 23) 5 0 := close(sock = 8)... State transition model (STM) def socket() close(def use sock) def accept(use sock) read(use sock) write(use sock) Semantic trace Vars: v7, v8 1 v7 := socket() 2 skip 3 v8 := accept(sock = v7) 4 write(sock = v8) 5 v8 := close(sock = v8)...

14 13 Trace + STM = Semantic trace State transition model (STM) def socket() close(def use sock) def accept(use sock) read(use sock) write(use sock) Semantic trace Vars: v7, v8 1 v7 := socket() 2 skip 3 v8 := accept(sock = v7) 4 write(sock = v8) 5 v8 := close(sock = v8)... domain = 2, 1 7 := socket(domain = 2, type = 1, type = 1, proto = 0 proto = 0) 0x100 := malloc(size = 23) 2 0x100 := malloc(size = 23), 3 8 := accept(sock = 7, addr = 0x40, addr_len = 0x50 addr_len = 0x50), 4 23 := write(sock = 8, buf = 0x100, buf = 0x100, len = 23 len = 23) 0 := 5 0 := close(sock = 8)...

15 14 Trace + STM = Semantic trace State transition model (STM) def socket() close(def use sock) def accept(use sock) read(use sock) write(use sock) Semantic trace Vars: v7, v8 1 v7 := socket() 2 skip 3 v8 := accept(sock = v7) 4 write(sock = v8) 5 v8 := close(sock = v8)... domain = 2, 1 7 := socket(domain = 2, type = 1, type = 1, proto = 0 proto = 0) 0x100 := malloc(size = 23) 2 0x100 := malloc(size = 23), 3 8 := accept(sock = 7, addr = 0x40, addr_len = 0x50 addr_len = 0x50), 4 23 := write(sock = 8, buf = 0x100, buf = 0x100, len = 23 len = 23) 0 := 5 0 := close(sock = 8)...

16 15 A different STM State transition model (STM) def malloc() free(def p) read(use buf) write(use buf) Semantic trace Var: v0x100 1 skip 2 v0x100 := malloc() 3 skip 4 write(buf = v0x100) 5 skip... 1 7 := socket(domain = 2, type = 1, proto = 0) 2 0x100 := malloc(size = 23) 3 8 := accept(sock = 7, addr = 0x40, addr_len = 0x50) 4 23 := write(sock = 8, buf = 0x100, len = 23) 5 0 := close(sock = 8)...

17 16 A different STM State transition model (STM) def malloc() free(def p) read(use buf) write(use buf) Semantic trace Var: v0x100 1 skip 2 v0x100 := malloc() 3 skip 4 write(buf = v0x100) 5 skip... 7 := socket(domain = 2, 1 7 := socket(domain = 2, type = 1, type = 1, proto = 0) proto = 0) size = 23 2 0x100 := malloc(size = 23) 8 := accept(sock = 7, 3 8 := accept(sock = 7, addr = 0x40, addr = 0x40, addr_len = 0x50 addr_len = 0x50) 23 :=sock = 8, 4 23 := write(sock = 8,, buf = 0x100, len = 23 len = 23) 0 := close(sock = 8) 5 0 := close(sock = 8)...

18 17 From dependences to scenarios Pick a seed Slice forwards Slice backwards Chop each pair

19 18 From dependences to scenarios Pick a seed Slice forwards Slice backwards Chop each pair

20 19 From dependences to scenarios Pick a seed Slice forwards Slice backwards Chop each pair

21 20 From dependences to scenarios Pick a seed Slice forwards Slice backwards Chop each pair

22 21 From dependences to scenarios Pick a seed Slice forwards Slice backwards Chop each pair

23 22 Extracting scenarios: example Vars: v7, v8 1 v7 := socket 2 v8 := accept(sock = v7) 3 write(sock = v8) 4 v8 := close(sock = v8) 5 v7 := close(sock = v7)

24 23 Extracting scenarios: example Pick a seed Vars: v7, v8 1 v7 := socket 2 v8 := accept(sock = v7) 3 write(sock = v8) 4 v8 := close(sock = v8) 5 v7 := close(sock = v7)

25 24 Extracting scenarios: example Pick a seed Slice forwards Vars: v7, v8 1 v7 := socket 2 v8 := accept(sock = v7) 3 write(sock = v8) 4 v8 := close(sock = v8) 5 v7 := close(sock = v7)

26 25 Extracting scenarios: example Pick a seed Slice forwards Slice backwards Vars: v7, v8 1 v7 := socket 2 v8 := accept(sock = v7) 3 write(sock = v8) 4 v8 := close(sock = v8) 5 v7 := close(sock = v7)

27 26 Extracting scenarios: example Pick a seed Slice forwards Slice backwards Chop each pair Vars: v7, v8 1 v7 := socket 2 v8 := accept(sock = v7) 3 write(sock = v8) 4 v8 := close(sock = v8) 5 v7 := close(sock = v7)

28 27 Overview of Strauss Strauss Programs and interface Instrumented programs Training traces STM and scenario criterion Unvalidated specification Preprocess Mine Debug Developer’s judgement Specification Scenarios Tracer Run on test inputs Scenario extractor Learner Cable

29 28 Overview of learning standardize Scenarios (dep. graphs) ACEGBACEGB ACEGBACEGB ACEGBACEGB Strings NFA Learn NFA Scenario standardize NFA Scenario acceptor (SA) String Yes or no Specification = (SA, STM, scenario criterion)

30 29 Standardizing scenarios v7 := socket() v8 := accept(sock = v7) write(sock = v8) read(sock = v8) v8 := close(sock = v8) v7 := close(sock = v7) v2 := socket() v3 := accept(sock = v2) v2 := close(sock = v2) read(sock = v3) write(sock = v3) v3 := close(sock = v3)

31 30 Standardizing scenarios v7 := socket() v8 := accept(sock = v7) v7 := close(sock = v7) read(sock = v8) write(sock = v8) v8 := close(sock = v8) v2 := socket() v3 := accept(sock = v2) v2 := close(sock = v2) read(sock = v3) write(sock = v3) v3 := close(sock = v3)

32 31 Standardizing scenarios X := socket() Y := accept(sock = X) X := close(sock = X) read(sock = Y) write(sock = Y) Y := close(sock = Y) X := socket() Y := accept(sock = X) X:= close(sock = X) read(sock = Y) write(sock = Y) Y := close(sock = Y)

33 32 Standard scenario = string X := socket() Y := accept(sock = X) X := close(sock = X) read(sock = Y) write(sock = Y) Y := close(sock = Y) X := socket() Y := accept(sock = X) X:= close(sock = X) read(sock = Y) write(sock = Y) Y := close(sock = Y) ABCDEFABCDEF

34 33 Overview of learning standardize Scenarios (dep. graphs) ACEGBACEGB ACEGBACEGB ACEGBACEGB Strings NFA Learn NFA Scenario standardize NFA Scenario acceptor (SA) String Yes or no Specification = SA + STM + scenario criterion

35 34 Raman’s PFSA algorithm 1.Build a weighted retrieval tree 2.Merge similar states

36 35 Raman’s PFSA algorithm 1.Build a weighted retrieval tree 2.Merge similar states socket accept read write read write 100 5 5 95 70 25 5 end 70 5 25

37 36 Raman’s PFSA algorithm 1.Build a weighted retrieval tree 2.Merge similar states socket accept read write read write 100 5 5 95 70 25 5 end 70 5 25

38 37 Raman’s PFSA algorithm 1.Build a weighted retrieval tree 2.Merge similar states socket accept read write read write 100 5 5 95 70 25 5 end 100 25

39 38 Raman’s PFSA algorithm 1.Build a weighted retrieval tree 2.Merge similar states socket accept read write read write 100 5 95 70 25 end 100 25 5 75

40 39 Raman’s PFSA algorithm 1.Build a weighted retrieval tree 2.Merge similar states socket accept read write read write 100 5 95 70 25 end 100 25 5 75

41 40 Overview of Strauss Strauss Programs and interface Instrumented programs Training traces STM and scenario criterion Unvalidated specification Preprocess Mine Debug Developer’s judgement Specification Scenarios Tracer Run on test inputs Scenario extractor Learner Cable

42 41 Overview of Debugging Cable Debugged specification Specification ACEGBACEGB ACEGBACEGB ACEGBACEGB Classified scenarios Learner Scenarios

43 42 Classifying scenarios b0 b2 b1 G0 g0 g1

44 43 Classifying scenarios b0 b2 b1 G0 b0 b2 b1 G0 g0 g1 g0 g1

45 44 Classifying scenarios b0 b2 b1g0 g1 G0 b0 b2 b1 g0 g1 G0 g0 g1 G0

46 45 Concept analysis: mammals 4-leggedhairysmartmarinethumbed catsyes dogsyes dolphinsyes gibbonsyes humansyes whales yes

47 46 Concept analysis: mammals 4-leggedhairysmartmarinethumbed catsyes dogsyes dolphinsyes gibbonsyes humansyes whales yes

48 47 Cable method: good pets Good pets: Bad pets:

49 48 Cable method: good pets cats gibbons dogs dolphins humans whales {} Good pets: Bad pets:

50 49 Cable method: good pets hairy cats gibbons dogs Good pets: Bad pets:

51 50 Cable method: good pets 4-legged hairy cats dogs Good pets: Bad pets:

52 51 Cable method: good pets 4-legged hairy cats dogs Good pets: cats, dogs Bad pets:

53 52 Cable method: good pets Good pets: cats, dogs Bad pets: gibbons dolphins humans whales smart

54 53 Cable method: good pets Good pets: cats, dogs Bad pets: gibbons dolphins humans whales gibbons dolphins humans whales smart

55 54 Concept analysis: scenarios Takes transition 0 Takes transition 1 Takes transition 2 Takes transition 3 Takes transition 4 Scen. 0yes Scen. 1yes Scen. 2yes Scen. 3yes Scen. 4yes Scen. 5 yes

56 55 Cable method: good scenarios Good scenarios: Bad scenarios:

57 56 Cable method: good scenarios scen. 0 scen. 1 scen. 2 scen. 3 scen. 4 scen. 5 {} Good scenarios: Bad scenarios:

58 57 Cable method: good scenarios scen. 0 scen. 1 scen. 2 Takes transition 1 Good scenarios: Bad scenarios:

59 58 Cable method: good scenarios scen. 0 scen. 2 Takes transition 0 Takes transition 1 Good scenarios: Bad scenarios:

60 59 Cable method: good scenarios scen. 0 scen. 2 Takes transition 0 Takes transition 1 Good scenarios: 0, 2 Bad scenarios:

61 60 Cable method: good scenarios Takes transition 2 Takes transition 3 Takes transition 4 Good scenarios: 0, 2 Bad scenarios: scen. 1 scen. 3 scen. 4 scen. 5

62 61 Cable method: good scenarios Takes transition 2 Takes transition 3 Takes transition 4 Good scenarios: 0, 2 Bad scenarios: 1, 3, 4, 5 scen. 1 scen. 3 scen. 4 scen. 5

63 62 Experimental results Where to find bugs? in programs (static verification)? or in traces (dynamic verification)? Specifications and bugs

64 63 How Strauss verifies a spec extract scenarios Scenario acceptor... socket(domain = 2, type = 1, proto = 0, return = 7))... socket(domain = 2, type = 1, proto = 0, return = 7))... socket(domain = 2, type = 1, proto = 0, return = 7))... socket(...) accept(...) read(...) write(...) close(...) socket(...) accept(...) read(...) write(...) close(...) socket(...) accept(...) read(...) write(...) close(...) Traces Scenarios (dep. graphs) Positive specifications: Accept trace iff every seed has a scenario that the SA accepts. Negative specifications: Accept trace iff every seed has no scenario that the SA accepts. Yes or no

65 64 Experimental results 90 traces 72 programs 7 “book” rules 10 “graph” rules

66 65 1. X11 selection protocol specs.: Found 17 bugs total. English spec is buggy! 2. Performance: XInternAtom should not be called in the event loop 42 buggy programs (out of 72); degree varied 3. XPutImage spec. (more on this later) 2 different bugs! But, also 2 false positives. 4. Other bugs: 138 total (resource errors) Bugs found

67 66 Cable was useful Cost = concepts visited + concepts labeled

68 67 XSetSelectionOwner English: Pass XSetSelectionOwner the timestamp from the last event. For all calls XSetSelectionOwner(time = X) XSetSelectionOwner(time = X) (event.time = X) := XNextEvent() XFilterEvent(event.time = X) XtDispatchEvent(event.time = X) (event.time = X) := XCheckWindowEvent() cb_XtActionProc(event.time = X)

69 68 XInternAtom English: Don’t call XInternAtom in the event loop. For no calls XInternAtom(display = X) cb_XtEventHandler(event.display = X) cb_XtActionProc(event.display = X) (event.display = X) := XtAppNextEvent() (event.display = X) := XNextEvent() XFilterEvent(event.display = X) XtCallActionProc(event.display = X) (event.display = X) := XWindowEvent XtDispatchEvent(event.display = X) (event.display = X) := XCheckWindowEvent() XInternAtom(display = X)

70 69 XPutImage English: The image and GC passed to XPutImage must have been created on the same display. For all calls XPutImage(display = X, image = Y, gc = Z) Z := XCreateGC(display = X) Y := XCreateImage(display = X) Y := XShmCreateImage(display = X) XPutImage(display = X, image = Y, gc = Z)

71 70 Conclusions Strauss is local scalable dynamic Strauss finds real specs. real bugs Does Strauss generalize well? work for others? do too much or too little?

72 71 Suggestions for future work Increasing automation Exploiting patterns Exploiting labels Beyond mining from traces Static; hybrids (profile-based) More expressive models Structured heaps; arithmetic properties Other domains Program understanding; testing

73 72 My publications On Strauss. Debugging temporal specifications with concept analysis. With Rastislav Bodik, James R. Larus, and David Mandelin. PLDI03. Mining specifications. With Rastislav Bodik and James R. Larus. POPL02. Path profiling Improving data-flow analysis with path profiles. With James R. Larus. PLDI98. Selected for 20 Years of PLDI (1979-1999). Exploiting hardware performance counters with flow and context sensitive profiling. With Tom Ball and James R. Larus. PLDI97.

74 73 End of talk

75 74 Classifying scenarios b0 b2 b1g0 g1 G0 b0 b2 b1 g0 g1 G0 g0 g1 G0

76 75 Overview of Strauss Traces and STM apply STM extract scenarios socket(...) accept(...) read(...) write(...) close(...) Trace programs (with PDGs) socket(...) accept(...) read(...) write(...) close(...) socket(...) accept(...) read(...) write(...) close(...) Seed pattern Scenarios Classify and learn Specification X := socket() Y := accept(so = X) close(so = Y)close(so = X) read(so = Y) write(so = Y) start end..

77 76 Overview of Strauss Traces and STM apply STM extract scenarios socket(...) accept(...) read(...) write(...) close(...) Trace programs (with PDGs) socket(...) accept(...) read(...) write(...) close(...) socket(...) accept(...) read(...) write(...) close(...) Seed pattern Scenarios Classify and learn Specification X := socket() Y := accept(so = X) close(so = Y)close(so = X) read(so = Y) write(so = Y) start end..

78 77 Strauss inputs... socket(domain = 2, type = 1, proto = 0, return = 7))... Traces... socket(domain = 2, type = 1, proto = 0, return = 7))... 7 := socket(domain = 2, type = 1, proto = 0)... State transition model (STM) def socket() close(def use sock) def accept(use sock) read(use sock) write(use sock) Strauss Library Client programs Interface (e.g., sockets)

Download ppt "Strauss: A Specification Miner Glenn Ammons Department of Computer Sciences University of Wisconsin-Madison."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Runtime Techniques for Efficient and Reliable Program Execution Harry Xu CS 295 Winter 2012.

Runtime Techniques for Efficient and Reliable Program Execution Harry Xu CS 295 Winter 2012.
Ditto: Speeding Up Runtime Data Structure Invariant Checks AJ Shankar and Ras Bodik UC Berkeley.

Ditto: Speeding Up Runtime Data Structure Invariant Checks AJ Shankar and Ras Bodik UC Berkeley.
Mining Specifications Glenn Ammons, Dept. Computer Science University of Wisconsin Rastislav Bodik, Computer Science Division University of California,

Mining Specifications Glenn Ammons, Dept. Computer Science University of Wisconsin Rastislav Bodik, Computer Science Division University of California,
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Identification of Distributed Features in SOA Anis Yousefi, PhD Candidate Department of Computing and Software McMaster University July 30, 2010 1.

Identification of Distributed Features in SOA Anis Yousefi, PhD Candidate Department of Computing and Software McMaster University July 30,
Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.

Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.

Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.
Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.

Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.

Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Chapter 2- Visual Basic Schneider1 Chapter 2 Problem Solving.

Chapter 2- Visual Basic Schneider1 Chapter 2 Problem Solving.
Bug Isolation via Remote Program Sampling Ben Liblit, Alex Aiken, Alice X.Zheng, Michael I.Jordan Presented by: Xia Cheng.

Bug Isolation via Remote Program Sampling Ben Liblit, Alex Aiken, Alice X.Zheng, Michael I.Jordan Presented by: Xia Cheng.
Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:

Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

Similar presentations

Ads by Google