Source: aldrich/courses/654-sp06/slides/tools-day-2.pdf
TRANSCRIPT
Analysis of Software Artifacts - Spring 2006
JSAT (Java Safety Analysis Tool)
Team THEORACTICE: Sangjin Han, Kangwoon Hong, Hyungchoul Kim, Andrew O. Mellinger
Project Presentation, 17-654: Analysis of Software Artifacts
Agenda
• Introduction
• Background
• Benefits
• Specification Syntax
• Experiment & Result
• Why JSAT?
• Future Work
Introduction to JSAT
• Built on Crystal2 framework
• Analyze Java source code statically
• Check temporal safety properties (i.e., check that a method implementation conforms to its specification)
• Modifiable and redistributable (royalty-free…)
The JSAT System
Java source code (*.java files) and a specification (*.sm files) are fed to the syntax analyzer, then to the parser + safety checker (JSAT), which outputs True or False.
Theoretical Background
• Dataflow analysis
• Finite state machine
• Modular reasoning
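These three ideas fit together: a temporal safety property is a finite state machine over method-call events, and an analysis tracks the machine's state through the code. A minimal illustrative sketch (our own, not JSAT's actual implementation) of checking a lock/unlock protocol over an event trace:

```java
import java.util.List;

public class FsmSketch {
    enum State { UNLOCKED, LOCKED, ERROR }

    // One transition of a hypothetical lock-protocol FSM.
    static State step(State s, String event) {
        switch (event) {
            case "lock":   return s == State.UNLOCKED ? State.LOCKED   : State.ERROR;
            case "unlock": return s == State.LOCKED   ? State.UNLOCKED : State.ERROR;
            default:       return s; // irrelevant events leave the state unchanged
        }
    }

    // True if the whole event trace conforms to the protocol.
    static boolean conforms(List<String> trace) {
        State s = State.UNLOCKED;
        for (String e : trace) {
            s = step(s, e);
            if (s == State.ERROR) return false;
        }
        return s == State.UNLOCKED; // must end with the lock released
    }

    public static void main(String[] args) {
        System.out.println(conforms(List.of("lock", "write", "unlock"))); // true
        System.out.println(conforms(List.of("unlock")));                  // false
    }
}
```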
Benefits
• Easier than coding your own analysis from scratch.
• Specifications can be kept in separate files (i.e., no access to the source code is needed).
• Can track any number of variables or functions easily.
• Specifications are lightweight and easy to write (terms are based on UML statechart diagrams).
Core Specification Syntax (1)

    StateVariable ::= a
                   |  a, StateVariable
    Event         ::= Pattern, Guard
                   |  Pattern, Action
                   |  Pattern, Guard, Action
    Pattern       ::= MethodInvocation
    Guard         ::= Predicate
                   |  Predicate && Guard
Core Specification Syntax (2)

    Predicate  ::= a == e | a != e
                |  a < e  | a > e | a <= e | a >= e
    Action     ::= Assignment
                |  Assignment, Action
    Assignment ::= a = e
    e          ::= a | c

    (a: state variable, c: constant value)
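A guard in this syntax is a predicate comparing a state variable a against an expression e, as in lockStatus == 0. A toy evaluator of such predicates against an environment of state-variable values (illustrative only; the names are ours, not JSAT's):

```java
import java.util.Map;

public class GuardEval {
    // Evaluates a single predicate "var op value" in the given environment.
    static boolean eval(String var, String op, int value, Map<String, Integer> env) {
        int a = env.get(var);
        switch (op) {
            case "==": return a == value;
            case "!=": return a != value;
            case "<":  return a <  value;
            case ">":  return a >  value;
            case "<=": return a <= value;
            case ">=": return a >= value;
            default: throw new IllegalArgumentException("unknown operator " + op);
        }
    }

    public static void main(String[] args) {
        Map<String, Integer> env = Map.of("lockStatus", 0);
        System.out.println(eval("lockStatus", "==", 0, env)); // true
    }
}
```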
Experiment & Result

LockUnlock.sm (Specification):

    global int lockStatus = 0;
    event {
        pattern { smInit(); }
        action  { lockStatus = 0; }
    }
    event {
        pattern { smLock(); }
        guard   { lockStatus == 0 }
        action  { lockStatus = 1; }
    }
    event {
        pattern { smUnlock(); }
        guard   { lockStatus == 1 }
        action  { lockStatus = 0; }
    }

Device.java (Java source code):

    public class Device {
        int nPackets;

        public Device(int i) {
            nPackets = i;
        }

        public void doWork() {
            smInit();
            if (nPackets >= 1) {
                smLock();
                smWritePacket();
                smUnlock();
            }
        }
    }

JSAT result: TRUE
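The verdict can be reproduced by hand-simulating the specification's events over the call sequence in doWork(). A sketch of that simulation (ours, not JSAT's machinery; smWritePacket() matches no event pattern, so it is ignored):

```java
public class SpecSimulation {
    static int lockStatus;     // the spec's global state variable
    static boolean ok;         // false once a guard is violated

    static void smInit()   { lockStatus = 0; }
    static void smLock()   { if (lockStatus == 0) lockStatus = 1; else ok = false; }
    static void smUnlock() { if (lockStatus == 1) lockStatus = 0; else ok = false; }

    // Returns true when the doWork() trace conforms to the specification.
    static boolean checkDoWork(int nPackets) {
        ok = true;
        smInit();
        if (nPackets >= 1) {
            smLock();
            // smWritePacket() would go here; it triggers no spec event
            smUnlock();
        }
        return ok;
    }

    public static void main(String[] args) {
        System.out.println(checkDoWork(3)); // true, matching JSAT's TRUE
        System.out.println(checkDoWork(0)); // also true: the lock is never taken
    }
}
```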
Why JSAT?

Candidate tools: ESC/Java, Fluid, PREfix, Metal, Fugue, Daikon, Echelon, Blast, JSAT

• Can analyze Java source code? [YES] → ESC/Java, Fluid, JSAT
• Can analyze statically? [YES] → ESC/Java, Fluid, JSAT
• Is the annotation separate from the source code? [YES] → JSAT
Future Work
• Extend pattern type
• Accept more complex predicates
• Allow symbolic state
Application of Eclat
Team Serendipity: Majid AlMeshari, Lucia de Lascurain, Steven Lawrance, Ricardo Vazquez, Hyunwoo Kim
Project Presentation, 17-654: Analysis of Software Artifacts
Agenda
• Motivation
• How does Eclat work?
• Our Studio project
• Our experiments
• Analysis of experimental data
• Lessons learned
• Next steps
• Questions
Motivation
• Writing test cases manually
  • is time-consuming
  • requires a deep understanding of the system's invariants
• Eclat generates test cases automatically by discovering the system's invariants
How does Eclat work? (1)
How does Eclat work? (2)
Our Studio project
• Objective: calculate security sensor positions in a 3D blueprint to maximize coverage and follow security rules.
• To design our architecture, we developed experiments that calculate the coverage of sensors.
• We used this code to evaluate Eclat, as it is representative of our project.
Our Experiments
• Injected five defects into our code:
  • Incorrect variable assignment
  • Incorrect guard, e.g. if (y < z_size)
  • Protocol violation
  • Incorrect parameter assignment
  • Off-by-one problem
• Experiments:
  • Run Eclat with partial test cases
  • Run Eclat with full test cases
  • Code review
Sample: Off-by-one problem (1)
• Fault-injected source code:

    vox = (Voxel) enu.nextElement();
    while (enu.hasMoreElements()) {
        if (vox.getRed() == red && vox.getGreen() == green &&
                vox.getBlue() == blue && vox.getAlpha() == alpha)
            volume++;
        vox = (Voxel) enu.nextElement();
    }
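The injected fault never tests the last element fetched, and the initial nextElement() call also throws on an empty enumeration. A self-contained sketch contrasting the buggy shape with a fixed version; the Voxel stand-in and its accessors are our assumptions, not the project's actual classes:

```java
import java.util.Enumeration;
import java.util.Vector;

public class VolumeFix {
    // Minimal stand-in for the project's Voxel class (names assumed).
    record Voxel(int red, int green, int blue, int alpha) {}

    // Buggy shape from the slide: the last voxel fetched is never tested.
    static int volumeBuggy(Vector<Voxel> voxels, int r, int g, int b, int a) {
        int volume = 0;
        Enumeration<Voxel> enu = voxels.elements();
        Voxel vox = enu.nextElement(); // also throws on an empty voxel space
        while (enu.hasMoreElements()) {
            if (vox.red() == r && vox.green() == g && vox.blue() == b && vox.alpha() == a)
                volume++;
            vox = enu.nextElement();
        }
        return volume;
    }

    // Fix: guard every fetch with hasMoreElements(), so the last voxel is
    // tested too and an empty space yields 0 instead of an exception.
    static int volumeFixed(Vector<Voxel> voxels, int r, int g, int b, int a) {
        int volume = 0;
        Enumeration<Voxel> enu = voxels.elements();
        while (enu.hasMoreElements()) {
            Voxel vox = enu.nextElement();
            if (vox.red() == r && vox.green() == g && vox.blue() == b && vox.alpha() == a)
                volume++;
        }
        return volume;
    }

    public static void main(String[] args) {
        Vector<Voxel> vs = new Vector<>();
        vs.add(new Voxel(248, 40, 241, 128));
        vs.add(new Voxel(248, 40, 241, 128));
        System.out.println(volumeBuggy(vs, 248, 40, 241, 128)); // 1 (off by one)
        System.out.println(volumeFixed(vs, 248, 40, 241, 128)); // 2 (correct)
    }
}
```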
Sample: Off-by-one problem (2)
• Input test case (arguments: (r, g, b, a) color, then (x, y, z) coordinate):

    VoxelSpace voxelSpace = new VoxelSpace(2, 2, 2, 2.2);
    voxelSpace.color(248, 40, 241, 128, 0, 0, 0);
    voxelSpace.color(248, 40, 241, 128, 0, 0, 1);
    voxelSpace.color(248, 40, 241, 128, 1, 0, 0);
    voxelSpace.color(248, 40, 241, 128, 1, 0, 1);
    voxelSpace.color(248, 40, 241, 128, 0, 1, 0);
    … // nothing that affects (248, 40, 241, 128)'s coordinates
    voxelSpace.color(248, 40, 240, 128, 0, 1, 0);
    assertTrue(voxelSpace.getVolume(248, 40, 241, 128) == 4);

• Result: assertion failure
Sample: Off-by-one problem (3)
• Eclat-generated test case:

    cmu.voxeltoy.VoxelSpace var180 = new cmu.voxeltoy.VoxelSpace(2, 2, 1, (double) -5.0);
    … // nothing that sets a voxel's color
    int var422 = var180.getVolume(0, 0, 0, 0);

• Result: NoSuchElementException
Sample: Off-by-one problem (4)
• Manually-constructed test case: found the case where the returned volume is off by one due to the failure to include the last voxel
• Eclat-generated test case: found the case where an empty voxel space throws an exception instead of returning zero
• Eclat found a test case that a seemingly comprehensive test suite missed
Analysis of Experimental Data
                            Eclat:              Eclat:           Code
                            partial test cases  full test cases  review
    Input test cases        2                   10               N/A
    Generated test cases    29                  85               N/A
    False positives         0                   1                0
    False negatives         2                   0                2
    Unexpected errors found 4                   4                0
Bugs Found by Eclat
• Fault-revealing inputs
  • Important for making our project robust and scalable.
  • Example: in the getVolume() method, we weren't checking that the inputs were positive and not null.
• Order of calls
  • Example: if getVolume() is called before any voxel is created by calling color(), an exception is thrown.
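Both findings point to guard clauses at the top of getVolume(). A hypothetical sketch; the signature, the flat voxel representation, and the validation policy are our assumptions, not the project's actual API:

```java
import java.util.Vector;

public class GuardSketch {
    // Each voxel is a 4-element {r, g, b, a} array (simplified stand-in).
    static int getVolume(Vector<int[]> voxels, int r, int g, int b, int a) {
        if (voxels == null)
            throw new IllegalArgumentException("voxel space must not be null");
        if (r < 0 || g < 0 || b < 0 || a < 0)
            throw new IllegalArgumentException("color components must be non-negative");
        if (voxels.isEmpty())
            return 0; // calling before color() created any voxel is now well-defined
        int volume = 0;
        for (int[] v : voxels)
            if (v[0] == r && v[1] == g && v[2] == b && v[3] == a)
                volume++;
        return volume;
    }

    public static void main(String[] args) {
        System.out.println(getVolume(new Vector<>(), 0, 0, 0, 0)); // 0, no exception
    }
}
```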
Lessons learned (1)
• Benefits
  • Saves the tester's time by generating extensive test cases
  • Finds common errors that a developer overlooks, such as null dereferences
  • Explores an extensive set of inputs
  • Checks program invariants
  • Shortens the test process by selecting an optimized set of test cases
Lessons learned (2)
• Drawbacks
  • Dependence on the coverage of the input test cases
  • Analyzing the outputs takes a long time due to the number of test cases generated
  • False positives due to imprecise discovery of invariants
Conclusion
• A good combination of analysis techniques and traditional testing techniques
• Very useful for software engineers like us
• The output may be hard to understand for testers with no knowledge of invariants and pre- and post-conditions
Next steps
• Will we continue using Eclat? Yes.
• Why?
  • It creates test cases that cover combinations of inputs that we might miss in code reviews or our own test cases.
  • It finds invariants in our code.
Questions?
Daikon: Invariant Detection of NEMO
Team Architectability: MinHo Jeung, Kyu Hou, Varun Dutt, Eun-young Cho, Monica Page
Project Presentation, 17-654: Analysis of Software Artifacts
Contents

• NEMO's Group Management
• How does Daikon work?
• What Daikon does & does not do
• Daikon & Group Management
• Evaluation: Precision, Soundness, Performance & Static (ESC/Java) vs. Dynamic (Daikon) Analysis
• The Bottom Line: Use of Daikon on NEMO?
NEMO's Group Management

(Diagram: a client joins the group over the Internet via routers. Join sequence: request for join → the server informs the nearest node → request for join → the nearest node accepts the request. Legend: client, server, network connection, router, request for join, reply.)
How does Daikon Work?

• Run NEMO under the Chicory front end to record a data trace (test runs used port nos. 1045-1050):

    java daikon.Chicory MulticastAgent    → MulticastAgent.dtrace.gz

• Run Daikon on the trace to infer invariants:

    java daikon.Daikon MulticastAgent.dtrace.gz    → chicory.inv.gz

• Allocation view? Deployment style??

* Picture is taken from MIT's Daikon website
What Daikon Does & Does Not Do

• Daikon does not…
  • Report bugs in your code
  • Report errors
  • Report defects (according to Pressman, defects are reported by customers and errors are found by developers!)
• Daikon does…
  • Provide pre- and post-conditions in terms of invariants
  • Execute the code based on test cases
  • Detect invariants at runtime
  • Allow program annotation (only for single-package Java programs)
Daikon and Group Management

• Node configuration (diagram of clusters, nodes, links, and layers; legend: O leader, ▲ co-leader, element)
• Invariants reported:

    this.config.degree == this.config.crewSize
    this.config.degree == this.nodeId.id.id[this.config.numStreams]
Evaluation: Precision

• Precision, or confidence
  • Invariants are determined based on test cases
  • NEMO: port numbers 1045-1050
    • Did the test cases ensure the quality of the invariants detected?
    • Did the test cases ensure full code coverage?
• Invariants are empirical, and may not show the true picture
  • NEMO: the "degree" cases had false-positive results:

      this.config.degree == this.config.crewSize
      this.config.degree == this.nodeId.id.id[this.config.numStreams]

• Invariants become more precise as the number of relevant test cases increases
  • Relevant test cases: test cases with more code coverage, and test cases greater in number
• Could more invariants have been detected? Did the test cases find all of them? (Very difficult to say…)
Evaluation: Soundness

• There may be false negatives: if the test cases do not cover a section of code, no invariants are detected in that section. Unsound!
  • NEMO: covered 1 out of 3 cases and thus produced invariants only for that case; the Join and Leave invariants may still be unsound
• The invariant templates may not be enough for the covered section of code; one may need to define custom invariants
  • NEMO: time did not allow us to do so!
Evaluation: Static (ESC/Java) vs. Dynamic (Daikon)

• Static (ESC/Java): sound
  • Statically check the code and annotate it
  • Reason about all possible executions without observation
  • NEMO: not feasible for the entire NEMO code base (~1.3 MB)
• Dynamic (Daikon): unsound
  • Capture invariants from variable traces of test cases
  • NEMO: feasible, as Daikon executes NEMO, but the results may be unsound
Bottom Line: Use of Daikon on NEMO?

• Moderately helpful:
  • It let the team test the Multicast Protocol Project, NEMO
  • The discovered invariants increased our understanding of NEMO
• However:
  • The test cases may not have provided good code coverage
  • The team finds Daikon lukewarm for this analysis, on account of its unsound character, on a project with stiff performance requirements
Questions?
Performance
• Time = O((|vars|³ × falsetime + |trueinvs| × |testsuite|) × |program|)

  vars:      number of variables at a program point
  falsetime: small constant time to falsify a potential invariant
  trueinvs:  small number of true invariants
  testsuite: size of the test suite
  program:   number of instrumented program points
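For intuition, plugging sizes into the bound shows the cubic |vars| term dominating the cost at each program point. All numbers below are invented for illustration:

```java
public class CostSketch {
    // Evaluates (|vars|^3 * falsetime + |trueinvs| * |testsuite|) * |program|.
    static long bound(long vars, long falsetime, long trueinvs, long testsuite, long program) {
        return (vars * vars * vars * falsetime + trueinvs * testsuite) * program;
    }

    public static void main(String[] args) {
        // 10 variables per point, unit falsification cost, 5 true invariants,
        // a 100-run test suite, 50 instrumented program points.
        System.out.println(bound(10, 1, 5, 100, 50)); // (1000 + 500) * 50 = 75000
    }
}
```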