Ongoing projects in the Program Analysis Group

Marcelo d’Amorim

Informatics Center, Federal University of Pernambuco (UFPE)

Belo Horizonte, MG-Brazil, UFMG, 2010

Our approach is to explore best of each verification technique.

Our goal is to find errors in software as opposed to prove their correctness.

http://pan.cin.ufpe.br

Student members

Elton is a first year MS student interested in automated debugging

* MS=Master Student, URI=Undergraduate Research Initiation.

Student members

Mateus Borges and Matheus Souza are URI students interested in constraint solving for automated testing

* MS=Master Student, URI=Undergraduate Research Initiation.

Active projects Improved precision for lightweight debugging

Elton Alves (MS) Improved solving of complex constraints

Mateus Borges and Matheus Souza (URI) Other projects…

Goal of this talk is to present our

areas of interest and approach

Improved precision for lightweight debugging

People involved: Elton Alves (UFPE) Milos Gligoric, and Vilas

Jagananth (University of Illinois)

Context and Problem Context

Debugging is important. Manual debugging is time-consuming.

Lightweight debugging (LD) has been proposed to complement precise but more expensive automated debuggers (e.g., DD)

Problem Lightweight debugging can be rather imprecise

Precision measured with

number of statements the user needs to

inspect.

Quick outlook: TARANTULA* Identify which

statements contribute more to failures

These statements

appear relatively more in failing runs than in

passing

* J. Jones et al. Empirical Evaluation of test information to assist fault localization. ICSE 2002.

Quick outlook: TARANTULA Identify which

statements contribute more to failures

These statements

appear relatively more in failing runs than in

passing

Precision of debugging

measured with the position of *

in this rank

Observation Two approaches to improve precision of LD

Use evolution information Discard statements

covered but unrelated to bug

Filter changed code (lossy)

Observation Two approaches to improve precision of LD

Use evolution information Discard statements

covered but unrelated to bug

Dynamic slice the code (sound)

Filter changed code (lossy)

Quick outlook: Dynamic Slicing* Identify which statements influence the

evaluation of variables at specific points

* Agrawal and Horgan. Dynamic Progam Slicing. PLDI 1990.

class Foo { int x,y,z; .. void method bar() { if (x > y) { y = 20; z = 10; } }}

@Testvoid test() { Foo foo = new Foo(10,5); foo.bar(); assert(foo.z > 10);}

class Foo { .. void method bar() { if (x > y) { y = 20; z = 10; } }}

Proposal Change-aware forward slicing

computation A statement is related if it appears in the slice. It

is relevant if it is related and depends on changed code.

Number of lines

Approach: Modify Forward Dynamic Slicing A set is relevant only if it depends on a modified

location Set union can ignore irrelevant sets!

covered (baseline) > related >relevant

Improved solving of complex constraints

People involved: Mateus Borges and

Matheus Souza (UFPE) Corina Pasareanu

(NASA/CMU)

Context and Problem Context

Symbolic execution (SE) Problem

Execution

engine

foo($x)

Solverfoo(10)

foo(0)

foo(int x) { x = x + 1; if (x > 10) { // PC: $x + 1 > 10 } else { // PC: $x + 1 <= 10 }}

PC: $x + 1 > 10

PC: $x + 1 <= 10

Context and Problem Context

Symbolic execution (SE) Problem

Execution

engine

foo($x)

Solver foo(?)foo(?)

foo(double x) { x = x + 1; if (x > Math.pow(Math.sin(x),2)){ // PC: $x + 1>($x + 1)^2 } else { // PC: $x + 1<=($x + 1)^2 }}

PC: $x + 1 > sin($x + 1)^2

PC: $x + 1 <= sin($x + 1)^2

Context and Problem Context

Symbolic execution (SE) Problem

Inability to deal with complex constraints!

Execution

engine

foo($x)

Solver foo(?)foo(?)

foo(double x) { x = x + 1; if (x > Math.pow(Math.sin(x),2)){ // PC: $x + 1>($x + 1)^2 } else { // PC: $x + 1<=($x + 1)^2 }}

PC: $x + 1 > sin($x + 1)^2

PC: $x + 1 <= sin($x + 1)^2

constraints are non-linear and use mathematical functions!

Proposal Use heuristic search to find solutions to path

constraints Path constraint: AND [b1,…, bn] Fitness function: weighted sum of clause scores

Score measures distance to satisfaction. Range is 0.0..1.0.

Status Particle Swarm Optimization search performed

best Compared CORAL with CVC3, Choco, and Yices Two case studies from NASA Integrated with NASA’s Symbolic PathFinder

Future Projects Evaluation of set implementations for dynamic

slicing Interactive constraint solving FindBugs + Java PathFinder Static Symbolic Execution

New Recife

• ~1.5 million people• ~77F (25C) avg. temp.• Intl. airport with flights to major cities

Old Recife

Informatics Center (CIn) on Federal University of Pernambuco (UFPE)

http://pan.cin.ufpe.br