Embed Size (px)
Citation preview
What Went Wrong?
Alex GroceCarnegie Mellon University
Willem VisserNASA Ames Research Center
Java PathFinder
void add(Object o) { buffer[head] = o; head = (head+1)%size;}
Object take() { … tail=(tail+1)%size; return buffer[tail];}
Java Code
JAVAC JVM
0: iconst_01: istore_22: goto #395: getstatic 8: aload_09: iload_210: aaload
Bytecode
Special JVM
Model Checker
Counterexamples
• When the model checker finds a bug, it reports a counterexample.
• However, even an exact trace of the program failing is not what we really want for most bugs.
Counterexamples
• How can we get more information from a counterexample?
– Perhaps if we had some successful runs to compare to, or other failing runs in which to look for common elements…
• A common way of debugging by hand
• Except we can automate it using the model checker
Counterexamples
The Error
Counterexamples
“The Error”
Real cause
Counterexamples
“The Error”
Real cause
• Idea: generate other traces that can give you more information about what is going wrong.
• How?
Positives and Negatives
Real cause
assert (x < 5);
(and x = 8)
“The Error”
Positives and Negatives
“The Error”
Real cause
Same location, same error:NEGATIVE (-)
Real cause
assert (x < 5);
(and x = 10)
An Error
assert (x < 5);
(and x = 8)
Positives and Negatives
Real cause
Same control flow location,no error condition:
POSITIVE (+)
Same location, same error:NEGATIVE (-)
Real cause
assert (x < 5);
(and x = 3)assert (x < 5);
(and x = 10)
“The Error” An Error
assert (x < 5);
(and x = 8)
No Error
The Basic Search
“The Error”
Real cause
The Basic Search
Real cause
The Basic Search
Real cause
The Basic Search
Real cause
The Basic Search
Real cause
The Basic Search
Real cause
The Basic Search
Real cause
The Basic Search
The Basic Search
The Basic Search
The Basic Search
The Search in Detail
“The Error”
Real cause
Depth limit
Positives Negatives
The Search
“The Error”
Real cause
Depth limit
Alreadyvisited
Positives Negatives
The Search
“The Error”
Real cause
Depth limit
Positives Negatives
The Search
“The Error”
Real cause
Depth limit
Positives Negatives
“push-through”
The Search
“The Error”
Real cause
Depth limit
Alreadyvisited
Positives Negatives
After the Search
“The Error”
Real cause
• Positives that are prefixes of some negative are removed
• While negatives are a true subset of complete negatives, positives are an approximation based on observed behavior
• This can be useful: in some reactive systems, every trace can be extended into an error trace
Analysis of the Traces
Now what do we do with these?
• Report on code that appears – only in positives/negatives– in all positives/negatives– only and all positives/negatives (causal)
• Transform positives into negatives• Find difference in invariants across positives and negatives
Positives Negatives
Analysis by Code Lines
• For our example trace, the line(s) in the real cause will be:– in all negative traces and – only appear in negative traces– thus will be identified as genuine cause
• Includes which thread executed the code and any nondeterministic choices made
• Can custom define equivalences to allow for looser definition of “the same code”
“The Error”
Real cause
Automaticallyidentified
Common Ground
“The Error”
Real cause
(Can set a minimum shared prefixor suffix size)
Shared prefix
Shared suffix(control flow only)
Transformation“How to make it break”
Transformation Analysis
• Sorted so that minimal way to break (transformation from each positive to nearest negative) is identified
• Rerun code line analysis over transformation code only (very useful in some cases)
• Can identify type of error:– If any positive can be transformed into a negative by
only altering thread scheduling, the error is essentially concurrency based
Invariant Differences
• Pick certain control locations at which to observe data values in our traces
• Run a dynamic invariant detection algorithm to compute invariants across these locations for all negatives and then all positives
• Compare the discovered invariants
A Stack Examplepublic IntStack (int s) { stack = new int[s]; top = 0;}
public void push (int i) { stack[top++] = i;}
public int pop () { top--; return stack[top];}
A Stack Examplepublic IntStack (int s) { stack = new int[s]; top = 0;}
public void push (int i) { stack[top++] = i;}
public int pop () { top--; return stack[top];}
A simple stack with an interfacethat initializes the stack to a randommaximum size then randomlypushes and pops data.
A Stack Examplepublic IntStack (int s) { stack = new int[s]; top = 0;}
public void push (int i) { stack[top++] = i;}
public int pop () { top--; return stack[top];}
A simple stack with an interfacethat initializes the stack to a randommaximum size then randomlypushes and pops data.
ORIGINAL COUNTEREXAMPLE:Stack overflow for stack size 1(array out of bounds on stack)
A Stack Examplepublic IntStack (int s) { stack = new int[s]; top = 0;}
public void push (int i) { stack[top++] = i;}
public int pop () { top--; return stack[top];}
A simple stack with an interfacethat initializes the stack to a randommaximum size then randomlypushes and pops data.
ORIGINAL COUNTEREXAMPLE:Stack overflow for stack size 1(array out of bounds on stack)
Run analysis with a search depth of 50 and compute invariants.
A Stack Example
Code line analysis
Code in the push method appears in all negatives.
public IntStack (int s) { stack = new int[s]; top = 0;}
public void push (int i) { stack[top++] = i;}
public int pop () { top--; return stack[top];}
A Stack Example
Invariant analysis
For positives, on entry to the push method, this invariant holds:
stack.length > top
For negatives, however the invariant is:
stack.length >= top
public IntStack (int s) { stack = new int[s]; top = 0;}
public void push (int i) { stack[top++] = i;}
public int pop () { top--; return stack[top];}
A Stack Example
Transformations from positive to negative
Change stack size from 3 to 1
…
Change stack size from 4 to 2
Insert a push
…
Remove a pop
…
public IntStack (int s) { stack = new int[s]; top = 0;}
public void push (int i) { stack[top++] = i;}
public int pop () { top--; return stack[top];}
DEOS Error Analysis
• DEOS– Real time operating system– Allows threads to be created and deleted– Has time budgets for various threads
DEOS Error Analysis
• DEOS– Real time operating system– Allows threads to be created and deleted– Has time budgets for various threads
• Original counterexample– Assertion about the time budget of a thread fails
DEOS Error Analysis
• DEOS– Real time operating system– Allows threads to be created and deleted– Has time budgets for various threads
• Original counterexample– Assertion about the time budget of a thread fails
• Run analysis with size limit of 10
DEOS Error Analysis
Transformations
Change a wait until next period into a thread deletionInsert an interrupt and system clock ticks (before a deletion already in the positive)Change a wait until next period into an interrupt and system clock ticks and afterwards a deletion…
The DEOS error requires deletion (which appears in the set of code found in all negatives) but also relies upon specific timing, as indicated by the transformations.
Related Work
• “Fate and Free Will in Error Traces” (TACAS 02)
• SLAM group independently investigated very similar concepts this summer (submitted to POPL)– Approach quite similar in spirit, lacks invariants and
transformation approaches, but has some niceties with respect to source code analysis
• Andreas Zeller: work on isolating error-causing thread schedules and cause-effect chains
Future Work
• More efficient algorithms for generation of the traces (try bounded model checking)
• Different approaches to analysis:– Generation of automata– Characterization of error classes– Checking of causality…
