automatic generation of program specifications
play

Automatic Generation of Program Specifications Jeremy Nimmer MIT - PowerPoint PPT Presentation

Apr 05, 2023 •188 likes •485 views

Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science http://pag.lcs.mit.edu/ Joint work with Michael Ernst Jeremy Nimmer, page 1 Synopsis Specifications are useful for many tasks Use of specifications

  1. Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science http://pag.lcs.mit.edu/ Joint work with Michael Ernst Jeremy Nimmer, page 1

  2. Synopsis Specifications are useful for many tasks • Use of specifications has practical difficulties Dynamic analysis can capture specifications • Recover from existing code • Infer from traces • Results are accurate (90%+) • Specification matches implementation Jeremy Nimmer, page 2

  3. Outline • Motivation • Approach: Generate and check specifications • Evaluation: Accuracy experiment • Conclusion Jeremy Nimmer, page 3

  4. Advantages of specifications • Describe behavior precisely • Permit reasoning using summaries • Can be verified automatically Jeremy Nimmer, page 4

  5. Problems with specifications • Describe behavior precisely • Tedious and difficult to write and maintain • Permit reasoning using summaries • Must be accurate if used in lieu of code • Can be verified automatically • Verification may require uninteresting annotations Jeremy Nimmer, page 5

  6. Solution Automatically generate and check specifications from the code Code Specification Generator myStack.isEmpty() = false myStack.push(elt); Proof Checker Q.E.D. Jeremy Nimmer, page 6

  7. Solution scope • Generate and check “complete” specifications • Very difficult • Generate and check partial specifications • Nullness, types, bounds, modification targets, ... • Need not operate in isolation • User might have some interaction • Goal: decrease overall effort Jeremy Nimmer, page 7

  8. Outline • Motivation • Approach: Generate and check specifications • Evaluation: Accuracy experiment • Conclusion Jeremy Nimmer, page 8

  9. Previous approaches Code Generation: Specification Generator myStack.push(elt); myStack.isEmpty() = false • By hand Proof Checker • Static analysis Q.E.D. Checking • By hand • Non-executable models Jeremy Nimmer, page 9

  10. Our approach Code Specification Generator myStack.push(elt); myStack.isEmpty() = false Proof Checker Q.E.D. • Dynamic detection proposes likely properties • Static checking verifies properties • Combining the techniques overcomes the weaknesses of each • Ease annotation • Guarantee soundness Jeremy Nimmer, page 10

  11. Daikon: Dynamic invariant detection Original Instrumented program program Data trace Invariants database Detect Instrument Run invariants Test suite Look for patterns in values the program computes: • Instrument the program to write data trace files • Run the program on a test suite • Invariant detector reads data traces, generates potential invariants, and checks them Jeremy Nimmer, page 11

  12. ESC/Java: Invariant checking • ESC/Java: Extended Static Checker for Java • Lightweight technology: intermediate between type-checker and theorem-prover; unsound • Intended to detect array bounds and null dereference errors, and annotation violations /*@ requires x != null */ /*@ ensures this.a[this.top] == x */ void push(Object x); • Modular: checks, and relies on, specifications Jeremy Nimmer, page 12

  13. Integration approach Code Specification Daikon myStack.push(elt); myStack.isEmpty() = false Proof ESC/Java Q.E.D. Run Daikon over target program Insert results into program as annotations Run ESC/Java on the annotated program All steps are automatic. Jeremy Nimmer, page 13

  14. Stack object invariants public class StackAr { Object[] theArray; theArray A E I O U Y int topOfStack; topOfStack /*@ invariant theArray != null; invariant theArray != null; invariant \typeof(theArray) == \type(Object[]); invariant \typeof(theArray) == \type(Object[]); invariant topOfStack >= -1; invariant topOfStack >= -1; invariant topOfStack < theArray.length; invariant topOfStack < theArray.length; invariant theArray[0..topOfStack] != null; invariant theArray[0..topOfStack] != null; invariant theArray[topOfStack+1..] == null; invariant theArray[topOfStack+1..] == null; */ ... Jeremy Nimmer, page 14

  15. Stack push method theArray A E I O U Y W topOfStack /*@ requires x != null; /*@ requires x != null; requires topOfStack < theArray.length - 1; requires topOfStack < theArray.length - 1; modifies topOfStack, theArray[*]; modifies topOfStack, theArray[*]; ensures topOfStack == \old(topOfStack) + 1; ensures topOfStack == \old(topOfStack) + 1; ensures x == theArray[topOfStack]; ensures x == theArray[topOfStack]; ensures theArray[0..\old(topOfStack)]; ensures theArray[0..\old(topOfStack)]; == \old(theArray[0..topOfStack]); */ == \old(theArray[0..topOfStack]); */ public void push( Object x ) { ... } Jeremy Nimmer, page 15

  16. Stack summary • ESC/Java verified all 25 Daikon invariants • Reveal properties of the implementation (e.g., garbage collection of popped elements) • No runtime errors if callers satisfy preconditions • Implementation meets generated specification Jeremy Nimmer, page 16

  17. Outline • Motivation • Approach: Generate and check specifications • Evaluation: Accuracy experiment • Conclusion Jeremy Nimmer, page 17

  18. Accuracy experiment • Dynamic generation is potentially unsound • How accurate are its results in practice? • Combining static and dynamic analyses should produce benefits • But perhaps their domains are too dissimilar? Jeremy Nimmer, page 18

  19. Programs studied • 11 programs from libraries, assignments, texts • Total 2449 NCNB LOC in 273 methods • Test suites • Used program’s test suite if provided (9 did) • If just example calls, spent <30 min. enhancing • ~70% statement coverage Jeremy Nimmer, page 19

  20. Accuracy measurement • Compare generated specification to a verifiable specification invariant theArray != null; invariant topOfStack >= -1; invariant topOfStack < theArray.length; invariant theArray[0..length-1] == null; invariant theArray[0..topOfStack] != null; invariant theArray[topOfStack+1..] == null; • Standard measures from info ret [Sal68, vR79] • Precision (correctness) : 3 / 4 = 75% • Recall (completeness) : 3 / 5 = 60% Jeremy Nimmer, page 20

  21. Experiment results • Daikon reported 554 invariants • Precision: 96 % of reported invariants verified • Recall: 91 % of necessary invariants were reported Jeremy Nimmer, page 21

  22. Causes of inaccuracy • Limits on tool grammars • Daikon: May not propose relevant property • ESC: May not allow statement of relevant property • Incompleteness in ESC/Java • Always need programmer judgment • Insufficient test suite • Shows up as overly-strong specification • Verification failure highlights problem; helpful in fixing • System tests fared better than unit tests Jeremy Nimmer, page 22

  23. Experiment conclusions • Our dynamic analysis is accurate • Recovered partial specification • Even with limited test suites • Enabled verifying lack of runtime exceptions • Specification matches the code • Results should scale • Larger programs dominate results • Approach is class- and method-centric Jeremy Nimmer, page 23

  24. Value to programmers Generated specifications are accurate • Are the specifications useful? • How much does accuracy matter? • How does Daikon compare with other annotation assistants? Answers at FSE'02 Jeremy Nimmer, page 24

  25. Outline • Motivation • Approach: Generate and check specifications • Evaluation: Accuracy experiment • Conclusion Jeremy Nimmer, page 25

  26. Conclusion • Specifications via dynamic analysis • Accurately produced from limited test suites • Automatically verifiable (minor edits) • Specification characterizes the code • Unsound techniques useful in program development Jeremy Nimmer, page 26

  27. Questions? Jeremy Nimmer, page 27

  28. Formal specifications • Precise, mathematical desc. of behavior [LG01] • (Another type of spec: requirements documents) • Standard definition; novel use • Generated after implementation • Still useful to produce [PC86] • Many specifications for a program • Depends on task • e.g. runtime performance Jeremy Nimmer, page 28

  29. Effect of bugs • Case 1: Bug is exercised by test suite • Falsifies one or more invariants • Weaker specification • May cause verification to fail • Case 2: Bug is not exercised by test suite • Not reflected in specification • Code and specification disagree • Verifier points out inconsistency Jeremy Nimmer, page 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus, Cristian Cadar Department of Computing Imperial College London if (x &gt; 2294967295) { assert(false); } printf(&quot;x:

1.08k views • 45 slides
Eclat: Automatic Generation and Classification of Test Inputs Carlos Pacheco and Michael Ernst

Eclat: Automatic Generation and Classification of Test Inputs Carlos Pacheco and Michael Ernst

Eclat: Automatic Generation and Classification of Test Inputs Carlos Pacheco and Michael Ernst Program Analysis Group MIT The Problem Suppose you have a program that works It passes an existing test suite Its observable behavior

812 views • 50 slides
AUTOMATIC PROGRAM REPAIR USING GENETIC PROGRAMMING CLAIRE LE GOUES APRIL 22, 2013 1

AUTOMATIC PROGRAM REPAIR USING GENETIC PROGRAMMING CLAIRE LE GOUES APRIL 22, 2013 1

AUTOMATIC PROGRAM REPAIR USING GENETIC PROGRAMMING CLAIRE LE GOUES APRIL 22, 2013 1 http://www.clairelegoues.com GENPROG STOCHASTIC SEARCH + TEST CASE GUIDANCE = AUTOMATIC, EXPRESSIVE, SCALABLE PATCH GENERATION 2 Claire Le Goues

1.32k views • 72 slides
Fully Automatic Adaptation of Software Components Based on Semantic Specifications Christian

Fully Automatic Adaptation of Software Components Based on Semantic Specifications Christian

Fully Automatic Adaptation of Software Components Based on Semantic Specifications Christian Haack 2 , Brian Howard 1 , Allen Stoughton 1 , and J. B. Wells 2 1 Kansas State University http://www.cis.ksu.edu/santos/ 2 Heriot-Watt University

336 views • 15 slides
Multidimensional Ontology-Based Personalization Modeling for Automatic Generation of Mashups in

Multidimensional Ontology-Based Personalization Modeling for Automatic Generation of Mashups in

Multidimensional Ontology-Based Personalization Modeling for Automatic Generation of Mashups in Next-Generation Portals Fedor Bakalov University of Jena Birgitta Knig-Ries Andreas Nauerz IBM Research and Development Martin Welsch

263 views • 22 slides
Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Introduction DBT principle Design flow Intermediate Representation Generation Conclusion Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc Michel and Nicolas Fournel Tima Laboratory , Grenoble,

686 views • 25 slides
A Framework for Automatic Generation A Framework for Automatic Generation of Configuration Files

A Framework for Automatic Generation A Framework for Automatic Generation of Configuration Files

A Framework for Automatic Generation A Framework for Automatic Generation of Configuration Files for a Custom of Configuration Files for a Custom Hardware/Software RTOS Hardware/Software RTOS Jaehwan Lee* Lee* Jaehwan Kyeong Keol Keol Ryu

702 views • 29 slides
Automatic Generation of 100 Gbps Packet Parsers from P4 Description cek 1 s 1 a 2 Pavel Ben a

Automatic Generation of 100 Gbps Packet Parsers from P4 Description cek 1 s 1 a 2 Pavel Ben a

Automatic Generation of 100 Gbps Packet Parsers from P4 Description cek 1 s 1 a 2 Pavel Ben a Viktor Pu Hana Kub atov 1 Liberouter CESNET 2 Faculty of Information Technology Czech Technical University in Prague H 2 RC Workshop,

130 views • 12 slides
Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien

Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien

Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien Signoles 2 1 TrustInSoft 2 CEA LIST, Software Reliability and Security Laboratory LOPSTR 2017, Namur, Belgium 1 Code Analysis Tools Effective enough

575 views • 35 slides
Automatic Synthesizer Preset Generation with PresetGen Kvan Tatar, Matthieu Macret, Philippe

Automatic Synthesizer Preset Generation with PresetGen Kvan Tatar, Matthieu Macret, Philippe

Automatic Synthesizer Preset Generation with PresetGen Kvan Tatar, Matthieu Macret, Philippe Pasquier ENGAGING THE WORLD The preset generation problem Modern synthesizers are very powerful and have many parameters resulting in a vast

543 views • 12 slides
ON THE AUTOMATIC GENERATION OF RECURSIVE ATTITUDE DETERMINATION ALGORITHMS Presented at the AAS

ON THE AUTOMATIC GENERATION OF RECURSIVE ATTITUDE DETERMINATION ALGORITHMS Presented at the AAS

ON THE AUTOMATIC GENERATION OF RECURSIVE ATTITUDE DETERMINATION ALGORITHMS Presented at the AAS GN&amp;C Conference in Breckenridge, CO, on February the 7th, 2017 by Tucker McClure @ An Uncommon Lab WHAT ARE THE GOALS? EXAMINE

775 views • 29 slides
Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For the system user: specification captures the properties of the system the user can rely on. For the system developer: specification captures all the

297 views • 26 slides
Languages, Ontologies and automatic grammar generation Pedro Rangel Henriques (M Joo

Languages, Ontologies and automatic grammar generation Pedro Rangel Henriques (M Joo

Languages, Ontologies and automatic grammar generation Pedro Rangel Henriques (M Joo Varanda Pereira) Dep. de Informtica Centro Algoritmi Universidade do Minho, Braga-Portugal UCM Madrid, 2016-07-12 Motivation This talk is about:

1.03k views • 63 slides
Automatic Generation of Efficient Accelerator Designs for Reconfigurable Hardware David

Automatic Generation of Efficient Accelerator Designs for Reconfigurable Hardware David

Automatic Generation of Efficient Accelerator Designs for Reconfigurable Hardware David Koeplinger Raghu Prabhakar Yaqi Zhang Christina Delimitrou Christos Kozyrakis Kunle Olukotun Stanford University ISCA 2016 FPGAs in Data Centers

299 views • 26 slides
Automatic Generation of I/O Kernels for HPC Applications Babak Behzad 1 , Hoang-Vu Dang 1 , Farah

Automatic Generation of I/O Kernels for HPC Applications Babak Behzad 1 , Hoang-Vu Dang 1 , Farah

Automatic Generation of I/O Kernels for HPC Applications Babak Behzad 1 , Hoang-Vu Dang 1 , Farah Hariri 1 , Weizhe Zhang 2 , Marc Snir 1 , 3 1 University of Illinois at Urbana-Champaign, 2 Harbin Institue of Technology, 3 Argonne National

537 views • 33 slides
Automatic generation of MedDRA terms groupings using an ontology Gunnar DECLERCK a , Cdric

Automatic generation of MedDRA terms groupings using an ontology Gunnar DECLERCK a , Cdric

Automatic generation of MedDRA terms groupings using an ontology Gunnar DECLERCK a , Cdric BOUSQUET a,b and Marie Christine JAULENT a a INSERM, UMRS 872 EQ20, Universit Paris Descartes, France. b Department of Public Health, CHU University

547 views • 27 slides
DySy Dynamic Symbolic Execution for Invariant Inference April 28th 2009 Lukas Schwab

DySy Dynamic Symbolic Execution for Invariant Inference April 28th 2009 Lukas Schwab

Seminar in Software Engineering DySy Dynamic Symbolic Execution for Invariant Inference April 28th 2009 Lukas Schwab lschwab@student.ethz.ch The authors Christoph Csallner - College of Computing, Georgia Tech Nikolai Tillmann -

750 views • 25 slides
DySy: Dynamic Symbolic Execution for Invariant Inference C. Csallner N. Tillmann Y.

DySy: Dynamic Symbolic Execution for Invariant Inference C. Csallner N. Tillmann Y.

DySy: Dynamic Symbolic Execution for Invariant Inference C. Csallner N. Tillmann Y. Smaragdakis Marc Egg Invariant Inference Object top() { if(Empty) return null; return theArray[topOfStack]; } Invariant Inference Tool

465 views • 20 slides
Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff,

Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff,

Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff, David R. White and John A. Clark. The 13th CREST Open Workshop Thursday 12 May 2011 Outline Invariants Using GP to find Invariants Identifying

417 views • 38 slides
Daikon: Dynamic Analysis for Inferring Likely Invariants Reading: Dynamically Discovering Likely

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading: Dynamically Discovering Likely

Daikon: Dynamic Analysis for Inferring Likely Invariants Reading: Dynamically Discovering Likely Program Invariants to Support Program Evolution 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich What is an Invariant? A

361 views • 22 slides
An Empirical Comparison of Automated Generation and Classification Techniques for

An Empirical Comparison of Automated Generation and Classification Techniques for

An Empirical Comparison of Automated Generation and Classification Techniques for Object-Oriented Unit Testing Marcelo dAmorim (UIUC) Carlos Pacheco (MIT) Tao Xie (NCSU) Darko Marinov (UIUC) Michael D. Ernst (MIT) Automated Software

513 views • 33 slides
Extending Dynamic Constraint Detection with Disjunctive Constraints Nadya Kuzmina John Paul

Extending Dynamic Constraint Detection with Disjunctive Constraints Nadya Kuzmina John Paul

Extending Dynamic Constraint Detection with Disjunctive Constraints Nadya Kuzmina John Paul Ruben Gamboa James Caldwell University of Wyoming Dynamic Constraint Detection Fixed grammar of universal properties. Serves well for the

500 views • 27 slides
Method Specifications using primitive data x = 6 x {2, 5, 30} x &lt; y y = 5x + 10 z =

Method Specifications using primitive data x = 6 x {2, 5, 30} x &lt; y y = 5x + 10 z =

Detecting Anomalies Andreas Zeller 1 Whats abnormal? Suppose we determine common properties of all passing runs. Now we examine a run which fails the test. Any difference in properties correlates with failure and is likely to

460 views • 14 slides
An integrated approach to P systems formal verification Marian Gheorghe 1,2 , Florentin Ipate 2 ,

An integrated approach to P systems formal verification Marian Gheorghe 1,2 , Florentin Ipate 2 ,

An integrated approach to P systems formal verification Marian Gheorghe 1,2 , Florentin Ipate 2 , Raluca Lefticaru 2 , Ciprian Dragomir 1 1 University of Sheffield 2 University of Pitesti Summary Integrated formal verification approach

497 views • 16 slides

More recommend