Extending Dynamic Constraint Detection with Disjunctive Constraints (PowerPoint presentation)



SLIDE 1

Extending Dynamic Constraint Detection with Disjunctive Constraints

Nadya Kuzmina, John Paul, Ruben Gamboa, James Caldwell (University of Wyoming)

SLIDE 2

Dynamic Constraint Detection

  • Fixed grammar of universal properties.
  • Serves well for the discovery of a well-defined set of problem-specific, but program-independent, properties.
  • Does not allow capturing the logic of a particular program.
  • Goal: enable constraint detection to capture the subtle, essential properties of a program under analysis.

SLIDE 3

State Space Partitioning Technique (SSPT)

  • Combines static and dynamic program analysis.
  • Automatically specializes the language of constraint detection.
  • Adds program-specific disjunctive properties.

SLIDE 4

Introduction: State Space Partitions

State space: three disjoint subspaces, or abstract states, $\Pi = \{P_1, P_2, P_3\}$ (on the slide the three predicates are comparisons over the variables $x$ and $y$ against $2^{31}$, built from $<$, $\le$ and $-$).

SLIDE 5

Types of Disjunctive Constraints

  • Object invariant. Properties $a$ and $b$ are mutually exclusive: $\neg a \vee \neg b$.
  • Use cases for a method $m$. Method $m$ was called when abstract state $s$ or $w$ holds: $s \vee w$.
  • Transitions between abstract states induced by a method $m$: $p \Rightarrow q$, where $p$ is an abstract state on the variables at the precondition of $m$ and $q$ is a disjunction of abstract states on the variables at the postcondition.
  • Daikon-inferred implications for a method $m$: $p \Rightarrow t$, where $p$ is an abstract state on the variables at the precondition of $m$ and $t$ is an instantiated template.

SLIDE 6

The Calculator Example

SLIDE 7

State Spaces for the Calculator Example

$\Pi_1 = \{P_1, P_2\}$, where $P_1 \equiv \mathit{newNumber}$ and $P_2 \equiv \neg\mathit{newNumber}$.

$\Pi_2 = \{Q_1, Q_2, Q_3\}$, where $Q_1 \equiv \mathit{adding}$, $Q_2 \equiv \neg\mathit{adding} \wedge \mathit{subtracting}$, and $Q_3 \equiv \neg\mathit{adding} \wedge \neg\mathit{subtracting}$.

SLIDE 8

Constraints for Calculator

$\Pi_1 = \{P_1, P_2\}$, where $P_1 \equiv \mathit{newNumber}$ and $P_2 \equiv \neg\mathit{newNumber}$.

$\Pi_2 = \{Q_1, Q_2, Q_3\}$, where $Q_1 \equiv \mathit{adding}$, $Q_2 \equiv \neg\mathit{adding} \wedge \mathit{subtracting}$, and $Q_3 \equiv \neg\mathit{adding} \wedge \neg\mathit{subtracting}$.

SLIDE 9

SSPT: Overview

Form disjoint partitions of the state spaces of the program variables involved in expressing the if-then-else tests.

if (adding) … else if (subtracting) …

$\Pi_2 = \{Q_1, Q_2, Q_3\}$, where $Q_1 \equiv \mathit{adding}$, $Q_2 \equiv \neg\mathit{adding} \wedge \mathit{subtracting}$, and $Q_3 \equiv \neg\mathit{adding} \wedge \neg\mathit{subtracting}$.

SLIDE 10

SSPT: Hypothesized Constraints

Let $\Pi = \{P_1, P_2, \ldots, P_n\}$.

  • Preconditions: $P_1 \vee P_2 \vee \ldots \vee P_n$.
  • Postconditions: $P_i \Rightarrow P_j \vee P_k$, with $i, j, k \in [1..n]$.
  • Object invariants: check whether the tests of the corresponding if-then-else statement are mutually exclusive.

For the Calculator example:

if (adding) … else if (subtracting) …

$(\mathit{adding} \wedge \neg\mathit{subtracting}) \vee (\neg\mathit{adding} \wedge \mathit{subtracting}) \vee (\neg\mathit{adding} \wedge \neg\mathit{subtracting})$

SLIDE 11

SSPT: Constraint Approximation Algorithm

Let $\Pi = \{P_1, P_2, P_3\}$. Notation, for $i \in [1..3]$:

  • $P_i^{pre}$: abstract state $P_i$ over the variable values at the precondition.
  • $P_i^{post}$: abstract state $P_i$ over the variable values at the postcondition.

SLIDE 12

SSPT: Constraint Approximation Algorithm

SLIDE 13

SSPT: Constraint Approximation Algorithm

Intuition behind the algorithm: let $i = 1$ and, after step 2, let $S = \{1, 3\}$. Then $P_1^{pre} \Rightarrow \neg P_1^{post}$ and $P_1^{pre} \Rightarrow \neg P_3^{post}$ are consistent with the observed data. $P_1^{post} \vee P_2^{post} \vee P_3^{post}$ is true by construction. The transition $P_1^{pre} \Rightarrow P_2^{post}$ follows by propositional logic.

SLIDE 14

ContExt: Implementation

  • Lightweight static analysis of Java source code for abstract state extraction.
  • Dynamic analysis tasks are delegated to Daikon.
  • ContExt combines the constraints inferred by our approach with those inferred by Daikon in its output.

SLIDE 15

Transitional Constraint Inference

  • A splitting condition (splitter) is a boolean expression in terms of some program variables.
  • Let $T$ be a program point which has all the variables involved in a splitter $a$. Then $a$ partitions the data trace at $T$ into two mutually exclusive subsets:
    • $T_a$: contains the data values that satisfy $a$.
    • $T_{\neg a}$: contains the data values on which $a$ does not hold.
  • Each abstract state $P_i^{pre}$ from a space $\Pi$ is used as a splitter on the data trace at the postcondition program points of the enclosing class.
  • This conveniently checks when $P_i^{pre}$ and $P_j^{post}$ both hold.
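As an added example (not code from the slides or from the ContExt tool), the Python block below runs the constraint approximation of slides 10 through 15 on a constructed trace of the Calculator example: each $P_i^{pre}$ is used as a splitter over the (precondition, postcondition) samples of one method, the postcondition states never observed together with it form the set $S$, and the transition $P_i^{pre} \Rightarrow \bigvee_{j \notin S} P_j^{post}$ is reported. The partition $\Pi_2$ is the one on slide 7; the trace rows, the hypothetical method $m$ and every helper name are assumptions for illustration, and Daikon is not involved (the `split` function stands in for its splitting of a data trace by a splitter). A second run on a truncated trace shows the unsoundness stated on slide 16: with one sample fewer, a strictly stronger transition is reported.

```python
"""Added example, not from the slides or the ContExt tool: the transition-
constraint approximation of slides 10-15 on a constructed Calculator trace.

Assumptions (labelled): the partition Pi_2 is the one on slide 7; the trace
rows, the method name m and all helper names below are made up for this
illustration. Daikon is not involved; split() stands in for Daikon's
splitting of a data trace at a program point by a splitter condition."""
from typing import Callable, Dict, List, Tuple

State = Dict[str, bool]          # values of the partition variables at one program point
Predicate = Callable[[State], bool]
Row = Tuple[State, State]        # (values at precondition, values at postcondition) of one call to m

# Pi_2 = {Q1, Q2, Q3} from slide 7, extracted from "if (adding) ... else if (subtracting) ..."
PI_2: Dict[str, Predicate] = {
    "Q1": lambda s: s["adding"],
    "Q2": lambda s: (not s["adding"]) and s["subtracting"],
    "Q3": lambda s: (not s["adding"]) and (not s["subtracting"]),
}

def st(adding: bool, subtracting: bool) -> State:
    return {"adding": adding, "subtracting": subtracting}

# Constructed trace for a hypothetical method m: one (pre, post) row per observed call.
TRACE: List[Row] = [
    (st(True, False), st(False, True)),    # Q1 -> Q2
    (st(True, False), st(False, False)),   # Q1 -> Q3
    (st(False, True), st(True, False)),    # Q2 -> Q1
    (st(False, False), st(False, False)),  # Q3 -> Q3
    (st(False, False), st(True, False)),   # Q3 -> Q1
]

def is_partition(space: Dict[str, Predicate], samples: List[State]) -> bool:
    """Object-invariant check (slide 10): on every sample exactly one abstract state holds,
    i.e. the if-then-else tests are mutually exclusive and exhaustive on the observed data."""
    return all(sum(1 for p in space.values() if p(s)) == 1 for s in samples)

def split(trace: List[Row], splitter: Callable[[Row], bool]) -> Tuple[List[Row], List[Row]]:
    """Slide 15: a splitter a divides the data trace at a program point into T_a and T_not_a."""
    t_a = [row for row in trace if splitter(row)]
    t_not_a = [row for row in trace if not splitter(row)]
    return t_a, t_not_a

def use_cases(space: Dict[str, Predicate], trace: List[Row]) -> List[str]:
    """Use-case constraint (slide 5): the abstract states under which m was observed to be
    called; the reported constraint is their disjunction."""
    return [name for name, p in space.items() if any(p(pre) for pre, _ in trace)]

def infer_transitions(space: Dict[str, Predicate], trace: List[Row]) -> Dict[str, List[str]]:
    """Slide 13 intuition, for every i: step 1 splits the trace by P_i^pre; step 2 collects
    S = {j : P_j^post never held when P_i^pre held}, so P_i^pre => not P_j^post is consistent
    with the data; step 3 uses that OR_j P_j^post is true by construction and reports
    P_i^pre => OR_{j not in S} P_j^post.  Returns {P_i: [P_j for j not in S]}."""
    transitions: Dict[str, List[str]] = {}
    for i, p_i in space.items():
        t_a, _ = split(trace, lambda row, p=p_i: p(row[0]))
        if not t_a:
            continue  # P_i^pre never observed: no evidence for any transition from it
        s_set = {j for j, p_j in space.items() if not any(p_j(post) for _, post in t_a)}
        transitions[i] = [j for j in space if j not in s_set]
    return transitions

def format_transitions(transitions: Dict[str, List[str]]) -> List[str]:
    """Render {P_i: [P_j, ...]} as 'P_i^pre => P_j^post v ...' strings."""
    return [f"{i}^pre => " + " v ".join(f"{j}^post" for j in js) for i, js in transitions.items()]

if __name__ == "__main__":
    all_samples = [pre for pre, _ in TRACE] + [post for _, post in TRACE]
    print("Pi_2 is a partition on the data:", is_partition(PI_2, all_samples))
    print("use cases of m:", " v ".join(use_cases(PI_2, TRACE)))
    for line in format_transitions(infer_transitions(PI_2, TRACE)):
        print(line)
    # Unsoundness (slide 16): drop the Q1 -> Q2 observation and a stronger constraint appears.
    for line in format_transitions(infer_transitions(PI_2, TRACE[1:])):
        print("  with one sample fewer:", line)
```

The reported transitions depend only on which (pre, post) state pairs the test suite happens to exercise, which is exactly why slide 16 calls the output unsound: every missing observation makes the set $S$ larger and the reported disjunction narrower, so a practitioner should read such constraints as hypotheses to confirm with more coverage or a static check, not as proven properties.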

SLIDE 16

Limitations

  • Our approach is primarily a dynamic analysis. The reported constraints are unsound: constraints that are potentially stronger than the true ones are reported.
  • Increase in the number of accidental constraints reported, and loss of precision.
  • Given the same test suite, our approach may not infer some unconditional constraints that Daikon would.
  • Requires the presence of source code.
  • The technique has been applied to only one class at a time.

SLIDE 17

Evaluation Challenge

  • Quantitative measurement of the quality of inferred constraints is challenging.
  • Propose a methodology for a quantitative evaluation of constraint inference techniques based on the Alloy modeling language.
  • Concentrate on recall.
  • Apply it to comparatively evaluate Daikon and ContExt on two examples.

SLIDE 18

Evaluation Methodology

SLIDE 19

Case Study 1: Puzzle

The Puzzle class represents an environment with an agent.

SLIDE 20

Puzzle Specification

SLIDE 21

Puzzle Evaluation

SLIDE 22

Case Study 2: Employee Example

SLIDE 23

Related Work

  • Csallner et al. employ a dynamic symbolic execution technique to obtain program-specific constraints. It performs symbolic execution over an existing test suite.
  • Engler et al. and Yang et al. focus on recovering a relatively small number of error-revealing properties.
  • Dallmeier et al. use a combination of static and dynamic analysis to construct state machines that represent an object's behavior in terms of its inspector and mutator methods.
  • Arumuga Nainar et al. are interested in finding relevant boolean formulae. The formulae partition the program state space into only two subspaces, one in which a bug is exhibited and the other in which it is not.

SLIDE 24

Conclusions

  • The State Space Partitioning Technique combines lightweight static and dynamic analysis to provide for the inference of program-specific disjunctive properties.
  • Proposed an evaluation methodology for the quality of inferred constraints based on the Alloy modeling language.

SLIDE 25

Comparative Complexity

Generalized disjunctive template: $2^k$, where $k$ is the number of hypothesized non-disjunctive constraints.

SLIDE 26

Comparative Complexity

  • $P$: number of program points in the target program.
  • $C$: number of hypothesized constraints at a program point.
  • $L$: number of data samples observed.

Daikon (approximated with the complexities of the simple incremental algorithm):

  • Space complexity: $S = O(P \cdot C)$
  • Time complexity: $T = O(P \cdot C \cdot L)$

SLIDE 27

Comparative Complexity

  • $P$: number of program points in the target program.
  • $C$: number of hypothesized constraints at a program point.
  • $L$: number of data samples observed.
  • $m$: number of class-scoped partitions.
  • $n$: the maximum number of states per class-scoped partition.

ContExt, with $P' = mnP$ and $C' = C + mn$:

  • Space complexity: $S = O(P' \cdot C') = O(mnP \cdot (mn + C))$
  • Time complexity: $T = O(P' \cdot C' \cdot L) = O(mnP \cdot (mn + C) \cdot L)$