Large-Scale API Protocol Mining for Automated Bug Detection Michael - - PowerPoint PPT Presentation

1

Large-Scale API Protocol Mining for Automated Bug Detection

Michael Pradel Department of Computer Science ETH Zurich

2

Motivation

LinkedList pinConnections = ...; Iterator i = pinConnections.iterator (); while ( i.hasNext () ) { PinLink curr = (PinLink) i.next (); if ( ... ) { pinConnections.remove(curr); } }

(from DaCapo benchmarks)

2

Motivation

LinkedList pinConnections = ...; Iterator i = pinConnections.iterator (); while ( i.hasNext () ) { PinLink curr = (PinLink) i.next (); if ( ... ) { pinConnections.remove(curr); } }

(from DaCapo benchmarks)

Don’t modify a collection while iterating over it!

3

API Usage Constraints

call x before y eventually call x don’t call x while calling y and z

Constraints Program API

3

API Usage Constraints

call x before y eventually call x don’t call x while calling y and z

Protocols!

x y z

Constraints Program API

4

Protocol Mining

Problem: No protocols specified

API Training Programs

4

Protocol Mining

Problem: No protocols specified

x y z

Mining

API Training Programs

4

Protocol Mining

Problem: No protocols specified

x y z Target Program

Mining Bug finding

API Training Programs

5

Big Picture

Protocol mining Bug finding

5

Big Picture

Protocol mining Bug finding Other applications

5

Big Picture

Protocol mining Bug finding Other applications

5

Big Picture

Protocol mining Bug finding Other applications

static vs. dynamic API-based vs. client-based single- vs. multi-object

5

Big Picture

Protocol mining Bug finding Other applications

static vs. dynamic API-based vs. client-based single- vs. multi-object static dynamic

verification testing verification testing

5

Big Picture

Protocol mining Bug finding Other applications

static vs. dynamic API-based vs. client-based single- vs. multi-object static dynamic

verification testing verification testing

6

Part 1: Protocol Mining

7

Protocol Mining - Overview

Execution trace Subtraces Protocols Program & Input

7

Protocol Mining - Overview

Execution trace Subtraces Protocols Program & Input

8

Execution Traces

List l = new LinkedList (); l.add(new Foo ()); Iterator i = l.iterator (); OutputStream s = new FileOutputStream("f"); while (i.hasNext ()) { Foo f = i.next (); if (f.isOK ()) s.write(f.getData ()); } s.close ();

8

Execution Traces

List l = new LinkedList (); l.add(new Foo ()); Iterator i = l.iterator (); OutputStream s = new FileOutputStream("f"); while (i.hasNext ()) { Foo f = i.next (); if (f.isOK ()) s.write(f.getData ()); } s.close ();

AspectJ instrumentation

8

Execution Traces

List l = new LinkedList (); l.add(new Foo ()); Iterator i = l.iterator (); OutputStream s = new FileOutputStream("f"); while (i.hasNext ()) { Foo f = i.next (); if (f.isOK ()) s.write(f.getData ()); } s.close ();

new LinkedList → 1 1.add(2) → 3 1.iterator → 4 new FileOS(6) → 5 4.hasNext 4.next 5.write(7) 4.hasNext 5.close

AspectJ instrumentation

9

Protocol Mining - Overview

Execution trace Subtraces Protocols Program & Input

9

Protocol Mining - Overview

Execution trace Subtraces Protocols Program & Input

10

Subtraces

new LinkedList → 1 1.add(2) → 3 1.iterator → 4 new FileOS(6) → 5 4.hasNext 4.next 5.write(7) 4.hasNext 5.close

10

Subtraces

Different API usages intermingled!

new LinkedList → 1 1.add(2) → 3 1.iterator → 4 new FileOS(6) → 5 4.hasNext 4.next 5.write(7) 4.hasNext 5.close

10

Subtraces

Core object x:

Calls to x Calls to parameters

passed to x

Calls to objects

returned by x

new LinkedList → 1 1.add(2) → 3 1.iterator → 4 new FileOS(6) → 5 4.hasNext 4.next 5.write(7) 4.hasNext 5.close

10

Subtraces

new LinkedList → 1 1.add(2)→3 1.iterator→4 4.hasNext 4.next 4.hasNext 4.hasNext 4.next 4.hasNext new FileOS(6) → 5 5.write(7) 5.close

new LinkedList → 1 1.add(2) → 3 1.iterator → 4 new FileOS(6) → 5 4.hasNext 4.next 5.write(7) 4.hasNext 5.close

11

Protocol Mining - Overview

Execution trace Subtraces Protocols Program & Input

11

Protocol Mining - Overview

Execution trace Subtraces Protocols Program & Input

12

Group Subtraces

LinkedList, Iterator Iterator FileOS

Group by set of involved types

13

Generate Protocols

Finite state machine

Method → state Consecutive call → transition

13

Generate Protocols

Finite state machine

Method → state Consecutive call → transition

new LinkedList → l l.add l.add l.add l.add l.iterator → i i.hasNext i.hasNext i.hasNext i.next l.add

13

Generate Protocols

Finite state machine

Method → state Consecutive call → transition

new LinkedList → l l.add l.add l.add l.iterator → i i.hasNext i.hasNext i.next

14

Scalability

Bottleneck: Large execution traces

14

Scalability

Bottleneck: Large execution traces Pass 1: Find core

• bjects and

associated

• bjects

14

Scalability

Bottleneck: Large execution traces Pass 1: Find core

• bjects and

associated

• bjects

Pass 2: Extract calls for each subtrace

14

Scalability

Bottleneck: Large execution traces Pass 1: Find core

• bjects and

associated

• bjects

Pass 2: Extract calls for each subtrace Mine millions of events in a few minutes

15

Examples

new ZipFile → f f.entries → e e.hasMore Elements e.hasMore Elements e.hasMore Elements e.next Element f.close

ZipFile and Enumeration

16

Examples

new URL → u u.openStream → s s.close

URL and InputStream

17

Evaluation

Are examples convincing enough?

OK/ Not OK 20+ mining approaches Use for some task

17

Evaluation

Are examples convincing enough? Neither reproducible nor comparable!

OK/ Not OK 20+ mining approaches Use for some task

18

Evaluation Framework

Precision and recall ? OK

18

Evaluation Framework

Precision and recall ? OK Method constraint groups

19

Example

Formatter format close close locale, out, ioException flush ioException format, locale, out, ioException println Formatter format close println

Mined protocol M Reference protocol

19

Example

Formatter format close close locale, out, ioException flush ioException format, locale, out, ioException println Formatter format close println

Mined protocol M Reference protocol

Precision: How much of M is correct? → 23%

19

Example

Formatter format close close locale, out, ioException flush ioException format, locale, out, ioException println Formatter format close println

Mined protocol M Reference protocol

Recall: How complete is M? → 9%

20

Results

12 training programs 32 reference protocols

21

Learn More from Many Teachers?

Empirical study: How does mining more programs influence the results? ...

12 programs

. . .

22

API Coverage

Types and methods covered in mined protocols

22

API Coverage

Types and methods covered in mined protocols More programs ↓ Higher coverage

23

Recall

Recall of mined protocols

23

Recall

Recall of mined protocols More programs ↓ Higher recall

24

Part 2: Bug Finding

25

Bug Finding

x y z Target Program

Mining Bug finding

API Training Programs

25

Bug Finding

x y z Target Program

Mining Bug finding

API Training Programs

26

Overview

Analysis

26

Overview

Analysis Runtime verification Static checking

26

Overview

Analysis Runtime verification Static checking What is a protocol violation?

26

Overview

Analysis Runtime verification Static checking What is a protocol violation?

27

Incomplete Specifications

Protocols = Incomplete specifications

new LinkedList → l l.add l.add l.add l.iterator → i i.hasNext i.hasNext i.next

27

Incomplete Specifications

Protocols = Incomplete specifications

new LinkedList → l l.add l.add l.add l.iterator → i i.hasNext i.hasNext i.next

?

i.hasNext

28

What is a Protocol Violation?

new LinkedList → l l.add l.add l.add l.iterator → i i.hasNext i.hasNext i.next

Setup phase:

bind parameters

Liable phase:

all parameters bound violation: take non-existing transition end in non-final state

29

State Partitioning

Protocol transformation: Setup states vs. liable states

new LinkedList → l l.add l.add l.add l.iterator → i i.hasNext i.hasNext i.next

29

State Partitioning

Protocol transformation: Setup states vs. liable states

setup

new LinkedList → l l.add l.add l.add l.iterator → i i.hasNext i.hasNext i.next

29

State Partitioning

Protocol transformation: Setup states vs. liable states

liable

new LinkedList → l l.add l.add l.add l.iterator → i i.hasNext i.hasNext i.next

29

State Partitioning

Protocol transformation: Setup states vs. liable states

ambiguous → split

new LinkedList → l l.add l.add l.add l.iterator → i i.hasNext i.hasNext i.next

29

State Partitioning

Protocol transformation: Setup states vs. liable states

new LinkedList → l l.add l.iterator → i i.hasNext i.hasNext i.next l.add l.add l.add

29

State Partitioning

Protocol transformation: Setup states vs. liable states

new LinkedList → l l.add l.iterator → i i.hasNext i.hasNext i.next l.add l.add l.add

setup liable

30

Overview

Analysis Runtime verification Static checking

30

Overview

Analysis Runtime verification Static checking

31

Dynamic Protocol Checking

Runtime verification (JavaMOP) Input

31

Dynamic Protocol Checking

Challenge 1: Check many different execution paths Runtime verification (JavaMOP) Input

31

Dynamic Protocol Checking

Challenge 1: Check many different execution paths Challenge 2: Monitoring mined protocols Runtime verification (JavaMOP) Input

32

Randomly Generated Input

Challenge 1: Check many different execution paths

Input

32

Randomly Generated Input

Challenge 1: Check many different execution paths

Random test generation Input

32

Randomly Generated Input

Challenge 1: Check many different execution paths

Random test generation Call sequences that trigger an exception Input

32

Randomly Generated Input

Challenge 1: Check many different execution paths

Random test generation Call sequences that trigger an exception Non-exceptional sequences Input

33

Protocol Monitoring

new LinkedList → l i.iterator → i i.hasNext i.next

Challenge 2: Monitoring mined protocols

l = new LinkedList ()

33

Protocol Monitoring

l

new LinkedList → l i.iterator → i i.hasNext i.next

Challenge 2: Monitoring mined protocols

l = new LinkedList ()

33

Protocol Monitoring

l

new LinkedList → l i.iterator → i i.hasNext i.next

Challenge 2: Monitoring mined protocols

l = new LinkedList ()

33

Protocol Monitoring

l

new LinkedList → l i.iterator → i i.hasNext i.next

Challenge 2: Monitoring mined protocols

l = new LinkedList ()

Violation!?

33

Protocol Monitoring

l = new LinkedList () i1 = l.iterator () i2.next()

l

new LinkedList → l i.iterator → i i.hasNext i.next

Challenge 2: Monitoring mined protocols

33

Protocol Monitoring

l = new LinkedList () i1 = l.iterator () i2.next()

(l,i1)

new LinkedList → l i.iterator → i i.hasNext i.next

Challenge 2: Monitoring mined protocols

33

Protocol Monitoring

l = new LinkedList () i1 = l.iterator () i2.next()

i2 (l,i1)

new LinkedList → l i.iterator → i i.hasNext i.next

Challenge 2: Monitoring mined protocols

33

Protocol Monitoring

l = new LinkedList () i1 = l.iterator () i2.next()

Violation!? (l,i1)

new LinkedList → l i.iterator → i i.hasNext i.next

i2 Challenge 2: Monitoring mined protocols

33

Protocol Monitoring

l = new LinkedList () i1 = l.iterator () i2.next()

Violation!? (l,i1)

new LinkedList → l i.iterator → i i.hasNext i.next

i2 Challenge 2: Monitoring mined protocols Naive approach gives too many violations

34

Explicit Fail Transitions

Fail only in liable states

new LinkedList → l i.iterator → i i.hasNext i.next

F

i.next i.hasNext

34

Explicit Fail Transitions

Fail only in liable states

Violation:

Reach fail state End in non-final, liable state

new LinkedList → l i.iterator → i i.hasNext i.next

F

i.next i.hasNext

35

Evaluation

Questions

Find relevant issues by monitoring

mined protocols?

How useful is generated input?

Setup: DaCapo benchmarks, 1.6 MLOC Java

36

Results

Protocol violations Program Test cases Total Relevant avrora 15,753 5 4 batik 3,477 daytrader 32,446 eclipse 816 fop 6,536 52 50 h2 7,584 14 7 lucene 1,985 pmd 1,286 sunflow 4,300 1 tomcat 14,627 1 1 xalan 21,083 1 1 Sum 160,857 74 63

Randomly generated Bug (exception, unexpected behavior)

• r

code smell (perfor- mance/maintainability problem)

36

Results

Protocol violations Program Test cases Total Relevant avrora 15,753 5 4 batik 3,477 daytrader 32,446 eclipse 816 fop 6,536 52 50 h2 7,584 14 7 lucene 1,985 pmd 1,286 sunflow 4,300 1 tomcat 14,627 1 1 xalan 21,083 1 1 Sum 160,857 74 63

Randomly generated Bug (exception, unexpected behavior)

• r

code smell (perfor- mance/maintainability problem)

85% true positives

37

Examples

try { is = u.openStream (); r = new InputStreamReader(is, "UTF

• 8");

br = new BufferedReader(r); } finally { if ( is != null ){ try { is.close (); } catch ( IOException ignored ){} is = null; } if ( r != null ){ try{ r.close (); } catch ( IOException ignored ){} r = null; } if ( br == null ){ try{ br.close (); } catch ( IOException ignored ){} br = null; } }

37

Examples

try { is = u.openStream (); r = new InputStreamReader(is, "UTF

• 8");

br = new BufferedReader(r); } finally { if ( is != null ){ try { is.close (); } catch ( IOException ignored ){} is = null; } if ( r != null ){ try{ r.close (); } catch ( IOException ignored ){} r = null; } if ( br == null ){ try{ br.close (); } catch ( IOException ignored ){} br = null; } }

Reader never closed

38

Examples

Iterator i = pinConnections.iterator (); PinLink currLink = (PinConnect.PinLink) i.next (); currLink.propagateSignals (); while (i.hasNext ()) { currLink = (PinConnect.PinLink) i.next (); currLink.propagateSignals (); }

38

Examples

Iterator i = pinConnections.iterator (); PinLink currLink = (PinConnect.PinLink) i.next (); currLink.propagateSignals (); while (i.hasNext ()) { currLink = (PinConnect.PinLink) i.next (); currLink.propagateSignals (); }

Incorrect iterator usage

39

Normal vs. Generated Input

40

Overview

Analysis Runtime verification Static checking

40

Overview

Analysis Runtime verification Static checking

41

State of the Art

Typestate checking + specification Anomaly detection

41

State of the Art

+ Precise

• Needs specification

+ Automatic

• Imprecise

Typestate checking + specification Anomaly detection

41

State of the Art

+ Precise

• Needs specification

+ Automatic

• Imprecise

Combine both! Precise checker for mined multi-object protocols Typestate checking + specification Anomaly detection

42

Static Protocol Checking

Joint work with Ciera Jaspan and Jonathan Aldrich (ISR, CMU)

Fusion analysis f() ✓ g() ✗ h() ✗ f() g() h() Pruning Relationship constraints

@Constraint( requires="..." )

43

Fusion

• C. Jaspan and J. Aldrich

Checking Framework Interactions with Relationships ECOOP ’09

Static analysis to check API usages Good match with mined protocols:

Reasons about interacting objects Distinguishes setup from checking

44

Relationship-based Analysis

void m() { .. }

Effects: Add/remove objects Requirements: Check before call

Relationships = Tuples of objects

44

Relationship-based Analysis

void m() { .. }

Effects: Add/remove objects Requirements: Check before call

Relationships = Tuples of objects

Keep track of protocol execution (e.g., current state) Check protocol constraints if in liable state

45

Example

LinkedList l = new LinkedList (); Iterator i = l.iterator (); i.next ();

new LinkedList → l i.iterator → i i.hasNext i.next

1 2 3 4

45

Example

LinkedList l = new LinkedList (); Iterator i = l.iterator (); i.next ();

new LinkedList → l i.iterator → i i.hasNext i.next

1 2 3 4 l ∈ rstate2, l ∈ riterator

45

Example

LinkedList l = new LinkedList (); Iterator i = l.iterator (); i.next ();

new LinkedList → l i.iterator → i i.hasNext i.next

1 2 3 4 l ∈ rstate2, l ∈ riterator l ∈ rstate3, i ∈ rstate3, i ∈ rhasNext, (l, i) ∈ rprotocol

45

Example

LinkedList l = new LinkedList (); Iterator i = l.iterator (); i.next ();

new LinkedList → l i.iterator → i i.hasNext i.next

1 2 3 4 l ∈ rstate2, l ∈ riterator l ∈ rstate3, i ∈ rstate3, i ∈ rhasNext, (l, i) ∈ rprotocol

i / ∈ rnext

46

Results

Program Warnings Total Bugs Code smells True pos. avrora 13 9 69% batik 1 0% daytrader — eclipse 15 2 1 20% fop 13 8 1 69% h2 1 0% jython 7 2 1 43% lucene 13 3 3 46% pmd 15 2 8 67% sunflow — tomcat 2 0% xalan 1 1 100% Total 81 26 15 51% exception or unexpected behavior maintainability

• r performance

issue

46

Results

Program Warnings Total Bugs Code smells True pos. avrora 13 9 69% batik 1 0% daytrader — eclipse 15 2 1 20% fop 13 8 1 69% h2 1 0% jython 7 2 1 43% lucene 13 3 3 46% pmd 15 2 8 67% sunflow — tomcat 2 0% xalan 1 1 100% Total 81 26 15 51% exception or unexpected behavior maintainability

• r performance

issue

Few false positives!

47

Examples

LinkedList pinConnections = ...; Iterator i = pinConnections.iterator (); while ( i.hasNext () ) { PinLink curr = (PinLink) i.next (); if ( ... ) { pinConnections.remove(curr); } }

47

Examples

LinkedList pinConnections = ...; Iterator i = pinConnections.iterator (); while ( i.hasNext () ) { PinLink curr = (PinLink) i.next (); if ( ... ) { pinConnections.remove(curr); } }

Concurrent modification

48

Examples

BufferedReader in = null; try { in = new BufferedReader (...); ... in.close (); } finally { if (in != null) { try { in.close (); } catch (IOException e) { ... } } }

48

Examples

BufferedReader in = null; try { in = new BufferedReader (...); ... in.close (); } finally { if (in != null) { try { in.close (); } catch (IOException e) { ... } } }

Duplicate close

49

Summary: Bug Finding

Clear definition of protocol violation

liable setup

Static and dynamic checking:

Both are practical Complement each other

50

Conclusion

An attractive tool to help programmers

understand large systems pinpoint problem areas

Supplements other approaches:

Reveals multi-object bugs Easy to use

51

Thank you!

michael@binaervarianz.de

52

53

What is a Violation?

next next

Positive protocols Negative protocols vs.

new Writer close write next hasNext hasNext

53

What is a Violation?

next next

Positive protocols Negative protocols vs.

new Writer close write next hasNext hasNext

Reaching final state Taking non-existing

transition

Not reaching final

state

54

Related Work (Mining)

Gabel & Su, FSE 2008 Language learning algorithm with

pre-defined micro-patterns

Don’t consider dataflow Lee, Chen & Rosu, ICSE 2011 First, learn related events; then, mine

sliced trace with PFSA learner

Require unit tests for first step

55

Template

56

Template

57

Template

58

Template

59

Template

60