Motivation. Overview. Scalable Dynamic Analysis for Automated Fault Location and Avoidance. Rajiv Gupta. Program Execution
|
|
- Kimberly Todd
- 5 years ago
- Views:
Transcription
1 Motivation Scalable Dynamic Analysis for Automated Fault Location and Avoidance Rajiv Gupta Funded by NSF grants from CPA, CSR, & CRI programs and grants from Microsoft Research Software bugs cost the U.S. economy about $59.5 billion each year [NIST 02]. Embedded Systems Mission Critical / Safety Critical Tasks A failure can lead to Loss of Mission/Life. (Ariane 5) arithmetic overflow led to shutdown of guidance computer. (Mars Climate Orbiter) missed unit conversion led to faulty navigation data. (Mariner I) missing superscripted bar in the specification for the guidance program led to its destruction 29 seconds after launch. (Mars Pathfinder) priority inversion error causing system reset. (Boeing ) loss of engine & flight displays while in flight. (Toyota hybrid Prius) VSC, gasoline-powered engine shut off. (Therac-25) wrong dosage during radiation therapy.. Overview Fault Location Long-running Multi-threaded Program Execution Scalability Tracing + Logging Goal: Assist the programmer in debugging by automatically narrowing the fault to a small section of the code. Fault Dynamic Information Data dependences Control dependences Values Fault Location Dynamic Slicing Offline Fault Avoidance Environment Faults Online Execution Runs One failed execution & Its perturbations
2 Dynamic Information Approach Program Execution Dynamic Dependence Graph Detect execution of statement s such that Faulty code Affects the value computed by s; or Faulty code is Affected-by the value computed by s Data Control through a chain of dependences. Estimate the set of potentially faulty statements from s: Affects: statements from which s is reachable in the dynamic dependence graph. (Backward ) Affected-by: statements that are reachable from s in the dynamic dependence graph. (Forward ) è Intersect slices to obtain a smaller fault candidate set. Backward & Forward s Backward & Forward s Backward Failure inducing Input Failure Inducing Input Erroneous Output [Korel&Laski,1988] Forward [ASE-05] Erroneous Output [ASE-05] è For memory bugs the number of statements is very small (< 5).
3 Bidirectional s Pruning s Critical Predicate: An execution instance of a predicate such that changing its outcome repairs the program state. Found critical predicates in 12 out of 15 bugs Search for critical predicate: Brute force: 2 predicates to 155K predicates; After Filtering and Ordering: 1 to 7K predicates. Backward of CP + Bidirectional Combined Forward of [ICSE-0] CP û v û Confidence in v C(v): [0,1] 1 - any change in v will change 0 - all values of v produce same How? Value profiles. 1 û 1 1 [PLDI-0] Test Programs Dynamic Sizes Real Reported Bugs Injected Bugs Buggy Runs BS FS BiS flex 2.5.1(a) Nine logical bugs (incorrect ouput) Unix utilities grep 2.5, grep 2.5.1, flex 2.5.1, make.80. Six memory bugs (program crashes) Unix utilities gzip, ncompress, polymorph, tar, bc, tidy. Siemens Suite (numerous versions) schedule, schedule2, replace, print_tokens.. Unix utilities gzip, flex flex 2.5.1(b) NA flex 2.5.1(c) NA grep 2.5 NA grep 2.5.1(a) NA grep 2.5.1(b) NA 599 NA grep 2.5.1(c) NA make.80(a) make.80(b) gzip ncompress polymorph tar bc tidy
4 Combined s Evaluation of Pruning Buggy Runs BS BS^FS^BiS (%BS) flex 2.5.1(a) (.9%) flex 2.5.1(b) (7.5%) flex 2.5.1(c) 50 5 (10%) grep 2.5 NA 8 (7.4%*EXEC) grep 2.5.1(a) NA 25 (4.9%*EXEC) grep 2.5.1(b) NA 599 (5.%*EXEC) grep 2.5.1(c) NA 12 (0.9%*EXEC) make.80(a) (81.4%) make.80(b) (75.%) gzip (8.8%) ncompress (14.%) polymorph (14.%) tar (42.9%) bc (50%) tidy (29.1%) Siemen s Suite Program Description LOC Versions Tests print_tokens Lexical analyzer print_tokens2 Lexical analyzer replace Pattern replacement schedule Priority scheduler schedule2 Priority scheduler gzip Unix utility flex Unix utility Single error is injected in each version. All the versions are not included: No output or the very first output is wrong; Root cause is not contained in the BS (code missing error). Evaluation of Pruning Effectiveness Program BS Pruned Pruned / BS print_tokens % Backward [AADEBUG-05] 1% of Executed Statements print_tokens % replace % schedule % Erroneous output Failure inducing input Critical predicate Confidence Analysis schedule % gzip % flex % Combined [ASE-05,ICSE-0] % of Backward 11% of Exec. Pruned [PLDI-0] 41% of Backward 1% of Exec.
5 Effectiveness Execution Omission Errors Program-bug Inspected Stmts. mutt heap overflow 8 X= X= pine stack overflow pine heap overflow 10 mc stack overflow 2 squid heap overflow 5 bc heap overflow X= A = A<0 A = A<0 Inspect pruned slice. Dynamically detect an Implicit dependence. Incrementally expand the pruned slice. [PLDI-07] Slicing is effective in locating faults. No more than 10 static statements had to be inspected. =X Implicit dependence =X Scalability of Tracing Trace Sizes & Collection Overheads Dynamic Information Needed Dynamic Dependences for all slicing Values for Confidence Analysis for pruning slices è annotates the static program representation Whole Execution Trace (WET) Trace Size 15 Bytes / Instruction Program Running Time Dep. Trace Collection Time mysql 1 s 21 GB 288 s prozilla 8 s GB 240 s proxyc 10 s 45 MB 880 s mc 10 s 55 GB 418 s mutt 20 s 88 GB 28 s pine 14 s 15 GB 2088 s squid 15 s 88 GB 112 s Trace sizes are very large for even 10s of execution.
6 Compacting Whole Execution Traces Dependence Graph Representation Explicitly remember dynamic control flow trace. Infer as many dynamic dependences as possible from control flow (94%), remember the remaining dependences explicitly ( %). è Specialized graph representation to enable inference. Explicitly remember value trace. Use context-based method to compress dynamic control flow, value, and address trace. è Bidirectional traversal with equal ease [MICRO-04, TACO-05] 1: z=0 2: a=0 : b=2 4: p=&b 5: for i = 1 to N do : if ( i %2 == 0) then 7: p=&a endif endfor 8: a=a+1 9: z=2*(*p) 10: print(z) Input: N=2 1 1 : z=0 2 1 : a=0 1 : b=2 4 1 : p=&b 5 1 : for I=1 to N do 1 : if (i%2==0) then 8 1 : a=a : z=2*(*p) 5 2 : for I=1 to N do 2 : if (i%2==0) then 7 1 : p=&a 8 2 : a=a : z=2*(*p) 10 1 : print(z) Dependence Graph Representation Transform: Traces of Blocks T Input: N=2 1 1 : z=0 2 1 : a=0 1 : b=2 4 1 : p=&b 5 1 : for i = 1 to N do 1 : if ( i %2 == 0) then 8 1 : a=a : z=2*(*p) 5 2 : for i = 1 to N do 2 : if ( i %2 == 0) then 7 1 : p=&a 8 2 : a=a : z=2*(*p) 10 1 : print(z) <2,7> <5,><9,10> 1: z=0 2: a=0 : b=2 4: p=&b 5:for i=1 to N T <,8> F <4,8> <10,11> :if (i%2==0) then T F <5,7><9,12> 7: p=&a <7,12> <11,1> 8: a=a+1 <12,1> <5,8><9,1> 9: z=2*(*p) <1,14> 10: print(z)
7 Infer: Local Dependence Labels Transform: Local Dep. Labels (...,20)... (20,20) (20,20) 10,20,0 (10,10) (20,20) (0,0) (20,21)... =Y 10,20 (10,10) 21 Transform: Local Dep. Labels Group: Non-Local Dep. Edges 10,20 (10,10) (10,11) (20,21) =Y (20,20) (10,11) (20,21) 20 Y = Y = = Y = X 10 Y = (20,11) (20,11) (10,21) Y = (10,21) = Y = X Y = (20,11) Y = = Y = X (10,21) =Y 11,21 11,21 11,21
8 Compacted WET Sizes Slicing Times Program Statements Executed (Millions) WET Size (MB) Before / Before After After 00.twolf 90 10, bzip , vortex 09 8, parser 181.mcf ,70 10, gzip 50 9, li , gcc 5 5, go 85 10, Average 47 9, Bits / Instruction 41. [PLDI-04] vs. [ICSE-0] Dep. Graph Generation Times Reducing Online Overhead Offline post-processing after collecting address and control flow traces è 5x of execution time Online techniques [ICSM 2007] è Information Flow: 9x to18x slowdown è Basic block Opt.: x to10x slowdown è Trace level Opt.: 5.5x to 7.5x slowdown è Dual Core: 1.5x slowdown Online Filtering techniques è Forward slice of all inputs è User-guided bypassing of functions Record non-deterministic events online Less than 2x overhead Deterministic replay of executions Trace faulty executions off-line Replay the execution Switch on tracing Collect and inspect traces Trace analysis is still a problem The traces correspond to huge executions Off-line overhead of trace collection is still significant
9 Reducing Trace Sizes Beyond Tracing Checkpointing Schemes Trace from the most recent checkpoint Checkpoints are of the order of minutes. Better but the trace sizes are still very large. Checkpoint: capture memory image. Execute and Record (log) Events. [ISSTA-07] x Exploiting Program Characteristics Multithreaded and server-like [ISSTA-07, FSE-0] Examples : mysql, apache. Each request spawns a new thread. Do not trace irrelevant threads. Checkpoint log Upon Crash, Rollback to checkpoint. Reduce log and Replay execution using reduced log. Turn on tracing during replay. Reduced log x Trace è Applicable to Multithreaded Programs An Example Example Execution and log file A mysql bug load command will crash the server if database is not specified sql/mysql_load.cc: int mysql_load (THD *thd,...) { 150 if( 151 +strlen(thd->db) + < 152 FN_REFLEN)... } Without typing use database_name, thd->db is Null. Run mysql server User 1 connects to the server User 2 connects to the server User 1: show databases User 2: use test select * from b Time open path=/etc/my.cnf Wait for connection Create Thread 1 Wait for command Create Thread 2 Wait for command Recv show databases Handle command Recv use test; select * from b Handle command Recv load data Blue T0 Red T1 Green T2 Gray - Scheduler User 1: load data into table1 Handle -- (server crashes)
10 Execution Replay using Reduced log Execution Reduction Run mysql server User 1 connects to the server Time open path=/etc/my.cnf Wait for connection Create Thread 1 Effects of Reduction Irrelevant Threads Replay-only vs. Replay & Trace User 2 connects to the server Recv load data Handle -- (server crashes) How? By identifying Inter-thread Dependences Event Dependences - found using the log File Dependences - found using the log Shared-Memory Dependences - found using replay User 1: show databases User 2: show databases select * from b Naïve approach requires thread id of last writer of each address Space and time efficient detection o Memory Regions: Non-shared vs shared o Locality of References to Regions è Space requirement reduced by 4x è Time requirement reduced by 2x User 1: load data into table1 Experimental Results Experimental Results Program-bug Original Optimized Trace Sizes Num. of dependences
11 Experimental Results Debugging System Program-bug Orig. Logging OPT. Static Binary Analyzer Diablo Execution Times (seconds) Checkpoint + log Record Replay Jockey Control Dependence Application binary Slicing Module WET s Reduced Log Execution Engine Valgrind Instrument code Traces Compressed Trace Input Output Fault Avoidance Experiments Large number of faults in server programs are caused by the environment. 5 % of faults in Apache server. Types of Faults Handled Atomicity Violation Faults. Try alternate scheduling decisions. Heap Buffer Overflow Faults. Pad memory requests. Bad User Request Faults. Drop bad requests. Avoidance Strategy Recover first time, Prevent later. Record the change that avoided the fault. Program Type of Bug Env. Change # of Trials mysql-1 Atomicity Violn. Scheduler 1 10 mysql-2 Atomicity Violn. Scheduler 1 5 mysql- Atomicity Violn. Scheduler 1 5 mysql-4 Buffer Overflow. Mem. Padding pine-1 Buffer Overflow. Mem. Padding 1 25 pine-2 Buffer Overflow. Mem. Padding mutt-1 Bad User Req. Drop Req. 205 bc-1 Bad User Req. Drop Req. 290 bc-2 Bad User Req. Drop Req. 195 Time taken (secs.)
12 Summary Long-running Multi-threaded Program Execution Scalability Tracing + Logging Fault Fault Location Dynamic Slicing Offline Fault Avoidance Environment Faults Online
Locating Faults Through Automated Predicate Switching
Locating Faults Through Automated Predicate Switching Authored by Xiangyu Zhang, Neelam Gupta, Rajiv Gupta The University of Arizona ICSE 2006 Presented by Jing Pu Authors 1 Neelam Gupta The University
More informationFault Location and Avoidance in Long-Running Multithreaded Applications
Fault Location and Avoidance in Long-Running Multithreaded Applications Item type Authors Publisher Rights text; Electronic Dissertation Tallam, Sriraman Madapusi The University of Arizona. Copyright is
More informationPrototyping Architectural Support for Program Rollback Using FPGAs
Prototyping Architectural Support for Program Rollback Using FPGAs Radu Teodorescu and Josep Torrellas http://iacoma.cs.uiuc.edu University of Illinois at Urbana-Champaign Motivation Problem: Software
More informationAnalyzing Concurrency Bugs using Dual Slicing
Analyzing Concurrency Bugs using Dual Slicing Dasarath Weeratunge Xiangyu Zhang William N. Sumner and Suresh Jagannathan Dept. of Computer Science, Purdue University West Lafayette, IN 47907, USA {dweeratu,xyzhang,wsumner,suresh@cs.purdue.edu
More informationBasic Definitions: Testing
Basic Definitions: Testing l What is software testing? Running a program In order to find faults a.k.a. defects a.k.a. errors a.k.a. flaws a.k.a. faults a.k.a. BUGS 1 Bugs Hopper s bug (moth stuck in a
More informationCost Effective Dynamic Program Slicing
Cost Effective Dynamic Program Slicing Xiangyu Zhang Rajiv Gupta Department of Computer Science The University of Arizona Tucson, Arizona 87 {xyzhang,gupta}@cs.arizona.edu ABSTRACT Although dynamic program
More informationHARDWARE SUPPORT FOR SOFTWARE DEBUGGING IS CRITICAL. HARDWARE SUPPORT IS NECESSARY TO OBSERVE AND CAPTURE, WITH LITTLE OR NO
BUGNET: RECORDING APPLICATION-LEVEL EXECUTION FOR DETERMINISTIC REPLAY DEBUGGING WITH SOFTWARE S INCREASING COMPLEXITY, PROVIDING EFFICIENT HARDWARE SUPPORT FOR SOFTWARE DEBUGGING IS CRITICAL. HARDWARE
More informationFault Localization Using Value Replacement
Fault Localization Using Value Replacement Dennis Jeffrey (1) jeffreyd@cs.ucr.edu Neelam Gupta guptajneelam@gmail.com Rajiv Gupta (1) gupta@cs.ucr.edu (1) Univ. of California at Riverside, CSE Department,
More informationA Serializability Violation Detector for Shared-Memory Server Programs
A Serializability Violation Detector for Shared-Memory Server Programs Min Xu Rastislav Bodík Mark Hill University of Wisconsin Madison University of California, Berkeley Serializability Violation Detector:
More informationLightweight Fault Detection in Parallelized Programs
Lightweight Fault Detection in Parallelized Programs Li Tan UC Riverside Min Feng NEC Labs Rajiv Gupta UC Riverside CGO 13, Shenzhen, China Feb. 25, 2013 Program Parallelization Parallelism can be achieved
More informationSoftware Quality. What is Good Software?
Software Quality CS A470 What is Good Software? Depends on your point of view Five perspectives Transcendental view. Quality can be recognized but hard to define User view. Fitness for purpose Often adopted
More informationHARDFS: Hardening HDFS with Selective and Lightweight Versioning
HARDFS: Hardening HDFS with Selective and Lightweight Versioning Thanh Do, Tyler Harter, Yingchao Liu, Andrea C. Arpaci-Dusseau, and Remzi H. Arpaci-Dusseau Haryadi S. Gunawi 1 Cloud Reliability q Cloud
More informationProduction-Run Software Failure Diagnosis via Hardware Performance Counters. Joy Arulraj, Po-Chun Chang, Guoliang Jin and Shan Lu
Production-Run Software Failure Diagnosis via Hardware Performance Counters Joy Arulraj, Po-Chun Chang, Guoliang Jin and Shan Lu Motivation Software inevitably fails on production machines These failures
More informationWho is our rival? Upcoming. Testing. Ariane 5 rocket (1996) Ariane 5 rocket 3/8/18. Real programmers need no testing!
Upcoming Homework 3 posted; due March 22 Literature review due March 20 Testing Paper presentation instructions posted: http://people.cs.umass.edu/~brun/class/2018spring/cs621/paperpresentation/paperpresentation.pdf
More informationExperimental Evaluation of Using Dynamic Slices for Fault Location
Experimental Evaluation of Using Dynamic Slices for Fault Location Xiangyu Zhang Haifeng He Neelam Gupta Rajiv Gupta Department of Computer Science The University of Arizona Tucson, Arizona 85721 {xyzhang,hehf,ngupta,gupta}@cs.arizona.edu
More informationProbabilistic Diagnosis of Performance Faults in Large-Scale Parallel Applications
International Conference on Parallel Architectures and Compilation Techniques (PACT) Minneapolis, MN, Sep 21th, 2012 Probabilistic Diagnosis of Performance Faults in Large-Scale Parallel Applications Ignacio
More informationEffective Memory Protection Using Dynamic Tainting
Effective Memory Protection Using Dynamic Tainting James Clause Alessandro Orso (software) and Ioanis Doudalis Milos Prvulovic (hardware) College of Computing Georgia Institute of Technology Supported
More informationAutomatically Finding Patches Using Genetic Programming. Westley Weimer, Claire Le Goues, ThanVu Nguyen, Stephanie Forrest
Automatically Finding Patches Using Genetic Programming Westley Weimer, Claire Le Goues, ThanVu Nguyen, Stephanie Forrest Motivation Software Quality remains a key problem Over one half of 1 percent of
More informationSecuring Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation
Securing Software Applications Using Dynamic Dataflow Analysis Steve Cook OWASP June 16, 2010 0 Southwest Research Institute scook@swri.org (210) 522-6322 Copyright The OWASP Foundation Permission is granted
More informationAnalyzing Concurrency Bugs Using Dual Slicing
Purdue University Purdue e-pubs Department of Computer Science Technical Reports Department of Computer Science 2010 Analyzing Concurrency Bugs Using Dual Slicing Dasarath Weeratunge Purdue University,
More informationCFix. Automated Concurrency-Bug Fixing. Guoliang Jin, Wei Zhang, Dongdong Deng, Ben Liblit, and Shan Lu. University of Wisconsin Madison
CFix Automated Concurrency-Bug Fixing Guoliang Jin, Wei Zhang, Dongdong Deng, Ben Liblit, and Shan Lu. University of Wisconsin Madison 1 Bugs Need to be Fixed Buggy software is an unfortunate fact; There
More informationFixD : Fault Detection, Bug Reporting, and Recoverability for Distributed Applications
FixD : Fault Detection, Bug Reporting, and Recoverability for Distributed Applications Cristian Ţăpuş, David A. Noblet California Institute of Technology {crt,dnoblet}@cs.caltech.edu Abstract Model checking,
More informationWriting better code Loop invariants Correctness. John Edgar 2
Writing better code Loop invariants Correctness John Edgar 2 Not all code is equal Correct and reliable code is one of our goals Is a new car correct or reliable? Other characteristics of good code Affordable
More informationChapter 10. Improving the Runtime Type Checker Type-Flow Analysis
122 Chapter 10 Improving the Runtime Type Checker The runtime overhead of the unoptimized RTC is quite high, because it instruments every use of a memory location in the program and tags every user-defined
More informationStatic Analysis of Embedded Systems
Static Analysis of Embedded Systems Xavier RIVAL rival@di.ens.fr Outline Case study Certification of embedded softwares Demo Static Analysisof Embedded Systems p.2/12 Ariane 5 Flight 501 Ariane 5: sattelite
More informationChimera: Hybrid Program Analysis for Determinism
Chimera: Hybrid Program Analysis for Determinism Dongyoon Lee, Peter Chen, Jason Flinn, Satish Narayanasamy University of Michigan, Ann Arbor - 1 - * Chimera image from http://superpunch.blogspot.com/2009/02/chimera-sketch.html
More informationDebugging Reinvented: Asking and Answering Why and Why Not Questions about Program Behavior
Debugging Reinvented: Asking and Answering Why and Why Not Questions about Program Behavior Andrew J. Ko and Brad A. Myers School of Computer Science, Carnegie Mellon University Presenter: Shaosong Li
More information18-642: Race Conditions
18-642: Race Conditions 10/30/2017 Race Conditions Anti-Patterns for Race Conditions: Unprotected access to shared variables Shared variables not declared volatile Not accounting for interrupts and task
More informationHeapMD: Identifying Heap-based Bugs using Anomaly Detection
HeapMD: Identifying Heap-based Bugs using Anomaly Detection Trishul M. Chilimbi Microsoft Research Redmond, WA trishulc@microsoft.com Vinod Ganapathy University of Wisconsin Madison, WI vg@cs.wisc.edu
More informationCost and Precision Tradeoffs of Dynamic Data Slicing Algorithms
Cost and Precision Tradeoffs of Dynamic Data Slicing Algorithms XIANGYU ZHANG and RAJIV GUPTA The University of Arizona and YOUTAO ZHANG University of Texas at Dallas Dynamic slicing algorithms are used
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationDecoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor
Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help
More informationCauses of Software Failures
Causes of Software Failures Hardware Faults Permanent faults, e.g., wear-and-tear component Transient faults, e.g., bit flips due to radiation Software Faults (Bugs) (40% failures) Nondeterministic bugs,
More informationA Scalable Approach to User-session-based Testing of Web Applications through Concept Analysis
A Scalable Approach to User-session-based Testing of Web Applications through Concept Analysis Sreedevi Sampath, University of Delaware Valentin Mihaylov, Drexel University Amie Souter, Drexel University
More information1. Introduction to Concurrent Programming
1. Introduction to Concurrent Programming A concurrent program contains two or more threads that execute concurrently and work together to perform some task. When a program is executed, the operating system
More informationIntFlow: Integer Error Handling With Information Flow Tracking
mpomonis@cs.columbia.edu IntFlow Columbia University 1 / 29 IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D.
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationBuilding a Reactive Immune System for Software Services
Building a Reactive Immune System for Software Services Tobias Haupt January 24, 2007 Abstract In this article I summarize the ideas and concepts of the paper Building a Reactive Immune System for Software
More informationAnders Fröberg TDDD80 STORAGE AND TESTING
Anders Fröberg anders.froberg@liu.se TDDD80 STORAGE AND TESTING 1 Agenda: Test Unit testing vs Traditional Testing Debugging and Refactoring Deployment (Test Driven Development (TDD)) (Acceptance Test
More informationYuxi Chen, Shu Wang, Shan Lu, and Karthikeyan Sankaralingam *
Yuxi Chen, Shu Wang, Shan Lu, and Karthikeyan Sankaralingam * * 2 q Synchronization mistakes in multithreaded programs Thread 1 Thread 2 If(ptr){ tmp = *ptr; ptr = NULL; } Segfault q Common q Hard to diagnose
More informationLeveraging the Short-Term Memory of Hardware to Diagnose Production-Run Software Failures. Joy Arulraj, Guoliang Jin and Shan Lu
Leveraging the Short-Term Memory of Hardware to Diagnose Production-Run Software Failures Joy Arulraj, Guoliang Jin and Shan Lu Production-Run Failure Diagnosis Goal Figure out root cause of failure on
More informationDeterministic Replay and Reverse Debugging for QEMU
Deterministic Replay and Reverse Debugging for QEMU P. Dovgalyuk Novgorod State University Institute for System Programming of the Russian Academy of Sciences Our projects Working on QEMU projects since
More informationDeterministic Replay and Data Race Detection for Multithreaded Programs
Deterministic Replay and Data Race Detection for Multithreaded Programs Dongyoon Lee Computer Science Department - 1 - The Shift to Multicore Systems 100+ cores Desktop/Server 8+ cores Smartphones 2+ cores
More informationA State Alteration and Inspection-based Interactive Debugger
A State Alteration and Inspection-based Interactive Debugger Yan Wang CSE Department, UC Riverside wangy@cs.ucr.edu Min Feng NEC Laboratories America mfeng@nec-labs.com Rajiv Gupta Iulian Neamtiu CSE Department,
More informationWarm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.
Warm-Up Problem Let be a set of well-formed Predicate logic formulas Let be well-formed Predicate logic formulas Prove or disprove the following If then 1/35 Program Verification Carmen Bruni Lecture 18
More informationHardware Support for Software Debugging
Hardware Support for Software Debugging Mohammad Amin Alipour Benjamin Depew Department of Computer Science Michigan Technological University Report Documentation Page Form Approved OMB No. 0704-0188 Public
More informationTransparent Pointer Compression for Linked Data Structures
Transparent Pointer Compression for Linked Data Structures lattner@cs.uiuc.edu Vikram Adve vadve@cs.uiuc.edu June 12, 2005 MSP 2005 http://llvm.cs.uiuc.edu llvm.cs.uiuc.edu/ Growth of 64-bit computing
More information5) I want to get this done fast, testing is going to slow me down.
Testing Real Programmers need no Testing! The Top Five List 5) I want to get this done fast, testing is going to slow me down. 4) I started programming when I was 2. Don t insult me by testing my perfect
More informationBoundless Memory Blocks
Boundless Memory Blocks Cristian Cadar Massachusetts Institute of Technology (now Stanford University) M. Rinard, D. Dumitran D. Roy, T. Leu Massachusetts Institute of Technology Annual Computer Security
More informationModel Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).
Sérgio Campos scampos@dcc.ufmg.br Why? Imagine the implementation of a complex hardware or software system: A 100K gate ASIC perhaps 100 concurrent modules; A flight control system dozens of concurrent
More informationCSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Unit Testing. Emina Torlak
CSE 403: Software Engineering, Fall 2016 courses.cs.washington.edu/courses/cse403/16au/ Unit Testing Emina Torlak emina@cs.washington.edu Outline Software quality control Effective unit testing Coverage
More informationSupporting Operating System Kernel Data Disambiguation using Points-to Analysis
Supporting Operating System Kernel Data Disambiguation using Points-to Analysis Amani Ibriham, James Hamlyn-Harris, John Grundy & Mohamed Almorsy Center for Computing and Engineering Software Systems Swinburne
More informationEmpowering Software Debugging Through Architectural Support for Program Rollback
Empowering Software Debugging Through Architectural Support for Program Rollback Radu Teodorescu and Josep Torrellas Department of Computer Science University of Illinois at Urbana-Champaign http://iacoma.cs.uiuc.edu
More informationModular and Verified Automatic Program Repairs
Modular and Verified Automatic Program Repairs from Francesco Logozzo and Thomas Ball at Microsoft Research, Redmond presenter name(s) removed for FERPA considerations Introduction Your programs will have
More informationSCALABLE STATISTICAL BUG ISOLATION
SCALABLE STATISTICAL BUG ISOLATION Paper by Ben Liblit, Mayur Naik, Alice X. Zheng, Alex Aiken, Michael I. Jordan Presented by Ben Mishkanian 2/5/2015 Statistical Debugging Idea: Use dynamic statistical
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationWish Branch: A New Control Flow Instruction Combining Conditional Branching and Predicated Execution
Wish Branch: A New Control Flow Instruction Combining Conditional Branching and Predicated Execution Hyesoon Kim Onur Mutlu Jared Stark David N. Armstrong Yale N. Patt High Performance Systems Group Department
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationProfile-Guided Program Simplification for Effective Testing and Analysis
Profile-Guided Program Simplification for Effective Testing and Analysis Lingxiao Jiang Zhendong Su Program Execution Profiles A profile is a set of information about an execution, either succeeded or
More informationSymbolic Execution, Dynamic Analysis
Symbolic Execution, Dynamic Analysis http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Symbolic execution Pavel Parízek Symbolic Execution, Dynamic Analysis
More informationDo you have to reproduce the bug on the first replay attempt?
Do you have to reproduce the bug on the first replay attempt? PRES: Probabilistic Replay with Execution Sketching on Multiprocessors Soyeon Park, Yuanyuan Zhou University of California, San Diego Weiwei
More informationArtemis: Practical Runtime Monitoring of Applications for Errors
Purdue University Purdue e-pubs ECE Technical Reports Electrical and Computer Engineering 2-1-2005 Artemis: Practical Runtime Monitoring of Applications for Errors Long Fei Samuel P. Midkiff Follow this
More informationShengyue Wang, Xiaoru Dai, Kiran S. Yellajyosula, Antonia Zhai, Pen-Chung Yew Department of Computer Science & Engineering University of Minnesota
Loop Selection for Thread-Level Speculation, Xiaoru Dai, Kiran S. Yellajyosula, Antonia Zhai, Pen-Chung Yew Department of Computer Science & Engineering University of Minnesota Chip Multiprocessors (CMPs)
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1
More informationAutomated Software Testing in the Absence of Specifications
Automated Software Testing in the Absence of Specifications Tao Xie North Carolina State University Department of Computer Science Nov 2005 http://www.csc.ncsu.edu/faculty/xie/ Why Automate Testing? Software
More information(In columns, of course.)
CPS 310 first midterm exam, 10/9/2013 Your name please: Part 1. Fun with forks (a) What is the output generated by this program? In fact the output is not uniquely defined, i.e., it is not always the same.
More informationDiagnosing Production-Run Concurrency-Bug Failures. Shan Lu University of Wisconsin, Madison
Diagnosing Production-Run Concurrency-Bug Failures Shan Lu University of Wisconsin, Madison 1 Outline Myself and my group Production-run failure diagnosis What is this problem What are our solutions CCI
More informationNPTEL Course Jan K. Gopinath Indian Institute of Science
Storage Systems NPTEL Course Jan 2012 (Lecture 39) K. Gopinath Indian Institute of Science Google File System Non-Posix scalable distr file system for large distr dataintensive applications performance,
More informationLearning Universal Probabilistic Models for Fault Localization
Learning Universal Probabilistic Models for Fault Localization Min Feng Rajiv Gupta University of California at Riverside, CSE Department, Riverside CA, 92521 {mfeng, gupta}@cs.ucr.edu Abstract Recently
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationTRIPS: Extending the Range of Programmable Processors
TRIPS: Extending the Range of Programmable Processors Stephen W. Keckler Doug Burger and Chuck oore Computer Architecture and Technology Laboratory Department of Computer Sciences www.cs.utexas.edu/users/cart
More informationUsing Execution Paths to Evolve Software Patches
Using Execution Paths to Evolve Software Patches ThanhVu Nguyen*, Westley Weimer**, Claires Le Gouges**, Stephanie Forrest* * University of New Mexico ** University of Virginia Tuesday, March 31, 2009
More informationAutomated Debugging In Data Intensive Scalable Computing Systems
Automated Debugging In Data Intensive Scalable Computing Systems Muhammad Ali Gulzar 1, Matteo Interlandi 3, Xueyuan Han 2, Mingda Li 1, Tyson Condie 1, and Miryung Kim 1 1 University of California, Los
More informationRuntime Support for Scalable Task-parallel Programs
Runtime Support for Scalable Task-parallel Programs Pacific Northwest National Lab xsig workshop May 2018 http://hpc.pnl.gov/people/sriram/ Single Program Multiple Data int main () {... } 2 Task Parallelism
More informationNoise Injection Techniques to Expose Subtle and Unintended Message Races
Noise Injection Techniques to Expose Subtle and Unintended Message Races PPoPP2017 February 6th, 2017 Kento Sato, Dong H. Ahn, Ignacio Laguna, Gregory L. Lee, Martin Schulz and Christopher M. Chambreau
More informationAccMon: Automatically Detecting Memory-related Bugs via Program Counter-based Invariants
AccMon: Automatically Detecting Memory-related Bugs via Program Counter-based Invariants Pin Zhou, Wei Liu, Long Fei, Shan Lu, Feng Qin, Yuanyuan Zhou, Samuel Midkiff and Josep Torrellas Department of
More informationDowsing for overflows: a guided fuzzer to find buffer boundary violations
Dowsing for overflows: a guided fuzzer to find buffer boundary violations István Haller, Asia Slowinska, Matthias Neugschwandtner, Herbert Bos Usenix Security 2013 August 14, 2013 1 / 22 Bugs, bugs everywhere
More informationIntroduction to CS 270 Math Foundations of CS
Introduction to CS 270 Math Foundations of CS Verification of Computer Systems Jeremy Johnson Drexel University Course Description Emphasizes analytic problem-solving and introduction of mathematical material
More informationAutomatically Finding Patches Using Genetic Programming
Automatically Finding Patches Using Genetic Programming Westley Weimer, Stephanie Forrest, Claire Le Goues, ThanVu Nguyen, Ethan Fast, Briana Satchell, Eric Schulte Motivation Software Quality remains
More informationApplications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)
Software Security Requirements General Methodologies Hardware Firmware Software Protocols Procedure s Applications OS Cloud Attack Trees is one of the inside requirement 1. Attacks 2. Evaluation 3. Mitigation
More informationOptimistic Shared Memory Dependence Tracing
Optimistic Shared Memory Dependence Tracing Yanyan Jiang1, Du Li2, Chang Xu1, Xiaoxing Ma1 and Jian Lu1 Nanjing University 2 Carnegie Mellon University 1 powered by Understanding Non-determinism Concurrent
More informationTowards a Globally Scalable Semantics-based Static Analysis
Towards a Globally Scalable Semantics-based Static Analysis School of Computer Science & Engineering Seoul National University 11/15/2010 @ CSE, HKUST (co-work with my students and postdocs) A Fundamental
More informationAutomatically Classifying Benign and Harmful Data Races Using Replay Analysis
Automatically Classifying Benign and Harmful Data Races Using Replay Analysis Satish Narayanasamy, Zhenghao Wang, Jordan Tigani, Andrew Edwards, Brad Calder Microsoft University of California, San Diego
More information18-600: Recitation #3
18-600: Recitation #3 Bomb Lab & GDB Overview September 12th, 2017 1 Today X86-64 Overview Bomb Lab Introduction GDB Tutorial 2 3 x86-64: Register Conventions Arguments passed in registers: %rdi, %rsi,
More informationHeckaton. SQL Server's Memory Optimized OLTP Engine
Heckaton SQL Server's Memory Optimized OLTP Engine Agenda Introduction to Hekaton Design Consideration High Level Architecture Storage and Indexing Query Processing Transaction Management Transaction Durability
More informationTopics on Compilers Spring Semester Christine Wagner 2011/04/13
Topics on Compilers Spring Semester 2011 Christine Wagner 2011/04/13 Availability of multicore processors Parallelization of sequential programs for performance improvement Manual code parallelization:
More informationIntroduction & Formal Methods
Introduction & Formal Methods http://d3s.mff.cuni.cz Jan Kofroň CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Introduction to dependable systems NSWE 002 What you learn: Dependable systems
More informationUNIVERSITY OF CALIFORNIA RIVERSIDE. Dynamic State Alteration Techniques for Automatically Locating Software Errors
UNIVERSITY OF CALIFORNIA RIVERSIDE Dynamic State Alteration Techniques for Automatically Locating Software Errors A Dissertation submitted in partial satisfaction of the requirements for the degree of
More informationAutomated Test-Input Generation
Automated Test-Input Generation Tao Xie North Carolina State University Department of Computer Science Nov 2005 http://www.csc.ncsu.edu/faculty/xie/ Why Automate Testing? Software testing is important
More informationEXPLODE: a Lightweight, General System for Finding Serious Storage System Errors. Junfeng Yang, Can Sar, Dawson Engler Stanford University
EXPLODE: a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang, Can Sar, Dawson Engler Stanford University Why check storage systems? Storage system errors are among the
More informationSamsara: Efficient Deterministic Replay in Multiprocessor. Environments with Hardware Virtualization Extensions
Samsara: Efficient Deterministic Replay in Multiprocessor Environments with Hardware Virtualization Extensions Shiru Ren, Le Tan, Chunqi Li, Zhen Xiao, and Weijia Song June 24, 2016 Table of Contents 1
More informationReliable Computing I
Instructor: Mehdi Tahoori Reliable Computing I Lecture 9: Concurrent Error Detection INSTITUTE OF COMPUTER ENGINEERING (ITEC) CHAIR FOR DEPENDABLE NANO COMPUTING (CDNC) National Research Center of the
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationBe Conservative: Enhancing Failure Diagnosis with Proactive Logging
Be Conservative: Enhancing Failure Diagnosis with Proactive Logging Ding Yuan, Soyeon Park, Peng Huang, Yang Liu, Michael Lee, Xiaoming Tang, Yuanyuan Zhou, Stefan Savage University of California, San
More informationA Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm
Appears as Technical Memo MIT/LCS/TM-590, MIT Laboratory for Computer Science, June 1999 A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm Miguel Castro and Barbara Liskov
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationPractical Techniques for Regeneration and Immunization of COTS Applications
Practical Techniques for Regeneration and Immunization of COTS Applications Lixin Li Mark R.Cornwell E.Hultman James E. Just R. Sekar Stony Brook University Global InfoTek, Inc (Research supported by DARPA,
More informationWhen Embedded Systems Attack. Unit 22. Therac-25. Therac-25. Embedded Failures. Embedded systems can fail for a variety of reasons
22.1 22.2 When Embedded Systems Attack Unit 22 Embedded Failures Embedded systems can fail for a variety of reasons Electrical problems Mechanical problems Errors in the programming Incorrectly specified
More informationInlining Java Native Calls at Runtime
Inlining Java Native Calls at Runtime (CASCON 2005 4 th Workshop on Compiler Driven Performance) Levon Stepanian, Angela Demke Brown Computer Systems Group Department of Computer Science, University of
More informationRubicon: Scalable Bounded Verification of Web Applications
Joseph P. Near Research Statement My research focuses on developing domain-specific static analyses to improve software security and reliability. In contrast to existing approaches, my techniques leverage
More information