Leveraging Test Generation and Specification Mining for Automated Bug Detection without False Positives

Size: px

Start display at page:

Download "Leveraging Test Generation and Specification Mining for Automated Bug Detection without False Positives"

Lynn Richard
5 years ago
Views:

1 Leveraging Test Generation and Specification Mining for Automated Bug Detection without False Positives Michael Pradel and Thomas R. Gross Department of Computer Science ETH Zurich 1

2 Motivation API usage Class X API 2

3 Motivation API usage Client Class X API 2

4 Motivation API usage Client Class X API X must ensure safe API usage 2

5 Example from Apache Xalan class X { private Stack s = new Stack(); public String report() { return get().tostring(); private Object get() { s.peek(); 3

6 Example from Apache Xalan Stack has a... class X { private Stack s = new Stack(); public String report() { return get().tostring(); private Object get() { s.peek(); 3

7 Example from Apache Xalan Stack has a but X fails to ensure it: class X { private Stack s = new Stack(); public String report() { return get().tostring(); private Object get() { s.peek(); X x = new X(); x.report(); EmptyStackException 3

8 Unsafe API Usage API usage Client Class X API 4

9 Unsafe API Usage API usage Client Class X API exception 4

10 Unsafe API Usage API usage Client Class X API exception exception Unsafe API usage: X exposes client to unexpected exception 4

11 Unsafe API Usage API usage Client Class X exception exception API How to find unsafe API usages? Unsafe API usage: X exposes client to unexpected exception 4

12 Goal Program Tool Unsafe API usages 5

13 Goal Program Tool Unsafe API usages Automatic and precise bug detection 5

14 Goal Tests Program Formal specs Tool Unsafe API usages False positives Automatic and precise bug detection 5

15 State of the Art (1) (Tests) Program Anomaly detection Unsafe API usages False positives Nguyen et al. 09 Wasylkowski + Zeller 09 Thummalapenta + Xie 09 Monperrus et al. 10 Gabel + Su 10 6

16 State of the Art (2) Program Formal specs Type state checking Unsafe API usages False positives DeLine + Fähndrich 04 Bierhoff + Aldrich 07 Fink et al. 08 Naeem + Lhotak 08 Bodden 10 7

17 State of the Art (3) Program Static code checker (Unsafe API usages) False positives FindBugs PMD 8

18 Goal Program Tool Unsafe API usages Automatic and precise bug detection 9

19 Approach Test generation Dynamic mining Runtime verification 10

20 Approach Test generation Dynamic mining Runtime verification provides s requires input to run program 10

21 Approach Test generation Dynamic mining Runtime verification provides s requires input to run program finds violations requires s and input 10

22 Approach Test generation provides input requires test oracle to find bugs Dynamic mining Runtime verification provides s requires input to run program finds violations requires s and input 10

23 Approach Program Test generation tests tests Dynamic mining s Runtime verification Unsafe API usages 10

24 Approach Program Test generation tests tests Dynamic mining s Runtime verification Unsafe API usages 10

25 Test Generation Feedback-directed, random test generation [Randoop, Pacheco2007] Two kinds of tests: class Test {... Failing (exception or assertion violation) class Test {... Passing 11

26 Approach Program Test generation tests tests Dynamic mining s Runtime verification Unsafe API usages 12

27 Approach Program Test generation tests tests Dynamic mining s Runtime verification Unsafe API usages 12

28 Protocol Mining class Test {... Execution trace Dynamic mining API usage [ASE 09 and ICSM 10, Pradel et al.] 13

29 Example new Stack() s s.push() s.push() s.pop() s.peek() s.removeallelements() 14

30 Approach Program Test generation tests tests Dynamic mining s Runtime verification Unsafe API usages 15

31 Approach Program Test generation tests tests Dynamic mining s Runtime verification Unsafe API usages 15

32 Runtime Protocol Verification class Test {... Execution trace Runtime verification Protocol violations Check all instances of Warn if non-existing transition is taken 16

33 Example Test: X x = new X(); x.report(); class X { private Stack s = new Stack(); public String report() { return get().tostring(); private Object get() { s.peek(); new Stack() s.push() s s.removeallelements() s.push() s.pop() s.peek() 17

34 Example Test: X x = new X(); x.report(); class X { private Stack s = new Stack(); public String report() { return get().tostring(); private Object get() { s.peek(); new Stack() s.push() s s.removeallelements() s.push() s.pop() s.peek() 17

35 Example Test: X x = new X(); x.report(); class X { private Stack s = new Stack(); public String report() { return get().tostring(); private Object get() { s.peek(); new Stack() s.push() s s.removeallelements() s.push() s.pop() s.peek() 17

36 Example Test: X x = new X(); x.report(); Protocol violation class X { private Stack s = new Stack(); public String report() { return get().tostring(); private Object get() { s.peek(); new Stack() s.push() s s.removeallelements() s.push() s.pop() s.peek() 17

37 False Positives Challenge: Incomplete s (depend on mining) new Stack() s.push() s s.removeallelements() s.push() s.pop() s.peek() 18

38 False Positives Challenge: Incomplete s (depend on mining) new Stack() s.push() s s.removeallelements() s.push() s.pop() s.peek() Program: Stack s = new Stack(); s.push(..); s.push(..); 18

39 False Positives Challenge: Incomplete s (depend on mining) new Stack() s.push() s s.removeallelements() s.push() s.pop() s.peek() Program: Stack s = new Stack(); s.push(..); s.push(..); False positive violation 18

40 False Positives Challenge: Incomplete s (depend on mining) new Stack() s.push() Protocol s 1 2 violation 3 Bug s.pop() s.removeallelements() s.push() s.peek() Program: Stack s = new Stack(); s.push(..); s.push(..); False positive violation 18

41 Warnings without False Positives Protocol violation Program crash Undeclared exception 19

42 Warnings without False Positives Protocol violation Program crash May be due to incomplete Undeclared exception 19

43 Warnings without False Positives Protocol violation Program crash May be due to illegal use of class Undeclared exception 19

44 Warnings without False Positives Protocol violation Program crash Warnings to report Undeclared exception 19

45 Warnings without False Positives (2) Only report problem if: violated and -violating call fails the test and -violating method does not declare the exception 20

46 Example (again) new Stack() s.push() s s.removeallelements() s.push() s.pop() s.peek() Program: Stack s = new Stack(); s.push(..); s.push(..); No warning, since violation doesn t raise exception 21

47 Approach Program Test generation tests tests Dynamic mining s Runtime verification Unsafe API usages 22

48 Evaluation Implemented into fully automatic tool Main questions: 1. Effectiveness in finding unsafe API usages 2. Comparison with existing work 3. Performance 23

49 Setup Programs: DaCapo benchmarks (5,012 classes) APIs: Collection+Iterator Vector+Enumeration including subclasses Stopping criterion: Generate 10,000 tests per program 24

50 Unsafe API Usages 54 unsafe API usages 0 false positives 25

51 Example from Jython public class X { protected Iterator iter; public void _begincanonical() { iter = classes.values().iterator(); public Object _next() { if (iter.hasnext()) return iter.next(); else return null; public void _flushcurrent() { iter.remove(); 26

52 Example from Jython public class X { protected Iterator iter; public void _begincanonical() { iter = classes.values().iterator(); public Object _next() { if (iter.hasnext()) return iter.next(); else return null; public void _flushcurrent() { iter.remove(); 26

53 Example from Jython public class X { protected Iterator iter; public void _begincanonical() { iter = classes.values().iterator(); public Object _next() { if (iter.hasnext()) return iter.next(); else return null; public void _flushcurrent() { iter.remove(); Safe API usage 26

54 Example from Jython public class X { protected Iterator iter; public void _begincanonical() { iter = classes.values().iterator(); public Object _next() { if (iter.hasnext()) return iter.next(); else return null; public void _flushcurrent() { iter.remove(); Protocol violation Crash through exception Not declared 26

55 Kinds of Bugs Diverse kinds of unsafe API usages Invalid indexing of lists and vectors Iterators: Illegal next() and remove() Accessing non-existing elements: E.g., pop() All unsafe API usages for download: 27

56 Comparison with Prior Work JDK-API usage in DaCapo: OCD [Gabel+Su, ICSE 10] Our approach 1 potential bug 54 crashing bugs 2 false positives 0 false positives 28

57 Comparison with Prior Work JDK-API usage in DaCapo: OCD [Gabel+Su, ICSE 10] Our approach 1 potential bug 54 crashing bugs 2 false positives 0 false positives DaCapo input vs. generated input 28

58 Comparison with Prior Work JDK-API usage in DaCapo: OCD [Gabel+Su, ICSE 10] Our approach 1 potential bug 54 crashing bugs 2 false positives 0 false positives Avoid false positives by construction 28

59 Performance Between less then a minute and several minutes per program-api pair Optimization: Find bugs with 5x less tests Static analysis: Prioritize methods Guide random test generator towards API-relevant parts of program 29

60 Summary Program Automatic and precise analysis Unsafe API usages Benefits of dynamic analysis without providing input Find bugs with mined specifications without false positives Guide test generator towards API 30

61 Conclusion Don t waste precious developer time Lots of testing with little effort Photo: Alfonso Silóniz 31

62 Leveraging Test Generation and Specification Mining for Automated Bug Detection without False Positives Michael Pradel, Thomas R. Gross Department of Computer Science ETH Zurich Thank you! 32

Large-Scale API Protocol Mining for Automated Bug Detection

Large-Scale API Protocol Mining for Automated Bug Detection Michael Pradel Department of Computer Science ETH Zurich 1 Motivation LinkedList pinconnections =...; Iterator i = pinconnections.iterator();