CS 267: Automated Verification. Lecture 18, Part 2: Data Model Analysis for Web Applications. Instructor: Tevfik Bultan

Transcription

1 CS 267: Automated Verification Lecture 18, Part 2: Data Model Analysis for Web Applications Instructor: Tevfik Bultan

2 Web Application Depability 2

3 Web Application Depability 3

4 Web Application Depability President Obama: I want to go in and fix myself, but I don't write code"

5 Web Application Depability TRACKS: A todo list applica2on Context Recurring Todo Feed the Dog EDIT 5

6 Web Application Architecture Data Model OOP ORM Rel Db RESTful Controller View Model View Controller (MVC) pa;ern: Ruby on Rails, Z for PHP, CakePHP, Struts for Java, Django for Python, Object Rela2onal Mapping (ORM) Ac2veRecord, Hibernate, 6

7 An Example Rails Data Model Static Data Model class User < ActiveRecord::Base has_many :todos has_many :projects class Project < ActiveRecord::Base belongs_to :user has_many :todos has_many :notes class Todo < ActiveRecord::Base belongs_to :user belongs_to :project class Note < ActiveRecord::Base belongs_to :project Data Model Updates: Actions class ProjectsController < ApplicationController def = do note respond_to(...) 7

8 Static Data Model Ac2veRecord class declara2ons sets of objects Ac2veRecord associa2on declara2ons has_one, has_many, belongs_to, has_and_belongs_to_many Associa2on declara2ons can be used to declare the three basic types of rela2ons between classes one-to-one one-to-many many-to-many 8

9 Extensions to Static Data Model :through Op2on To express rela2ons which are composi2on of other rela2ons :condi2ons Op2on To relate a subset of objects to another class :polymorphic Op2on To express polymorphic rela2onships :depent Op2on On delete, this op2on expresses whether to delete the associated objects or not 9

10 The :through Option class User < ActiveRecord::Base has_one :profile has_many :photos, :through => :profile class Profile < ActiveRecord::Base belongs_to :user has_many :photos class Photo < ActiveRecord::Base belongs_to :profile Profile * User 1 * Photo 10

11 The :depent Option class User < ActiveRecord::Base has_one :profile, :depent => :destroy class Profile < ActiveRecord::Base belongs_to :user has_many :photos, :depent => :destroy User Profile * Photo :delete directly delete the associated objects without looking at its depencies :destroy first checks whether the associated objects themselves have associa2ons with the :depent op2on set 11

12 Data Model Formalize the sta2c data model as A set of classes A set of rela2ons between those classes A set of constraints on the rela2ons that are imposed by the associa2on declara2ons Given a formal data model we can automa2cally check if a given property holds for the data model Automated verifica2on determines: Do the constraints of the data model imply the property? 12

13 Data Model Ac+veRecord Bound n Model Extrac2on Property BOUNDED VERIFICATION bound formal data model + property UNBOUNDED VERIFICATION Alloy Analyzer formula Alloy Encoder SMT-LIB Encoder formula SMT Solver instance or unsat Results Interpreter Results Interpreter instance or unsat or unknown 13 Property Verified Property Failed + Counterexample Unknown

14 How Automated is Automated All except one step: Property specifica2on Example: It is possible to have a User who does not have any Photos. In Alloy: pred prop { all s: PreState some u: User all p: Photo (p not in (s.photo_user).u) } In SMT-LIB: (assert (exists ((a PolymorphicClass)) (forall ((p Photo)) (and (isuser a) (not (= p (a user_photo p)))) ))) Can we make it easier? 14

15 Property Templates Property templates for property specifica2on Language-neutral Do not require familiarity with SMT-LIB and Alloy Example property template: noorphans[classa, classb] To check that dele2ng an object from classa does not cause related objects in classb to be orphaned Easily rerun tool and switch the verifica2on technique, without having to rewrite the property We developed seven property templates for the most common data model proper2es 15

16 Can We Do More?

17 Automatic Property Inference Automa2cally infer proper2es based on data model schema Data model schema: A directed, annotated graph that represents the rela2ons Look for pa;erns in the data model schema and infer a property if a pa;ern that corresponds to a property appears For example, orphan preven2on n 17

18 Can Automated We Do Even Data More? Model Repair noorphans(x, Y) property failing means dele2ng an object from class X creates an orphan chain that starts with associated object in class Y Repair: Set :depent op2on to :destroy on associa2on declara2on in class X and on remaining rela2ons in the chain that starts with class Y... X Y... N Set :depent => :destroy on all relations in chain 18

19 Summary Formal Data Model Formal Data Model + Proper2es Ac2ve Records Verifica2on Results Model Extrac2on Property Inference Verifica2on for failing proper2es Data Model Repair 19

20 Experiment Results Applica+on Property Type # Inferred # Timeout # Failed deletepropagates LovdByLess noorphans transi2ve deletepropagates Substruct noorphans transi2ve deletepropagates Tracks noorphans transi2ve deletepropagates FatFreeCRM noorphans transi2ve deletepropagates OSR noorphans transi2ve TOTAL

21 Property Type # Data Model & Applica+on Errors # Data Model Errors # Failures Due to Rails Limita+ons # False Posi+ves deletepropagates noorphans transi2ve deletepropagates noorphans transi2ve deletepropagates noorphans transi2ve deletepropagates noorphans transi2ve deletepropagates noorphans transi2ve TOTAL

22 What About Data Model Actions? Static Data Model class User < ActiveRecord::Base has_many :todos has_many :projects class Project < ActiveRecord::Base belongs_to :user has_many :todos has_many :notes class Todo < ActiveRecord::Base belongs_to :user belongs_to :project class Note < ActiveRecord::Base belongs_to :project Data Model Updates: Actions class ProjectsController < ApplicationController def = do note respond_to(...) 22

23 of Data Model Actions 23

24 Abstract Data Stores Rails class User has_many :todos has_many :projects class Project belongs_to :user has_many :todos has_many :notes class Todo belongs_to :user belongs_to :project class Note belongs_to :project Abstract Data Store class User { 0+ Todo todos inverseof user 0+ Project projects inverseof user } class Project { 0..1 User user 0+ Todo todos inverseof project 0+ Note notes inverseof project } class Todo { 0..1 User user 0..1 Project project } class Note { 0..1 Project project } 24

25 Abstract Data Stores def = Project.find( do note respond_to(...) action project_destroy() { at_project = oneof(allof(project)) foreach note: at_project.notes { delete note } delete at_project } invariant(forall{ project!project.user.empty? }) invariant(forall{ user user.projects.todos.include? (user) }) forall(project project: not empty(project.user) ) forall(user user: user in user.projects.todos.users ) 25 Our library allows developers to specify invariants in native Ruby

26 Extraction Extrac2on is hard for ac2ons Dynamic type system Metaprogramming Eval Ghost Methods such as: User.find_by_name( Rob ) Observa2ons The schema is sta2c Ac2on declara2ons are sta2c ORM classes and methods do not change their seman2c during execu2on even if the implementa2on code is generated dynamically 26

27 Extraction via Instrumented Execution Boot-up the Rails run2me in a simulated environment Without opening sockets or connec2ng to the database Prepare ac2on methods for extrac2on ORM opera2ons will record their invoca2on instead of communica2ng with the database Method calls propagate instrumenta2on just before execu2on Extrac2on is path insensi2ve, execu2ng both branches subsequently Trigger an HTTP request that triggers an ac2on 27

28 via Translation to FOL A predicate is generated for each class and associa2on User(o) means that o is an instance of User Project_user(t) means that t represents an associa2on between a Project object and User object Type system constraints become axioms u: User(u) (Project(u) Todo(u)...) Cardinality of associa2ons is expressed through axioms eg. 0..1: t 1, t 2 : (Project_user(t 1 ) Project_user(t 2 ) Project_user_lhs(t 1 ) = Project_user_lhs(t 2 )) Project_user_rhs(t 1 ) = Project_user_rhs(t 2 ) 28

29 Translation of Statements to FOL An ac2on is a sequen2al composi2on of statements. Statements A state is represented with a predicate deno2ng all en22es that exist in a state A statement is a migra2on between states e.g., a create Note statement: pre_state(newly_created()) t: post_state(t) Note_project_lhs(t) = newly_created() o: (post_state(o) (pre_state(o) o = newly_created())) 29

30 Translation of Loops to FOL We only support ForEach loops (for now) They correspond to universal quan2fica2on Statements can execute mul2ple 2mes in loops Contexts to differen2ate itera2ons Ordering of itera2ons Itera2on interdepence 30

31 Inductive Inv(s) is a formula deno2ng that all invariants hold in state s Ac3on(s, s ) is a formula deno2ng that the ac2on may transi2on from state s to state s Check if: s, s : Inv(s) Ac2on(s, s ) Inv(s ) 31

32 Experiments Experimented on 3 open source Rails applica2ons FatFreeCRM, Tracks, Kandan 272 actions, 23 invariants Iden2fied 4 bugs Reported to original developers All immediately confirmed and, since, fixed Missed by previous verifica2on efforts on these applica2ons 32

33 Experiments 33

34 Publications Jaideep Nijjar and Tevfik Bultan. Bounded Verifica+on of Ruby on Rails Data Models. In Proc. Interna3onal Symposium on So>ware Tes3ng and Analysis (ISSTA), pages 67 77, Jaideep Nijjar and Tevfik Bultan. Unbounded Data Model Verifica+on Using SMT Solvers. In Proc. 27th IEEE/ACM Int. Conf. Automated So>ware Engineering (ASE), pages , Jaideep Nijjar, Ivan Bocic and Tevfik Bultan. An Integrated Data Model Verifier with Property Templates. In Proc. 1st FME Workshop on Formal Methods in So>ware Engineering (FormaliSE 2013). Jaideep Nijjar and Tevfik Bultan. Data Model Property Inference and Repair. In Proc. Interna3onal Symposium on So>ware Tes3ng and Analysis (ISSTA), pages , Ivan Bocic, and Tevfik Bultan. Induc+ve Verifica+on of Data Model Invariants for Web Applica+ons. In Proc. Interna3onal Conference on So>ware Engineering (ICSE), 2014 Jaideep Nijjar, Ivan Bocic, and Tevfik Bultan. Data Model Property Inference, Verifica+on and Repair for Web Applica+ons. (Submi;ed to ACM Transla3ons on So>ware Engineering and Methodology). 34