Concolic testing: a decade later (keynote)
Koushik Sen. Proceedings of the 13th International Workshop on Dynamic Analysis, 2015-10-26. DOI: https://doi.org/10.1145/2823363.2823364

Symbolic execution for software testing has witnessed renewed interest in recent years due to its ability to generate high-coverage test suites and find deep errors in software systems. In this talk, I will give an overview of a modern symbolic execution technique, called concolic testing, discuss its key challenges in terms of path exploration, and introduce MultiSE, a new technique for tackling the path exploration challenge.
Towards deployment-time dynamic analysis of server applications
Luís Pina, Cristian Cadar. Proceedings of the 13th International Workshop on Dynamic Analysis, 2015-10-26. DOI: https://doi.org/10.1145/2823363.2823372

Bug-finding tools based on dynamic analysis (DA), such as Valgrind or the compiler sanitizers provided by Clang and GCC, have become ubiquitous during software development. These analyses are precise but incur a large performance overhead (often several times slower than native execution), which makes them prohibitively expensive to use in production. In this work, we investigate the exciting possibility of deploying such dynamic analyses in production code, using a multi-version execution approach.
Supporting PHP dynamic analysis in PHP AiR
M. Hills. Proceedings of the 13th International Workshop on Dynamic Analysis, 2015-10-26. DOI: https://doi.org/10.1145/2823363.2823373

The PHP AiR framework is currently being developed to support software metrics, empirical software engineering, and program analysis for real-world PHP systems. While most of the work on program analysis has focused on static analysis, to help address the dynamic nature of the language we have also started to extend PHP AiR with support for dynamic program analysis. This extended abstract highlights two parts of this support: integration with xdebug for trace analysis, and instrumentation of an open-source PHP interpreter with a focus on supporting string origins, allowing us to explore how strings are created in security-sensitive areas such as database calls and HTML generation.
A formal foundation for trace-based JIT compilers
Maarten Vandercammen, Jens Nicolay, Stefan Marr, Joeri De Koster, T. D'Hondt, Coen De Roover. Proceedings of the 13th International Workshop on Dynamic Analysis, 2015-10-26. DOI: https://doi.org/10.1145/2823363.2823369

Trace-based JIT compilers identify frequently executed program paths at run-time and subsequently record, compile and optimize their execution. In order to improve the performance of the generated machine instructions, JIT compilers heavily rely on dynamic analysis of the code. Existing work treats the components of a JIT compiler as a monolithic whole, tied to particular execution semantics. We propose a formal framework that facilitates the design and implementation of a tracing JIT compiler and its accompanying dynamic analyses by decoupling the tracing, optimization, and interpretation processes. This results in a framework that is more configurable and extensible than existing formal tracing models. We formalize the tracer and interpreter as two abstract state machines that communicate through a minimal, well-defined interface. Developing a tracing JIT compiler becomes possible for arbitrary interpreters that implement this interface. The abstract machines also provide the necessary hooks to plug in custom analyses and optimizations.
Ayudante: identifying undesired variable interactions
I. Haq, Juan Caballero, Michael D. Ernst. Proceedings of the 13th International Workshop on Dynamic Analysis, 2015-10-26. DOI: https://doi.org/10.1145/2823363.2823366

A common programming mistake is for incompatible variables to interact, e.g., storing euros in a variable that should hold dollars, or using an array index with the wrong array. This paper proposes a novel approach for identifying undesired interactions between program variables. Our approach uses two different mechanisms to identify related variables. Natural language processing (NLP) identifies variables with related names that may have related semantics. Abstract type inference (ATI) identifies variables that interact with each other. Any discrepancies between these two mechanisms may indicate a programming error. We have implemented our approach in a tool called Ayudante. We evaluated Ayudante using two open-source programs: the Exim mail server and grep. Although these programs have been extensively tested and in deployment for years, Ayudante's first report for grep revealed a programming mistake.
Infection size as a measure of bug severity
M. R. Azadmanesh, Matthias Hauswirth. Proceedings of the 13th International Workshop on Dynamic Analysis, 2015-10-26. DOI: https://doi.org/10.1145/2823363.2823370

A simple bug in a program can influence a large part of the program execution by spreading throughout the state at runtime. This is known as program infection. The seriousness of bugs is usually measured by studying their external effects. However, such effects essentially derive from internal factors of a program. Our idea is to focus on internal factors, in particular the infection chain, to measure how serious a bug was. This allows reasoning about bugs from a new and potentially insightful perspective.
SQL for deep dynamic analysis?
M. R. Azadmanesh, Matthias Hauswirth. Proceedings of the 13th International Workshop on Dynamic Analysis, 2015-10-26. DOI: https://doi.org/10.1145/2823363.2823365

If we develop a new dynamic analysis tool, how should we expose its functionalities? Through an interactive user interface, a DSL, a specific API, or in some other way? In this paper, we discuss how to use an already existing language familiar to most software engineers, SQL, to perform deep dynamic analyses. The goal is to explore the trade-off between expressiveness and ease of use. We use BLAST as the dynamic analysis tool and map its trace information to a relational database. We find that, even though SQL is expressive enough for deep analysis of program executions and information flow, it is not quite straightforward to express some of the queries software engineers might be interested in. However, it removes the burden of learning a new language from scratch, which could make it worthwhile as an option in some cases.
Efficient dynamic analysis of the synchronization performance of Java applications
Peter Hofer, David Gnedt, H. Mössenböck. Proceedings of the 13th International Workshop on Dynamic Analysis, 2015-10-26. DOI: https://doi.org/10.1145/2823363.2823367

Concurrent programming has become a necessity in order to benefit from recent advances in processor design. However, implementing correct and scalable synchronization in concurrent code remains a challenge. Dynamic analysis of synchronization behavior is vital to determine where more sophisticated but error-prone synchronization pays off. We examine common approaches that developers use to identify and analyze concurrency bottlenecks in Java applications. We then describe key aspects of our ongoing research on a novel approach to Java synchronization analysis. Our approach provides developers with exhaustive information on the synchronization behavior of their application, but incurs such low overhead that it is feasible to use it for monitoring production systems. Unlike other methods, our approach can precisely show where optimizations have the largest impact.
Recovering execution data from incomplete observations
Peter Ohmann, D. Brown, B. Liblit, T. Reps. Proceedings of the 13th International Workshop on Dynamic Analysis, 2015-10-26. DOI: https://doi.org/10.1145/2823363.2823368

Due to resource constraints, tracing production applications often results in incomplete data. Nevertheless, developers ideally want answers to queries about the program's execution beyond data explicitly gathered. For example, a developer may ask whether a particular program statement executed during the run corresponding to a given failure report. In this work, we investigate the problem of determining whether each statement in a program executed, did not execute, or may have executed, given a set of (possibly-incomplete) observations. Using two distinct formalisms, we propose two solutions to this problem. The first formulation represents observations as regular languages, and computes intersections over these languages using finite-state acceptors. The second formulation encodes the problem as a set of Boolean constraints, and uses answer set programming to solve the constraints.
Proceedings of the 13th International Workshop on Dynamic Analysis
Front matter (no abstract). DOI: https://doi.org/10.1145/2823363