Sylvain Hallé, Taylor Ettema, Chris Bunch, T. Bultan
The enforcement of navigation constraints in web applications is challenging and error prone due to the unrestricted use of navigation functions in web browsers. This often leads to navigation errors, producing cryptic messages and exposing information that can be exploited by malicious users. We propose a runtime enforcement mechanism that restricts the control flow of a web application to a state machine model specified by the developer, and use model checking to verify temporal properties on these state machines. Our experiments, performed on three real-world applications, show that 1) our runtime enforcement mechanism incurs negligible overhead under normal circumstances, and can even reduce server processing time in handling unexpected requests; 2) by combining runtime enforcement with model checking, navigation correctness can be efficiently guaranteed in large web applications.
{"title":"Eliminating navigation errors in web applications via model checking and runtime enforcement of navigation state machines","authors":"Sylvain Hallé, Taylor Ettema, Chris Bunch, T. Bultan","doi":"10.1145/1858996.1859044","DOIUrl":"https://doi.org/10.1145/1858996.1859044","url":null,"abstract":"The enforcement of navigation constraints in web applications is challenging and error prone due to the unrestricted use of navigation functions in web browsers. This often leads to navigation errors, producing cryptic messages and exposing information that can be exploited by malicious users. We propose a runtime enforcement mechanism that restricts the control flow of a web application to a state machine model specified by the developer, and use model checking to verify temporal properties on these state machines. Our experiments, performed on three real-world applications, show that 1) our runtime enforcement mechanism incurs negligible overhead under normal circumstances, and can even reduce server processing time in handling unexpected requests; 2) by combining runtime enforcement with model checking, navigation correctness can be efficiently guaranteed in large web applications.","PeriodicalId":341489,"journal":{"name":"Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering","volume":"477 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115675114","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Traceability links between artifacts in a software system aid developers in comprehension, development, and effective management of the system. Traceability systems to date have been confronting the difficulties in retrieving relationships between artifacts with high quality and accuracy, and in visualizing extracted relationships in a natural and intuitive way. This research aims to combine several traceability recovery techniques to make up for each other's weaknesses to extract relationships between artifacts at a high-level accuracy and quality. Moreover, the recovered relationships are visualized in a hierarchical rich graphical tree that can be expanded and contracted to help users easily interact with these links and move easily between artifacts and their related artifacts and vice versa. Our preliminary evaluation demonstrated that integration of several traceability recovery techniques can improve the quality and accuracy of retrieved links.
{"title":"Extraction and visualization of traceability relationships between documents and source code","authors":"Xiaofan Chen","doi":"10.1145/1858996.1859098","DOIUrl":"https://doi.org/10.1145/1858996.1859098","url":null,"abstract":"Traceability links between artifacts in a software system aid developers in comprehension, development, and effective management of the system. Traceability systems to date have been confronting the difficulties in retrieving relationships between artifacts with high quality and accuracy, and in visualizing extracted relationships in a natural and intuitive way. This research aims to combine several traceability recovery techniques to make up for each other's weaknesses to extract relationships between artifacts at a high-level accuracy and quality. Moreover, the recovered relationships are visualized in a hierarchical rich graphical tree that can be expanded and contracted to help users easily interact with these links and move easily between artifacts and their related artifacts and vice versa. Our preliminary evaluation demonstrated that integration of several traceability recovery techniques can improve the quality and accuracy of retrieved links.","PeriodicalId":341489,"journal":{"name":"Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123112315","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We present a novel approach for generating syntactically and semantically correct SQL queries as inputs for testing relational databases. We leverage the SAT-based Alloy tool-set to reduce the problem of generating valid SQL queries into a SAT problem. Our approach translates SQL query constraints into Alloy models, which enable it to generate valid queries that cannot be automatically generated using conventional grammar-based generators. Given a database schema, our new approach combined with our previous work on ADUSA, automatically generates (1) syntactically and semantically valid SQL queries for testing, (2) input data to populate test databases, and (3) expected result of executing the given query on the generated data. Experimental results show that not only can we automatically generate valid queries which detect bugs in database engines, but also we are able to combine this work with our previous work on ADUSA to automatically generate input queries and tables as well as expected query execution outputs to enable automated testing of database engines.
{"title":"Automated SQL query generation for systematic testing of database engines","authors":"Shadi Abdul Khalek, S. Khurshid","doi":"10.1145/1858996.1859063","DOIUrl":"https://doi.org/10.1145/1858996.1859063","url":null,"abstract":"We present a novel approach for generating syntactically and semantically correct SQL queries as inputs for testing relational databases. We leverage the SAT-based Alloy tool-set to reduce the problem of generating valid SQL queries into a SAT problem. Our approach translates SQL query constraints into Alloy models, which enable it to generate valid queries that cannot be automatically generated using conventional grammar-based generators. Given a database schema, our new approach combined with our previous work on ADUSA, automatically generates (1) syntactically and semantically valid SQL queries for testing, (2) input data to populate test databases, and (3) expected result of executing the given query on the generated data. Experimental results show that not only can we automatically generate valid queries which detect bugs in database engines, but also we are able to combine this work with our previous work on ADUSA to automatically generate input queries and tables as well as expected query execution outputs to enable automated testing of database engines.","PeriodicalId":341489,"journal":{"name":"Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering","volume":"88 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114668195","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Large-scale software development, for the longest time, has relied heavily on centralized, process-centric approaches, such as CCMI. There are three trends that make applying a traditional approach increasingly infeasible, i.e. the increasing adoption of software product lines, global software development and software ecosystem. Although agile software development methods have removed much of the inefficiencies in small and medium-scale software development, addressing the inefficiencies in large scale software development requires a more compositional approach. The presentation introduces the differences between intra-team and inter-team coordination and presents an architecture-centric approach to large-scale software development that heavily relies on automated tool support.
{"title":"Keynote address: toward compositional software engineering","authors":"J. Bosch","doi":"10.1145/1858996.1858997","DOIUrl":"https://doi.org/10.1145/1858996.1858997","url":null,"abstract":"Large-scale software development, for the longest time, has relied heavily on centralized, process-centric approaches, such as CCMI. There are three trends that make applying a traditional approach increasingly infeasible, i.e. the increasing adoption of software product lines, global software development and software ecosystem. Although agile software development methods have removed much of the inefficiencies in small and medium-scale software development, addressing the inefficiencies in large scale software development requires a more compositional approach. The presentation introduces the differences between intra-team and inter-team coordination and presents an architecture-centric approach to large-scale software development that heavily relies on automated tool support.","PeriodicalId":341489,"journal":{"name":"Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering","volume":"116 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115743857","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Software testing has been commonly used in assuring the quality of database applications. It is often prohibitively expensive to manually write quality tests for complex database applications. Automated test generation techniques, such as Dynamic Symbolic Execution (DSE), have been proposed to reduce human efforts in testing database applications. However, such techniques have two major limitations: (1) they assume that the database that the application under test interacts with is accessible, which may not always be true; and (2) they usually cannot create necessary database states as a part of the generated tests. To address the preceding limitations, we propose an approach that applies DSE to generate tests for a database application. Instead of using the actual database that the application interacts with, our approach produces and uses a mock database in test generation. A mock database mimics the behavior of an actual database by performing identical database operations on itself. We conducted two empirical evaluations on both a medical device and an open source software system to demonstrate that our approach can generate, without producing false warnings, tests with higher code coverage than conventional DSE-based techniques.
{"title":"MODA: automated test generation for database applications via mock objects","authors":"Kunal Taneja, Yi Zhang, Tao Xie","doi":"10.1145/1858996.1859053","DOIUrl":"https://doi.org/10.1145/1858996.1859053","url":null,"abstract":"Software testing has been commonly used in assuring the quality of database applications. It is often prohibitively expensive to manually write quality tests for complex database applications. Automated test generation techniques, such as Dynamic Symbolic Execution (DSE), have been proposed to reduce human efforts in testing database applications. However, such techniques have two major limitations: (1) they assume that the database that the application under test interacts with is accessible, which may not always be true; and (2) they usually cannot create necessary database states as a part of the generated tests. To address the preceding limitations, we propose an approach that applies DSE to generate tests for a database application. Instead of using the actual database that the application interacts with, our approach produces and uses a mock database in test generation. A mock database mimics the behavior of an actual database by performing identical database operations on itself. We conducted two empirical evaluations on both a medical device and an open source software system to demonstrate that our approach can generate, without producing false warnings, tests with higher code coverage than conventional DSE-based techniques.","PeriodicalId":341489,"journal":{"name":"Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128294368","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We present the CoGenTe tool for automated black-box testing of code generators. A code generator is a program that takes a model in a high-level modeling language as input, and outputs a program that captures the behaviour of the model. Thus, a code generator's input and output are complex objects having not just syntactic structure but execution semantics, too. Hence, traditional test generation methods that take only syntax into account are not effective in testing code generators. CoGenTe amends this by incorporating various coverage criteria over semantics. This enables it to generate test-cases with a higher potential of revealing subtle semantic errors in code generators. CoGenTe has uncovered such issues in widely used real-life code generators: (i) lexical analyzer generators Flex and JFlex, and (ii) The MathWorks' simulator/code generator for Stateflow.
{"title":"CoGenTe: a tool for code generator testing","authors":"A. Rajeev, P. Sampath, K. Shashidhar, S. Ramesh","doi":"10.1145/1858996.1859070","DOIUrl":"https://doi.org/10.1145/1858996.1859070","url":null,"abstract":"We present the CoGenTe tool for automated black-box testing of code generators. A code generator is a program that takes a model in a high-level modeling language as input, and outputs a program that captures the behaviour of the model. Thus, a code generator's input and output are complex objects having not just syntactic structure but execution semantics, too. Hence, traditional test generation methods that take only syntax into account are not effective in testing code generators. CoGenTe amends this by incorporating various coverage criteria over semantics. This enables it to generate test-cases with a higher potential of revealing subtle semantic errors in code generators. CoGenTe has uncovered such issues in widely used real-life code generators: (i) lexical analyzer generators Flex and JFlex, and (ii) The MathWorks' simulator/code generator for Stateflow.","PeriodicalId":341489,"journal":{"name":"Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130543909","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
User interface development is a time and resource consuming task. Thus, reusing existing UI components is a desirable approach for rapid UI development. To keep UIs maintainable, those components should be loosely coupled. Composing UIs of heterogeneous components developed with different technologies, on the other hand, is a non-trivial task not supported well by currently existing integration frameworks, and there is only little progress in automatizing the integration step. In this paper, we introduce a framework for UI integration which is capable of handling heterogeneous UI components. It facilitates events annotated with RDF and ontologies for assembling user interfaces from loosely coupled components. With that framework, UIs can be composed semi-automatically, based on logic event processing rules.
{"title":"Seamlessly integrated, but loosely coupled: building user interfaces from heterogeneous components","authors":"Heiko Paulheim","doi":"10.1145/1858996.1859017","DOIUrl":"https://doi.org/10.1145/1858996.1859017","url":null,"abstract":"User interface development is a time and resource consuming task. Thus, reusing existing UI components is a desirable approach for rapid UI development. To keep UIs maintainable, those components should be loosely coupled. Composing UIs of heterogeneous components developed with different technologies, on the other hand, is a non-trivial task not supported well by currently existing integration frameworks, and there is only little progress in automatizing the integration step. In this paper, we introduce a framework for UI integration which is capable of handling heterogeneous UI components. It facilitates events annotated with RDF and ontologies for assembling user interfaces from loosely coupled components. With that framework, UIs can be composed semi-automatically, based on logic event processing rules.","PeriodicalId":341489,"journal":{"name":"Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering","volume":"2015 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127744213","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Rémi Mélisson, Philippe Merle, Daniel Romero, Romain Rouvoy, L. Seinturier
SCA (Service Component Architecture) is an OASIS standard for describing service-oriented middleware architectures. In particular, SCA promotes a disciplined way for designing distributed architectures based on a component model and an Architecture Description Language (ADL). However, SCA does not cover the deployment and the run-time management of SCA applications. In this paper, we therefore describe the FraSCAti platform, which provides run-time support, deployment capabilities, and run-time management for SCA. Compared to state-of-the-art platforms, FraSCAti brings a dynamic reflective support to SCA and enables both introspecting and reconfiguring service-oriented architectures at run-time. To achieve this capability, the components are completed by a dedicated container, which is automatically generated by the platform. Furthermore, FraSCAti is a highly configurable platform that can be easily customized by finely selecting the features and functionalities which need to be included. In this way, the platform can be adapted to different application needs and middleware environments.
{"title":"Reconfigurable run-time support for distributed service component architectures","authors":"Rémi Mélisson, Philippe Merle, Daniel Romero, Romain Rouvoy, L. Seinturier","doi":"10.1145/1858996.1859031","DOIUrl":"https://doi.org/10.1145/1858996.1859031","url":null,"abstract":"SCA (Service Component Architecture) is an OASIS standard for describing service-oriented middleware architectures. In particular, SCA promotes a disciplined way for designing distributed architectures based on a component model and an Architecture Description Language (ADL). However, SCA does not cover the deployment and the run-time management of SCA applications. In this paper, we therefore describe the FraSCAti platform, which provides run-time support, deployment capabilities, and run-time management for SCA. Compared to state-of-the-art platforms, FraSCAti brings a dynamic reflective support to SCA and enables both introspecting and reconfiguring service-oriented architectures at run-time. To achieve this capability, the components are completed by a dedicated container, which is automatically generated by the platform. Furthermore, FraSCAti is a highly configurable platform that can be easily customized by finely selecting the features and functionalities which need to be included. In this way, the platform can be adapted to different application needs and middleware environments.","PeriodicalId":341489,"journal":{"name":"Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering","volume":"33 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131996354","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We present a semi-automated approach, SECORIA, for analyzing a security runtime architecture for security and for conformance to an object-oriented implementation. Type-checkable annotations describe architectural intent within the code, enabling a static analysis to extract a hierarchical object graph that soundly reflects all runtime objects and runtime relations between them. In addition, the annotations can describe modular, code-level policies. A separate analysis establishes traceability between the extracted object graph and a target architecture documented in an architecture description language. Finally, architectural types, properties, and logic predicates describe global constraints on the target architecture, which will also hold in the implementation. We validate the SECORIA approach by analyzing a 3,000-line pedagogical Java implementation and a runtime architecture designed by a security expert.
{"title":"Analyzing security architectures","authors":"Marwan Abi-Antoun, Jeffrey M. Barnes","doi":"10.1145/1858996.1859001","DOIUrl":"https://doi.org/10.1145/1858996.1859001","url":null,"abstract":"We present a semi-automated approach, SECORIA, for analyzing a security runtime architecture for security and for conformance to an object-oriented implementation. Type-checkable annotations describe architectural intent within the code, enabling a static analysis to extract a hierarchical object graph that soundly reflects all runtime objects and runtime relations between them. In addition, the annotations can describe modular, code-level policies. A separate analysis establishes traceability between the extracted object graph and a target architecture documented in an architecture description language. Finally, architectural types, properties, and logic predicates describe global constraints on the target architecture, which will also hold in the implementation. We validate the SECORIA approach by analyzing a 3,000-line pedagogical Java implementation and a runtime architecture designed by a security expert.","PeriodicalId":341489,"journal":{"name":"Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering","volume":"156 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132380651","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
G. Sridhara, Emily Hill, Divya Muppaneni, L. Pollock, Vijay K. Shanker
Studies have shown that good comments can help programmers quickly understand what a method does, aiding program comprehension and software maintenance. Unfortunately, few software projects adequately comment the code. One way to overcome the lack of human-written summary comments, and guard against obsolete comments, is to automatically generate them. In this paper, we present a novel technique to automatically generate descriptive summary comments for Java methods. Given the signature and body of a method, our automatic comment generator identifies the content for the summary and generates natural language text that summarizes the method's overall actions. According to programmers who judged our generated comments, the summaries are accurate, do not miss important content, and are reasonably concise.
{"title":"Towards automatically generating summary comments for Java methods","authors":"G. Sridhara, Emily Hill, Divya Muppaneni, L. Pollock, Vijay K. Shanker","doi":"10.1145/1858996.1859006","DOIUrl":"https://doi.org/10.1145/1858996.1859006","url":null,"abstract":"Studies have shown that good comments can help programmers quickly understand what a method does, aiding program comprehension and software maintenance. Unfortunately, few software projects adequately comment the code. One way to overcome the lack of human-written summary comments, and guard against obsolete comments, is to automatically generate them. In this paper, we present a novel technique to automatically generate descriptive summary comments for Java methods. Given the signature and body of a method, our automatic comment generator identifies the content for the summary and generates natural language text that summarizes the method's overall actions. According to programmers who judged our generated comments, the summaries are accurate, do not miss important content, and are reasonably concise.","PeriodicalId":341489,"journal":{"name":"Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130445963","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: