Tracking Down Software Bugs Using Automatic Anomaly Detection- Sudheendra Hangal, Monica S. Lam

1. Tracking Down Software Bugs Using Automatic Anomaly Detection-Sudheendra Hangal, Monica S. Lam Prepared & Presented by -Maifi

2. Overview • Introduces DIDUCE -Dynamic Invariant Detection U Checking Engine • Tool to detect software errors • Start with Strict hypothesis and relax as progress • Implemented for Java programs • Does not need source code to run DIDUCE

3. Difference with Existing tool • Daikon Tool • Detects dynamic invariants • Starts with a specific space of possible program invariants • Fixed set of invariants • Constrained by Quality of test inputs • DIDUCE • Builds and updates invariants dynamically

4. Usage Models for DIDUCE • Debugging programs that fail on some inputs • Debugging failures in long-running programs • Debugging component based software • Testing programs with inputs for which correct outputs are unknown • Assisting in program evolution

5. Instrumented Program points(PP) • PP which r/w to objects • PP which r/w a static variable • Procedure call site

6. Some examples of tracked expressions

7. Invariant Representation • DIDUCE reduces the values (boolean,byte,char etc) of all expressions to integers • String object representing the name of the run time type is converted to integer by computing hashcode

8. Invariant Representation • For each bit position • The first time value for that bit • Whether different values have been observed for that bit position • Associate each expression with tuple of two integers • Initial value V • A Mask M

9. When to report a violation? • The i th bit in M is 1 iff the same bit value has always been observed for that position • Suppose the first value of an expression is W • M=¬0, V:=W • Suppose, later the expression returns W’ • If (W’V)M0 violation is reported And • the invariant is relaxed by : • M= M ¬(W’V)

10. Limitation • The number of violation detected for each expression is limited by the number of bits in a word representing M • Three words storage per tracked expressions • One to store number of times the PP executed • Two to store the invariant

11. Invariant confidence • High confidence in an invariant hypothesis if the expression evaluated many times and little variation in the values observed • For runtime type and first time execution, • user specifies the confidence level that triggers reporting violation

12. How to run? • User specifies a list of class files & which categories of program points to instrument • Instrumented class files go into a DIDUCE JAR file • User inserts this JAR file at the head of the classpath • Run !

13. Modes of operation • Training mode • Does not emit invariant relaxation message • Checking Mode • Emits invariant relaxation message

14. DIDUCE Experiments

15. MAJC Memory System Simulator

16. Mailmanage

17. Contribution • Helps locating Algorithmic errors • Helps user finding errors in inputs, unfamiliar codes and even uninstrumented components • Helps understanding interface errors

18. Limitations • In long running programs they assume that a training set may not be necessary assuming there are no bugs in the early part of the run. This assumption can be deadly. • A program must run correctly on some inputs, or for some duration before DIDUCE can successfully extract meaningful invariants for the program. What if there is no way to train DIDUCE? • They ignore all values of floating point data types as not meaningful with their default representation. • With their representation the number of violations detected for each expression cannot be greater than the number of bits in a word.

19. Thanks!