Powered by
Conference Publishing Consulting

13th International Workshop on Dynamic Analysis (WODA 2015), October 26, 2015, Pittsburgh, PA, USA

WODA 2015 – Proceedings

Contents - Abstracts - Authors

Frontmatter

Title Page

Message from the Chairs
The co-chairs' welcome message.

Keynote

Concolic Testing: A Decade Later (Keynote)
Koushik Sen
(University of California at Berkeley, USA)
Symbolic execution for software testing has witnessed renewed interest in the recent years due to its ability to generate high-coverage test suites and find deep errors in software systems. In this talk, I will give an overview of a modern symbolic execution technique, called concolic testing, discuss its key challenges in terms of path exploration, and introduce MultiSE, a new technique for tackling the path exploration challenge.
Publisher's Version Article Search

Position Papers

SQL for Deep Dynamic Analysis?
Mohammad R. Azadmanesh and Matthias Hauswirth
(University of Lugano, Switzerland)
If we develop a new dynamic analysis tool, how should we expose its functionalities? Through an interactive user interface, a DSL, a specific API, or in some other way? In this paper, we discuss how to use an already existing language familiar to most software engineers, SQL, to perform deep dynamic analyses. The goal is to explore the trade-off between expressiveness and ease-of-use. We use BLAST as the dynamic analysis tool and map its trace information to a relational database. We find that, even though SQL is expressive enough for deep analysis of program executions and information flow, it is not quite straight forward to express some of the queries software engineers might be interested in. However, it removes the burden of learning a new language from scratch, which could make it worthwhile as an option in some cases.
Publisher's Version Article Search
Ayudante: Identifying Undesired Variable Interactions
Irfan Ul Haq, Juan Caballero, and Michael D. Ernst
(IMDEA Software Institute, Spain; University of Washington, USA)
A common programming mistake is for incompatible variables to interact, e.g., storing euros in a variable that should hold dollars, or using an array index with the wrong array. This paper proposes a novel approach for identifying undesired interactions between program variables. Our approach uses two different mechanisms to identify related variables. Natural language processing (NLP) identifies variables with related names that may have related semantics. Abstract type inference (ATI) identifies variables that interact with each other. Any discrepancies between these two mechanisms may indicate a programming error. We have implemented our approach in a tool called Ayudante. We evaluated Ayudante using two open-source programs: the Exim mail server and grep. Although these programs have been extensively tested and in deployment for years, Ayudante’s first report for grep revealed a programming mistake.
Publisher's Version Article Search
Efficient Dynamic Analysis of the Synchronization Performance of Java Applications
Peter Hofer, David Gnedt, and Hanspeter Mössenböck
(JKU Linz, Austria)
Concurrent programming has become a necessity in order to benefit from recent advances in processor design. However, implementing correct and scalable synchronization in concurrent code remains a challenge. Dynamic analysis of synchronization behavior is vital to determine where more sophisticated but error-prone synchronization pays off. We examine common approaches that developers use to identify and analyze concurrency bottlenecks in Java applications. We then describe key aspects of our ongoing research on a novel approach to Java synchronization analysis. Our approach provides developers with exhaustive information on the synchronization behavior of their application, but incurs such low overhead that it is feasible to use it for monitoring production systems. Unlike other methods, our approach can precisely show where optimizations have the largest impact.
Publisher's Version Article Search
Recovering Execution Data from Incomplete Observations
Peter Ohmann, David Bingham Brown, Ben Liblit, and Thomas Reps
(University of Wisconsin-Madison, USA; GrammaTech, USA)
Due to resource constraints, tracing production applications often results in incomplete data. Nevertheless, developers ideally want answers to queries about the program's execution beyond data explicitly gathered. For example, a developer may ask whether a particular program statement executed during the run corresponding to a given failure report. In this work, we investigate the problem of determining whether each statement in a program executed, did not execute, or may have executed, given a set of (possibly-incomplete) observations. Using two distinct formalisms, we propose two solutions to this problem. The first formulation represents observations as regular languages, and computes intersections over these languages using finite-state acceptors. The second formulation encodes the problem as a set of Boolean constraints, and uses answer set programming to solve the constraints.
Publisher's Version Article Search Info
A Formal Foundation for Trace-Based JIT Compilers
Maarten Vandercammen, Jens Nicolay, Stefan Marr, Joeri De Koster, Theo D'Hondt, and Coen De Roover
(Vrije Universiteit Brussel, Belgium; JKU Linz, Austria)
Trace-based JIT compilers identify frequently executed program paths at run-time and subsequently record, compile and optimize their execution. In order to improve the performance of the generated machine instructions, JIT compilers heavily rely on dynamic analysis of the code. Existing work treats the components of a JIT compiler as a monolithic whole, tied to particular execution semantics. We propose a formal framework that facilitates the design and implementation of a tracing JIT compiler and its accompanying dynamic analyses by decoupling the tracing, optimization, and interpretation processes. This results in a framework that is more configurable and extensible than existing formal tracing models. We formalize the tracer and interpreter as two abstract state machines that communicate through a minimal, well-defined interface. Developing a tracing JIT compiler becomes possible for arbitrary interpreters that implement this interface. The abstract machines also provide the necessary hooks to plug in custom analyses and optimizations.
Publisher's Version Article Search

Extended Abstracts

Infection Size as a Measure of Bug Severity
Mohammad R. Azadmanesh and Matthias Hauswirth
(University of Lugano, Switzerland)
A simple bug in a program can influence a large part of the program execution by spreading throughout the state at runtime. This is known as program infection. The seriousness of bugs is usually measured by studying their external effects. However, such effects essentially derive from internal factors of a program. Our idea is to focus on internal factors, in particular the infection chain, to measure how serious a bug was. This allows reasoning about bugs from a new and potentially insightful perspective.
Publisher's Version Article Search
Just-in-Time Data Structures: Towards Declarative Swap Rules
Mattias De Wael
(Vrije Universiteit Brussel, Belgium)
Just-in-Time Data Structures are an attempt to vulgarise the idea that changing the representation (i.e., implementation) of a data structure at runtime can improve the performance of a program compared to its counter part that relies on a single representation. In previous work, we developed a language to develop such Just-in-Time Data Structures. To express ``when'' to change between representations, a dedicated language construct was introduced: the swap rule. A swap rule analyses the state and usage of a just-in-time data structure and reacts as defined by a developer. Opposed to what the name suggest, swap rules are currently implemented as imperative statements woven into the codebase. Their intend, however, is declarative and therefore we think that swap rules should become real declarative rules. This extended abstract presents Just-in-Time Data Structures as a case for applying state-of-the-art in low overhead dynamic analysis. Changing from an imperative to a declarative implementation of swap rules will allow for more efficient execution of our programs by reducing the overhead of continuous analysis.
Publisher's Version Article Search
Towards Deployment-Time Dynamic Analysis of Server Applications
Luís Pina and Cristian Cadar
(Imperial College London, UK)
Bug-finding tools based on dynamic analysis (DA), such as Valgrind or the compiler sanitizers provided by Clang and GCC, have become ubiquitous during software development. These analyses are precise but incur a large performance overhead (often several times slower than native execution), which makes them prohibitively expensive to use in production. In this work, we investigate the exciting possibility of deploying such dynamic analyses in production code, using a multi-version execution approach.
Publisher's Version Article Search
Supporting PHP Dynamic Analysis in PHP AiR
Mark Hills
(East Carolina University, USA)
The PHP AiR framework is currently being developed to support software metrics, empirical software engineering, and program analysis for real-world PHP systems. While most of the work on program analysis has focused on static analysis, to help address the dynamic nature of the language we have also started to extend PHP AiR with support for dynamic program analysis. This extended abstract highlights two parts of this support: integration with xdebug for trace analysis, and instrumentation of an open-source PHP interpreter with a focus on supporting string origins, allowing us to explore how strings are created in security-sensitive areas such as database calls and HTML generation.
Publisher's Version Article Search Info

proc time: 0.2