Topics in Software Engineering

Software Validation and Defect Detection

CS 290G - Winter 2004

Instructor: Professor Cormac Flanagan
Office Hours: Tuesday, 1:30-3PM, BE353A, or by appointment
Class: TuTh 10-11:45am, Porter 241

Schedule -- Outline -- Reading -- Homeworks -- Syllabus -- Presentations -- Grading


NEW: Please use the course web log at http://cmps290g.blogspot.com/ to post reviews and questions.

Schedule

---------------------------- begin schedule

Date

Reading Assignment

Lecture Notes

Homework Due
Tues
1/6 		none Motivation and Overview

Dataflow Analysis

Thurs
1/8 		Type Systems, pages 1-15 Type Checking
Tues
1/13 		Type Systems.
Luca Cardelli.
The Computer Science and Engineering Handbook.

LCLint: A Tool for Using Specifications to Check Code .
David Evans, John Guttag, James Horning, and Yang Meng Tan.
Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering, 1994.

Static Detection of Dynamic Memory Errors .
David Evans.
ACM SIGPLAN Conference on Programming Language Design and Implementation, 1996.

LCLint

Type Inference
Thurs
1/15 		Lackwit: A Program Understanding Tool Based on Type Inference.
Robert O'Callahan and Daniel Jackson.
International Conference on Software Engineering, 1997.

Type-Based Race Detection for Java.
Cormac Flanagan and Stephen N. Freund
ACM SIGPLAN Conference on Programming Language Design and Implementation, 2000.

For now, please write or typeset your summary and questions and hand them in at the end of class.

Representation Analysis and Polymorphism

Type-Based Race Detection for Java
Tues
1/20 		Improving Security Using Extensible Lightweight Static Analysis.
David Evans and David Larochelle.
In IEEE Software, Jan/Feb 2002.

Atomizer: A Dynamic Atomicity Checker for Multithreaded Programs.
Cormac Flanagan and Stephen N. Freund.
ACM SIGPLAN Conference on Principles of Programming Languages, 2004.

Checking Atomicity

Introduction to Testing
Thurs
1/22 		Quickly detecting relevant program invariants.
Michael D. Ernst, Adam Czeisler, William G. Griswold, and David Notkin.
International Conference on Software Engineering, 2000.

What is Software Testing? And Why is it so Hard?
James A. Whittaker
IEEE Software, Jan/Feb 2000.

Dynamically Detecting Invariants

Testing Practice

 Homework 1
Tues
1/27 		Focus on (and review) these two:
Classic Testing Mistakes.
Brian Marick.

An Empirical Study of the Reliability of UNIX Utilities.
Barton P. Miller, Lars Fredriksen, Bryan So.
Communications of the Association for Computing Machinery, 33(12), 1990.

Also consider (but no need to review) these two :
How to Misuse Code Coverage.
Brian Marick.

Test automation.
Carl Nagle.

Testing Research

Atomizer: A Dynamic Atomicity Checker
Thurs
1/29 		Yesterday, my program worked. Today, it does not. Why?.
Andreas Zeller.
Proc. ESEC/FSE 99, 1999, Vol. 1687 of LNCS.

Simplifying Failure Inducing Input.
Ralf Hildebrandt and Andreas Zeller.
Proc. ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2000), 2000.

Delta Debugging
Tues
2/3 		Reflections on the Pentium Division Bug.
Manuel Blum and Hal Wasserman. 1995.

Software Reliability via Run-Time Result-Checking.
Hal Wasserman and Manuel Blum.
Journal of the ACM (1994).

Program Checking
Thurs
2/5 		Purify: Fast Detection of Memory Leaks and Access Errors.
Rational Software, 2000.

Runtime Assurance Based on Formal Specifications.
I. Lee, S. Kannan, M. Kim, O. Sokolsky, and M. Viswanathan.
International Conference on Parallel and Distributed Processing Techniques and Applications, 1999.

Harry Wang on Fuzz

Runtime Assurance and Purify
Tues
2/10 		No reading, just homework Generating Verification Conditions
Thurs
2/12 		Guarded commands, nondeterminacy and formal derivation of programs.
Edsger W. Dijkstra
Communications of the ACM, Volume 18, Issue 8 (August 1975).

Since the homework is long, read the Chaff paper but skip the review.
Chaff: Engineering an Efficient SAT Solver.
Matthew W. Moskewicz, Conor F. Madigan, Ying Zhao, Lintao Zhang, and Sharad Malik
Proceedings of the 38th Design Automation Conference, 2001

VCs and SAT

Talk:
Arnaud Venet and Guillaume Brat
on NASA's C Global Surveyor
in Crown College, room 105, 2-3:45pm.

Homework 2
Tues
2/17 		Theorem Proving using Lazy Proof Explication.
Cormac Flanagan, Rajeev Joshi, Ximming Ou, and James B. Saxe
Computer-Aided Verification, 2003.
Note: If you attend the Venet/Brat talk, then just read sections 1 and 2 of this paper, and skip the review. 		Satisfying Error Conditions
Thurs
2/19 		No reading, just focus on the homework. Satisfying Error Conditions 2

Talk:
Willem Visser
on the Java PathFinder
in Crown College, room 105, 2-3:45pm.

Homework 3
Tues
2/24 		Model Checking Programs.
Willem Visser, Klaus Havelund, Guillaume P. Brat, Seungjoon Park.
International Conference on Automated Software Engineering. September 2000.

Note: If you attend Willem Visser's talk, then please read and reflect on this paper, but you may skip the review.

Dorrit Gordon on Usability Testing

Satisfying Error Conditions 3

Thurs
2/26 		Extended Static Checking for Java.
Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe, Raymie Stata.
ACM SIGPLAN Conference on Principles of Programming Languages, 2002. 		Katia Hayati on ESC/Java

Satisfying Error Conditions 4

Talk:
Klaus Havelund from NASA Ames
on Rule-Based Runtime Verification
in Crown College, room 105, 2-3:45pm.

Mon
3/1 		Interview candidate:
Benjamin Liblit
"Cooperative Bug Isolation"
in BE 330 at 11am
Tues
3/2 		Nathan Whitehead on Alloy

Homework 4
Wed
3/3 		Interview candidate:
Ranjit Jhala
in BE 330 at 11am
Thurs
3/4 		Model Checking 2

Talk:
Dimitra Giannakopoulou and Corina Pasareanu from NASA Ames
in Crown College, room 105, 2-3:45pm.

Tues
3/9 		A static analyzer for finding dynamic programming errors.
William R. Bush, Jonathan D. Pincus and David J. Sielaff.
SOFTWARE - PRACTICE AND EXPERIENCE. 2000: 30:775-802. 		Shashi Ramchandani on Aspect Oriented Programming

Model Checking 3 (discuss hw 5)

Thurs
3/11 		Read, but don't review.
Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions .
Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem.
Operating System Design and Implementation, 2000.

Dawson's talk will be on the paper: VMCAI04.pdf

Min Yin on JUnit.

Model Checking 4

Talk:
Dawson Engler from Stanford. Static analysis versus model checking for bug finding.
In Crown College, room 105, 2-3:45pm.

Thurs
3/18 		Homework 5 due by email

Papers for Presentations or possible future reading

For some projects, such as Metal or Alloy, I've list several papers, but a presentation may be based on only some (perhaps one or two) of these.

---------------------------- end schedule

Course Outline

Reliability of computer systems is an important practical issue and researchers have devised numerous techniques and tools aimed at improving the reliability of both software and hardware components.

In this course, we will examine five main approaches to computer system analysis:

The presentation will be mostly in the context of improving the reliability of software and the emphasis will be in exposing the strengths and weaknesses of each technique, along with the similarities and differences between them. The ultimate goal of the course is to gain insight into what kinds of integrations of these formal techniques is possible and beneficial, as well as gaining an understanding of the current state of the art in software validation.

Some experience with concurrent programming (e.g., from an operating systems course) is desirable. Prior knowledge of testing and verification techniques is not required.

Reading Assignments

You will need to read and prepare for an in-class discussion of roughly two research papers per week, and also post a brief overview and some questions to the course web log at http://cmps290g.blogspot.com/. See How to Read an Engineering Research Paper by Bill Griswold for helpful hints on reading these papers. The reading assignments are in the schedule above.

Homeworks

There will be five homeworks, one every two weeks. Think of these as "take home exams."  Homeworks will develop your skills in the more theoretical aspects of the course, though some programming may also be required. The homework assignments are in the schedule above. These homeworks should be handed in on paper at the start of class on the due day.

Syllabus

Type systems: Traditional views of types are as descriptors of data format, e.g. as integers, strings, and pointers. While types in this view have an unquestioned benefit on software dependability, types can be used to also express higher level program invariants. For example, linear type systems can ensure that a program always deallocates resources it allocates, thus preventing leaks. Types can be used to prevent race conditions and deadlock. We will examine a tools and approaches that aim to use types to improve software dependability, including CQual, race-free Java, and others.

Model Checking: Model checking was first popularized as a means to hardware verification, but recent advances have illustrated that it can be effectively applied to software. We will explore the approaches behind model checking, and experiment with freely available tools, like Bogor and JPF. We will also consider the relationship between model checking, testing, and type systems.

Testing and Dynamic analysis: A drawback of all of the static techniques above is that they must assume various levels of conservatism because they consider all possible executions of a program. By contrast, dynamic analysis examines particular runs of a program at a finer granularity. We will examine how dynamic analysis can be used to discover program properties, as in Daikon, or find common classes or errors.

Theorem Proving: A wide variety of tools use automated theorem proving to establish the truth of certain properties in programs. We will examine both the tools that employ theorem provers, like ESC/Java

Program Analysis: We will consider the cost and quality of various tranditional forms of static analysis.

Presentations

Each student will give one lecture about a particular tool or technique, starting at roughly halfway through the quarter. Presentation quality is important: read your papers early and be sure you fully understand them. I will be available for help, if you need it. Be sure that you have prepared a good presentation (consider practicing it beforehand). 

Presentations will be judged based on the following criteria:

Remember that you will likely be able to explain more detail than you can hope to cover in a single lecture. This is one reason that it's hard work to prepare a good presentation: not only do you need to understand the paper, but you need to filter out the irrelevant details and amplify the key arguments. You'll probably have omit entire sections of the paper from your talk -- don't worry about it. Simply mimicking the structure of the paper ("regurgitating it") tends to produce a disconnected sequence of boring facts. A good talk should tell a story; every idea should be motivated, and all facts should fit together in a coherent picture. Telling such a story in a short time often requires creating your own explanations, motivation, and examples.

Grading

The majority of the course will consist of reading and discussing web-available technical papers on the above topics, and in using tools.  The final grade will be computed as follows:

Acknowledgements: Many thanks to Alex Aiken, George Necula, Sriram Rajamani, and John Hatcliff, who provided the original slides for some of these lectures.