scispace - formally typeset
Search or ask a question
Book ChapterDOI

Applying Jlint to Space Exploration Software

Cyrille Artho1, Klaus Havelund2
ETH Zurich1, Ames Research Center2
11 Jan 2004-Vol. 2937, pp 297-308
TL;DR: The results show that a few analysis techniques are sufficient to avoid almost all false positives in the multi-threading warnings, and these techniques include investigating all possible callers and a few code idioms.
Abstract: Java is a very successful programming language which is also becoming widespread in embedded systems, where software correctness is critical. Jlint is a simple but highly efficient static analyzer that checks a Java program for several common errors, such as null pointer exceptions, and overflow errors. It also includes checks for multi-threading problems, such as deadlocks and data races. The case study described here shows the effectiveness of Jlint in finding certain faults, including multi-threading problems. Analyzing the reasons for false positives in the multi-threading warnings gives an insight into design patterns commonly used in multi-threaded code. The results show that a few analysis techniques are sufficient to avoid almost all false positives. These techniques include investigating all possible callers and a few code idioms. Verifying the correct application of these patterns is still crucial, because their correct usage is not trivial.

Summary (2 min read)

Jump to: [1 Introduction][1.2 Related work][13 Outline][2.1 Tool description][I][2.2 Warning review process][3.2 Jlint evaluation][Results:][3.3 Comparison to other projects][4 DS1][4.1 Description of DSI][4.2 Jlint evaluation] and [6 Conclusions]

1 Introduction

  • Therefore an automated tool which can detect faults easily, preferably early in the lifecycle of software, can be very useful to find defects.
  • Among similar tools geared towards Java, it is one of the most suitable with respect to ease of use (no annotations required) and free availability (the tool is Open Source) [I]. . . .

13 Outline

  • This text is organized as follows: Section 2 describes Jlint and how it was used for this project.
  • Sections 3 and 4 show the results of applying Jlint to space exploration program code.
  • Design patterns which are common among these two projects are analyzed in Section 5.
  • Section 6 summarizes the results and concludes.

2.1 Tool description

  • Typical warnings about possible faults issued by Jlint are n u l l pointer dereferences, array bounds overflows, and value overflows.
  • The latter may occur if one multiplies two 32 bit integer values without converting them to 64 bit fist Many warnings that Jlint issues are code guidelines:.

I

  • Jlint also includes many analyses for multi-threaded programs.
  • Some of Jlint's warnings for multi-threaded programs are overly cautious.
  • Possible data race warnings for method calls or variable accesses do not necessarily imply a data race.
  • The reason for such false positives are both difficulties inherent to static analysis, such as pointer aliasing across method calls, and limitations in Jlint itself, where its algorithms could be refined with known techniques.

2.2 Warning review process

  • During the review process, Jlint's warnings were categorized to see whether they refer to the same problem.
  • Such situations constitute calls to the same method from different callers, the same variable used in different contexts, or the same design pattern applied throughout the class.
  • In a separate count, counting the number of distinct problems rather than individual warnings, all such cases were counted once.
  • Furthermore, the time required for this process was recorded.
  • Note that the review activity was often interrupted by other activities such as writing this paper.

3.2 Jlint evaluation

  • The 30 deadlock warnings all referred to the same two classes.
  • There were two sets of warnings, the first set containing ten, the second one 20 warnings.
  • The first ten warnings, all of them false positives, showed incomplete loops in the call graph.
  • Another lock was used that makes a deadlock possible.
  • Therefore these warnings referred to actual faults in the code.

Results:

  • While reviewing the multi-threading warnings was time-consuming due to the complex interactions in the code, it was feasible and helped to highlight the critical parts of the source code.
  • The effort was justifiable for a project of this complexity.

3.3 Comparison to other projects

  • The eleven new bugs found by J h t were a great success, even considering that the seven deadlocks correspond to two classes where other deadlocks have been known to occur.
  • Jlint reported different methods than those reported in otiier analyses.

4 DS1

  • The second case study consisted of an attitude control system and a fault protection system for the Deep Space 1 @SI) space craft.
  • For the DS1 code base, it took 0.17 seconds to check the entire code base on the same PowerPC G4 with a clock frequency of 500 MHz.

4.1 Description of DSI

  • DS1 was a technology-testing mission, which was launched October 24 1998, and which ended its primary mission in September 1999.
  • DS1 contained and tested twelve new kinds of space-travel technologies, for example, ion propulsion and artificial intelligence for autonomous control.
  • The attitudecontrol system monitors and controls the space craft's attitude, that is, its position in 3dimensional space.
  • The fault-protection system monitors the operation of the space craft and initiates corrective actions in case errors occur.
  • The original C code was re-designed in Java, using best practices in object-oriented design.

4.2 Jlint evaluation

  • This study indicates that four design patterns prevail in cases where code is apparently not thread-safe: Synchronization of all callers, use of read-only values, threadlocal copies of data, and the use of thread-safe container classes.
  • Some of the data race warnings for the Rover code pointed out cases where it was attempted to use the read-only pattern, but the use was not carried out consistently throughout the project.
  • Such a small mistake violates the property that guarantees thread-safety.

6 Conclusions

  • An analysis of the false positives showed that in apparently thread-unsafe code, four common design patterns ensure thread-safety in all cases.
  • Static analysis tools should therefore be extended with specific algorithms geared towards these patterns to reduce false positives.
  • Furthermore, these patterns were not always applied correctly and are still a significant source of programming errors.
  • This calls for tools that verify the correct application of these patterns, thereby pointing out even more subtle errors than previously possible.

Did you find this useful? Give us your feedback

Content maybe subject to copyright    Report

Applying Jlint to Space Exploration Software
Cyrille
Artho‘
and Klaus Havelund2
Computer Systems Institute,
ETH
Zurich, Switzerland
Keseel Technology, NASA Ames Research Center, Moffett Field, California USA
Abstract.
Java is a very successful programming language which is also
be-
coming widespread in embedded systems, where software correctness is critical.
Jlint is a simple
but
highly efficient static analyzer that checks a Java program
for several common errors,
such
as
null
pointer exceptions, and overflow er-
rors. It also includes checks for multi-threading problems, such
as
deadlocks and
data races. The case study described here shows the effectiveness
of
Jhnt in find-
false positives in the muIti-threading warnings gives
an
insight
into
design
pat-
terns commonly used
in
multi-threaded code. The results show that a few analy-
sis techniques are sufficient to avoid almost all false positives. These techniques
include investigating all possible callers and a few code idioms. Verifying the
comect application of these patterns is still crucial, because their correct usage
is
not trivial.
k.?g
ccittii
faiiYt,
kc!nding
iiiiiYt-*&-e&ig
piobkiii;.
Analyzing the ieasaiis
fai
1
Introduction
Java is becoming more widespread
in
the
area of embedded systems,
both
as
a
scaled-
down “Micro Edition”
[20]
or
by having real-time extensions
[6,5].
In
such systems,
software failures
are
very costly, because the software cannot always be replaced on a
running system, and failures may have expensive
or
even catastrophic consequences..
These costs
are
obviously prohibitively high when
a
software-related problem causes
the
failure of
a
space craft
[14].
Therefore
an
automated tool which
can
detect faults easily, preferably early
in
the
lifecycle of software, can be very useful
to
find
defects. One tool that allows fault de-
tection easily,
even
in
incomplete systems,
is
Jlint.
Among
similar tools geared towards
Java, it is one of the most suitable with respect to
ease
of use
(no
annotations required)
and free availability (the tool is
Open
Source)
[I].
.
..
1.1
The
Java
programming
langgage
Java is
a
modem, object-oriented programtning language that has had a large success
in
the
past few
years.
It
was
one of
the
first
languages where the source code was not
compiled to machine code, but to a different form,
the
byrecode.
This bytecode
runs
in
a
dedicated environment,
the
virrual
machine.
In
order to guarantee
the
integrity of
the
system,
each
class
file containing bytecode is checked prior to execution
[II,
19,211.
The Java language allows each object
to
have any number offields, which are at-
tributes of
each
object.
These
may
be
static,
Le.,
shared among all instances of a certain
,
class, or dynamic, Le., each instance has its own fields.
In
contrast to that,
local
vari-
ables
are thread-local and only visible within one method.
Java allows inheritance: a method of a given class may be
overridden
by a method
of the same name. Similarly, fields in
a
subclass
shadow
those with the same name
in
the superclass.
In
general, these mechanisms work well for small code examples
but are dangerous in larger projects. Methods overriding other methods must ensure
they do
not
violate invariants of the Superclass. Similar problems occur with variable
shadowing. The programmer is not always aware that a variable with the same name
already exists
on
a different level, such as the superclass.
In
order to prevent incorrect programs from corrupting the system, Java’s virtual
machine has various safety mechanisms built in. Each variable access is guarded against
manipulating memory outside the allocated area.
In
particular, pointers must not
be
null
when dereferenced, and array indices must be in a valid range. If these properties
are violated,
an
exception
is thrown indicating a programming error. This is a highly
undesirable behavior
in
most cases. Ideally, such errors should be prevented by static
analysis, rather than caught at run-time.
Furthermore, Java offers mechanisms to write multi-threaded programs. The two
key mechanisms are locking primitives, using the
synchronized
keyword, and inter-
thread synchronization with the
wait
and
notify
methods.
A
method or block which
is declared
synchronized
is only entered after the exclusive lock for that critical sec-
tion
has
been obtained. Lock usage for shared data is specified by the programmer.
Incorrect lock usage using too many locks may lead to
deud1ock.s.
For
example, if two
threads each wait
on
a lock held by the other thread, both threads cannot continue their
execution.
On
the other hand, if a value is accessed with insufficient lock protection,
data
races
may occur:
two
threads may access the same value concurrently, and the
results
of
the operations are
no
longer deterministic.
Java’s message passing mechanisms for threads also
is
a source of problems.
A
call
to
wait
allows a thread to suspend
until
a condition becomes true, which must
be signaled by
notify
by
another thread. When calling
wait
the calling thread must
ensure that it owns
the
lock it
waits
on,
and
also
release any other locks before the call.
Otherwise, remaining locks held are unavailable to other threads, which may in
turn
block when trying to obtain them. This can prevent them from calling
notify
which
would allow the waiting thread to release
its
lock. This situation is also a deadlock.
1.2
Related
work
Much
effort
has gone into fault-finding in Java programs, single-threaded and multi-
threaded. The approaches can be separated into
static
checkers,
which
check a program
at compile-time and try to approximate its run-time behavior, and
dynamic
checkers,
which
try
to catch and analyze anomaiies during program execution.
Several static analysis tools exist that examine
a
program for faults such as
null
pointer dereferences
or
data races. The ESC/Java
[9]
tool is, like nint,
also
based on
static analysis, or more generally
on
theorem proving- It, however, requires annotation
of
the
program. While it is more precise than Jlint, it is not nearly as fast and requires a
large effort from the user to fully exploit the power of this tool
[9].
2
Dynamic tools have the advantage of having more precise information available
in
the execution trace. The Eraser algorithm [22], which has been implemented in the
Visual Threads tool [12] to analyze
C
and
C++
programs, is an example of
a
such
an
algorithm that examines a program execution trace for locking patterns and variable
accesses in order to predict potential data races. It also checks for deadlocks and several
other errors.
The Java PathExplorer tool (JPaX)
[
161 performs deadlock analysis and the Eraser
data race analysis
on
Java programs. It furthermore recently has been extended with the
high-level data race detection algorithm described in [3]. This algorithm analyzes how
collections
of
variables are accessed by multiple threads.
More heavyweight dynamic approaches include model checking, which explores
all possible schedules
in
a program. Recently, model checkers have been developed
that apply directly to programs (instead of just models thereof).
This
includes the Java
PathFinder system
(JPF)
developed by
NASA
[15,24], and similar systems [lo, 8,17,4,
231. Such systems, however, suffer from the state space explosion problem. In [13] we
describe an extension of Java PathFiider which performs data race analysis (and dead-
lock analysis) in simulation mode, whereafter the model checker
is
used to demonstrate
whether the data race (deadlock) warnings are real or
not.
This paper focuses
on
applying Jlint
[2]
to the software for detecting errors stat-
ically. JLint uses static analysis and abstract interpretation
to
find difficult errors at
compile-time.
A
similar case study with Kit has been made before, applying it to large
projects [2]. The difference to this case study is that the other case study had scalability
in mind. Jlint had been applied to packages containing several hundred thousand lines
of code, generating hundreds of warning messages. Because of this, the warnings had
been evaluated selectively, omitting some hard-to-check deadlock warnings. In
this
case
study, an effort was made to analyze every single warning and also see what kinds of
design patterns cause false positives?
13
Outline
This text is organized
as
follows: Section
2
describes Jlint and how it was used for this
project. Sections
3
and 4 show the results
of
applying Jlint to space exploration program
code. Design patterns which are common among these
two
projects are analyzed
in
Section
5.
Section
6
summarizes the results and concludes.
2
Jlint
2.1
Tool
description
Jlint checks Java code and finds bugs, inconsistencies and synchronization problems
by
performing a data flow analysis, abstract interpretation, and building the lock graph. It
issues warnings about potential problems. These warnings do
not
imply that
an
actual
Design patterns
commonly
denote compositions
of
objects
in
software.
In
this
paper, the notion
of
composition is different.
It
indudes lock patterns
and
sometimes
only
applies to a small part
of
the program.
In
that context, we
also
use the term “code idiom”.
3
error exists. This makes Jlint unsound
as
a program prover. Moreover, Jlint can also
miss errors, making it incomplete. The reason for
this
is that the goal was to make Jlint
practical, scalable, and possible to implement it in
a
short time.
Typical warnings about possible faults issued by Jlint are
null
pointer dereferences,
array bounds overflows, and value overflows. The latter may occur if one multiplies two
32
bit integer values without converting them to
64
bit
fist
Many warnings that Jlint issues are code guidelines:
A
local variable should never
have the same name as a field of the same class or
a
superclass. When a method of a
given name
is
overridden, all its variants should be ovemdden,
in
order to guarantee
a
consistent behavior of the subclass.
I
Jlint also includes many analyses for multi-threaded programs. Some of Jlint’s
warnings for multi-threaded programs are overly cautious. For instance, possible data
race warnings for method calls or variable accesses do not necessarily imply a data
race. The reason for such false positives are both difficulties inherent to static analysis,
such
as
pointer aliasing across method calls, and limitations in Jlint itself, where its
algorithms could be refined with known techniques.
2.2 Warning
review
process
Jlint gives fairly descriptive warnings for each problem found. The context given is
limited to the class
in
which the error occurs,
the
line number, and fields used or meth-
ods called.
This
is always sufficient to find
the
source of simple warnings, which con-
cern
sequentid
properties
such
as
null
pointer dereferences. These warnings are easy
to
review and were considered in a first pass. The other warnings, concerning multi-
threading problems,
take
much more time
to
consider, and were evaluated in a second
phase.
The review process essentially checks whether
the
problems described in the warn-
ings cm actually occur at run-time.
In
simple cases, warnings may be ruled out given
the
algorithmic properties of the program. Complex cases include reviewing callers to
the method in question.
Data race and deadlock warnings fall
in
this
category. They require constructing a
part of
the
call graph including locks owned by callers when a method is called. If it
can be ensured that all calls to non-synchronized shared methods
are
made only through
methods that already employ lock protection then there cannot be
a
data race:
This review process can be rather time-consuming and took up to twelve minutes for
one problem instance in the experiments carried out. Many warnings occur in similar
contexts,
so
warnings referring
to
the same problem can usually be easily confirmed as
duplicates. This part of the review process was not yet automated
in
any way but could
be automated to a large extent with known techniques. Both cases studies were done
without prior knowledge of
the
program code. It can be assumed that the time to review
the
warnings is shorter for the author of
the
code, especially when reviewing data race
or deadlock warnings.
Methods
that
access
a
shared
field
are
also
considered “shared”
in
this
context. The
lock
used
for
ensuring
mutual exclusion
must
be
the
same lock
for
all
calls.
4
During the review process, Jlint’s warnings were categorized to see whether they
refer to the same problem. Such situations constitute calls to the same method from
different callers, the same variable used in different contexts, or the same design pattern
applied throughout the class.
In
a separate count, counting the number of distinct prob-
lems rather than individual warnings,
all
such cases were counted once. Furthermore,
the time required for this process was recorded. Note that the review activity was often
interrupted by other activities such as writing this paper. We believe this reduced the
overall time required because manual code reviews require much attention, and cannot
be canied out in one run without a degradation of the concentration required.
3
First
case
study:
Rover
code
The first case study is a software module, called the Executive, for controlling the move-
ment of the planetary wheeled rover
K9,
developed at NASA Ames Research Center.
The run time for analyzing the code with Jlint was
0.10
seconds
on
a PowerPC
G4
with
a clock frequency of
500
MHz.
3.1
K9
is a hardware platform for experimenting with rover technology for exploration of
the Martian surface. The Executive is
a
software module for controlling the rover, and is
essentially an interpreter
of
plans, where a plan is a special form of a program. Plans are
constructed from high-level constructs, such as sequential composition and condition-
als, but
no
while loops. The effect of while
loops
is achieved by assuming that plans are
generated
on
the fly during rover operation as environment conditions change. The low-
est level nodes of a plan
are
tasks to be directly executed by the rover hardware.
A
node
in
a plan can be further constrained by a set of conditions, which when failing during
exzcution, cailse the Executive
to
abort the execution of the subsequent sibling nodes,
unless specified otherwise through options. Examples of conditions are pre-conditions
and post-conditions, as well
as
invariants to be maintained during the execution of the
node. The examined Executive consists of
7,300
lines of Java code. This code was ex-
tracted by a colleague from the original rover code, written
in
35,000
lines of
Cti-.
The code is highly multi-threaded, and hence provides a risk for concurrency errors.
The Java version of the code was extracted as part of a different project, the purpose of
which was to compare various formal methods, such as model checking, static analysis,
runtime analysis, and simple testing
[7].
The code contained
a
number seeded of errors.
Description
of
the Rover project
3.2
Jlint evaluation
Jlint issues
249
warnings when checking the Rover code. Table
1
summarizes Jlint’s
output. The first
two
columns show how each type
of
problem and how many warnings
Jlint generated for them. The third, forth and fifth column show the result of the manual
source code analysis: how many actual, distinct faults, or at least serious problems,
in the code were found, how many warnings described such actual faults, and how
many were considered
to
be false positives. The last column shows the time spent
on
5
Citations
More filters
Proceedings ArticleDOI
Modeling the Reliability of Existing Software using Static Analysis

[...]

Walter W. Schilling1, Mansoor Alam1
University of Toledo1
07 May 2006
TL;DR: An appropriate software reliability model combining static analysis of existing source code modules, limited testing with path capture, and Bayesian belief networks is presented.
Abstract: Software unreliability represents an increasing risk to overall system reliability. As systems become larger and more complex, mission critical and safety critical systems have had increasing functionality controlled exclusively through software. This change, coupled with generally increasing reliability in hardware modules, has resulted in a shift of the root cause of systems failure from hardware to software. Market forces, including decreased time to market, reduced development team sizes, and other factors, have encouraged projects to reuse existing software as well as to purchase COTS software solutions. This has made the usage of the more than 200 existing software reliability models increasingly difficult. Traditional software reliabilitiy models require significant testing data to be collected during software development in order to estimate software reliability. If this data is not collected in a disciplined manner or is not made available to software engineers, these modeling techniques can not be applied. It is imperative that practical reliability modeling techniques be developed to address these issues. It is on this premise that an appropriate software reliability model combining static analysis of existing source code modules, limited testing with path capture, and Bayesian Belief Networks is presented. Static analysis is used to detect faults within the source code which may lead to failure. Code coverage is used to determine which paths within the source code are executed as well as how often they execute. Finally, Bayesian Belief Network is then used to combine these parameters and estimate the resulting software reliability.

8 citations

Understanding and debugging concurrent programs through visualisation

[...]

Jan Lönnberg
01 Jan 2012
TL;DR: While students appear to understand the dependence graph representation and how to apply it in debugging, they need more support from Atropos for eliding the implementation of data structures in order to examine their use.
Abstract: In this thesis, the development and evaluation of a visualisation system intended to support students in understanding and debugging concurrent programs is presented. The first phase of development consisted of examining how students understand and develop concurrent programs through phenomenographic research. The resulting outcome spaces included the students' understandings of tuple spaces, the purpose of a programming assignment and what developing, debugging and testing a concurrent program involves. The outcome spaces included categories ranging from simple understandings containing only what is necessary to complete the assignments to understandings that placed the program in a larger context beyond the assignment. These outcome spaces were used in a classification of defects in students' concurrent programs. The defects found in the students' programs were classified by the underlying human error and by the type of program failure the defect causes. This analysis of defects was used to determine appropriate measures to support students in avoiding such defects. Many of the students' defects were related to misunderstanding the goals of the assignment, so they were rewritten to clarify the goals. To give the students a more concrete demonstration of the situations their programs had to deal with, test packages were provided to them. Many of the students' defects were related to incorrect use of concurrency. To help students understand and correct these defects and learn from their mistakes, the visualisation system Atropos was developed. Atropos is intended to help students understand concurrent program behaviour in Java. Atropos supports backward debugging of concurrent Java programs through interactive exploration of a dynamic dependence graph. A solution for replay and dynamic dependence analysis of concurrent Java programs that may include data races was devised. Atropos was evaluated through a mixed-methods analysis of the behaviour of pairs of students using Atropos to debug concurrent programs. The results include a description of the ways in which students successfully made use of Atropos and suggestions for how it could be improved to better support their debugging approaches. While students appear to understand the dependence graph representation and how to apply it in debugging, they need more support from Atropos for eliding the implementation of data structures in order to examine their use.; I denna avhandling presenteras utvecklingen och utvarderingen av ett visualiseringssystem som skapats for att hjalpa studenter forsta och avlusa jamlopande program. I den forsta utvecklingsfasen undersoktes genom en fenomenografisk undersokning hur studenter uppfattar och utvecklar jamlopande program. Utfallsrummen fran denna undersokning handlade om hur studenter uppfattar tupelrymder, avsikten med ett ovningsarbete i programmering och vad som ingar i utvecklandet, avlusandet och testandet av ett jamlopande program. Utfallsrummen inneholl beskrivningskategorier fran enkla uppfattningar som bara omfattar…

7 citations

Cites methods from "Applying Jlint to Space Exploration..."

  • ...Deductive proofs (done by hand or with automated theorem proving tools such as the SPARK tools [13]) and model checking (using a model checker such as Spin [30] or JPF [77]) are two alternative approaches to checking the correctness of a program that can be used to check that all interleavings lead…...

    [...]

Dissertation
Open Integrated Development and Analysis Environments

[...]

Michael Eichberg
18 Apr 2007
TL;DR: This thesis proposes the concept of a Build Process Integrated Open Static Analysis Platform, an open static analysis platform tightly integrated with the incremental build process of the Eclipse IDE that turns Eclipse into an Integrated Development and Analysis Environment.
Abstract: Comprehensive tool support is essential to enable developers to cope with the complexity of modern software development pro jects. Software projects are getting larger and larger, are being developed using different languages, and make use of many third-party libraries as well as frameworks. Hence, tools are required: for software comprehension, for checking that libraries and frameworks are correctly used, and to ensure that the design does not degrade over time. Though numerous successful tools have already been developed for these tasks, several issues remain: the tools are usually highly specialized, their extensibility is limited, and an integration between the tools is lacking. Furthermore, IDE integration and in particular an integration with the incremental build process offered by modern IDEs is also often missing. Unfortunately, the direct integration of several code analysis tools with the incremental build process is not possible. When each tool processes the pro ject’s resources on its own and also maintains its own source model, the overall memory requirements and analysis time is prohibitive. To address these issues, this thesis proposes the concept of a Build Process Integrated Open Static Analysis Platform. The core functionality of such a platform is to coordinate the execution of static analyses that are encapsulated into modules with well-defined interfaces. These interfaces specify what the analyses require and provide in terms of the data they process. For a tool that is built upon such a platform it is sufficient to specify the data it requires. The platform can then determine the set of analyses and their execution order to satisfy the tool’s requirements. Modeling analyses as modular producer-consumer units facilitates the simultaneous integration of several tools into the incremental build process of modern IDEs. When compared to using several independent tools, the overall memory requirements are reduced, since the source model derived by the executed analyses is shared among all tools built upon the platform. Furthermore, the overall analysis time is also reduced since analyses are executed at most once, even if the derived information is required by more than one tool. The overall analysis time is further minimized by the parallel execution of those analyses that process different information. The feasibility of the proposed approach is demonstrated by Magellan. Magellan is an open static analysis platform tightly integrated with the incremental build process of the Eclipse IDE. This integration turns Eclipse into an Integrated Development and Analysis Environment. The set of modules implementing the static analyses is freely extensible and the data model of the database is open. An open data model is crucial to support new analyses that need to store derived information for the use by subsequent analyses. Besides featuring a fully flexible analysis stack, Magellan also supports the embedding of query engines. Supporting the execution of queries is indispensable for enabling end-users to define application specific analyses. The ability to execute queries is also required to facilitate software comprehension tools. As a proof of concept an XQuery processor and a Prolog system are embedded into Magellan. Both engines are evaluated w.r.t. to using them for the execution of queries along with the incremental build process. The XQuery engine is additionally evaluated in the context of software comprehension tools as a means to enable the end-user to define new ways to navigate through code. The platform is validated by four tools built on top of it: a software exploration tool, a metrics tool, an optional type system, and a set of lightweight static analyses that check structural properties of source code.

5 citations

Dissertation
Comova - a comprehension measurement framework for visualization systems

[...]

Harkirat Kaur Padda1
Concordia University1
01 Jan 2009
TL;DR: This work proposes an innovative way of evaluating a visualization technique by encapsulating it in a visualization pattern where it is seen as a solution to the visualization problem in a specific context and proposes a novel framework named as CoMoVA (Comprehension Model for Visualization Assessment).
Abstract: Despite the burgeoning interest shown in visualizations by many disciplines, there yet remains the unresolved question concerning comprehension. Is the concept that is being communicated through the visual easily grasped and clearly interpreted? Visual comprehension is that characteristic of any visualization system, which deals with how efficiently and effectively users are able to grasp the underlying concepts through suitable interactions provided for exploring the visually represented information. Comprehension has been considered a very complex subject, which is intangible and subjective in nature. Assessment of comprehension can help to determine the true usefulness of visualization systems to the intended users. A principal contribution of this research is the formulation of an empirical evaluation framework for systematically assessing comprehension support provided by a visualization system to its intended users. To assess comprehension i.e. to measure this seemingly immeasurable factor of visualization systems, we propose a set of criteria based on a detailed analysis of information flow from the raw data to the cognition of information in human mind. Our comprehension criteria are adapted from the pioneering work of two eminent researchers - Donald A. Norman and Aaron Marcus, who have investigated the issues of human perception and cognition, and visual effectiveness respectively. The proposed criteria have been refined with the help of opinions from experts. To gauge and verify the efficacy of these criteria in a practical sense, they were then applied to a bioinformatics visualization study tool and an immersive art visualization environment. Given the vast variety of users and their visualization goals, it may be noted that it is difficult for one to decide on the effectiveness of different visualization tools/techniques in a context independent fashion. We therefore propose an innovative way of evaluating a visualization technique by encapsulating it in a visualization pattern where it is seen as a solution to the visualization problem in a specific context. These visualization patterns guide the tool users/evaluators to compare, understand and select appropriate visualization tools/techniques. Lastly, we propose a novel framework named as CoMoVA (Comprehension Model for Visualization Assessment) that incorporates 'context of use', visualization patterns, visual design principles and important cognitive principles into a coherent whole that can be used to effectively tell us in a more quantifiable manner the benefits of visual representations and interactions provided by a system to the intended audience. Our approach of evaluation of visualization systems is similar to other questionnaire-based approaches such as SUMI (Software Usability Measurement Inventory), where all the questions deal with the measurement of a common trait. We apply this framework to two static software visualization tools in the software visualization domain to demonstrate the practical benefits of using such a framework.

4 citations

Cites background from "Applying Jlint to Space Exploration..."

  • ...ff i Yi / TJ - V V value of measure ][f N / Total number of criteria (5) \k=\ \n=\ 7 ))l...

    [...]

A cost effective methodology for quantitative evaluation of software reliability using static analysis

[...]

Walter W. Schilling1
University of Toledo1
01 Jan 2007
TL;DR: In this paper, the authors propose a method to solve the problem of "uniformity" and "uncertainty" in the context of health care, and propose a solution.
Abstract: iv

3 citations

References
More filters
Book ChapterDOI
A Temporal Logic of Nested Calls and Returns

[...]

Rajeev Alur1, Kousha Etessami2, P. Madhusudan1
University of Pennsylvania1, University of Edinburgh2
29 Mar 2004
TL;DR: This work introduces a temporal logic of calls and returns (CaRet) for specification and algorithmic verification of correctness requirements of structured programs and presents a tableau construction that reduces the model checking problem to the emptiness problem for a Buchi pushdown system.
Abstract: Model checking of linear temporal logic (LTL) specifications with respect to pushdown systems has been shown to be a useful tool for analysis of programs with potentially recursive procedures. LTL, however, can specify only regular properties, and properties such as correctness of procedures with respect to pre and post conditions, that require matching of calls and returns, are not regular. We introduce a temporal logic of calls and returns (CaRet) for specification and algorithmic verification of correctness requirements of structured programs. The formulas of CaRet are interpreted over sequences of propositional valuations tagged with special symbols call and ret. Besides the standard global temporal modalities, CaRet admits the abstract-next operator that allows a path to jump from a call to the matching return. This operator can be used to specify a variety of non-regular properties such as partial and total correctness of program blocks with respect to pre and post conditions. The abstract versions of the other temporal modalities can be used to specify regular properties of local paths within a procedure that skip over calls to other procedures. CaRet also admits the caller modality that jumps to the most recent pending call, and such caller modalities allow specification of a variety of security properties that involve inspection of the call-stack. Even though verifying context-free properties of pushdown systems is undecidable, we show that model checking CaRet formulas against a pushdown model is decidable. We present a tableau construction that reduces our model checking problem to the emptiness problem for a Buchi pushdown system. The complexity of model checking CaRet formulas is the same as that of checking LTL formulas, namely, polynomial in the model and singly exponential in the size of the specification.

3,516 citations

Book
The Java Virtual Machine Specification

[...]

Tim Lindholm, Frank Yellin
19 Sep 1996
TL;DR: In this article, the authors present a detailed overview of the Java Virtual Machine, including the internal structure of the class file format, the internal form of Fully Qualified Class and Interface names, and the implementation of new class instances.
Abstract: Preface. 1. Introduction. A Bit of History. The Java Virtual Machine. Summary of Chapters. Notation. 2. Java Programming Language Concepts. Unicode. Identifiers. Literals. Types and Values. Primitive Types and Values. Operators on Integral Values. Floating-Point Types, Value Sets, and Values. Operators on Floating-Point Values. Operators on boolean Values. Reference Types, Objects, and Reference Values. The Class Object. The Class String. Operators on Objects. Variables. Initial Values of Variables. Variables Have Types, Objects Have Classes. Conversions and Promotions. Identity Conversions. Widening Primitive Conversions. Narrowing Primitive Conversions. Widening Reference Conversions. Narrowing Reference Conversions. Value Set Conversion. Assignment Conversion. Method Invocation Conversion. Casting Conversion. Numeric Promotion. Names and Packages. Names. Packages. Members. Package Members. The Members of a Class Type. The Members of an Interface Type. The Members of an Array Type. Qualified Names and Access Control. Fully Qualified Names. Classes. Class Names. Class Modifiers. Superclasses and Subclasses. The Class Members. Fields. Field Modifiers. Initialization of Fields. Methods. Formal Parameters. Method Signature. Method Modifiers. Static Initializers. Constructors. Constructor Modifiers. Interfaces. Interface Modifiers. Superinterfaces. Interface Members. Interface (Constant) Fields. Interface (Abstract) Methods. Overriding, Inheritance, and Overloading in Interfaces. Nested Classes and Interfaces. Arrays. Array Types. Array Variables. Array Creation. Array Access. Exceptions. The Causes of Exceptions. Handling an Exception. The Exception Hierarchy. The Classes Exception and RuntimeException. Execution. Virtual Machine Start-up. Loading. Linking: Verification, Preparation, and Resolution. Initialization. Detailed Initialization Procedure. Creation of New Class Instances. Finalization of Class Instances. Unloading of Classes and Interfaces. Virtual Machine Exit. FP-strict Expressions. Threads. 3. The Structure of the Java Virtual Machine. The class File Format. Data Types. Primitive Types and Values. Integral Types and Values. Floating-Point Types, Value Sets, and Values. The returnAddress Type and Values. The boolean Type. Reference Types and Values. Runtime Data Areas. The pc Register. Java Virtual Machine Stacks. Heap. Method Area. Runtime Constant Pool. Native Method Stacks. Frames. Local Variables. Operand Stacks. Dynamic Linking. Normal Method Invocation Completion. Abrupt Method Invocation Completion. Additional Information. Representation of Objects. Floating-Point Arithmetic. Java Virtual Machine Floating-Point Arithmetic and IEEE 754. Floating-Point Modes. Value Set Conversion. Specially Named Initialization Methods. Exceptions. Instruction Set Summary. Types and the Java Virtual Machine. Load and Store Instructions. Arithmetic Instructions. Type Conversion Instructions. Object Creation and Manipulation. Operand Stack Management Instructions. Control Transfer Instructions. Method Invocation and Return Instructions. Throwing Exceptions. Implementing finally. Synchronization. Class Libraries. Public Design, Private Implementation. 4. The class File Format. The ClassFile Structure. The Internal Form of Fully Qualified Class and Interface Names. Descriptors. Grammar Notation. Field Descriptors. Method Descriptors. The Constant Pool. The CONSTANT_Class_info Structure. The CONSTANT_Fieldref_info, CONSTANT_Methodref_info, and CONSTANT_InterfaceMethodref_info Structures. The CONSTANT_String_info Structure. The CONSTANT_Integer_info and CONSTANT_Float_info Structures. The CONSTANT_Long_info and CONSTANT_Double_info Structures. The CONSTANT_NameAndType_info Structure. The CONSTANT_Utf8_info Structure. Fields. Methods. Attributes. Defining and Naming New Attributes. The ConstantValue Attribute. The Code Attribute. The Exceptions Attribute. The InnerClasses Attribute. The Synthetic Attribute. The SourceFile Attribute. The LineNumberTable Attribute. The LocalVariableTable Attribute. The Deprecated Attribute. Constraints on Java Virtual Machine Code. Static Constraints. Structural Constraints. Verification of class Files. The Verification Process. The Bytecode Verifier. Values of Types long and double. Instance Initialization Methods and Newly Created Objects. Exception Handlers. Exceptions and finally. Limitations of the Java Virtual Machine. 5. Loading, Linking, and Initializing. The Runtime Constant Pool. Virtual Machine Start-up. Creation and Loading. Loading Using the Bootstrap Class Loader. Loading Using a User-defined Class Loader. Creating Array Classes. Loading Constraints. Deriving a Class from a class File Representation. Linking. Verification. Preparation. Resolution. Access Control. Initialization. Binding Native Method Implementations. 6. The Java Virtual Machine Instruction Set. Assumptions: The Meaning of "Must." Reserved Opcodes. Virtual Machine Errors. Format of Instruction Descriptions. 7. Compiling for the Java Virtual Machine. Format of Examples. Use of Constants, Local Variables, and Control Constructs. Arithmetic. Accessing the Runtime Constant Pool. More Control Examples. Receiving Arguments. Invoking Methods. Working with Class Instances. Arrays. Compiling Switches. Operations on the Operand Stack. Throwing and Handling Exceptions. Compiling finally. Synchronization. Compiling Nested Classes and Interfaces. 8. Threads and Locks. Terminology and Framework. Execution Order and Consistency. Rules About Variables. Nonatomic Treatment of double and long Variables. Rules About Locks. Rules About the Interaction of Locks and Variables. Rules for volatile Variables. Prescient Store Operations. Discussion. Example: Possible Swap. Example: Out-of-Order Writes. Threads. Locks and Synchronization. Wait Sets and Notification. 9. Opcode Mnemonics by Opcode. Appendix: Summary of Clarifications and Amendments. Index. 0201432943T04062001

3,111 citations

Journal ArticleDOI
Eraser: a dynamic data race detector for multithreaded programs

[...]

Stefan Savage1, Michael Burrows, Greg Nelson, Patrick G. Sobalvarro, Thomas Anderson2 
University of Washington1, University of California, Berkeley2
01 Nov 1997-ACM Transactions on Computer Systems
TL;DR: A new tool, called Eraser, is described, for dynamically detecting data races in lock-based multithreaded programs, which uses binary rewriting techniques to monitor every shared-monory reference and verify that consistent locking behavior is observed.
Abstract: Multithreaded programming is difficult and error prone. It is easy to make a mistake in synchronization that produces a data race, yet it can be extremely hard to locate this mistake during debugging. This article describes a new tool, called Eraser, for dynamically detecting data races in lock-based multithreaded programs. Eraser uses binary rewriting techniques to monitor every shared-monory reference and verify that consistent locking behavior is observed. We present several case studies, including undergraduate coursework and a multithreaded Web search engine, that demonstrate the effectiveness of this approach.

1,553 citations

Journal ArticleDOI
Model checking programs

[...]

Willem Visser1, Klaus Havelund2, Guillaume Brat2, Seungjoon Park2
Research Institute for Advanced Computer Science1, Ames Research Center2
11 Sep 2000
TL;DR: A verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing, and uses state compression to handle big states and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space.
Abstract: The majority of the work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers and model checkers. In this paper, we give arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy, we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle large states, and partial order reduction, slicing, abstraction and run-time analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, run-time analysis and slicing with model checking.

1,459 citations

Proceedings ArticleDOI
Eraser: a dynamic data race detector for multi-threaded programs

[...]

Stefan Savage1, Michael Burrows, Greg Nelson, Patrick G. Sobalvarro, Thomas Anderson2 
University of Washington1, University of California, Berkeley2
01 Oct 1997
TL;DR: Eraser as mentioned in this paper uses binary rewriting techniques to monitor every shared memory reference and verify that consistent locking behavior is observed in lock-based multi-threaded programs, which can be used to detect data races.
Abstract: Multi-threaded programming is difficult and error prone. It is easy to make a mistake in synchronization that produces a data race, yet it can be extremely hard to locate this mistake during debugging. This paper describes a new tool, called Eraser, for dynamically detecting data races in lock-based multi-threaded programs. Eraser uses binary rewriting techniques to monitor every shared memory reference and verify that consistent locking behavior is observed. We present several case studies, including undergraduate coursework and a multi-threaded Web search engine, that demonstrate the effectiveness of this approach.

1,424 citations

Related Papers (5)
Towards automatic exception safety verification

[...]

21 Aug 2006
Xin Li, H. James Hoover, Piotr Rudnicki
Using Static Analysis to Find Bugs

[...]

01 Sep 2008-IEEE Software
Nathaniel Ayewah, David Hovemeyer, J.D. Morgenthaler, John Penix, William Pugh 
Finding bugs is easy

[...]

23 Oct 2004
David Hovemeyer, William Pugh
Finding and preventing run-time error handling mistakes

[...]

01 Oct 2004
Westley Weimer, George C. Necula
Tracking down software bugs using automatic anomaly detection

[...]

19 May 2002
Sudheendra Hangal, Monica S. Lam