Static Analysis of Software Product Lines

Static Analysis ofSoftware Product Lines

Jan Midtgaard Andrzej Wąsowski

Claus Brabrand Paulo Borba

Mira MeziniEric Bodden

Márcio Ribeiro Társis Tolêdo

[ DFA-4-SPL ]( AOSD 2012 )

[ SPLLIFT ]( PLDI 2013 )

[ Var-Abs-Int ](in progress..)

[ 2 ]"Static Analysis of Software Product Lines" Aug 9, 2013MT Lab Meeting

< Outline >Introduction:

Software Product Lines (SPL)Dataflow Analysis (DFA)

DFA-4-SPL:A0 (brute force) (feature in-sensitive)A1 (consecutive)A2 (simultaneous)A3 (shared simultaneous)SPLLIFT (graph encoding)

Evaluation and ResultsSketch of Work in Progress: "Var-Abs-Int"

(feature sensitive)

Introduction

1x CAR

1x CELL PHONE

1x APPLICATION

CARS CELL PHONES APPLICATIONS

Traditional Software Development:One program = One product

Product Line:A ”family” of products (of N ”similar” products):

customizeSPL:

(Family ofPrograms)

Software Product LineSPL:

Feature Model: (e.g.: ψFM ≡ VIDEO COLOR)

Family ofPrograms:

COLORVIDEO

{ Video }

{ Color, Video }

Configurations:Ø, {Color}, {Video}, {Color,Video}VALID

{ Color }

customize

Set of Features:F = { COLOR, VIDEO }

Software Product LineSPLs based on Conditional Compilation:

#ifdef ( )

#endif

Logo logo;...

...logo.use();

#ifdef (VIDEO) logo = new Logo();#endif

t) *** null-pointer exception!in configurations: {Ø, {COLOR}}

: fF | |

resultresult

0100101111011010100111110111

Analysis of SPLsThe Compilation Process:

...and for Software Product Lines:

0100101111011010100111110111

resultcompile run

ERROR!

generate 0100101111011010100111110111

resultrun

ERROR!

ANALYZE!

Feature-sensitive data-flow analysis !

runruncompilecompilecompile

ANALYZE!ANALYZE! ERROR!ERROR!

Dataflow AnalysisDataflow Analysis:

1) Control-flow graph2) Lattice (finite height)3) Transfer functions (monotone)

Example:"sign-of-x analysis"

Analyzing a Program1) Program 2) Build CFG 3) Make Equations

4) Solve equations: fixed-point computation (iteration)

5) SOLUTION (least fixed point):

Annotated with program points

(feature sensitive)

Dataflow Analysis forSoftware Product LinesDFA-4-SPLClaus Brabrand

IT University of CopenhagenUniversidade Federal de Pernambuco

[ brabrand@itu.dk ]

Márcio RibeiroUniversidade Federal de Alagoas

Universidade Federal de Pernambuco[ mmr3@cin.ufpe.br ]

Paulo BorbaUniversidade Federal de Pernambuco

[ phmb@cin.ufpe.br ]

Társis ToledoUniversidade Federal de Pernambuco

[ twt@cin.ufpe.br ]

AOSD 2012 and TAOSD 2013

"Intraprocedural Dataflow Analysis for Software Product Lines"

A0A0(brute force):

void m() { int x=0; ifdef(A) x++; ifdef(B) x--;}

c = {A}: c = {B}: c = {A,B}:

int x = 0;

ψFM = A B∨

Lfeature in-sensitive!

N = O(2F) compilations!

int x = 0;

A1A1(consecutive):

c = {A}:

ψFM = A B∨

c = {B}: c = {A,B}:

✓ ✓

feature sensitive!

N = O(2F) fixp iterations!

+({A} = , {B} = , {A,B} = )

({A} = , {B} = , {A,B} = )

A2A2(simultaneous):

∀c ∈ {{A},{B},{A,B}}:

int x = 0;

✓({A} = , {B} = , {A,B} = )✓✓

✓✓

ψFM = A B∨

feature sensitive!LL × ×

{A} {B} {A,B}

( [[ψ ¬A ]] = , [[∧ ψ A ]] = , [[∧ ψ ¬A ]] = , [[∧ ψ A ]] = )∧

( [[ψ ]] = , [[ψ ]] = )

A3A3(shared sim.):

ψFM = A B:∨

int x = 0;

_|( [[ψ]] = )

0( [[ψ]] = )

(A B) ¬A ¬B ≡ ∨ ∧ ∧ false

can use BDDrepresentation !(compact+efficient)

i.e., invalid given wrt.the feature model, ψ !

ψFM = A B∨

0∧¬A ∧A +

∧¬B ∧¬B ∧B ∧B

feature sensitive!LLL × ×

{A} {B} {A,B}

Statically AnalyzingSoftware Product Linesin Minutes instead of YearsSPLLIFT

PLDI 2013

Eric BoddenTechnische Universität Darmstadt

[ bodden@acm.org ]

Társis TolêdoUniversidade Federal de Pernambuco

[ twt@cin.ufpe.br ]

Márcio RibeiroUniversidade Federal de Alagoas[ mmr3@cin.ufpe.br ]

Mira MeziniTechnische Universität Darmstadt[ mira.mezini@cased.de]

Claus BrabrandIT University of Copenhagen[ brabrand@itu.dk ]

Paulo BorbaUniversidade Federal de Pernambuco

[ phmb@cin.ufpe.br ]

"Statically Analyzing Software Product Lines in Minutes instead of Years"

[ (A B)∧ ¬A∧ ] ∨ [ true A∧ ]

true A B∧

true ¬A∧ = ¬A

SPLLIFT

IFDS:A0:

λS . (S – {x}) {y}∪

SPLLIFT (IFDS ➞ IDE):A2:( {A} = {x} , {B} = {x} , {A,B} = {x,y} )

λS . (S – {x}) {y}∪A:#ifdef (A)

( {A} = {y} , {B} = {x} , {A,B} = {y} )

A ¬A¬A

■ Reps■ Horwitz■ Sagiv

fixed-pointiteration

graphreachability➔

{x} {y}Ø

(feature sensitive)

ResultsResults for SPLLIFT (interprocedural analysis):

In fact, analyzing all valid configs is only slightly slower than analyzing one config !

Minutes instead of Years ! :-)

Reaching Definitions Possible Types Uninitialized VariablesSPL

benchmark# validconfigs

A1 SPLLIFT A1 SPLLIFT A1 SPLLIFT

Lampiro 4 3m30s 42s 13s 4s 3m09s 1m25s

MM 08 26 24m29s 59s 2m06s 3s 27m39s 2m13s

GPL 1,872 days 8m48s 9h03m39s 42s days 7m09s

Berkeley DB unknown years 12m04s years 24s years 10m18s

(feature sensitive)

Systematic Derivation of Static Analyses for Software Product LinesVar-Abs-IntJan Midtgaard

Aarhus University[ jmi@cs.au.dk ]

Claus BrabrandIT University of Copenhagen[ brabrand@itu.dk ]

Andrzej WąsowskiIT University of Copenhagen[ wasowski@itu.dk ]

I n p r o g r e s s . . .

"Systematic Derivation of Static Analyses for Software Product Lines"

Lifted Lifted

Var-Abs-Int"Systematic Derivation of Analyses for SPLs":

Lifted

Questions ?

AbstractSoftware Product Lines (SPLs) developed using annotative approaches such as conditional compilation come with an inherent risk of constructing erroneous products. For this reason, it is essential to be able to analyze such SPLs. However, as dataflow analysis techniques are not able to deal with SPLs, developers must generate and analyze all valid products individually, which is expensive for non-trivial SPLs.We demonstrate how to take any standard dataflow analysis and automatically turn it into a feature-sensitive dataflow analysis in several qualitatively different ways. All analyses are capable of analyzing all valid products of an SPL without having to generate all of them explicitly.

Example SPL

config = {G}(¬F G ¬H)∧ ∧

customize(instantiate)(preprocess)

Software Product Line: Conventional Program:

Exploded Super Graph...for Program:

Lifted Exploded Super Graph...for SPL:

independent options...

> Earth's Population (233)

[ C. K

[ 28 ]"Static Analysis of Software Product Lines" Aug 9, 2013MT Lab Meeting> Atoms in Universe (2320)

[ C. K

independent options...320

[ C. K

10 000 configurableoptions...

Specification: A1, A2, A3, A4

A1, A2, A3, and A4A1 A2

Intraprocedural EvaluationFour (qualitatively different) SPL benchmarks:

Implementation: A1, A2, A3, A4 in SOOT + CIDEEvaluation: total time, analysis time, memory usage

EvaluationFive (qualitatively different) SPL benchmarks:

Results (intra)In practice:

(Reaching Definitions)(Total time, incl. compile)

(no re-compile!)

Feature sensitive(A1, A2, and A3)all faster than A0

Overview

A0 (brute force)

A1 (consecutive)

A2 (simultaneous)

A3 (shared)

A* (combo)

(intra-procedural)

no re-compile!

caching!

sharing!

combo!

AOSD2012

TAOSD 2013

Beyond the Sum of all MethodsFor a method with K valid configurations, which of analyses A1 vs A2 vs A3 is fastest?

Statistically significant differences between A1, A2, and A3 for all N,except between A2 and A3 for N=4 (underlined above).

Combo Analysis Strategy: A*Intraprocedurally combinedanalysis strategy, A*:

A* consistently fastest(combo!)

Overview (cont'd)

A0 (brute force)

A1 (consecutive)

A2 (simultaneous)

A3 (shared)

A* (combo)

SPLLIFT

(intra-procedural)

PLDI 2013

IFDS (graph repr)

A3+BDD (esp. interprocedural)

no re-compile!

caching!

sharing!

combo!

graphencoding!

repr!AOSD2012

TAOSD 2013

Results (total time)In theory:

In practice:

6x 8x 14x

3x5x 3x

1x 1x 1x

2x 2½x2x

A2 (3x), A3 (4x), A4 (5x)Feature sensitive (avg. gain factor):

(Reaching Definitions)

Results (analysis time)In theory:

In practice:TIME(A4) : Depends on

degree of sharing in SPL !(caching!)

(Reaching Definitions) A3 (1.5x) fasterOn average (A2 vs A3):

Results (memory usage)In theory:

In practice:(Reaching Definitions) 6.3 : 1Average

SPACE(A4) : Depends ondegree of sharing in SPL !

Related Work (DFA)Path-sensitive DFA:

Idea of “conditionally executed statements”Compute different analysis info along different paths (~ A2, A3, A4) to improve precision or to optimize “hot paths”

Predicated DFA:

Guard lattice values by propositional logic predicates (~ A4), yielding “optimistic dataflow values” that are kept distinct during analysis (~ A3 and A4)

“Constant Propagation with Conditional Branches”( Wegman and Zadeck ) TOPLAS 1991

“Predicated Array Data-Flow Analysis for Run-time Parallelization”( Moon, Hall, and Murphy ) ICS 1998

Our work: Automatically lift any DFA to SPLs (with ψFM) ⇒feature-sensitive analysis for analyzing entire program family

Related Work (Lifting for SPLs)Model Checking:

Type Checking:

Parsing:

Testing:

Model Checking Lots of Systems: Efficient Verification of Temporal Properties in Software Product Lines”( Classen, Heymans, Schobbens, Legay, and Raskin ) ICSE 2010

Model checks all SPLs at the same time (3.5x faster) than one by one! (similar goal, diff techniques)

Type checking ↔ DFA (similar goal, diff techniques)Our: auto lift any DFA (uninit vars, null pointers, ...)

“Type Safety for Feature-Oriented Product Lines”( Apel, Kastner, Grösslinger, and Lengauer ) ASE 2010

“Type-Checking Software Product Lines - A Formal Approach”( Kastner and Apel ) ASE 2008

“Variability-Aware Parsing in the Presence of Lexical Macros & C.C.”( Kastner, Giarrusso, Rendel, Erdweg, Ostermann, and Berger ) OOPSLA 2011

“Reducing Combinatorics in Testing Product Lines”( Hwan, Kim, Batory, and Khurshid ) AOSD 2011

Select relevant feature combinations for a given test caseUses (hardwired) DFA (w/o FM) to compute reachability

(similar techniques, diff goal):Split and merging parsing (~A4) and also uses instrumentation

Emerging Interfaces

"A Tool for Improving Maintainability of Preprocessor-based Product Lines"( Márcio Ribeiro, Társis Tolêdo, Paulo Borba, Claus Brabrand )

*** Best Tool Award ***CBSoft 2011:

Results (analysis time)In theory:

In practice:TIME(A4) : Depends on

degree of sharing in SPL !

Nx1 ≠ 1xN?!

(caching!)

(Reaching Definitions) A3 (1.5x) fasterOn average (A2 vs A3):

A2 vs A3 (caching)Cache misses in A2 vs A3:

Normal cache:As expected, A2 incurs more cache misses ( slower!)⇒

Full/no cache*:As hypothesized, this indeed affects A2 more than A3

i.e., A3 has better cache properties than A2

*) we flush the L2 cache, by traversing an 8MB “bogus array” to invalidate cache!

IFDEF normalizationRefactor "undisciplined" (lexical) ifdefs into "disciplined" (syntactic) ifdefs:

Normalize "ifdef"s (by transformation):

Example Bug from LampiroLampiro SPL (IM client for XMPP protocol):

*** uninitialized variable "logo"(if feature "GLIDER" is defined)

Similar problems with:undeclared variables, unused variables, null pointers, ...

BDD (Binary Decision Diagram)Compact and efficient representation forboolean functions (aka., set of set of names)

FAST: negation, conjunction, disjunction, equality !

= F(A,B,C) = A(BC)

minimized BDD

C C C C

Formula ~ Set of ConfigurationsDefinitions (given F, set of feature names):

f F feature namec 2F configuration (set of feature names) c FX 22 set of config's (set of set of feature names) X 2F

Exampleifdefs:

[[ BA ]]

[[ A(BC) ]]

F = {A,B}

F = {A,B,C}

= { {A}, {B}, {A,B} }

= { {A,B}, {A,C}, {A,B,C} }

Feature Model (Example)Feature Model:

Feature set:

Formula:

Set of configurations:

FM Car Engine (1.01.4) Air1.4

{ {Car, Engine, 1.0}, {Car, Engine, 1.4}, {Car, Engine, 1.4, Air} }

F = {Car, Engine, 1.0, 1.4, Air}

Note:| [[FM]] | = 3 < 32 = |2F |

[[ ]] =

Engine

Conditional CompilationThe 'ifdef' construction:

Syntactic variant of lexical #ifdef

Propositional Logic: where fF (finite set of feature names)

Example:

STM : 'ifdef' '(' ')' STM

: fF | |

status.print("you die");ifdef (DeluxeVersion && ColorDisplay) { player.redraw(Color.red); Audio.play("crash.wav");}lives = lives - 1;

ifdef (A) { ...}

Lexical #ifdef Syntactic ifdefSimple transformation:

We do not handle non-syntactic '#ifdef's:

Fair assumption(also in CIDE)

Nested ifdef's also give rise to a conj.of formulas

CASE 1: "COPY"A4: Lazy Splitting (using BDDs)

CASE 2: "APPLY" CASE 3: "SPLIT"

[ =l , ... ]

l ' = fS(l )

[ =l , ... ]

[ =l ', ... ]

l ' = fS(l )

[ =l , ... ]

[ =l, =l' ,...]

l ' = fS(l )

= Ø = Ø

Var-Abs-Int

Static Analysis of Software Product Lines

Documents

Transcript of Static Analysis of Software Product Lines

Applying Static Analysis to Software Architecturesext.math.umass.edu/~avrunin/papers/naumovich-fse97.pdfApplying Static Analysis to Software Architectures Gleb Naumovich, George S.

Power lines cause diseases through Static Electricity New science reveals, not radiation, but static electricity produced by power lines interferes with.

Software Static Analysis

Software circus: Static websites still got it

Power lines cause diseases through Static Electricity

Software Clustering Using Dynamic Analysis and Static ...

RELAY: Static Race Detection on Millions of Lines of Code

Static Analysis Internationalization I18n Software Localization

Application of Influence Lines on Static Analysis of Cable-Stayed ...

A Taxonomy of Variability Realization Techniques › static › Variability_taxonomy.pdf · A Taxonomy of Variability Realization Techniques ... Development of software product lines

Evolution and maintenance of software product lines 1 Software maintenance and evolution Evolution and maintenance of software product lines Prof. Robertas.

Code Reviews & Static Software Analysis & Testing Techniques.

Static third-harmonic lines in widely variable ﬁber …biophotonics.illinois.edu/sites/default/files/PhysRevA...PHYSICAL REVIEW A 89, 013813 (2014) Static third-harmonic lines in

Complement Software Testing with Static Analysis

Software Publisher Lines 5112 L

PERFORMING STATIC STRUCTURE ANALYSIS USING SOFTWARE DEPENDENCIES

Static Program Analysis of Embedded Software

Brainsoft Software Private Limited, Ghaziabad, Static WebSite

Using Software Metrics to Evaluate Static Single ... Software... · Using Software Metrics to Evaluate Static Single Assignment Form in GCC Jeremy Singer1, Christos Tjortjis2,3, and

CAS Static Analysis Tool Study - Methodology Static Analysis Tool Study - Methodology Center for Assured Software ... In order to study static analysis tools, users need software for