OORPT Dynamic Analysis
description
Transcript of OORPT Dynamic Analysis
OORPTObject-Oriented Reengineering Patternsand Techniques12. Analyzing Dynamic Behavior
Orla Greevy & Adrian Lienhard
12.2
What is Dynamic Analysis?
The investigation of the properties of a runningsoftware system over one or more executions
(Static analysis examines the program code alone)
12.3
Has anyone used Dynamic Analysis?
12.4
Roadmap
MotivationSources of Runtime InformationTracing techniques and their challengesOverview of Tools (Loggers, Debuggers, Profilers, etc)Dynamic Analysis in a Reverse Engineering ContextSummary
12.5
What does this program do?
#include <stdio.h>main(t,_,a)char*a;{return!0<t?t<3?main(-79,-13,a+main(-87,1-_,main(-86,0,a+1)+a)):1,t<_?main(t+1,_,a):3,main(-94,-27+t,a)&&t==2?_<13?main(2,_+1,"%s %d %d¥n"):9:16:t<0?t<-72?main(_,t,"@n'+,#'/*{}w+/w#cdnr/+,{}r/*de}+,/*{*+,/w{%+,/w#q#n+,/#{l,+,/n{n+,/+#n+,/#¥;#q#n+,/+k#;*+,/'r:'d*'3,}{w+K w'K:'+}e#';dq#'l¥q#'+d'K#!/+k#;q#'r}eKK#}w'r}eKK{nl]'/#;#q#n'){)#}w'){){nl]'/+#n';d}rw' i;# ¥){nl]!/n{n#'; r{#w'r nc{nl]'/#{l,+'K{rw' iK{;[{nl]'/w#q#n'wk nw' ¥iwk{KK{nl]!/w{%'l##w#' i;:{nl]'/*{q#'ld;r'}{nlwb!/*de}'c ¥;;{nl'-{}rw]'/+,}##'*}#nc,',#nw]'/+kd'+e}+;#'rdq#w! nr'/ ')}+}{rl#'{n' ')# ¥}'+}##(!!/"):t<-50?_==*a?putchar(31[a]):main(-65,_,a+1):main((*a=='/')+t,_,a+1):0<t?main(2,2,"%s"):*a=='/'||main(0,main(-61,*a,"!ek;dci@bK'(q)-[w]*%n+r3#l,{}:¥nuwloca-O;m.vpbks,fxntdCeghiry"),a+1);}
Thomas Ball, The Concept of Dynamic Analysis, FSE’99
12.6
Why Dynamic Analysis?
Gap between run-time structure and code structure in OO programs
Trying to understand one [structure] from the other is like trying tounderstand the dynamism of living ecosystems from the statictaxonomy of plants and animals, and vice-versa.
-- Erich Gamma et al., Design Patterns
12.7
Reengineering Patterns basedon Dynamic Analysis
Interview during demoFind typical usage scenarios and main features
Step through the Execution with a debuggerUnderstand how objects collaborate
TestsYour life insurance
12.8
Runtime Information Sources
Many possibilities: hardware monitoring, tracing methodexecution, values of variables, memory usage etc...
executeprogram andwatch it fromoutside
Internal viewExternal view
instrumentprogramand watch itfrom inside
12.9
External View
Program output, UI (examine behavior, performance, …)
Analyze used resourcesCPU and memory usage (top)Network usage (netstat, tcpdump)Open files, pipes, sockets (lsof)
Examine logs (syslog, web logs, stdout/stderr, …)
12.10
Internal View
Log statementsin code Stack trace
Debugger
Many different tools are based on tracing: execution profilers,test coverage analyzers, tools for reverse engineering…
Execution trace
12.11
Execution Tracing
How can we capture “full”OO program execution?
Trace entry and exit of methods
Additional information:- receiver and arguments- class instantiations- …?
12.12
Tracing Techniques
Instrumentation approaches—Sourcecode modification—Bytecode modification—Wrapping methods (Smalltalk)
Simulate execution (using debugger infrastructure)
Sampling
At the VM level—Execution tracing by the interpreter—(Dynamic recompilation, JIT)
12.13
Technical Challenges
> Instrumentation influences the behavior of the execution> Overhead: increased execution time> Large amount of data
> Code also used by the tracer, library and system classescannot be instrumented
-> Trace at the VM level-> Scope instrumentation (Changeboxes)
12.14
Roadmap
MotivationSources of Runtime InformationTracing techniques and their challengesOverview of Tools (Loggers, Debuggers, Profilers, etc)Dynamic Analysis in a Reverse Engineering ContextSummary
12.15
Debuggers
Breakpoint Debuggersjdb, gdb,… (run, step, inspect)
Omniscent Debuggers (http://www.lambdacs.com/debugger/debugger.html)
Memory Debuggersjmp - java memory profilerpurify (IBM Rational) - a tool for detecting memory
leaks in C,C++ code
12.16
Loggers - low tech debugging
“…debugging statements stay with the program;debugging sessions are transient. “
Kerningham and Pike
public class Main {!public static void main(String[] args) {!
Clingon aAlien = new Clingon(); !System.out.println(“in main “); aAlien.spendLife();!} !
}
Very messy!
12.17
- defacto standard for Java
Pros- easy to use, widely used by open source and java projects- Configurable and flexible (format the output, log levels)
- Allows enabling of logging at runtime without modifying theapplication binary
- Remote servers for remote monitoring …Cons- Performance overhead- Requires effort to decide where to put log statements- Code Cluttering - Logging accounts for ~ 4% of code
export TOMCAT_OPTS="-Dlog4j.debug -Dlog4j.configuration=foobar.xml
12.18
Short Demo of log4j usage
> …
import org.apache.log4j.Logger; … public class Main {
static Logger logger =Logger.getLogger(MyApp.class);
public static void main(String[] args) {!Clingon aAlien = new Clingon();logger.info(“Entering Application“);aAlien.spendLife();}
}
1 [main] (Main.java) - Entering Application.
12.19
Profilers are used to trackperformance for optimization
- Timing information to detect bottlenecks- Compare the cost of various implementations- Understand what is happening?- Produces an execution Trace and statistical summary
12.20
JProfiler Example Views
12.21
JWireTap: An Interactive Profiler forEclipse (Demo)
12.22
Roadmap
MotivationSources of Runtime InformationTracing techniques and their challengesOverview of Tools (Loggers, Debuggers, Profilers, etc)Dynamic Analysis in a Reverse Engineering ContextSummary
12.23
Reverse Engineering
static view
+
execution traces dynamic view
+ Dynamic Analysis
12.24
Dynamic Analysis for ProgramComprehension
Post Mortem Analysis of execution tracesMetrics Based Approaches
-Frequency Analysis [Ball, Zaidman]-Runtime Coupling Metrics based on Web mining techniques todetect key classses in a trace. [Zaidman 2005]-High-Level Polymetric Views of Condensed Run-TimeInformation [Ducasse, Lanza and Bertoulli 2004]
-Query-based approaches Recoverind high-level views from runtime data
[Richner and Ducasse 1999]
12.25
Visualization of Runtime Behavior
Problem of
Large traces
[JinSight, De Pauw 1993]
12.26
Feature-Centric Reverse Engineering
F2F1
Fn
F1Fn
F2
Software System
Users Software developer
12.27
Bug reports often expressed in termsof Features.
I canʼt add new contacts!!!
The “add contacts“
feature
12.28
Dividing a trace into features
Feature 1 Feature 2 Feature n
12.29
Feature Identification is a technique tomap features to source code.
“A feature is an observable unit of behavior of a system triggeredby the user” [Eisenbarth etal. 2003]
Software Reconnaissance [Wilde and Scully ]Run a (1) feature exhibiting scenario and a (2) non-exhibiting scenario and compare the traces. Then browse the source code.
12.30
Feature-Centric Analysis:3 Complementary Perspectives
F1
F3
F2
F4
F5
Features Perspective
Features RelationshipsPerspective
Classes Perspective
12.31
Dynamix - A Model for DynamicAnalysis
12.32
DynaMoose - An Environment forFeature Analysis
12.33
Demo of Feature Analysis - FeatureViews of Classes
Feature Views of PhoneSim Classes
PhoneButtonEventBackSpace
PhoneStateContactPhoneStateContactFormEditableTextCustomTextArea
12.34
Feature Views of ʻPhonesimʼ Methods
Feature Views of PhoneSim Methods
12.35
Feature Relationships based onshared usage of classes or methods.
browseContacts,addContacts
12.36
Object Flow Analysis
Method execution traces do notreveal how… objects refer to each other… object references evolve
Trace and analyze object flow— Object-centric debugger:
Trace back flow from errors tocode that produced theobjects
— Detect object dependenciesbetween features
12.37
Dynamic vs. Static Analysis
Static analyses extract properties that hold for all possible programruns
Dynamic analysis provides more precise information…but only for the execution under consideration
Dynamic analysis cannot show that a program satisfies a particularproperty, but can detect violations of the property
12.38
Conclusions: Pros and Cons
Dependent on input—Advantage: Input or features can be directly related to execution—Disadvantage: May fail to exercise certain important paths and poor choice ofinput may be unrepresentative
Broad scope: dynamic analyses follow long paths and may discover semanticdependencies between program entities widely separated in space and time
However, understanding dynamic behavior of OO systems is difficultLarge number of executed methodsExecution paths crosscut abstraction layersSide effects
12.39
License
> http://creativecommons.org/licenses/by-sa/2.5/
Attribution-ShareAlike 2.5You are free:• to copy, distribute, display, and perform the work• to make derivative works• to make commercial use of the work
Under the following conditions:
Attribution. You must attribute the work in the manner specified by the author or licensor.
Share Alike. If you alter, transform, or build upon this work, you may distribute the resultingwork only under a license identical to this one.
• For any reuse or distribution, you must make clear to others the license terms of this work.• Any of these conditions can be waived if you get permission from the copyright holder.
Your fair use and other rights are in no way affected by the above.