path projection
play

Path Projection For User-Centered Static Analysis Tools Khoo Yit - PowerPoint PPT Presentation

Path Projection For User-Centered Static Analysis Tools Khoo Yit Phang , Jeff Foster, Michael Hicks, Vibha Sazawal University of Maryland PASTE 2008, November 10 1 Success in Static Analysis Coverity, Fortify, Grammatech, Klocwork, many others


  1. Path Projection For User-Centered Static Analysis Tools Khoo Yit Phang , Jeff Foster, Michael Hicks, Vibha Sazawal University of Maryland PASTE 2008, November 10 1

  2. Success in Static Analysis Coverity, Fortify, Grammatech, Klocwork, many others are selling static analysis tools Microsoft, Mozilla, and others are integrating static analysis into development Very active static analysis research community 2

  3. But there’ s a problem... Research has focused on static analysis algorithms But, programmers use tools , not algorithms Static analysis tools are only useful if programmers can understand the results Our goal: develop ways to make static analysis tools more user-centered 3

  4. Path Projection A new UI toolkit for visualizing program paths call stacks and control-flow paths Paths are very common in static analysis tool output Helping users understand paths will help many static analysis tools We have applied Path Projection to Locksmith and BLAST Experimental evaluation Task: triaging Locksmith error reports Result: 18% improvement in completion time, similar accuracy 4

  5. Case Study: Locksmith Polyvios Pratikakis et al. (PLDI 2006) Static data race detector for C Data race: Two or more threads access a shared variable at the same time Locksmith reports call stacks to possibly-racing dereferences To triage, user must decide whether multiple paths are simultaneously realizable 5

  6. Locksmith in Standard Viewer Standard Viewer designed to mimic typical editors/IDEs 6

  7. Locksmith in Standard Viewer Locksmith error report with hyperlinks 6

  8. 6

  9. Locksmith Error Report 7

  10. Locksmith Error Report Shared variable 7

  11. Locksmith Error Report Shared variable Call stacks leading to race 7

  12. Locksmith Error Report Thread creation 7

  13. Locksmith Error Report Thread creation Dereference 7

  14. Locksmith Error Report Thread creation Dereference w/no locks held 7

  15. Locksmith Error Report Thread creation Dereference w/no locks held 7

  16. Locksmith Error Report 7

  17. Triaging Locksmith Triage: are these call stacks simultaneously realizable? 8

  18. Triaging Locksmith Begin by clicking 9

  19. Triaging Locksmith Begin by clicking 9

  20. Triaging Locksmith Thread creation realizable? 10

  21. Triaging Locksmith Thread creation realizable? Yes, unconditionally created 10

  22. Triaging Locksmith Keep around context 11

  23. Triaging Locksmith Keep around context Easier than remembering 11

  24. Triaging Locksmith Focus 12

  25. Triaging Locksmith Next call Call site of 12

  26. Triaging Locksmith Skipping a few steps 13

  27. Triaging Locksmith the dereference, finally! 13

  28. Triaging Locksmith 14

  29. Triaging Locksmith Screen is very cluttered! 14

  30. Triaging Locksmith Old context is hidden! 14

  31. Triaging Locksmith Which function is this? Old context is hidden! Where was this called? 14

  32. A Thousand Cuts 15

  33. A Thousand Cuts Read error report Split window Click hyperlink 1 Focus Read code Back to error report Scroll up Click hyperlink 3 Scroll down Read code Split window Scroll down Focus Split window Back to error report Focus Click hyperlink 2 Back to error report Read code Collapse splits Scroll down (resize window, move window...) Many little distractions from actual task Seemingly straightforward task becomes complex! 15

  34. Path Projection Designed for tracing paths 16

  35. Path Projection Designed for tracing paths Function call inlining: Inline function directly below call site 16

  36. Path Projection Designed for tracing paths Function call inlining: Inline function directly below call site Path-derived code folding: Show only implicated lines and lexical control-blocks 16

  37. Path Projection Designed for tracing paths Function call inlining: Inline function directly below call site Path-derived code folding: Show only implicated lines and lexical control-blocks Show as much code as possible on one screen 16

  38. Path Projection Show paths side by side 17

  39. Path Projection Show paths side by side 17

  40. Path Projection Multiple searches (despite folds) 18

  41. Path Projection Multiple searches (despite folds) 18

  42. Path Projection Continuing example... 19

  43. Path Projection from 1st call stack 19

  44. Path Projection from 2nd call stack 19

  45. Path Projection from 2nd call stack dereference 19

  46. Path Projection condition for thread creation in loop condition for dereference 19

  47. Path Projection not a single click or scroll! 19

  48. Path Projection no need to look not a single click or scroll! here too! 19

  49. Path Projection What’ s foffset? 20

  50. Path Projection 20

  51. Path Projection What’ s in read_log? 21

  52. Path Projection Reveal definition (initially folded) 21

  53. Pilot User Study We discovered that static analysis is... 22

  54. Rocket Science In our pilot studies, non-expert users had great trouble triaging Locksmith error reports: ad hoc, inconsistent procedure neglected some causes of false positives sidetracked by non-causes of false positives Even with extensive tutorials! 23

  55. Rocket Science 101 Our solution: triaging checklist Checklists are tool-/ error-specific Different tools have different imprecision & error reports Anecdotally, 41% faster at triaging using checklist 24

  56. Locksmith Triaging Checklist To triage Locksmith: check if any pair of paths are simultaneously realizable different cases: threads in loop, parent-child, child-child For example: Source of imprecision: Locksmith is path-insensitive Possible false positive: child-child threads may be mutually exclusive 25

  57. Locksmith Triaging Checklist To triage Locksmith: check if any pair of paths are simultaneously realizable different cases: threads in loop, parent-child, child-child For example: Source of imprecision: Locksmith is path-insensitive Possible false positive: child-child threads may be mutually exclusive 25

  58. Locksmith Triaging Checklist To triage Locksmith: check if any pair of paths are simultaneously realizable different cases: threads in loop, parent-child, child-child For example: Source of imprecision: Locksmith is path-insensitive Possible false positive: child-child threads may be mutually exclusive 25

  59. User Study Which is better: Standard Viewer (SV) or Path Projection (PP)? Quantitatively: completion time Qualitatively: user ratings Data race triaging task using Locksmith 26

  60. User Study Issues Large variance between participants Participants have different skill level Are differences due to participant or UI? Within-subjects: each participant use both interfaces Compare UI results for each participant 27

  61. User Study Issues Order and carryover effect Participants get better over time (learning) Participants biased by initial UI or problem Counter-balance: divide participants into two groups SV-PP: Standard Viewer, then Path Projection PP-SV: Path Projection, then Standard Viewer 28

  62. User Study: Locksmith Task 6 trials from Locksmith corpus (unfamiliar to users) One warning per trial no need to manage warnings Only verify that paths are simultaneously realizable No aliasing/imprecise lock state (future work) 29

  63. User Study: Misc. 8 student participants 3 undergraduates, 5 graduates Prior experience in C, multithreading (not necessarily C) Self-rated 3-4 (1: no experience to 5: very experienced) 2 had experience in Locksmith and Eraser 30

  64. Quantitative (Chart guide) Completion time (sec) 400 Standard Viewer Path Projection 300 200 100 0 Session 1 Session 2 31

  65. Quantitative (Chart guide) Completion time (sec) 400 Standard Viewer Path Projection 300 Time in Seconds 200 100 0 Session 1 Session 2 31

  66. Quantitative (Chart guide) Completion time (sec) 400 Standard Viewer Path Projection 300 Time in Seconds PP-SV group 200 100 SV-PP group 0 Session 1 Session 2 31

  67. Faster Completion Time Completion time (sec) 400 Standard Viewer Path Projection 300 200 100 0 Session 1 Session 2 32

  68. Faster Completion Time Learning effect Completion time (sec) 400 all improved in Session 2* Standard Viewer Path Projection 300 200 Learning effect 100 0 Session 1 Session 2 *statistically significant (p<0.05) 32

  69. Faster Completion Time Learning effect Completion time (sec) 400 all improved in Session 2* Standard Viewer Path Projection SV-PP improved by 188s* 300 (effect size d=1.276) SV-PP: 188s 200 Learning effect 100 0 Session 1 Session 2 *statistically significant (p<0.05) 32

  70. Faster Completion Time Learning effect Completion time (sec) 400 all improved in Session 2* Standard Viewer Path Projection PP-SV: 55s SV-PP improved by 188s* 300 (effect size d=1.276) SV-PP: 188s 200 PP-SV improved by 55s* Learning effect 100 (effect size d=0.375) 0 Session 1 Session 2 *statistically significant (p<0.05) 32

Recommend


More recommend