User-centered Program Analysis Tools

The research and industrial communities have made great strides in developing advanced software defect detection tools based on program analysis. Most of the work in this area has focused on developing novel program analysis algorithms to find bugs more efficiently or accurately, or to find more sophisticated kinds of bugs. However, the focus on algorithms often leads to tools that are complex and difficult to actually use to debug programs. We believe that we can design better, more useful program analysis tools by taking a user-centered approach. In this dissertation, we present three possible elements of such an approach. First, we improve the user interface by designing Path Projection, a toolkit for visualizing program paths, such as call stacks, that are commonly used to explain errors. We evaluated Path Projection in a user study and found that programmers were able to verify error reports more quickly with similar accuracy, and strongly preferred Path Projection to a standard code viewer. Second, we make it easier for programmers to combine different algorithms to customize the precision or efficiency of a tool for their target programs. We designed Mix, a framework that allows programmers to apply either type checking, which is fast but imprecise, or symbolic execution, which is precise but slow, to different parts of their programs. Mix keeps its design simple by making no modifications to the constituent analyses. Instead, programmers use Mix annotations to mark blocks of code that should be typed checked or symbolically executed, and Mix automatically combines the results. We evaluated the effectiveness of Mix by implementing a prototype called Mixy for C and using it to check for null pointer errors in vsftpd. Finally, we integrate program analysis more directly into the debugging process. We designed Expositor, an interactive dynamic program analysis and debugging environment built on top of scripting and time-travel debugging. In Expositor, programmers write program analyses as scripts that analyze entire program executions, using list-like operations such as map and filter to manipulate execution traces. For efficiency, Expositor uses lazy data structures throughout its implementation to compute results on-demand, enabling a more interactive user experience. We developed a prototype of Expositor using GDB and UndoDB, and used it to debug a stack overflow and to unravel a subtle data race in Firefox

Data Modeling for Static Analysis of Web Applications

PHP je velmi oblíbený jazyk, často používaný na implementaci serverové části webových aplikací. Jazyk je velmi jednoduchý na používání a i proto je na celém internetu velké množství menších stránek, ale i rozsáhlejších aplikací, napsaných v jazyce PHP. Velká obliba PHP však způsobuje, že mnoho lidí vyhledává jeho slabiny s cílem narušit bezpečnost webových aplikací. Weverca je první nástroj schopný provést komplexní bezpečnostní analýzu celé stránky napsané v moderní verzi PHP a vyhledat informace o možných bezpečnostních rizicích aplikace. Výkon nástroje Weverca je však omezen časovou a paměťovou náročností, která je způsobena neefektivitou reprezentace paměti PHP stránky. Cílem této práce je nalézt a vyřešit hlavní nedostatky původní implementace paměťového modelu. Výsledkem je nová implementace, která minimalizuje nároky původního řešení. Powered by TCPDF (www.tcpdf.org)The PHP is a very popular language which is used to write a server side part of web applications. The language is very simple to use and there are lots of small or more complex pages across the internet. But the great widespread of the PHP attracts the people which want to harm and compromise security of the web applications. The weverca analyzer is the first tool which is able to perform complex security analysis of a full page written in the modern version of the PHP and give information about possible security risks in the application. But the performance of Weverca is limited by its time and memory complexity caused by inefficient inner representation of a PHP memory state. The goal of this thesis is to find and solve main problems of the original memory representation. The output of this thesis is an implementation of the new memory representation which minimizes the complexity of the original solution. Powered by TCPDF (www.tcpdf.org)Department of Distributed and Dependable SystemsKatedra distribuovaných a spolehlivých systémůMatematicko-fyzikální fakultaFaculty of Mathematics and Physic

Finding The Lazy Programmer's Bugs

Traditionally developers and testers created huge numbers of explicit tests, enumerating interesting cases, perhaps biased by what they believe to be the current boundary conditions of the function being tested. Or at least, they were supposed to. A major step forward was the development of property testing. Property testing requires the user to write a few functional properties that are used to generate tests, and requires an external library or tool to create test data for the tests. As such many thousands of tests can be created for a single property. For the purely functional programming language Haskell there are several such libraries; for example QuickCheck [CH00], SmallCheck and Lazy SmallCheck [RNL08]. Unfortunately, property testing still requires the user to write explicit tests. Fortunately, we note there are already many implicit tests present in programs. Developers may throw assertion errors, or the compiler may silently insert runtime exceptions for incomplete pattern matches. We attempt to automate the testing process using these implicit tests. Our contributions are in four main areas: (1) We have developed algorithms to automatically infer appropriate constructors and functions needed to generate test data without requiring additional programmer work or annotations. (2) To combine the constructors and functions into test expressions we take advantage of Haskell's lazy evaluation semantics by applying the techniques of needed narrowing and lazy instantiation to guide generation. (3) We keep the type of test data at its most general, in order to prevent committing too early to monomorphic types that cause needless wasted tests. (4) We have developed novel ways of creating Haskell case expressions to inspect elements inside returned data structures, in order to discover exceptions that may be hidden by laziness, and to make our test data generation algorithm more expressive. In order to validate our claims, we have implemented these techniques in Irulan, a fully automatic tool for generating systematic black-box unit tests for Haskell library code. We have designed Irulan to generate high coverage test suites and detect common programming errors in the process

A Survey of Monte Carlo Tree Search Methods

Monte Carlo tree search (MCTS) is a recently proposed search method that combines the precision of tree search with the generality of random sampling. It has received considerable interest due to its spectacular success in the difficult problem of computer Go, but has also proved beneficial in a range of other domains. This paper is a survey of the literature to date, intended to provide a snapshot of the state of the art after the first five years of MCTS research. We outline the core algorithm's derivation, impart some structure on the many variations and enhancements that have been proposed, and summarize the results from the key game and nongame domains to which MCTS methods have been applied. A number of open research questions indicate that the field is ripe for future work

Random walk centrality for temporal networks

Nodes can be ranked according to their relative importance within a network. Ranking algorithms based on random walks are particularly useful because they connect topological and diffusive properties of the network. Previous methods based on random walks, for example the PageRank, have focused on static structures. However, several realistic networks are indeed dynamic, meaning that their structure changes in time. In this paper, we propose a centrality measure for temporal networks based on random walks under periodic boundary conditions that we call TempoRank. It is known that, in static networks, the stationary density of the random walk is proportional to the degree or the strength of a node. In contrast, we find that, in temporal networks, the stationary density is proportional to the in-strength of the so-called effective network, a weighted and directed network explicitly constructed from the original sequence of transition matrices. The stationary density also depends on the sojourn probability q, which regulates the tendency of the walker to stay in the node, and on the temporal resolution of the data. We apply our method to human interaction networks and show that although it is important for a node to be connected to another node with many random walkers (one of the principles of the PageRank) at the right moment, this effect is negligible in practice when the time order of link activation is included

What is a Good Plan? Cultural Variations in Expert Planners’ Concepts of Plan Quality

This article presents the results of a field research study examining commonalities and differences between American and British operational planners’ mental models of planning. We conducted Cultural Network Analysis (CNA) interviews with 14 experienced operational planners in the US and UK. Our results demonstrate the existence of fundamental differences between the way American and British expert planners conceive of a high quality plan. Our results revealed that the American planners’ model focused on specification of action to achieve synchronization, providing little autonomy at the level of execution, and included the belief that increasing contingencies reduces risk. The British planners’ model stressed the internal coherence of the plan, to support shared situational awareness and thereby flexibility at the level of execution. The British model also emphasized the belief that reducing the number of assumptions decreases risk. Overall, the American ideal plan serves a controlling function, whereas the British ideal plan supports an enabling function. Interestingly, both the US and UK would view the other’s ideal plan as riskier than their own. The implications of cultural models of plans and planning are described for establishing performance measures and designing systems to support multinational planning teams

Mining eighteenth century ontologies: Machine learning and knowledge classification in the encyclopédie

The Encyclopédie of Denis Diderot and Jean le Rond d'Alembert was one of the most important and revolutionary intellectual products of the French Enlightenment. Mobilizing many of the great – and the notsogreat – philosophes of the 18th century, the Encyclopédie was a massive reference work for the arts and sciences, which sought to organize and transmit the totality of human knowledge while at the same time serving as a vehicle for critical thinking. In its digital form, it is a highly structured corpus; some 55,000 of its 77,000 articles were labeled with classes of knowledge by the editors making it a perfect sandbox for experiments with supervised learning algorithms. In this study, we train a Naive Bayesian classifier on the labeled articles and use this model to determine class membership for the remaining articles. This model is then used to make binary comparisons between labeled texts from different classes in an effort to extract the most important features in terms of class distinction. Reapplying the model onto the original classified articles leads us to question our previous assumptions about the consistency and coherency of the ontology developed by the Encyclopedists. Finally, by applying this model to another corpus from 18th century France, the Journal de Trévoux, or Mémoires pour l'Histoire des Sciences & des BeauxArts, new light is shed on the domain of Literature as it was understood and defined by 18th century writers

Solving Course Selection Problem by a Combination of Correlation Analysis and Analytic Hierarchy Process

In the universities where students have a chance to select and enroll in a particular course, they require special support to avoid the wrong combination of courses that might lead to delay their study. Analysis shows that the students' selection is mainly influenced by list of factors which we categorized them into three groups of concern: course factors, social factors, and individual factors. This paper proposed a two-phased model where the most correlated courses are generated and prioritized based on the student preferences. At this end, we have applied the multi-criteria analytic hierarchy process (MC-AHP) in order to generate the optimum set of courses from the available courses pool. To validate the model, we applied it to the data from students of the Information System Department at Taibah University, Kingdom of Saudi Arabia.