![Page 1: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/1.jpg)
Finding Programming Errors Earlier by
Evaluating Runtime Monitors Ahead-of-
Time
McGill University Eric BoddenUniversity of Waterloo Patrick Lam
McGill University Laurie Hendren
![Page 2: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/2.jpg)
![Page 3: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/3.jpg)
3
abc compiler
propertyspecification
No missed violations!
![Page 4: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/4.jpg)
4
Problem 1:
Potentially large
runtime overhead
![Page 5: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/5.jpg)
5
Problem 2:Dynamic, with no static
guarantees
![Page 6: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/6.jpg)
6
bug patternspecification
Novel staticprogram analysis
No missed violations!
Optimized Runtime
![Page 7: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/7.jpg)
Problem 3:Existing sound static
approaches have many false positives
![Page 8: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/8.jpg)
8
bug patternspecification
Novel staticprogram analysis
Likely •foo(..) line 23
Unlikely •bar(..) line 42•bar(..) line 43
Classification
![Page 9: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/9.jpg)
9
Most simple example: HasNext
Don't call next() twice on an Iterator iwithout calling hasNext() in between!
![Page 10: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/10.jpg)
10
Tracematch HasNexttracematch(Iterator i) {
}
Allan et al., OOPSLA 05
![Page 11: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/11.jpg)
11
Tracematch HasNexttracematch(Iterator i) {
sym hasNext after returning:call(* Iterator.hasNext()) && target(i);
sym next after returning:call(* Iterator.next()) && target(i);
}
Allan et al., OOPSLA 05
![Page 12: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/12.jpg)
12
Tracematch HasNexttracematch(Iterator i) {
sym hasNext after returning:call(* Iterator.hasNext()) && target(i);
sym next after returning:call(* Iterator.next()) && target(i);
next next
}
Allan et al., OOPSLA 05
![Page 13: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/13.jpg)
13
Tracematch HasNexttracematch(Iterator i) {
sym hasNext after returning:call(* Iterator.hasNext()) && target(i);
sym next after returning:call(* Iterator.next()) && target(i);
next next{
System.out.println(“Called ‘next’ twice on”+i+“!”);
}}
Allan et al., OOPSLA 05
![Page 14: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/14.jpg)
next next
i1.next();
i1.hasNext();
i1.next();
i1.next();
true falsei = o(i1) falsei = o(i1)
14
{System.out.println(“Called ‘next’ twice
on”+i+“!”);}
i = o(i1)
next, hasNext
i = o(i1)
![Page 15: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/15.jpg)
![Page 16: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/16.jpg)
Novel static program analyses
![Page 17: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/17.jpg)
17
Trade-off: Speed vs. Precision
void foo(Iterator i) {
}
![Page 18: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/18.jpg)
18
void foo(Iterator i) {
}
Summary Information
?What events ever occur on i?For every program variable i:
“Both hasNext() and next()”Can program variable j point to
the same object as i?“Only hasNext()”
![Page 19: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/19.jpg)
19
Problem 1: Missing info at method entry
void foo(Iterator i) {
i.next();
}
![Page 20: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/20.jpg)
20
Key observation!
0 1 2
next next
next, hasNext
Possible targets of “next”
0 1 2
Possible targets of “hasNext”
0 1 2
“hasNext” is a state-determining symbol!
![Page 21: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/21.jpg)
21
Key observation!
Benchmarks: 68% of symbolsare state-determining
![Page 22: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/22.jpg)
22
void foo(Iterator i) {if(i.hasNext()) {
i.next();}
}
Problem 1: Missing info at method entry
![Page 23: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/23.jpg)
23
void foo(Iterator i) {if(i.hasNext()) {Iterator i2=i;i2.next();}
}
Problem 2: Aliasing
![Page 24: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/24.jpg)
24
Object representatives
Whole
program
Current method Other method
Must-not-alias (points-to)
Must-alias Must-not-alias Must Must-not
o1o2 o3
Must (Dummy)
Don’tknow
Precision where we can afford itSpeed where we need it
FS:
FI:
![Page 25: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/25.jpg)
25
Problem 3: Outgoing method calls?
void foo(Iterator i) {if(i.hasNext()) {bar(i);i.next();}
}
bar(i) may only call hasNext() on i!
Summary Information
![Page 26: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/26.jpg)
26
Problem 4: Continuation of control flow
void foo(Iterator i) {if(i.hasNext()) {
i.next();}
}void baz(Iterator i) {foo(i);i.next();
}
Can we remove the instrumentation here? NO!
Rest of program may call next() on i!
Summary Information
NO!
No missed violations at runtime!
![Page 27: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/27.jpg)
27
Let the fun begin…binding multiple objects!
For every Collection c and Iterator i:Don't modify c while i is used on c.
![Page 28: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/28.jpg)
28
void whiz(Collection c1){
Iterator i1 = c1.iterator();
i1.next();
}
Let the fun begin…binding multiple objects!
![Page 29: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/29.jpg)
29
Solution: "Uniqueness Check"
Prove that:i = o(i1) c = o(c1)
Requires clever combination of pointer analyses (using object representatives).
Summary Information
![Page 30: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/30.jpg)
30
Benchmarks - TracematchesASyncIteration HasNextElem
FailSafeEnum LeakingSync
FailSafeIter Reader
HashMap Writer
HasNext
![Page 31: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/31.jpg)
Benchmark programs
31
antlr hsqldbbloat jythonchart luceneeclipse pmdfop xalan
… and SciMark (with 4 extra tracematches)
DaCapo:
![Page 32: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/32.jpg)
32
|.........|.........|.........|.........|.........|.........|.........|.........|.........|.........|..
|.........|.........|.........|.........|.........|.........|.........|.........|.........|.........|..
|.........|.........|.........|.........|.........|.........|.........|.........|.........|.........|..
Results – Elimination of potential failure points
103 program/tracematch combinationsstatic guarantees in 84 cases
in 14 cases: less than10 potential failure
points
![Page 33: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/33.jpg)
Likely • foo(..) line 23
Unlikely • bar(…) line 42• bar(…) line 44
Classification of potential failure points
![Page 34: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/34.jpg)
![Page 35: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/35.jpg)
35
HasNext:next - <InductionVarAnalyzer.isMu(..)>
@ line 217next - <InductionVarAnalyzer.isMu(..)>
@ line 218
HasNext:next - <CodeGenerator.removeEmptyBl(..)>
@ line 587hasNext - <CodeGenerator.removeEmptyBl(..)>
@ line 586
Analysis annotates potential failure points
![Page 36: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/36.jpg)
36
HasNext: features []next - <InductionVarAnalyzer.isMu(..)>
@ line 217next - <InductionVarAnalyzer.isMu(..)>
@ line 218
HasNext: features [CALL]next - <CodeGenerator.removeEmptyBl(..)>
@ line 587hasNext - <CodeGenerator.removeEmptyBl(..)>
@ line 586
Analysis annotates potential failure points
![Page 37: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/37.jpg)
37
Features: Reasons for imprecision CALL ABORTED NO_CONTEXT DELEGATE
CONTINUATION DYNAMIC_LOADING OVERLAPS
![Page 38: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/38.jpg)
38
HasNext: features [], ACTUALnext - <InductionVarAnalyzer.isMu(..)>
@ line 217next - <InductionVarAnalyzer.isMu(..)>
@ line 218
HasNext: features [CALL]next - <CodeGenerator.removeEmptyBl(..)>
@ line 587hasNext - <CodeGenerator.removeEmptyBl(..)>
@ line 586
Manually annotated actual failure points
![Page 39: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/39.jpg)
39
CALL = 0| ABORTED = 0| | DELEGATE = 0| | | NO_CONTEXT = 0: TRUE_POSITIVE (11.0/1.0)| | | NO_CONTEXT = 1: FALSE_POSITIVE (4.0/1.0)| | DELEGATE = 1: FALSE_POSITIVE (10.0)| ABORTED = 1: FALSE_POSITIVE (30.0)CALL = 1: FALSE_POSITIVE (406.0/1.0)
Weka machine learning kit
![Page 40: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/40.jpg)
40
Results – Filtering458
12
Correct Un-filtered false positiveFiltered actual violation
Found 5 programs with
bugs or questionable
code.
![Page 41: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/41.jpg)
![Page 42: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/42.jpg)
42
Related work: TypestateStatic and hybrid verification of typestate props. Typestate (Strom & Yemini, TSE Vol 12 No. 1, 86) Fugue for .NET (DeLine & Fähndrich, ECOOP 04) Typest. & Aliasing (Bierhoff & Aldrich, OOPSLA 07) Hybrid static/dynamic (Dwyer & Purandare, ASE 07)
![Page 43: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/43.jpg)
43
Related work: Tracematch-likeFlow-sensitive analysis of Tracematches Naeem and Lhoták, OOPSLA 08
Other state-based runtime-verification tools for Java JavaMOP (Chen & Roşu, OOPSLA 08) PQL (Martin, Livshits & Lam, OOPSLA 05) PTQL (Goldsmith, O’Callahan & Aiken, OOPSLA 05)
![Page 44: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/44.jpg)
44
Related work: Static checkersStatic checkers FindBugs (Hovemeyer & Pugh, OOPSLA 04) PMD (http://pmd.sf.net/)Pre and postconditions, invariants ESC/Java (Flanagan et al., PLDI 02) Java Modeling Language (JML)Specialized interprocedural analyses Jlint (http://artho.com/jlint/)Comparison: Rutar et al., ISSRE 04
![Page 45: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/45.jpg)
45
Related work: Invariant mining and checkingDynamic invariant inference and checking Daikon (Ernst et al., TSE Vol 27. No 2, 01) DIDUCE (Hangal & Lam, ICSE 02) JADET (Wasylkowski et al., FSE 07) Spec. Mining (Ammons et al., POPL 02)Static rule mining and checking PR-Miner (Li & Zhou, FSE 05) Houdini (Flanagan & Leino, FME 01)
![Page 46: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/46.jpg)
46
Special thanks to…Co-workers Ondřej Lhoták Nomair Naeem
Maintainers of Tracematch implementation Pavel Avgustinov Julian Tibble
![Page 47: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/47.jpg)
www.aspectbench.orgwww.bodden.de
![Page 48: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/48.jpg)
![Page 49: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/49.jpg)
private final void FillBuff() {...try {
if ((i = inputStream.read(...)) == -1) {inputStream.close();throw new java.io.IOException();
}else
maxNextCharInd += i;return;
}...
}
Jython / Reader (1/2)
![Page 50: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/50.jpg)
50
Jython / Reader (2/2)static String getLine(BufferedReader reader, int line) { if (reader == null) return ""; try { String text=null; for(int i=0; i < line; i++) { text = reader.readLine(); } return text; } catch (IOException ioe) { return null; }}
![Page 51: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/51.jpg)
bloat-HasNextpublic Block isMu(...) {... final Iterator iter = cfg.preds(phi.block()).iterator(); final Block pred1 = (Block) iter.next(); final Block pred2 = (Block) iter.next();
![Page 52: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/52.jpg)
52
pmd / HasNext (old version)private List markUsages(IDataFlowNode inode) {
...for (Iterator k = ((List)entry.getValue())
.iterator();k.hasNext();) {addAccess(k, inode);
}...
}
...
private void addAccess(Iterator k, IDataFlowNode inode) {
NameOccurrence occurrence =(NameOccurrence) k.next();
... }
![Page 53: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/53.jpg)
53
pmd / HasNext (fixed version)private List markUsages(IDataFlowNode inode) {
... for (NameOccurrence occurrence: entry.getValue())
{addAccess(occurrence, inode);
}...
}
...
private void addAccess(NameOccurrence occurrence,IDataFlowNode inode) {
... }
![Page 54: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/54.jpg)
while (c == null && enumMap.hasMoreElements()) { ... if (!enumC.hasMoreElements()) c = null;}// At this point, c == null if there are no more elements,// and otherwise is the first collection with a free element// (with enumC set up to return that element).if (c == null) { // no more elements, so return null; return (null);} else { Perm answer = (Perm) enumC.nextElement(); ...
Eclipse, false positive
![Page 55: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/55.jpg)
55
Jython / hasNext (delegate)public Iterator iterator() { return new Iterator() { Iterator i = list.iterator(); public void remove() { throw new UnsupportedOperationException(); } public boolean hasNext() { return i.hasNext();
} public Object next() { return i.next();
} };}
![Page 56: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/56.jpg)
56
Results – Static analysis time
45%
50%
5%
compilationpoints-to analysisour analysis
Average total: 6 minutesMax total: 20 minutes
![Page 57: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/57.jpg)
57
public Object next(){
}
Delegating calls
inner.next() public Object next()
DELEGATE
![Page 58: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/58.jpg)
58
boolean foo(Iterator i, Iterator j){
}
Reasons for imprecision
bar(i) void bar(..)
CALL
![Page 59: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/59.jpg)
59
boolean foz(Set c1, Set c2){
}
i1 = c1.iterator();
i2 = c2.iterator();
Reasons for imprecision
NO_CONTEXT
public Iterator iterator() {return new HashIterator();
}
![Page 60: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/60.jpg)
60
boolean baz(Iterator i, Iterator j){
}
Reasons for imprecision
ABORTED
123453000
![Page 61: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/61.jpg)
61
Using alias queries to reduce false-positive rate
x = r1 x ≠ r1x = r2 x = r1 ≡ x = r2 falsex ≠ r2 false x ≠ r1 ≡ x ≠ r2
Assume we know r1 and r2 must-alias,r1 occurs in some constraint bound to xand we see an event that binds x to r2.
![Page 62: Finding Programming Errors Earlier by Evaluating Runtime Monitors Ahead-of-Time](https://reader035.vdocuments.net/reader035/viewer/2022062310/56815e4e550346895dccc69e/html5/thumbnails/62.jpg)
62
Using alias queries to reduce false-positive rate
x = r1 x ≠ r1x = r2 false x = r2x ≠ r2 x = r1 x ≠ r1 ^ x ≠ r2
Assume we know r1 and r2 must-not-alias,r1 occurs in some constraint bound to xand we see an event that binds x to r2.