skip to main content
10.1145/1007512.1007545acmconferencesArticle/Chapter ViewAbstractPublication PagesisstaConference Proceedingsconference-collections
Article

SABER: smart analysis based error reduction

Published: 01 July 2004 Publication History

Abstract

In this paper, we present an approach to automatically detect high impact coding errors in large Java applications which use frameworks. These high impact errors cause serious performance degradation and outages in real world production environments, are very time-consuming to detect, and potentially cost businesses thousands of dollars. Based on 3 years experience working with IBM customer production systems, we have identified over 400 high impact coding patterns, from which we have been able to distill a small set of pattern detection algorithms. These algorithms use deep static analysis, thus moving problem detection earlier in the development cycle from production to development. Additionally, we have developed an automatic false positive filtering mechanism based on domain specific knowledge to achieve a level of usability acceptable to IBM field engineers. Our approach also provides necessary contextual information around the sources of the problems to help in problem remediation. We outline how our approach to problem determination can be extended to multiple programming models and domains. We have implemented this problem determination approach in the SABER tool and have used it successfully to detect many serious code defects in several large commercial applications. This paper shows results from four such applications that had over 60 coding defects.

References

[1]
A.V. Aho, R. Sethi, and J.D. Ullman, Compilers principles, techniques, and tools. AddisonWesley, Reading, MA, 1986.
[2]
D. Alur, J. Crupi, D. Malks, Core J2EE Patterns: Best Practices and Design Strategies, Prentice Hall, June 2001.
[3]
M. Das, S. Lerner, M. Seigle. ESP: Path-Sensitive Program Verification in Linear Time, In Proc. of PLDI 2002.
[4]
T. Ball and S. K. Rajamani. The SLAM project: debugging system software via static analysis, In Proc. of the 29th POPL, January 2002, 1--3.
[5]
W. R. Bush, J. D. Pincus, and D. J. Sielaff. A static analyzer for finding dynamic programming errors. Software Practice and Experience, 30 (7), June 2000, 775--802.
[6]
H. Chen and D. Wagner. MOPS: an infrastructure for examining security properties of software, In Proc. of the Ninth ACM Conference on Computer and Communications Security (Washington, DC, November 2002), 235--244.
[7]
J-D Choi, M. Gupta, M. J. Serrano, V. C. Sreedhar, S. Midkiff, Escape Analysis For Java, In Proc. of OOPSLA, October 1999, 1--19.
[8]
J. Corbett, M. Dwyer, J. Hatcliff, C. Pasareanu, Robby, S. Laubach, H. Zheng. Bandera: Extracting Finite-state Models from Java Source Code, In Proc. of ICSE, June 2000.
[9]
D. L. Detlefs. An overview of the extended static checking system. SIGSOFT Proceedings of the First Workshop on Formal Methods in Software Practice, January 1996, 1--9.
[10]
M. Emami, R. Ghiya, and L. Hendren. Context-sensitive interprocedural points-to analysis in the presence of function pointers, In Proc. of PLDI, June 1994, 242--257.
[11]
D. Engler, B. Chelf, A. Chou and S. Hallem, Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions, In Proc. of SOSP, October 2000, 1--16.
[12]
D. Evans. Static Detection of Dynamic Memory Errors. In Proc. of PLDI, May 1996, 44--53.
[13]
S. Hallem, B. Chelf, Y. Xie and D. Engler, A System and Language for Building System-Specific, Static Analyses, In Proc. of PLDI, June 2002, 69--82.
[14]
D. Hovemeyer and W. Pugh, Finding Bugs is Easy, http://www.cs.umd.edu/~pugh/java/bugs/docs/findbugsPaper.pdf
[15]
D. Jackson. Aspect: Detecting bugs with abstract dependencies. ACM Trans. on Software Engineering and Methodology, 4 (2), April 1995, 109-145. Java™ 2 Platform, Standard Edition, v 1.4.2 API Specification, http://java.sun.com/j2se/1.4.2/docs/api/index.html
[16]
S.C. Johnson. Lint, a C program checker. Unix Programmer's Manual, 4.2 Berkeley Software Distribution Supplementary Docs; U.C. Berkeley, 1984.
[17]
L. Koved, JABA-JAva Bytecode Analysis nhttp://www.research.ibm.com/javasec/JaBA.html.
[18]
L. Koved, M. Pistoia, and A. Kershenbaum. Access rights analysis for Java, In Proc. of OOPSLA, Nov 2002.
[19]
Object Technology International, Inc. Eclipse platform technical overview, July 2001, http://www.eclipse.org/whitepapers/eclipse-overview.pdf.
[20]
Parasoft Corporation. Automatic Java{TM} software and component testing: using Jtest to automate unit testing and coding standard enforcement, http://www.parasoft.com/jsp/products/article.jsp?articleId=839&product=Jtest.
[21]
J. Viega, J. T. Bloch, T. Kohno, G. McGraw. ITS4: A Static Vulnerability Scanner for C and C++ Code, In Proc. of the 16th Annual Computer Security Applications Conference, December 2000, 257--269.

Cited By

View all

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
ISSTA '04: Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
July 2004
294 pages
ISBN:1581138202
DOI:10.1145/1007512
  • cover image ACM SIGSOFT Software Engineering Notes
    ACM SIGSOFT Software Engineering Notes  Volume 29, Issue 4
    July 2004
    284 pages
    ISSN:0163-5948
    DOI:10.1145/1013886
    Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 July 2004

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. defect understanding
  2. frameworks
  3. program analysis

Qualifiers

  • Article

Conference

ISSTA04
Sponsor:

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Upcoming Conference

ISSTA '25

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)7
  • Downloads (Last 6 weeks)0
Reflects downloads up to 20 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2013)Model checking driven static analysis for the real worldInnovations in Systems and Software Engineering10.1007/s11334-012-0192-59:1(45-56)Online publication date: 1-Mar-2013
  • (2010)DECORIEEE Transactions on Software Engineering10.1109/TSE.2009.5036:1(20-36)Online publication date: 1-Jan-2010
  • (2009)An Intuitive Approach for Specifying Interface ConstraintProceedings of the 2009 Ninth International Conference on Quality Software10.1109/QSIC.2009.62(418-425)Online publication date: 24-Aug-2009
  • (2008)Automatic generation of XSS and SQL injection attacks with goal-directed model checkingProceedings of the 17th conference on Security symposium10.5555/1496711.1496714(31-43)Online publication date: 28-Jul-2008
  • (2008)Securing web applications with static and dynamic information flow trackingProceedings of the 2008 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation10.1145/1328408.1328410(3-12)Online publication date: 7-Jan-2008
  • (2008)Towards SOA-Based Code Defect AnalysisProceedings of the 2008 IEEE International Symposium on Service-Oriented System Engineering10.1109/SOSE.2008.47(269-274)Online publication date: 18-Dec-2008
  • (2008)An Evaluation of Two Bug Pattern Tools for JavaProceedings of the 2008 International Conference on Software Testing, Verification, and Validation10.1109/ICST.2008.63(248-257)Online publication date: 9-Apr-2008
  • (2008)Patterns: from system design to software testingInnovations in Systems and Software Engineering10.1007/s11334-007-0042-z4:1(71-85)Online publication date: 12-Jan-2008
  • (2007)A static aspect language for checking design rulesProceedings of the 6th international conference on Aspect-oriented software development10.1145/1218563.1218571(63-72)Online publication date: 14-Mar-2007
  • (2007)Testing Patterns31st IEEE Software Engineering Workshop (SEW 2007)10.1109/SEW.2007.108(109-120)Online publication date: Mar-2007
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media