1.
Tao Xie
North Carolina State University
Raleigh, NC, USA
RAISE 2013

2.
IBM's Deep Blue defeated chess champion
Garry Kasparov in 1997
IBMWatson defeated top human Jeopardy!
players in 2011

3.
Google’s driverless car
Microsoft's instant voice translation tool
IBMWatson as Jeopardy! player

4.
"Completely Automated
Public Turing test to tell
Computers and Humans
Apart"

5.
Movie: Minority Report
CNN News
iPad

6.
…

7.
 Machine is better at task set A
 Mechanical, tedious, repetitive tasks, …
 Ex. solving constraints along a long path
 Human is better at task set B
 Intelligence, human intent, abstraction, domain
knowledge, …
 Ex. local reasoning after a loop, recognizing naming
semantics
= A U B 8

8.
Malaysia Airlines Flight 124
@2005Lisanne Bainbridge, "Ironies of Automation”,Automatica 1983 .
Ironies of Automation
“Even highly automated systems, such as
electric power networks, need human beings...
one can draw the paradoxical conclusion that
automated systems still are man-machine
systems, for which both technical and human
factors are important.”
“As the plane passed 39 000 feet, the stall and overspeed
warning indicators came on simultaneously—something
that’s supposed to be impossible, and a situation the crew
is not trained to handle.” IEEE Spectrum 2009

9.
Malaysia Airlines Flight 124
@2005Lisanne Bainbridge, "Ironies of Automation”,Automatica 1983 .
Ironies of Automation
“The increased interest in human factors among
engineers reflects the irony that the more
advanced a control system is, so the more
crucial may be the contribution of the human
operator.”

10.
 Don’t forget human intelligence
 Using your tools as end-to-end solutions
 Helping your tools
 Don’t forget cooperations of human and tool
intelligence; human and human intelligence
 Human can help your tools too
 Human and human could work together to help your
tools, e.g., crowdsourcing
11

11.
 Don’t forget human intelligence
 Using your tools as end-to-end solutions
 Helping your tools
 Don’t forget cooperations of human and tool
intelligence; human and human intelligence
 Human can help your tools too
 Human and human could work together to help your
tools, e.g., crowdsourcing
12

12.
14
“During the past 21 years, over 75 papers and 9
Ph.D. theses have been published on pointer
analysis.Given the tones of work on this topic
one may wonder, “Haven't we solved this
problem yet?''With input from many
researchers in the field, this paper describes
issues related to pointer analysis and remaining
open problems.”
Michael Hind. Pointer analysis: haven't we solved this problem yet?. In Proc.
ACMSIGPLAN-SIGSOFT Workshop on Program Analysis for SoftwareTools and
Engineering (PASTE 2001)

13.
15
Section 4.3 Designing an Analysis for a Client’s Needs
“Barbara Ryder expands on this topic: “…We can all write
an unbounded number of papers that compare different
pointer analysis approximations in the abstract.
However, this does not accomplish the key goal, which is
to design and engineer pointer analyses that are useful
for solving real software problems for realistic
programs.”

14.
17
Zhenmin Li, Shan Lu, Suvda Myagmar, and
Yuanyuan Zhou. CP-Miner: a tool for
finding copy-paste and related bugs in
operating system code. In Proc. OSDI
2004.
MSRA
XIAO
Yingnong Dang, Dongmei Zhang, Song Ge,
Chengyun Chu,Yingjun Qiu, andTao Xie.
XIAO:Tuning Code Clones at Hands of
Engineers in Practice. In Proc. ACSAC
2012,
MSR 2011 Keynote byYY Zhou: ConnectingTechnology with
Real-world Problems – From Copy-paste Detection to
Detecting Known Bugs
Human Intelligence to
Determine What are
Serious Bugs

15.
18
Available inVisual Studio 2012
Searching similar snippets for
fixing bug once
Finding refactoring
opportunity
Yingnong Dang, Dongmei Zhang, SongGe,YingjunQiu, andTao Xie. XIAO:Tuning Code Clones at Hands of Engineers in
Practice. In Proc. AnnualComputer Security ApplicationsConference (ACSAC 2012)
XIAO Code Clone Search service integrated into workflow of
Microsoft Security Response Center (MSRC)
MicrosoftTechnet Blog about XIAO:
We wanted to be sure to address the vulnerable code wherever it appeared
across the Microsoft code base.To that end, we have been working with
Microsoft Research to develop a “Cloned Code Detection” system that we can
run for every MSRC case to find any instance of the vulnerable
code in any shipping product.This system is the one that found several of
the copies of CVE-2011-3402 that we are now addressing with MS12-034.

16.
19
XIAO enables code clone analysis with
High scalability, High compatibility
High tunability: what you tune is what you get
High explorability:
1. Clone navigation based on source tree hierarchy
2. Pivoting of folder level statistics
3. Folder level statistics
4. Clone function list in selected folder
5. Clone function filters
6. Sorting by bug or refactoring potential
7. Tagging
1 2 3 4 5 6
7
1. Block correspondence
2. Block types
3. Block navigation
4. Copying
5. Bug filing
6. Tagging
1
2
3
4
1
6
5
How to navigate through the large
number of detected clones? How to quickly review a pair of clones?

17.
 50 years of automated debugging research
 N papers  only 5 evaluated with actual programmers
“
”
Chris Parnin and Alessandro Orso. Are automated debugging techniques actually helping
programmers?. In Proc. ISSTA 2011

18.
 Academia
 Tend to leave human out of loop (involving human makes
evaluations difficult to conduct or write)
 Tend not to spend effort on improving tool usability
▪ tool usability would be valued more in HCI than in SE
▪ too much to include both the approach/tool itself and usability/its evaluation
in a single paper
 Real-world
 Often has human in the loop (familiar IDE integration, social
effect, lack of expertise/willingness to write specs,…)
 Examples
 Agitar [ISSTA 2006] vs. Daikon [TSE 2001]
 Test generation in Pex based on constraint solving

19.
 Goal: to identify the future directions in research
in formal methods and its transition to industrial
practice.
 The workshop will bring together researchers and
identify primary challenges in the field, both
foundational, infrastructural, and in transitioning
ideas from research labs to developer tools.
http://goto.ucsd.edu/~rjhala/NSFWorkshop/

20.
 “Lack of education amongst practitioners”
 “Education of students in logic and design for
verification”
 “Expertise required to create and use a verification
tool. E.g., both Astre for Airbus and SDV for
Windows drivers were closely shepherded by
verification experts.”
 “Tools require lots of up-front effort (e.g., to write
specifications)”
 “User effort required to guide verification tools,
such as assertions or specifications”

21.
 “Not integrated with standard development flows
(testing)”
 “Too many false positives and no ranking of errors”
 “General usability of tools, in terms of false alarms
and error messages.The Coverity CACM paper
pointed out that they had developed features that
they do not deploy because they baffle users.
Many tools choose unsoundness over soundness to
avoid false alarms.”

22.
 “The necessity of detailed specifications and
complex interaction with tools, which is very costly
and discouraging for industrial, who lack high-level
specialists.”
 “Feedback to users. It’s difficult to explain to users
why automated verification tools are failing.
Counterexamples to properties can be very difficult
for users to understand, especially when they are
abstract, or based on incomplete environment
models or constraints.”

23.
2010 Dagstuhl Seminar 10111
Practical Software Testing: Tool Automation and Human Factors
http://www.dagstuhl.de/programm/kalender/semhp/?semnr=1011

24.
2010 Dagstuhl Seminar 10111
Practical Software Testing: Tool Automation and Human Factors
Human Factors
http://www.dagstuhl.de/programm/kalender/semhp/?semnr=1011

25.
Andy Ko and Brad Myers. Debugging Reinvented: Asking and Answering Why and Why Not
Questions about Program Behavior. In Proc. ICSE 2008

26.
 Don’t forget human intelligence
 Using your tools as end-to-end solutions
 Helping your tools
 Don’t forget cooperations of human and tool
intelligence; human and human intelligence
 Human can help your tools too
 Human and human could work together to help your
tools, e.g., crowdsourcing
29

27.
 Motivation
 Architecture recovery is challenging (abstraction gap)
 Human typically has high-level view in mind
 Repeat
 Human: define/update high-level model of interest
 Tool: extract a source model
 Human: define/update declarative mapping between
high-level model and source model
 Tool: compute a software reflexion model
 Human: interpret the software reflexion model
Until happy
Gail C. Murphy, David Notkin. Reengineering with Reflection Models: A Case Study. IEEE Computer 1997

28.
Running Symbolic PathFinder ...
…
============================================
========== results
no errors detected
============================================
========== statistics
elapsed time: 0:00:02
states: new=4, visited=0,
backtracked=4, end=2
search: maxDepth=3,
constraints=0
choice generators: thread=1, data=2
heap: gc=3, new=271, free=22
instructions: 2875
max memory: 81MB
loaded code: classes=71, methods=884
…
31

29.
 object-creation problems (OCP) - 65%
 external-method call problems (EMCP) – 27%
Total block coverage achieved is 50%, lowest coverage 16%.
32
 Ex: Dynamic Symbolic Execution (DSE) /ConcolicTesting
[Godefroid et al. 05][Sen et al. 05][Tillmann et al. 08]
 Instrument code to explore feasible paths
 Challenge: path explosion When desirable
receiver or argument
objects are not
generated

30.
33
 A graph example from
QuickGraph library
 Includes two classes
Graph
DFSAlgorithm
 Graph
AddVertex
AddEdge: requires
both vertices to be
in graph
00: class Graph { …
03: public void AddVertex (Vertex v) {
04: vertices.Add(v); // B1 }
06: public Edge AddEdge (Vertex v1, Vertex v2) {
07: if (!vertices.Contains(v1))
08: throw new VNotFoundException("");
09: // B2
10: if (!vertices.Contains(v2))
11: throw new VNotFoundException("");
12: // B3
14: Edge e = new Edge(v1, v2);
15: edges.Add(e); } }
//DFS:DepthFirstSearch
18: class DFSAlgorithm { …
23: public void Compute (Vertex s) { ...
24: if (graph.GetEdges().Size() > 0) { // B4
25: isComputed = true;
26: foreach (Edge e in graph.GetEdges()) {
27: ... // B5
28: }
29: } } } 33
[OOPSLA 11]

31.
34
 Test target: Cover true
branch (B4) of Line 24
 Desired object
state: graph should
include at least one
edge
 Target sequence:
Graph ag = new Graph();
Vertex v1 = new Vertex(0);
Vertex v2 = new Vertex(1);
ag.AddVertex(v1);
ag.AddVertex(v2);
ag.AddEdge(v1, v2);
DFSAlgorithm algo = new
DFSAlgorithm(ag);
algo.Compute(v1);
34
00: class Graph { …
03: public void AddVertex (Vertex v) {
04: vertices.Add(v); // B1 }
06: public Edge AddEdge (Vertex v1, Vertex v2) {
07: if (!vertices.Contains(v1))
08: throw new VNotFoundException("");
09: // B2
10: if (!vertices.Contains(v2))
11: throw new VNotFoundException("");
12: // B3
14: Edge e = new Edge(v1, v2);
15: edges.Add(e); } }
//DFS:DepthFirstSearch
18: class DFSAlgorithm { …
23: public void Compute (Vertex s) { ...
24: if (graph.GetEdges().Size() > 0) { // B4
25: isComputed = true;
26: foreach (Edge e in graph.GetEdges()) {
27: ... // B5
28: }
29: } } }
[OOPSLA 11]

32.
 object-creation problems (OCP) - 65%
 external-method call problems (EMCP) – 27%
Total block coverage achieved is 50%, lowest coverage 16%.
35
 Ex: Dynamic Symbolic Execution (DSE) /ConcolicTesting
[Godefroid et al. 05][Sen et al. 05][Tillmann et al. 08]
 Instrument code to explore feasible paths
 Challenge: path explosion
Typically DSE instruments or explores
only methods @ project under test;
Third-party API external methods
(network, I/O, ..):
•too many paths
•uninstrumentable

33.
36

34.
Total block coverage achieved is 50%, lowest coverage 16%.
37
 Ex: Dynamic Symbolic Execution (DSE) /ConcolicTesting
[Godefroid et al. 05][Sen et al. 05][Tillmann et al. 08]
 Instrument code to explore feasible paths
 Challenge: path explosion
Xusheng Xiao,Tao Xie, NikolaiTillmann, and Jonathan de Halleux. Precise Identification of Problems for
Structural Test Generation. In Proc. ICSE 2011

35.
2010 Dagstuhl Seminar 10111
Practical SoftwareTesting: Tool Automation and Human Factors

36.
 Tackling object-creation problems
 Seeker [OOSPLA 11] , MSeqGen [ESEC/FSE 09]
Covana [ICSE 2011], OCAT [ISSTA 10]
Evacon [ASE 08], Symclat [ASE 06]
 Still not good enough (at least for now)!
▪ Seeker (52%) > Pex/DSE (41%) > Randoop/random (26%)
 Tackling external-method call problems
 DBAppTesting [ESEC/FSE 11], [ASE 11]
 CloudAppTesting [IEEE Soft 12]
 Deal with only common environment APIs
@NCSUASE

37.
40
 Test target: Cover true
branch (B4) of Line 24
 Desired object
state: graph should
include at least one
edge
 Target sequence:
Graph ag = new Graph();
Vertex v1 = new Vertex(0);
Vertex v2 = new Vertex(1);
ag.AddVertex(v1);
ag.AddVertex(v2);
ag.AddEdge(v1, v2);
DFSAlgorithm algo = new
DFSAlgorithm(ag);
algo.Compute(v1);
40
00: class Graph { …
03: public void AddVertex (Vertex v) {
04: vertices.Add(v); // B1 }
06: public Edge AddEdge (Vertex v1, Vertex v2) {
07: if (!vertices.Contains(v1))
08: throw new VNotFoundException("");
09: // B2
10: if (!vertices.Contains(v2))
11: throw new VNotFoundException("");
12: // B3
14: Edge e = new Edge(v1, v2);
15: edges.Add(e); } }
//DFS:DepthFirstSearch
18: class DFSAlgorithm { …
23: public void Compute (Vertex s) { ...
24: if (graph.GetEdges().Size() > 0) { // B4
25: isComputed = true;
26: foreach (Edge e in graph.GetEdges()) {
27: ... // B5
28: }
29: } } }

38.
Tackle object-creation problems with Factory Methods
41

39.
Tackle external-method call problems with Mock Methods or
Method Instrumentation
Mocking System.IO.File.ReadAllText
42

40.
 Human-Assisted Computing
 Driver: tool Helper: human
 Ex. Covana [Xiao et al. ICSE 2011]
 Human-Centric Computing
 Driver: human  Helper: tool
 Ex. Coding duels @Pex for Fun
Interfaces are important. Contents are important too!
43

41.
 Motivation
 Tools are often not powerful enough
 Human is good at some aspects that tools are not
 What difficulties does the tool face?
 How to communicate info to the user to get help?
 How does the user help the tool based on the info?
44
Iterations to form Feedback Loop

42.
 Human-Assisted Computing
 Driver: tool Helper: human
 Ex. Covana [Xiao et al. ICSE 2011]
 Human-Centric Computing
 Driver: human  Helper: tool
 Ex. Coding duels @Pex for Fun
Interfaces are important. Contents are important too!
45

43.
1,230,309 clicked 'Ask Pex!'
www.pexforfun.com
46
NikolaiTillmann, Jonathan De Halleux,Tao Xie, Sumit Gulwani and Judith Bishop.
Teaching and Learning Programming and Software Engineering via Interactive
Gaming. In Proc. ICSE 2013 SEE.

44.
Secret Implementation
class Secret {
public static int Puzzle(int x) {
if (x <= 0) return 1;
return x * Puzzle(x-1);
}
}
Player Implementation
class Player {
public static int Puzzle(int x) {
return x;
}
}
classTest {
public static void Driver(int x) {
if (Secret.Puzzle(x) != Player.Puzzle(x))
throw new Exception(“Mismatch”);
}
}
behavior
Secret Impl == Player Impl
47

45.
 Coding duels at http://www.pexforfun.com/
 Brain exercising/learning while having fun
 Fun: iterative, adaptive/personalized, w/ win criterion
 Abstraction/generalization, debugging, problem solving
Brain exercising

46.
http://pexforfun.com/gradsofteng
Observed Benefits
• Automatic Grading
• Real-time Feedback (for Both Students andTeachers)
• Fun Learning Experiences

47.
“It really got me *excited*.The part that got me most is
about spreading interest in teaching CS: I do think that it’s
REALLY great for teaching | learning!”
“I used to love the first person shooters and the
satisfaction of blowing away a whole team of
Noobies playing Rainbow Six, but this is far more
fun.”
“I’m afraid I’ll have to constrain myself to spend just an hour
or so a day on this really exciting stuff, as I’m really stuffed
with work.”
X

48.
52
Internet
class Secret {
public static int Puzzle(int x) {
if (x <= 0) return 1;
return x * Puzzle(x-1); } }
 Everyone can
contribute
 Coding duels
 Duel solutions

49.
Internet
Puzzle Games Made from
Difficult Constraints or Object-
Creation Problems
Supported by MSR SEIFAward
Ning Chen and Sunghun Kim. Puzzle-based Automatic Testing: bringing humans into the loop by
solving puzzles. In Proc. ASE 2012

50.
http://www.cs.washington.edu/verigames/

51.
55
Pattern Matching
Bug update
Problematic
Pattern Repository
Bug Database
Trace analysis
Bug
filing
StackMine [Han et al. ICSE 12]
Trace StorageTrace collection
Internet
Shi Han,Yingnong Dang, Song Ge, Dongmei Zhang, and Tao Xie. Performance Debugging in the Large
via Mining Millions of StackTraces. In Proc. ICSE 2012

52.
“We believe that the MSRA tool is highly valuable and
much more efficient for mass trace (100+ traces) analysis.
For 1000 traces, we believe the tool saves us 4-6 weeks of
time to create new signatures, which is quite a significant
productivity boost.”
- from Development Manager inWindows
Highly effective new issue discovery on
Windows mini-hang
Continuous impact on futureWindows versions
Shi Han,Yingnong Dang, Song Ge, Dongmei Zhang, and Tao Xie. Performance Debugging in the Large
via Mining Millions of StackTraces. In Proc. ICSE 2012

53.
 Don’t forget human intelligence
 Using your tools as end-to-end solutions
 Helping your tools
 Don’t forget cooperations of human and tool
intelligence; human and human intelligence
 Human can help your tools too
 Human and human could work together to help your
tools, e.g., crowdsourcing
57

54.
 Human-Assisted Computing
 Human-Centric Computing
 Human-Human Cooperation

55.
 Wonderful current/former students@NCSU ASE
 Collaborators, especially those from Microsoft
Research Redmond/Asia, Peking University
 Colleagues who gave feedback and inspired me
NSF grants CCF-0845272, CCF-0915400, CNS-0958235, ARO grant W911NF-08-1-0443, an
NSA Science of Security, Lablet grant, a NIST grant, a 2011 Microsoft Research SEIFAward

56.
Questions ?
https://sites.google.com/site/asergrp/