Extraction of
High-level Semantics
from Software Code

Yusuke Shinyama
Tokyo Tech, Japan

Introduction

public int add
  ArrayList<St
  int nWidth =
  while (st <
    int height
    if (st * r
      img.chec
    } else if 
...

Why is Software So Important?

Software controls...

Your phone
Your payroll
Cars, trains and airplanes
Electricity and nuclear plants
Everything!

How many had software glitch in the past month?

Software = Too much $$$

Software costs >50% of the car R&D today.

Software = Life or Death

Toyota "Unintended Acceleration" circa 2010.
- Class action: $1.2B.
- Faulty software on ETCS?
- 2,272 global variables.
- 80,000 violations of MISRA C.
- Over 67 functions "spaghetti".
Huge U.S. Blackout in 2003.
WannaCry attacked a UK hospital.
Therac-25 (killed 3 people).
pixnio.com

Software = So Subtle

Apple's "GotoFail" (2014)

static OSStatus
SSLVerifySignedServerKeyExchange(...)
{
    OSStatus        err;
    ...
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    ...
 
fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
}

Problem Description

Problems

Software maintenance : 60 ~ 80% of cost.
- "Suppose that you're asked to
  rewrite Halmet in which
  the main character is female."
Code understanding : 50% ~ of time.
- Need all the details!
- Error prone.

Attacking the Monster

No "Silver Bullet".
Multi-faceted solutions.
- Make better tools.
- Establish better practices.
- ...
- Help reducing cognitive burden.

Research Question

Focus on program variables:
1. Gives programmers a hint on what a code is about.
2. Telegraphs its caveats.
3. "Grounding" the meaning of a word.

a = 100;
b = 2;
c = a + b;
d = a * c;
...

Example 1

if (c == 1) {
    b = b - 100;
    a1 = a1 + 1;
} else if (c == 2) {
    b = b - 300;
    a2 = a2 + 1;
} else
...

Q. What's the role of variable b?

Example 1

if (choice == 1) {
    money = money - 100;
    item1 = item1 + 1;
} else if (choice == 2) {
    money = money - 300;
    item2 = item2 + 1;
} else
...

money : Quantity you can exchange with any item.

Example 2

if (x) {
    y = y - 1;
}
if (y == 0) {
    g();
}
...

Q. What's the role of variable y?

Example 2

if (hit) {
    life = life - 1;
}
if (life == 0) {
    gameover();
}
...

Motral Kombat Wiki

life : Quantiy that decreases when you're hit.
When it reaches zero, Game Over.

Methodology

Basic Idea

Convert a source code to
a "Dataflow graph".

pow(x, y) {
    z = 1;
    while (0 < y) {
        z *= x;
        y -= 1;
    }
    return z;
}

Pattern Matching

Learn mappings from a large corpus.
```
if (c == 1) {
    b = b - 10
    a1 = a1 + 
} else if (c =
    ...
```
Apply patterns to the target code.

Current Progress

Download top 1,000 GitHub repos.
(11GB zipped text)
Parse .java codes. [Eclipse JDT]
(480,627 files. 74,088,883 loc.)
Store dataflow graphs.
(4,199,301 functions, 42,133,919 nodes)
Implement pattern matching.

Wrap-up

Conclusions

Help programmers to understand code.
Obtain patterns from existing code.
Assign meaning to program variables.

References

This Car Runs on Code, IEEE Specrum, 2009
Koopman, "A Case Study of Toyota Unintended Acceleration and Software Safety", 2014
Glass, Facts and Fallacies of Software Engineering, Addison-Wesley, 2002
Eclipse Java development tools (JDT)

Introduction

Contents

Why is Software So Important?

Software = Too much $$$

Software = Life or Death

Software = So Subtle

Problems

Attacking the Monster

Research Question

Example 1

Example 1

Example 2

Example 2

Basic Idea

Pattern Matching

Current Progress

Conclusions

References