Abstract—Formal specifications are used to identify programming errors, verify the correctness of programs, and as documentation. Unfortunately, producing them is error-prone and time-consuming, so they are rarely used in practice. Inferring specifications from a running application is a promising solution. However, to be practical, such an approach requires special techniques to treat large amounts of runtime data. We present a scalable dynamic analysis that infers specifications of correct method call sequences on multiple related objects. It preprocesses method traces to identify small sets of related objects and method calls which can be analyzed separately. We implemented our approach and applied the analysis to eleven real-world applications and more than 240 million runtime events. The experiments show the scalability of our approach. Moreover, the generated specifications describe correct and typical behavior, and match existing API usage documentation. Keywords-Specification inference, dynamic analysis, formal specifications, temporal properties I.

Finite state machine-derived specifications such as X-State Machines, are an established means to model software behaviour. They allow for comprehensive testing of an implementation in terms of its intended behaviour. In practice however they are rarely generated and maintained during software development, hence their benefits can rarely be exploited. We address this problem by using an interactive grammar inference technique to infer the underlying state machine representation of an existing software system. The approach is interactive because it generates queries to the user as it constructs a hypothesis machine, which can be interpreted as system tests. This paper describes (1) how an existing grammar inference technique (QSM) can be used to reverse-engineer state-based models of software from execution traces at a developer-defined level of abstraction and (2) how the QSM technique can be improved for a better balance between the number of tests it proposes and the accuracy of the machine it derives. The technique has been implemented, which has enabled us to present a small case study of its use with respect to a real software system, along with some preliminary performance results. 1.

Software applications typically have many features that vary in their similarity. We define a measurement of similarity between pairs of features based on their underlying implementations and use this measurement to compute a set of canonical features. The Canonical Features Set (CFS) consists of a small number of features that are as dissimilar as possible to each other, yet are most representative of the features that are not in the CFS. The members of the CFS are distinguishing features and understanding their implementation provides the engineer with an overview of the system undergoing scrutiny. The members of the CFS can also be used as cluster centroids to partition the entire set of features. Partitioning the set of features can simplify the understanding of large and complex software systems. Additionally, when a specific feature must undergo maintenance, it is helpful to know which features are most closely related to it. We demonstrate the utility of our method through the analysis of the Jext, Firefox, and Gaim software systems. 1

Abstract—Software maintenance tasks, such as testing and program understanding, can benefit from formal specifications that describe how a program should use an API. Recently, there has been increasing interest in specification miners that automatically extract finite state specifications of method ordering constraints from existing software. However, comparing different mining approaches is difficult, because no common ground to evaluate the effectiveness of specification miners has been established yet. We present a framework for evaluating to which extent specification miners find valid finite state descriptions of API usage constraints. The framework helps in creating reference specifications and includes metrics to compare mined specifications to the reference specifications. The metrics are tailored for evaluating specification miners and account for imprecision and incompleteness in mined specifications. We use the framework to compare the effectiveness of three mining approaches and to show their respective benefits.

Dynamic protocol recovery tries to recover a component’s sequencing constraints by means of dynamic analysis. This problem has been tackled by several automaton learning approaches in the past. These approaches are based on the sequence of component method invocations only. We introduce a new dynamic protocol recovery technique based on object process graphs. These graphs contain information about loops and the context in which methods are being called. We describe the transformation of a set of these graphs to a protocol automaton. The additional input, compared to the sole sequence of method calls, results in a more detailed protocol. In a case study, we compare the resulting protocol automata of our approach to those of several existing automaton learning approaches.

Software maintenance activities require a sufficient level of understanding of the software at hand that unfortunately is not always readily available. Execution trace visualization is a common approach in gaining this understanding, and among our own efforts in this context is EXTRAVIS, a tool for the visualization of large traces. While many such tools have been evaluated through case studies, there have been no quantitative evaluations to the present day. This paper reports on the first controlled experiment to quantitatively measure the added value of trace visualization for program comprehension. We designed eight typical tasks aimed at gaining an understanding of a representative subject system, and measured how a control group (using the Eclipse IDE) and an experimental group (using both Eclipse and EXTRAVIS) performed these tasks in terms of time spent and solution correctness. The results are statistically significant in both regards, showing a 22 % decrease in time requirements and a 43 % increase in correctness for the group using trace visualization.

Abstract. To extract abstract views of the behavior of an object-oriented system for reverse engineering, a body of research exists that analyzes a system’s runtime execution. Those approaches primarily analyze the control flow by tracing method execution events. However, they do not capture information flows. We address this problem by proposing a novel dynamic analysis technique named Object Flow Analysis, which complements method execution tracing with an accurate analysis of the runtime flow of objects. To exemplify the usefulness of our analysis we present a visual approach that allows a system engineer to study classes and components in terms of how they exchange objects at runtime. We illustrate and validate our approach on two case studies. 1

behavioral views. Those approaches primarily analyze control flow by tracing method execution events or they analyze object graphs of heap memory snapshots. However, they do not capture how objects are passed through the system at runtime. We refer to the exchange of objects as the object flow, and we claim that it is necessary to analyze object flows if we are to understand the runtime of an objectoriented application. We propose and detail Object Flow Analysis, a novel dynamic analysis technique that takes this new information into account. To evaluate its usefulness, we present a visual approach that allows a developer to study classes and components in terms of how they exchange objects at runtime. We illustrate our approach on three case studies.

In this paper, we present an approach that examines the evolution of code stored in source control repositories. The technique identifies Change Clusters, which can help managers to classify different code change activities as either a software maintenance or a new development. Furthermore, identifying the variations in Change Clusters over time exposes trends in the development of a software system. We present a case study that uses a sequence of Change Clusters to track the evolution of the PostgreSQL software project. Our case study demonstrates that our technique reveals interesting patterns about the progress of code development within each release of PostgreSQL. We show that the increase in the number of clusters not only identifies the areas where development has occurred, but also reflects the amount of structural change in code. We also compare how the Change Clusters vary over time in order to make generalizations about the focus of development. 1

Points-to analysis for large object-oriented systems is currently too imprecise or too slow. This prevents or hampers many useful client analyses, refactorings, or optimizations. In this paper, we present an SSA-based approach to points-to analysis that simulates the actual execution of a program. It is precise since it is both locally and globally flow-sensitive, more precise by construction compared to other scalable approaches. We confirm this statement with experiments. The experiments also show that in practice our approach is also more efficient (on average) in spite of a higher worst-case time complexity.