Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Automated Repair - ISSTA Summer School

853 views

Published on

Invited Talk given in ISSTA 2019 Summer School, Beijing, China

Published in: Education
  • Be the first to comment

  • Be the first to like this

Automated Repair - ISSTA Summer School

  1. 1. Automated Program Repair 1 Abhik Roychoudhury Professor, National University of Singapore ISSTA Summer School 2019
  2. 2. ISSTA Summer School 2019 Working in Program Analysis and Software Security (2001-) Singapore Cybersecurity Consortium (2016) National Satellite of Excellence in Trustworthy Software Systems (2019) 2 Comprehensive university with Science, Arts, Engineering, medical, Law, Business, Public Policy, Music, Computing, … Public university 30K undergraduate students, 10K+ graduate students overall. 2500+ faculty members overall, 100+ in Computing (two departments CS and IS). http://www.nus.edu.sg/about#corporate-information Early Morning Introduction
  3. 3. Viewpoint Village Upstream Summit ISSTA Summer School 2019 3 Search Space Exploration Avoid over-fitting Symbolic Execution Himalayas 2019
  4. 4. Trustworthy SW • FuzzTesting – Feed semi-random inputs to find hangs and crashes • Continuous fuzzing – Incrementally find new “problems” in software • Crash reproduction – Re-construct a reported crash, crashing input not included due to privacy • Reaching nooks and corners • Localizing reported observable errors • Patching reported errors from input-output examples Space of Problems (Search Problems?) ISSTA Summer School 2019 4
  5. 5. Trustworth y SW Search Problems • Random Search – Less systematic – Easy set-up, execute up to a time budget – Use objective function to steer search. • Symbolic Execution – Systematic – More involved set-up, solver calls. – Use logical formula to steer search. ISSTA Summer School 2019 5
  6. 6. Use of Random Search - Fuzzing ISSTA Summer School 2019 6 Input: Seed Inputs S 1:T✗ = ∅ 2:T = S 3: ifT = ∅ then 4: add empty file toT 5: end if 6: repeat 7: t = chooseNext(T) 8: p = assignEnergy(t) 9: for i from 1 to p do 10: t0 = mutate_input(t) 11: if t0 crashes then 12: add t0 toT✗ 13: else if isInteresting(t0 ) then 14: add t0 toT 15: end if 16: end for 17: until timeout reached or abort-signal Output: Crashing InputsT✗
  7. 7. Symbolic Execution ISSTA Summer School 2019 7 int test_me(int Climb, int Up){ int sep, upward; if (Climb > 0){ sep = Up;} else {sep = add100(Up);} if (sep > 150){ upward = 1; } else {upward = 0;} if (upward < 0){ abort; } else return upward; }
  8. 8. Symbolic Execution ISSTA Summer School 2019 int test_me(int Climb, int Up){ int sep, upward; if (Climb > 0){ sep = Up;} else {sep = add100(Up);} if (sep > 150){ upward = 1; } else {upward = 0;} if (upward < 0){ abort; } else return upward; } 8 Execute IF(r) : FORK [provided r is unresolved] Then: PC := PC  r Else: PC := PC  r Execute IF(r) Resolved branch condition r using concrete values Suppose true, PC := PC  r , OR Suppose false, PC := PC  r
  9. 9. Trustworth y SW Search Problems • Random Search – Less systematic – Easy set-up, execute up to a time budget – Use objective function to steer search. – Enhance the effectiveness of search, with symbolic execution as inspiration • Symbolic Execution – Systematic – More involved set-up, solver calls. – Use logical formula to steer search. – Explore capabilities of symbolic execution beyond directed search ISSTA Summer School 2019 9
  10. 10. Bug Fixing – Most software has many bugs. – Security-related bugs should be fixed before they are exploited by malicious users. – Oftentimes, bugs are not fixed even a few months after they were reported. – E.g. Bug 18665 of glibc • Reported and responded on July 2015 • Patched on Feb 2016 • CVSS score: 8.1 / 10 (buffer overflow) – “Thanks for the bug report. Do you have a test case that triggers this scenario? Do you have a patch or suggested fix?” ISSTA Summer School 2019 10
  11. 11. Background • Why debugging is hard? – Huge search space ? OR … • What would make debugging easy? – Specification Inference • Ideas in debugging which lead to automated fixing – Using implicit specification inference. ISSTA Summer School 2019 11
  12. 12. A quote from many years ago “Even today, debugging remains very much of an art. Much of the computer science community has largely ignored the debugging problem….. over 50 percent of the problems resulted from the time and space chasm between symptom and root cause or inadequate debugging tools.” Hailpern & Santhanam, IBM Systems Journal, 41(1), 2002 Any progress in 2002 – 2018? How can symbolic execution help? ISSTA Summer School 2019 12
  13. 13. Dynamic slicing: a debugging aid ISSTA Summer School 2019 13 Program Input Exec.Trace Output OK Unexpected, debug it Dynamic Slice = Bug Reportcriterion Debugging Instrument
  14. 14. Statistical Fault localization ISSTA Summer School 2019 14 Buggy Program Test Suite Fault Localizatio n Ranked list of suspicious statements Assign scores to program statements based on their occurrence in passing / failing tests. Correlation equals causation! Score(s) = fail(s) allfail fail(s) allfail pass(s) allpass + An example of scoring scheme [Tarantula]
  15. 15. Trace Comparison based Debugging ISSTA Summer School 2019 15 Compare Execution Failing Run Successful Run Difference As Diagnostics Choose Successful Run Pool Difference Metric Testing Change Failing InputGenerate
  16. 16. Debugging: comparing to intended behavior ISSTA Summer School 2019 16 P input = 0 output = 0 Specification about observable output Test input What went wrong? What would have been right? Execution
  17. 17. What is the intended behavior? Source of Information Name of SymbolicTechnique Internal inconsistency Cause Clue Clauses [PLDI 11] Error Invariants [FM 12] PassingTests Angelic Debugging [ICSE 11] Previous version / Golden implementation Regression Debugging [FSE09, FSE10, FSE11] ISSTA Summer School 2019 17 Only in the programmer’s mind? Assertions capturing programmer’s intent at each statement Too much overhead on programmer: almost as much work as a proof
  18. 18. Example Input: a, index 1. base = a; 2. sentinel = base; 3. offset = index; 4. address = base + offset; 5. output address, sentinel ISSTA Summer School 2019 18 Test 1 <a, index==10> assert sentinel <= address assert address < a + 10 Test 2 <a, index==9> assert sentinel <= address assert address < a + 10
  19. 19. CCC : General idea ISSTA Summer School 2019 19 Input: a, index 1. base = a; 2. sentinel = base; 3. offset = index; 4. address = base + offset; 5. assert sentinel <= address <a, index == 10>  Failing input  Program formula  Observed Output == false  address < a + 10 == false Cause Clue Clauses, Jose and Majumdar, PLDI 2011.
  20. 20. CCC: General idea ISSTA Summer School 2019 20 Input: a, index 1. base = a; 2. sentinel = base; 3. offset = index; 4. address = base + offset; 5. assert sentinel <= address <a, index == 10>   address < a + 10 == false index== 10  base == a  sentinel == base  offset == index  address == base + offset  sentinel ≤ address  address < a + 10 == false Hard constraint Soft constraint Hard constraint
  21. 21. First iteration ISSTA Summer School 2019 21 index== 10  base == a  sentinel == base  offset == index  address == base + offset  sentinel ≤ address  address < a + 10 == false Hard constraint Soft constraint Hard constraint Running Partial MAXSAT, we get base == a as a soft constraint that can be removed. Corresponds to the fix: Input: a, index 1. base = a - 1; 2. sentinel = base; 3. offset = index; 4. address = base + offset; 5. output address, sentinel
  22. 22. Moving further ISSTA Summer School 2019 22 index== 10  base == a  sentinel == base  offset == index  address == base + offset  sentinel ≤ address  address < a + 10 == false Hard constraint Hard & Soft constraints Hard constraint We mark base == a as hard now, and run Partial MaxSAT again, to get offset == index. Corresponds to the fix: Input: a, index 1. base = a; 2. sentinel = base; 3. offset = index - 1; 4. address = base + offset; 5. output address, sentinelThe clause sentinel==base does not help (or hurt)
  23. 23. Fix determines fault ISSTA Summer School 2019 23 Input: a, index 1. base = a; 2. sentinel = base; 3. offset = index; 4. address = base + offset; 5. output address, sentinel Input: a, index 1. base = a - 1; 2. sentinel = base; 3. offset = index; 4. address = base + offset; 5. output address, sentinel Input: a, index 1. base = a; 2. sentinel = base; 3. offset = index - 1; 4. address = base + offset; 5. output address, sentinel Off-by-one error
  24. 24. Specification discovery? • Find statements that cause inconsistency in the failing execution – Removal of that inconsistency makes the error go away • Minimal inconsistency  cause – Starting point for repair – Simple specification discovery • Removing statement S causes error to disappear • Do not know what S should have been! ISSTA Summer School 2019 24
  25. 25. Retrospective Debugging – some milestones – Manual era: prints and breakpoints – Statistical fault localization [e.g.Tarantula ] – Dynamic slicing [e.g. JSlice] – Trace comparison and delta debugging • Look for workarounds – how to avoid the error? – Symbolic techniques • Replace repeated experimentation with constraint solving. • Discover and (partially) infer intended semantics by symbolic analysis • The Future: repair (hints) ISSTA Summer School 2019 25
  26. 26. Trustworth y SW Search Problems • Random Search – Less systematic – Easy set-up, execute up to a time budget – Use objective function to steer search. – Enhance the effectiveness of search, with symbolic execution as inspiration • Symbolic Execution – Systematic – More involved set-up, solver calls. – Use logical formula to steer search. – Explore capabilities of symbolic execution beyond directed search ISSTA Summer School 2019 26
  27. 27. Program Repair ISSTA Summer School 2019 27 REPLACETHIS FLOW Buggy Program Tests
  28. 28. Repair: Why? ISSTA Summer School 2019 28 Education Productivity Security
  29. 29. Search ISSTA Summer School 2019 29 Applicability Scalability Over-fitting Acknowledgment for the figure: C Le Goues
  30. 30. • An individual is a candidate patch or set of changes to the input program. • A patch is a series of statement-level edits: – delete X – replace X withY – insertY after X. • Replace/insert: pickY from somewhere else in the program. 30 Candidate Patch ISSTASummerSchool2019
  31. 31. 31 1 void gcd(int a, int b) { 2 if (a == 0) { 3 printf(“%d”, b); 4 } 5 while (b > 0) { 6 if (a > b) 7 a = a – b; 8 else 9 b = b – a; 10 } 11 printf(“%d”, a); 12 return; 13 } > gcd(4,2) > 2 > > gcd(1071,1029) > 21 > > gcd(0,55) > 55 ISSTASummerSchool2019 (looping forever)
  32. 32. 32 printf(b) {block} while (b>0) {block}{block} {block} if(a==0) if(a>b) a = a – b {block}{block} printf(a) return b = b – a Input: ISSTASummerSchool2019 Ack: Claire Le Goues (CMU)
  33. 33. 33 {block} while (b>0) {block}{block} {block} if(a==0) if(a>b) a = a – b {block}{block} printf(a) return b = b – a Input: An edit is: • Insert statement X after statementY • Replace statement X with statementY • Delete statement X return printf(b) ISSTASummerSchool2019 Ack: Claire Le Goues (CMU)
  34. 34. Search-based Regression Repair P P’ RT Pass Fail PT Fail Pass Test Pass Pass Program P Diff Clang: Contextual Operators Statement Ranking & filtering Generate Mutant Evaluate Mutant Repair Program P’ Ochiai Reduced Test Suite Whole Test Suite Abbreviations RT – Regression tests that pass in earlier version, fail in current program version PT – Progression tests that fails in earlier version, pass in current program version relifix [ICSE15]
  35. 35. Sample Mutation Operators • Use changed expression as input for other operator • Revert to previous statement - if (((f = lookup_file (p)) != 0 && f->is_target) + if (((f = lookup_file (p)) != 0 && (f->is_target || intermed_ok)) - /* Removing this loop will fix Savannah bug #16670: - do we want to? */ - while ( out > line && isblank (( unsigned char ) out[-1])) - --out ;
  36. 36. Application: Android Apps Repair System (Droix) 36 Operators Log analyzer Logs UI sequence Mutant generator Decompiler Evaluator Selector Code checker Test checker Mutant Mutants pool Bug report Buggy APK APKs Fixed APK Fault locations Violations Violations Droix [ICSE18]
  37. 37. Over-fitting ISSTA Summer School 2019 37 Tests with oracles Buggy Program Symbolic Formulae Program Repair Patched Program Avoid generating programs like if (input1) return output1 else if (input2) return output2 else if (input3) return output3 ….
  38. 38. Example ISSTA Summer School 2019 38 Test id a b c oracle Pass 1 -1 -1 -1 INVALID 2 1 1 1 EQUILATERAL 3 2 2 3 ISOSCELES 4 2 3 2 ISOSCELES 5 3 2 2 ISOSCELES 6 2 3 4 SCALANE 1 int triangle(int a, int b, int c){ 2 if (a <= 0 || b <= 0 || c <= 0) 3 return INVALID; 4 if (a == b && b == c) 5 return EQUILATERAL; 6 if (a == b || b != c) // bug! 7 return ISOSCELES; 8 return SCALENE; 9 } Correct fix (a == b || b== c || a == c) Traverse all mutations of line 6 ?? Hard to generate fix since (a ==c) or (c ==a) never appear anywhere else in the program !
  39. 39. Example ISSTA Summer School 2019 39 Test id a b c oracle Pass 1 -1 -1 -1 INVALID 2 1 1 1 EQUILATERAL 3 2 2 3 ISOSCELES 4 2 3 2 ISOSCELES 5 3 2 2 ISOSCELES 6 2 3 4 SCALANE 1 int triangle(int a, int b, int c){ 2 if (a <= 0 || b <= 0 || c <= 0) 3 return INVALID; 4 if (a == b && b == c) 5 return EQUILATERAL; 6 if (a == b || b != c) // bug! 7 return ISOSCELES; 8 return SCALENE; 9 } Correct fix (a == b || b== c || a == c) Automatically generate the constraint f(2,2,3)  f(2,3,2)  f(3,2,2)   f(2,3,4) Solution f(ab,c) = (a == b || b == c || a == c)
  40. 40. ISSTA Summer School 2019 40 1 int triangle(int a, int b, int c){ 2 if (a <= 0 || b <= 0 || c <= 0) 3 return INVALID; 4 if (a == b && b == c) 5 return EQUILATERAL; 6 if (a == b || b != c) // bug! 7 return ISOSCELES; 8 return SCALENE; 9 } Test id a b c oracle Pass 1 -1 -1 -1 INVALID pass 2 1 1 1 EQUILATERAL pass 3 2 2 3 ISOSCELES pass 4 2 3 2 ISOSCELES fail 5 3 2 2 ISOSCELES fail 6 2 3 4 SCALENES fail Correct fix (a == b || b == c || a== c) Traverse all mutations of line 6, and check Hard to generate correct fix since a==c never appears elsewhere in the program. OR Generate the constraint f(2,2,3)f(2,3,2) f(3,2,2)f(2,3,4) And get the solution f(a,b,c) = (a == b || b == c || a== c)
  41. 41. Comparison 1. Where to fix, which line? 2. Generate patches in the candidate line 3. Validate the candidate patches against correctness criterion. 1. Where to fix, which line(s)? 2. What values should be returned by those lines, e.g. <inp ==1, ret== 0> 3. What are the expressions which will return such values? ISSTA Summer School 2019 41 Syntax-based Schematic for e in Search-space{ Validate e againstTests } Semantics-basedSchematic for t inTests { generate repair constraintΨt } Synthesize e from ∧tΨt
  42. 42. Specification Inference ISSTA Summer School 2019 42 var = f(live_vars) // X Test input t Concrete values Oracle (expected output) Output: Value-set or Constraint Symbolic execution Program Concrete Execution
  43. 43. Example inhibit up_sep down_sep Observed o/p Oracle Pass 1 0 100 0 0 1 11 110 0 1 0 100 50 1 1 1 -20 60 0 1 0 0 10 0 0 ISSTA Summer School 2019 43 1 int is_upward( int inhibit, int up_sep, int down_sep){ 2 int bias; 3 if (inhibit) 4 bias = down_sep; // bias= up_sep + 100 5 else bias = up_sep ; 6 if (bias > down_sep) 7 return 1; 8 else return 0; 9 }
  44. 44. Debugging • Given a test-suiteT – fail(s) º # of failing executions in which s occurs – pass(s) º # of passing executions in which s occurs – allfail ºTotal # of failing executions – allpass º Total # of passing executions • allfail+ allpass = |T| • Can also use other metric likeOchiai. Score(s) = fail(s) allfail fail(s) allfail pass(s) allpass + Buggy Program Test Suite -Investigate what this statement should be. - Generate a fixed statement Fixed Program YES NO ISSTA Summer School 2019 44
  45. 45. Example ISSTA Summer School 2019 45
  46. 46. Example ISSTA Summer School 2019 46
  47. 47. Example ISSTA Summer School 2019 47 • Accumulated constraints – f(1,11, 110) > 110  – f(1,0,100) ≤ 100  – … • Find a f satisfying this constraint – By fixing the set of operators appearing in f • Candidate methods • Search over the space of expressions • Program synthesis with fixed set of operators – Can also be achieved by second-order constraint solving • Generated fix – f(inhibit,up_sep,down_sep) = up_sep + 100
  48. 48. Repair Workflow ISSTA Summer School 2019 48
  49. 49. Simplified Workflow, but ISSTA Summer School 2019 49 Applicability Over-fitting Scalability
  50. 50. No fault localization 50 int foo(int x, int y){ if (x > y) y = y + 1; else y = y – 1; return y + 2; } Test: foo(0,0) == 3? x = 0  y = 0  result = 3 ( if (x1 > y1) then (y2 = y1 + 1) else (y2 = y1 – 1)  (result = y2 + 2) )  = UNSAT ISSTA Summer School 2019
  51. 51. Constraint = Whole Program 51 51 x = 0  y = 0  result = 3 ( if (x1 > y1) then (y2 = y1 + 1) else (y2 = y1 – 1)  (result = y2 + 2) )  = UNSAT ( if (x1 >= y1) then (y2 = y1 + 1) else (y2 = y1 – 1)  (result = y2 + 2) )  x = 0  y = 0  result = 3 = SAT ISSTA Summer School 2019
  52. 52. Comparison ISSTA Summer School 2019 52 #Programs Equivalent Same Loc. Diff. SemFix [ICSE13] 44 17% 46% 6.36 DirectFix [ICSE15] 44 53% 95% 2.31
  53. 53. Workflows ISSTA Summer School 2019 53 Applicability Over-fitting Scalability
  54. 54. Angelic Values ISSTA Summer School 2019 54 Syntax-based Schematic for e in SearchSpace{ Validate e againstTests } Semantics-based Schematic for t inTests { generate repair constraint Ψt } Synthesize e from ∧tΨt Instead of representing Ψt as a SMT constraint represent it using values. Value that is arbitrarily set during execution to a selected expression and that makes the program pass. Can be found by solving path condition of failing test case 𝐼, 𝑂 : 𝑝𝑎𝑡ℎ𝑐𝑜𝑛𝑑𝑖𝑡𝑖𝑜𝑛 𝛼 ∧ 𝑖𝑛𝑝𝑢𝑡 = 𝐼 ∧ 𝑜𝑢𝑡𝑝𝑢𝑡 = 𝑂
  55. 55. Angelix ISSTA Summer School 2019 55
  56. 56. Constraint ISSTA Summer School 2019 56 • SemFix work (ICSE 2013) – Example: for an identified expression e to be fixed • [ X > 0 ] ∧ f(t) == X for each test t • DirectFix work (ICSE 2015) – Whole Program as repair constraint – Use the principle of minimality to synthesize a minimal patch. • Angelix work (ICSE 2016) – Example: for identified expressions e1, e2, … to be fixed – [ (X == 1) ∨ (X == 2) ∨ (X== 3)] ∧ f(t) ==X for each test t. – [ (X== 1 ∧Y == 1) ∨ (X==2 ∧Y ==2)] ∧ f(t) ==X ∧g(t)==Y for each test t.
  57. 57. Scalability Subject LoC wireshark 2814K php 1046K gzip 491K gmp 145K libtiff 77K ISSTA Summer School 2019 57Average time == 32 minutes 0 5 10 15 20 25 30 35 wireshark php gzip gmp libtiff Overall Angelix SPR GenProg
  58. 58. Patch Quality ISSTA Summer School 2019 58
  59. 59. • “The core technique inAngelix using symbolic execution and program synthesis works well”. • “It can potentially suffer from poor fault localization”. • “With better fault localization, the patch synthesis seems hard to improve in effectiveness” – Can still be improved in terms of efficiency • [Anecdotal comments only from user groups] ISSTA Summer School 2019 [ICSE16 and its usage] 59 Experience of others
  60. 60. • Two approaches – Get property of function f via symbolic execution, and synthesize a function f satisfying these properties. – Directly solve for function f by building a second-order symbolic execution engine. ISSTA Summer School 2019 • Allow for existentially quantified second order variables. • Restrict their interpretation to a language e.g. linear integer arithmetic Term =Var |Constant |Term +Term |Term –Term |Constant *Term • Example SAT – (0) > 0  (1) ≤ 0 – Satisfying solution  = x. 1 – x 60 Specification Inference
  61. 61. First order Symbolic Execution ISSTA Summer School 2019 61 size_t search (data , len , pred ) { size_t i; for (i = 0; i < len; i++){ if ( pred ( data [i])) return i; } return len; } int positive (int x) { return x > 0; } Symbolic Execution results of Path Condition Input Output  > 0 {1,0,0} 0  ≤ 0   >0 {0,1,0} 1  ≤ 0   ≤ 0 {0,0,1} 2  ≤ 0   ≤ 0   ≤ 0 {0,0,0} 3 search((int[]){,,}, 3, positive)
  62. 62. Second order Symbolic Execution ISSTA Summer School 2019 62 size_t search (data , len , pred ) { size_t i; for (i = 0; i < len; i++){ if ( pred ( data [i])) return i; } return len; } Symbolic Execution results of Path Condition  Output (0) x. true 0  (0) (1) x. x>0 1  (0)  (1)  (2) x. x> 1 2  (0)  (1)   (2) x. false 3 search((int[]){0,1,2}, 3,  )
  63. 63. Syntactic Program Repair ISSTA Summer School 2019 63 scanf(“%d”, &x); for(i = 0; i <10; i++){ int t = x – i; if (t > 0) printf(“1”); else printf(“0”); } P(5)  “1110000000” expected “1111111000” Enumerate and test P[x − i → x + i], P[x − i → x − 1], ... Buggy Program: SampleTest: Generate and validate based repair tools:
  64. 64. First order Semantic Program Repair ISSTA Summer School 2019 64 scanf(“%d”, &x); for(i = 0; i <10; i++){ int t = ; if (t > 0) printf(“1”); else printf(“0”); } P(5)  “1110000000” expected “1111111000” Buggy Program: SampleTest: Synthesis Specification:  e Term. i i [e]  output = expected Path ConditionsTraversed: 210 = 1024 Background theory LIA
  65. 65. Second order Semantic Program Repair 65 scanf(“%d”, &x); for(i = 0; i <10; i++){ int t = (i,x); if (t > 0) printf(“1”); else printf(“0”); } P(5)  “1110000000” expected “1111111000” Buggy Program: SampleTest: Synthesis Specification:  . i i  output = expected Solve for  directly Term =Var | Constant |Term +Term | Term –Term | Constant *Term ISSTA Summer School 2019
  66. 66. Term =Var | Constant |Term +Term | Term –Term | Constant *Term Second order Program Repair 66 scanf(“%d”, &x); for(i = 0; i <10; i++){ int t = (i,x); if (t > 0) printf(“1”); else printf(“0”); } P(5)  “1110000000” expected “1111111000” Buggy Program: SampleTest: Synthesis Specification:  . i i  output = expected Solve for  directly Term =Var | Constant |Term +Term | Term –Term | Constant *Term 𝜌 0,5 > 0 𝜌 1,5 > 0 𝜌 1,5 > 0 𝜌 2,5 > 0 𝜌 2,5 > 0 𝜌 2,5 > 0 𝜌 2,5 > 0 Yes No Yes No Yes No 𝑈𝑁𝑆𝐴𝑇 Yes Term =Var | Constant |Term +Term | Term –Term | Constant *Term ISSTA Summer School 2019
  67. 67. Encoding for Program Synthesis 67 ISSTA Summer School 2019 … error_severity(1); return; } / / r(ent->fts_info, ent->fts_errno, prev_depth) else if (ent->fts_info == FTSSLNONE){ if (symlink_loop(ent->fts_accpath)) … [IFSE18]
  68. 68. Digression: Library Synthesis ISSTA Summer School 2019 68
  69. 69. (Test-based) Program Repair Syntax-based Schematic Semantic Schematic for t inTests { generate repair constraintΨt } Synthesize e from ∧tΨt ISSTA Summer School 2019 for e in Search-space{ Validate e against Tests } 69
  70. 70. Middle Path 中道 Madhyama Pratipada ISSTA Summer School 2019 70
  71. 71. Test- equivalence based repair ISSTA Summer School 2019 scanf ("%d" ,&x); for (i = 0; i < 10; i++) if (x – i > 0) printf ("1"); else printf ("0"); Consider all inequalities 𝛼𝑥 ± 𝛽𝑖 [>≥=≠] 𝛾 Sequence of values: Equivalence class (x = 4): {T, T, T, T, T, T, T, T, T, T} {x > 0, x > 1, …} {T, T, T, T, T, T, T, T, T, F} {x – i > -5, …} {T, T, T, T, T, T, T, T, F, T} EMPTY {T, T, T, T, T, T, T, T, F, F} {x – i > -4, …} {T, T, T, T, T, T, T, F, T, T} EMPTY {T, T, T, T, T, T, T, F, T, F} EMPTY {T, T, T, T, T, T, T, F, F,T} EMPTY … 71
  72. 72. Efficiency ISSTA Summer School 2019 72 [TOSEM18]
  73. 73. Test generation to Alleviate Overfitting 73 The given test suite can be enhanced by test generation (random, evolutionary algorithm and etc.). Test cases Repair Buggy program Patched program Auto-generate tests P P Problems: 1. The oracles of newly generated tests are usually unknown. 2. Test generation for program repair is inefficient because it has no knowledge about patch candidates. ISSTA Summer School 2019
  74. 74. Repair with Fuzzing 74 ISSTA Summer School 2019
  75. 75. Fix2Fit ISSTA Summer School 2019 75 Integration of repair into programming environments? Number of plausible patches that can be reduced if the tests are empowered with more oracles [ISSTA19]
  76. 76. Provably Correct ISSTA Summer School 2019 FromTests? From Programs? 76
  77. 77. Analyzing Linux Busybox ISSTA Summer School 2019 77 [ICSE18]
  78. 78. GNU Coreutils Cut ISSTA Summer School 2019 78 GNU Coreutils wrongly interprets the command -b 2-,3- as -b 3- (extract input bytes starting from the third byte): echo -ne ’1234 ’ | cut -b 2-,3- 34 instead of -b 2- (extract input bytes starting from the second byte): echo -ne ’1234 ’ | cut -b 2-,3- 234 Developer tests: echo -ne ’1234 ’ | cut -b 2-,3- echo -ne ’1234 ’ | cut -b 3-,2-
  79. 79. Tests vs. Reference Program ISSTA Summer School 2019 79 if (! rhs_specified ){ if ( eol_range_start == 0 || eol_range_start == 3) eol_range_start = initial ; field_found = true ; } if (! rhs_specified ){ if ( eol_range_start == 0 || initial < eol_range_start) eol_range_start = initial ; field_found = true ; } Developer patch Automatic patch based on developer tests Parameterized test to improve automated repair and apply SemGraft echo -ne ’1234 ’ | cut -b -,-
  80. 80. Other Applications: Education ISSTA Summer School 2019 Education Productivity Security Intelligent tutoring systems:Automated grading and hint generation via Program Repair Detailed Study in IIT-Kanpur, India [FSE17, and ongoing] 80
  81. 81. Dataset Preparation  Lab: Programming assignments 81 ISSTA Summer School 2019
  82. 82. Repair in steps ISSTA Summer School 2019 82
  83. 83. Some Relevant Research Results ISSTA Summer School 2019 83 Semantic Program Repair Using a Reference Implementation ( PDF ) ICSE 2018. Angelix: Scalable Multiline Program Patch Synthesis via Symbolic Analysis ( pdf ) ICSE 2016. DirectFix: Looking for Simple Program Repairs ( PDF ) ICSE 2015. SemFix: Program Repair via Semantic Analysis ( pdf ) ICSE 2013. Symbolic execution with second order existential constraints ESEC-FSE 2018. ACKNOWLEDGEMENT: National Cyber Security Research program from NRF Singapore http://www.comp.nus.edu.sg/~tsunami/ Acknowledgement: Sergey Mechtaev (UCL) and Shin HweiTan (SUSTech) Crash-Avoiding Program Repair ISSTA 2019. A Feasibility Study of Using Automated Program Repair for Introductory Programming Assignments ESEC-FSE 2017. Relifix: Automated Repair of Software Regressions ( PDF ) ICSE 2015. Repairing Crashes in Android Apps ICSE 2018.
  84. 84. BIST for Software? Common in critical systems such as avionics, military and others, supplemented by a repair. Can autonomous software test and repair itself autonomously to cater for corner cases? Can autonomous software repair itself subject to changes in environment? ? ISSTA Summer School 2019 84
  85. 85. Summary ISSTA Summer School 2019 85 Automated Program Repair C. Le Goues, M. Pradel, A. Roychoudhury Review Article,Communications of the ACM, 2019. https://www.dropbox.com/s/wep864umfw8lvz4/SummerSchool2019.pdf?dl=0 Download the talk from https://www.comp.nus.edu.sg/~abhik/projects/Repair/ All papers available from

×