SlideShare a Scribd company logo

Repair dagstuhl

Abhik Roychoudhury
Abhik Roychoudhury

SEMFIX is a program repair technique that uses semantic analysis via symbolic execution. It takes a failing test suite as input, ranks suspicious statements using statistical fault localization, symbolically executes tests to extract specifications of suspicious statements, and uses program synthesis to generate fixes by solving constraints from symbolic execution. The technique aims to infer the intended meaning of code and automatically generate fixes without human guidance.

1 of 26
SEMFIX: PROGRAM REPAIR VIA SEMANTIC ANALYSIS Dagstuhl, Feb 2013 H.D.T. Nguyen, Dawei Qi, Abhik Roychoudhury National University of Singapore, & Satish Chandra 1 IBM Research Talk given at Dagstuhl Seminar on Fault Prediction, Localization and Repair, February 2013.
WHAT WE HAVE BEEN DISCUSSING Precise debugging is laborious. Dagstuhl, Feb 2013 Specification based repair, Genetic Programming, … Symbolic execution of test cases to extract specifications 2
Test–suite Failing tests THIS WORK … Dagstuhl, Feb 2013 Suspicions !! – statistical fault localization. Infer intended meaning of suspicious statements - Symbolic execution (SE) Solve constraint from SE to create fixed statement - Program synthesis 3
0. THE PROBLEM 1 int is_upward( int inhibit, int up_sep, int down_sep){ 2 int bias; 3 if (inhibit) Dagstuhl, Feb 2013 4 bias = down_sep; // bias= up_sep + 100 5 else bias = up_sep ; 6 if (bias > down_sep) 7 return 1; 8 else return 0; 9 } inhibit up_sep down_se Observed Expected Result p output Output 1 0 100 0 0 pass 1 11 110 0 1 fail 0 100 50 1 1 pass 4 1 -20 60 0 1 fail 0 0 10 0 0 pass
1. FIND A SUSPECT 1 int is_upward( int inhibit, int up_sep, int down_sep){ 2 int bias; 3 if (inhibit) 4 bias = down_sep; // bias= up_sep + 100 Dagstuhl, Feb 2013 5 else bias = up_sep ; 6 if (bias > down_sep) 7 return 1; 8 else return 0; 9 } Line Score Rank 4 0.75 1 8 0.6 2 3 0.5 3 6 0.5 3 5 0 5 5 7 0 5
2 WHAT IT SHOULD HAVE BEEN 1 int is_upward( int inhibit, int up_sep, int down_sep){ 2 int bias; 3 if (inhibit) 4 bias = down_sep; // bias= up_sep + 100 5 else bias = up_sep ; 6 if (bias > down_sep) Dagstuhl, Feb 2013 7 return 1; 8 else return 0; 9 } inhibit up_sep down_se Observed Expected Result p output Output 1 11 110 0 1 fail Line 4 inhibit = 1, up_sep = 11, down_sep = 110 bias = X, path condition = true Line 7 Line 8 inhibit = 1, up_sep = 11, down_sep = 110 inhibit = 1, up_sep = 11, down_sep = 110 6 bias = X, path condition = X> 110 bias = X, path condition = X ≤ 110
2. WHAT IT SHOULD HAVE BEEN Inhibit up_sep down_se == 1 == 11 p == 110 1 int is_upward( int inhibit, int up_sep, int Dagstuhl, Feb 2013 down_sep){ 2 int bias; 3 if (inhibit) 4 bias = f(inhibit, up_sep, down_sep) 5 else bias = up_sep ; 6 if (bias > down_sep) 7 return 1; 8 else return 0; 9 } Symbolic Execution 7 f(1,11,110) > 110
3. FIX THE SUSPECT  Accumulated constraints  f(1,11, 110) > 110  Dagstuhl, Feb 2013  f(1,0,100) ≤ 100   …  Find a f satisfying this constraint  By fixing the set of operators appearing in f  Candidate methods  Search over the space of expressions  Program synthesis with fixed set of operators  More efficient!!  Generated fix 8  f(inhibit,up_sep,down_sep) = up_sep + 100
TO RECAPITULATE  Ranked Bug report  Hypothesize the error causes – suspect Dagstuhl, Feb 2013  Symbolic execution  Specification of the suspicious statement  Input-output requirements from each test  Repair constraint  Program synthesis  Decide operators which can appear in the fix  Generate a fix by solving repair constraint. 9
PRODUCING RANKED BUG REPORT  We use the Tarantula toolkit.  Given a test-suite T Dagstuhl, Feb 2013 fail(s) allfail Score(s) = fail(s) pass(s) allfail + allpass  fail(s)  # of failing executions in which s occurs  pass(s)  # of passing executions in which s occurs  allfail  Total # of failing executions  allpass  Total # of passing executions  allfail + allpass = |T|  Can also use other metric like Ochiai. 10
USAGE OF RANKED BUG REPORT Buggy Program Dagstuhl, Feb 2013 Test Suite NO -Investigate what this statement should be. - Generate a fixed YES statement Fixed 11 Program
TO RECAPITULATE  Ranked Bug report  Hypothesize the error causes – suspect Dagstuhl, Feb 2013  Symbolic execution  Specification of the suspicious statement  Input-output requirements from each test  Repair constraint  Program synthesis  Decide operators which can appear in the fix  Generate a fixed statement by solving repair constraint. 12
WHAT IT SHOULD HAVE BEEN Concrete test input Dagstuhl, Feb 2013 … Concrete Execution var = x + b – c; a Buggy Program Symbolic Execution with x as the only unknown Path conditions, 13 Output Expressions
EXAMPLE Inhibit == 1 up_sep == 11 down_sep == 110 1 int is_upward( int inhibit, int up_sep, int down_sep){ 2 int bias; Dagstuhl, Feb 2013 3 if (inhibit) 4 bias = f(inhibit, up_sep, down_sep) // X 5 else bias = up_sep ; 6 if (bias > down_sep) 7 return 1; 8 else return 0; 9 } Symbolic Execution  ( pcj  outj == expected_out(t) ) ( (X >110  1 ==1) j  Paths  (X ≤ 110  0 == 1)  )  f(1,11,110) == X f(t) == X 14 Repair constraint
OVERALL REPAIR CONSTRAINT t1 t2 Repair constraint =  Consi Dagstuhl, Feb 2013 TS … var = … ; 1. TS = failing tests; 2. Repair based on TS // guaranteed to pass TS 3. New = newly failed tests due to repair 4. If (New == ) exit // Got your repair 5. else { TS = TS  New; 6. Go to 2 } Cons1 Cons2 15 Repair Constraint = Cons1  Cons2
TO RECAPITULATE  Ranked Bug report  Hypothesize the error causes – suspect Dagstuhl, Feb 2013  Symbolic execution  Specification of the suspicious statement  Input-output requirements from each test  Repair constraint  Program synthesis  Decide operators which can appear in the fix  Generate a fix by solving repair constraint. 16
WHY PROGRAM SYNTHESIS Repair Constraint:  Instead of solving f(1,11,110) > 110  f(1,0,100) ≤ 100  f(1,-20,60) > 60 Dagstuhl, Feb 2013  Select primitive components to be used by the synthesized program based on complexity  Look for a program that uses only these primitive components and satisfy the repair constraint  Where to place each component? int tmp = down_sep -1; int tmp=down_sep + 1; return up_sep + tmp; + return tmp- inhibit;  What are the parameters? int tmp = down_sep -1; int tmp = down_sep -1; return tmp + inhibit ; 17 inhibit return tmp + inhibit ; up_sep
LOCATION VARIABLES  Define location variables for each component  Constraint on location variables solved by SMT.  Well-formed e.g. defined before being used Dagstuhl, Feb 2013  Output constraint from each test (repair constraint)  Meaning of the components  Lines determine the value Lx == Ly  x == y  Once locations are found, program is constructed. Components = {+} Lin == 0, Lout == 1, Lout+ == 1, Lin1+ == 0, Lin2+ == 0 0 r0 = input; 1 r = r0 + r0; 2 return r; 18
EVALUATION  Results from  SIR and GNU CoreUtils Dagstuhl, Feb 2013  Tools  Ranked Bug report (Tarantula)  Symbolic execution (KLEE)  Program synthesis (Own tool + Z3) 19
SUCCESS OF REPAIR (SIR) 45 Time bound = 4 mins. 40 Dagstuhl, Feb 2013 35 30 # of programs repaired 25 Total 20 Semfix TCAS 15 GenProg 10 5 0 10 20 30 40 50 Number of tests Overall 90 programs from SIR 20 SemFix repaired 48/90, GenProg repaired 16/90 for 50 tests. GenProg running time is >3 times of SemFix
TYPE OF BUGS (SIR) Total SemFix GenProg Dagstuhl, Feb 2013 Constant 14 10 3 Arithmetic 14 6 0 Comparison 16 12 5 Logic 10 10 3 Code 27 5 3 Missing Redundant 9 5 2 Code ALL 90 48 16 21
GNU COREUTILS  9 buggy programs where bug could be reproduced.  Taken from paper on KLEE, OSDI 2008. Dagstuhl, Feb 2013  SemFix succeeded in 4/9 [mkdir, cp, …]  Average time = 3.8 mins.  Average time = 6 mins. [GenProg]  All GenProg experiments using configuration from ICSE 2012 paper by Le Goues et al.  Pop size, # generations, …  Other configurations may lead to success for GP, but then we need a systematic method to determine the configurations. 22
EXPRESSION ENUMERATION  Enumerate all expressions over a given set of components (i.e. operators) Enforce axioms of the operators Dagstuhl, Feb 2013   If candidate repair contains a constant, solve using SMT  Program synthesis turns out to be faster. Subject TCAS Schedule Schedule2 replace grep Ratio 6.9 2.8 2.5 1.36 2.2 23 Enumeration also timed out > 20 minutes. These are not even included.
REPAIRS THAT WERE NOT DONE  Multiple line fix  Complex code to be inserted Dagstuhl, Feb 2013  Same wrong branch condition  if (c ){ … } … if (c) { … }  Updates to multiple variables  x = e1; … ; y = e2; …  Floating point bugs  n = (int) (count*ratio + 1.1);  Can be overcome, limitation of KLEE/solvers  Other problems, e.g. wrong function call  current_job = (struct process *)0; get_current(); 24
EXAMPLE FIXES  enabled = High_Confidence && (Own_Tracked_Alt_Rate <= OLEV); /*&& (Cur_Vertical_Sep > MAXALTDIFF);missing Dagstuhl, Feb 2013 code*/  Synthesizes missing code  tmp = Up_Separation;  Synthesizes  tmp = ((OtherCapability < Alt_Layer_Value)?  Two_of_Three_Reports_Valid:  Cur_Vertical_Sep  ); 25
OUR PAPER APPEARS IN ICSE’13  Repair exploiting symbolic execution  Avoids enumeration over a space of expressions from a Dagstuhl, Feb 2013 pre-fixed template language.  Repair via constraint solving  Synthesize rather than lifting fixes from elsewhere.  Repair without formal specifications  Pass given test cases by a constraint solver answering “What it should have been?”  Single line repair – need to do more …  Try other background debugging tools / metrics.  Synthesize guards to relate different fragments to fix. 26

Recommended

Abhik-Satish-dagstuhl
Abhik-Satish-dagstuhlAbhik-Satish-dagstuhl
Abhik-Satish-dagstuhl
Abhik Roychoudhury
 
Repair dagstuhl jan2017
Repair dagstuhl jan2017Repair dagstuhl jan2017
Repair dagstuhl jan2017
Abhik Roychoudhury
 
Automated Repair - ISSTA Summer School
Automated Repair - ISSTA Summer SchoolAutomated Repair - ISSTA Summer School
Automated Repair - ISSTA Summer School
Abhik Roychoudhury
 
Issta13 workshop on debugging
Issta13 workshop on debuggingIssta13 workshop on debugging
Issta13 workshop on debugging
Abhik Roychoudhury
 
Mobilesoft 2017 Keynote
Mobilesoft 2017 KeynoteMobilesoft 2017 Keynote
Mobilesoft 2017 Keynote
Abhik Roychoudhury
 
Isorc18 keynote
Isorc18 keynoteIsorc18 keynote
Isorc18 keynote
Abhik Roychoudhury
 
MuVM: Higher Order Mutation Analysis Virtual Machine for C
MuVM: Higher Order Mutation Analysis Virtual Machine for CMuVM: Higher Order Mutation Analysis Virtual Machine for C
MuVM: Higher Order Mutation Analysis Virtual Machine for C
Susumu Tokumoto
 
Automated Program Repair Keynote talk
Automated Program Repair Keynote talkAutomated Program Repair Keynote talk
Automated Program Repair Keynote talk
Abhik Roychoudhury
 

Recommended

Abhik-Satish-dagstuhl
Abhik-Satish-dagstuhlAbhik-Satish-dagstuhl
Abhik-Satish-dagstuhl
Abhik Roychoudhury
 
Repair dagstuhl jan2017
Repair dagstuhl jan2017Repair dagstuhl jan2017
Repair dagstuhl jan2017
Abhik Roychoudhury
 
Automated Repair - ISSTA Summer School
Automated Repair - ISSTA Summer SchoolAutomated Repair - ISSTA Summer School
Automated Repair - ISSTA Summer School
Abhik Roychoudhury
 
Issta13 workshop on debugging
Issta13 workshop on debuggingIssta13 workshop on debugging
Issta13 workshop on debugging
Abhik Roychoudhury
 
Mobilesoft 2017 Keynote
Mobilesoft 2017 KeynoteMobilesoft 2017 Keynote
Mobilesoft 2017 Keynote
Abhik Roychoudhury
 
Isorc18 keynote
Isorc18 keynoteIsorc18 keynote
Isorc18 keynote
Abhik Roychoudhury
 
MuVM: Higher Order Mutation Analysis Virtual Machine for C
MuVM: Higher Order Mutation Analysis Virtual Machine for CMuVM: Higher Order Mutation Analysis Virtual Machine for C
MuVM: Higher Order Mutation Analysis Virtual Machine for C
Susumu Tokumoto
 
Automated Program Repair Keynote talk
Automated Program Repair Keynote talkAutomated Program Repair Keynote talk
Automated Program Repair Keynote talk
Abhik Roychoudhury
 
Comp102 lec 5.1
Comp102 lec 5.1Comp102 lec 5.1
Comp102 lec 5.1
Fraz Bakhsh
 
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program RepairLSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
Dongsun Kim
 
Test final jav_aaa
Test final jav_aaaTest final jav_aaa
Test final jav_aaa
BagusBudi11
 
Operators In Java Part - 8
Operators In Java Part - 8Operators In Java Part - 8
Operators In Java Part - 8
MuhammadAtif231
 
Symbolic Execution And KLEE
Symbolic Execution And KLEESymbolic Execution And KLEE
Symbolic Execution And KLEE
Shauvik Roy Choudhary, Ph.D.
 
Introduction to programming with ZIO functional effects
Introduction to programming with ZIO functional effectsIntroduction to programming with ZIO functional effects
Introduction to programming with ZIO functional effects
Jorge Vásquez
 
Fpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directivesFpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directives
Malik Tauqir Hasan
 
Java chapter 3
Java chapter 3Java chapter 3
Java chapter 3
Munsif Ullah
 
Pi j1.3 operators
Pi j1.3 operatorsPi j1.3 operators
Pi j1.3 operators
mcollison
 
Exception handling
Exception handlingException handling
Exception handling
vishal choudhary
 
Control Structures: Part 1
Control Structures: Part 1Control Structures: Part 1
Control Structures: Part 1
Andy Juan Sarango Veliz
 
Verilog Lecture4 2014
Verilog Lecture4 2014Verilog Lecture4 2014
Verilog Lecture4 2014
Béo Tú
 
Lazy Java
Lazy JavaLazy Java
Lazy Java
Nicola Pedot
 
conditional statements
conditional statementsconditional statements
conditional statements
James Brotsos
 
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
Dongsun Kim
 
White Box Testing
White Box TestingWhite Box Testing
White Box Testing
alessandro100
 
Fnt software solutions placement paper
Fnt software solutions placement paperFnt software solutions placement paper
Fnt software solutions placement paper
fntsofttech
 
Introduction to Selection control structures in C++
Introduction to Selection control structures in C++ Introduction to Selection control structures in C++
Introduction to Selection control structures in C++
Neeru Mittal
 
Navigating the xDD Alphabet Soup
Navigating the xDD Alphabet SoupNavigating the xDD Alphabet Soup
Navigating the xDD Alphabet Soup
Dror Helper
 
16May_ICSE_MIP_APR_2023.pptx
16May_ICSE_MIP_APR_2023.pptx16May_ICSE_MIP_APR_2023.pptx
16May_ICSE_MIP_APR_2023.pptx
Abhik Roychoudhury
 
IFIP2023-Abhik.pptx
IFIP2023-Abhik.pptxIFIP2023-Abhik.pptx
IFIP2023-Abhik.pptx
Abhik Roychoudhury
 
Fuzzing.pptx
Fuzzing.pptxFuzzing.pptx
Fuzzing.pptx
Abhik Roychoudhury
 

More Related Content

What's hot

Comp102 lec 5.1
Comp102 lec 5.1Comp102 lec 5.1
Comp102 lec 5.1
Fraz Bakhsh
 
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program RepairLSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
Dongsun Kim
 
Test final jav_aaa
Test final jav_aaaTest final jav_aaa
Test final jav_aaa
BagusBudi11
 
Operators In Java Part - 8
Operators In Java Part - 8Operators In Java Part - 8
Operators In Java Part - 8
MuhammadAtif231
 
Symbolic Execution And KLEE
Symbolic Execution And KLEESymbolic Execution And KLEE
Symbolic Execution And KLEE
Shauvik Roy Choudhary, Ph.D.
 
Introduction to programming with ZIO functional effects
Introduction to programming with ZIO functional effectsIntroduction to programming with ZIO functional effects
Introduction to programming with ZIO functional effects
Jorge Vásquez
 
Fpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directivesFpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directives
Malik Tauqir Hasan
 
Java chapter 3
Java chapter 3Java chapter 3
Java chapter 3
Munsif Ullah
 
Pi j1.3 operators
Pi j1.3 operatorsPi j1.3 operators
Pi j1.3 operators
mcollison
 
Exception handling
Exception handlingException handling
Exception handling
vishal choudhary
 
Control Structures: Part 1
Control Structures: Part 1Control Structures: Part 1
Control Structures: Part 1
Andy Juan Sarango Veliz
 
Verilog Lecture4 2014
Verilog Lecture4 2014Verilog Lecture4 2014
Verilog Lecture4 2014
Béo Tú
 
Lazy Java
Lazy JavaLazy Java
Lazy Java
Nicola Pedot
 
conditional statements
conditional statementsconditional statements
conditional statements
James Brotsos
 
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
Dongsun Kim
 
White Box Testing
White Box TestingWhite Box Testing
White Box Testing
alessandro100
 
Fnt software solutions placement paper
Fnt software solutions placement paperFnt software solutions placement paper
Fnt software solutions placement paper
fntsofttech
 
Introduction to Selection control structures in C++
Introduction to Selection control structures in C++ Introduction to Selection control structures in C++
Introduction to Selection control structures in C++
Neeru Mittal
 
Navigating the xDD Alphabet Soup
Navigating the xDD Alphabet SoupNavigating the xDD Alphabet Soup
Navigating the xDD Alphabet Soup
Dror Helper
 

What's hot (19)

Comp102 lec 5.1
Comp102 lec 5.1Comp102 lec 5.1
Comp102 lec 5.1
 
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program RepairLSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
 
Test final jav_aaa
Test final jav_aaaTest final jav_aaa
Test final jav_aaa
 
Operators In Java Part - 8
Operators In Java Part - 8Operators In Java Part - 8
Operators In Java Part - 8
 
Symbolic Execution And KLEE
Symbolic Execution And KLEESymbolic Execution And KLEE
Symbolic Execution And KLEE
 
Introduction to programming with ZIO functional effects
Introduction to programming with ZIO functional effectsIntroduction to programming with ZIO functional effects
Introduction to programming with ZIO functional effects
 
Fpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directivesFpga 06-data-types-system-tasks-compiler-directives
Fpga 06-data-types-system-tasks-compiler-directives
 
Java chapter 3
Java chapter 3Java chapter 3
Java chapter 3
 
Pi j1.3 operators
Pi j1.3 operatorsPi j1.3 operators
Pi j1.3 operators
 
Exception handling
Exception handlingException handling
Exception handling
 
Control Structures: Part 1
Control Structures: Part 1Control Structures: Part 1
Control Structures: Part 1
 
Verilog Lecture4 2014
Verilog Lecture4 2014Verilog Lecture4 2014
Verilog Lecture4 2014
 
Lazy Java
Lazy JavaLazy Java
Lazy Java
 
conditional statements
conditional statementsconditional statements
conditional statements
 
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
 
White Box Testing
White Box TestingWhite Box Testing
White Box Testing
 
Fnt software solutions placement paper
Fnt software solutions placement paperFnt software solutions placement paper
Fnt software solutions placement paper
 
Introduction to Selection control structures in C++
Introduction to Selection control structures in C++ Introduction to Selection control structures in C++
Introduction to Selection control structures in C++
 
Navigating the xDD Alphabet Soup
Navigating the xDD Alphabet SoupNavigating the xDD Alphabet Soup
Navigating the xDD Alphabet Soup
 

More from Abhik Roychoudhury

16May_ICSE_MIP_APR_2023.pptx
16May_ICSE_MIP_APR_2023.pptx16May_ICSE_MIP_APR_2023.pptx
16May_ICSE_MIP_APR_2023.pptx
Abhik Roychoudhury
 
IFIP2023-Abhik.pptx
IFIP2023-Abhik.pptxIFIP2023-Abhik.pptx
IFIP2023-Abhik.pptx
Abhik Roychoudhury
 
Fuzzing.pptx
Fuzzing.pptxFuzzing.pptx
Fuzzing.pptx
Abhik Roychoudhury
 
Dagstuhl2021
Dagstuhl2021Dagstuhl2021
Dagstuhl2021
Abhik Roychoudhury
 
APSEC2020 Keynote
APSEC2020 KeynoteAPSEC2020 Keynote
APSEC2020 Keynote
Abhik Roychoudhury
 
Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Singapore International Cyberweek 2020
Singapore International Cyberweek 2020
Abhik Roychoudhury
 
NUS PhD e-open day 2020
NUS PhD e-open day 2020NUS PhD e-open day 2020
NUS PhD e-open day 2020
Abhik Roychoudhury
 
Art of Computer Science Research Planning
Art of Computer Science Research PlanningArt of Computer Science Research Planning
Art of Computer Science Research Planning
Abhik Roychoudhury
 
Automated Program Repair, Distinguished lecture at MPI-SWS
Automated Program Repair, Distinguished lecture at MPI-SWSAutomated Program Repair, Distinguished lecture at MPI-SWS
Automated Program Repair, Distinguished lecture at MPI-SWS
Abhik Roychoudhury
 
Symbexecsearch
SymbexecsearchSymbexecsearch
Symbexecsearch
Abhik Roychoudhury
 
Binary Analysis - Luxembourg
Binary Analysis - LuxembourgBinary Analysis - Luxembourg
Binary Analysis - Luxembourg
Abhik Roychoudhury
 
PAS 2012
PAS 2012PAS 2012
PAS 2012
Abhik Roychoudhury
 
Pas oct12
Pas oct12Pas oct12
Pas oct12
Abhik Roychoudhury
 

More from Abhik Roychoudhury (13)

16May_ICSE_MIP_APR_2023.pptx
16May_ICSE_MIP_APR_2023.pptx16May_ICSE_MIP_APR_2023.pptx
16May_ICSE_MIP_APR_2023.pptx
 
IFIP2023-Abhik.pptx
IFIP2023-Abhik.pptxIFIP2023-Abhik.pptx
IFIP2023-Abhik.pptx
 
Fuzzing.pptx
Fuzzing.pptxFuzzing.pptx
Fuzzing.pptx
 
Dagstuhl2021
Dagstuhl2021Dagstuhl2021
Dagstuhl2021
 
APSEC2020 Keynote
APSEC2020 KeynoteAPSEC2020 Keynote
APSEC2020 Keynote
 
Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Singapore International Cyberweek 2020
Singapore International Cyberweek 2020
 
NUS PhD e-open day 2020
NUS PhD e-open day 2020NUS PhD e-open day 2020
NUS PhD e-open day 2020
 
Art of Computer Science Research Planning
Art of Computer Science Research PlanningArt of Computer Science Research Planning
Art of Computer Science Research Planning
 
Automated Program Repair, Distinguished lecture at MPI-SWS
Automated Program Repair, Distinguished lecture at MPI-SWSAutomated Program Repair, Distinguished lecture at MPI-SWS
Automated Program Repair, Distinguished lecture at MPI-SWS
 
Symbexecsearch
SymbexecsearchSymbexecsearch
Symbexecsearch
 
Binary Analysis - Luxembourg
Binary Analysis - LuxembourgBinary Analysis - Luxembourg
Binary Analysis - Luxembourg
 
PAS 2012
PAS 2012PAS 2012
PAS 2012
 
Pas oct12
Pas oct12Pas oct12
Pas oct12
 

Repair dagstuhl

  • 1. SEMFIX: PROGRAM REPAIR VIA SEMANTIC ANALYSIS Dagstuhl, Feb 2013 H.D.T. Nguyen, Dawei Qi, Abhik Roychoudhury National University of Singapore, & Satish Chandra 1 IBM Research Talk given at Dagstuhl Seminar on Fault Prediction, Localization and Repair, February 2013.
  • 2. WHAT WE HAVE BEEN DISCUSSING Precise debugging is laborious. Dagstuhl, Feb 2013 Specification based repair, Genetic Programming, … Symbolic execution of test cases to extract specifications 2
  • 3. Test–suite Failing tests THIS WORK … Dagstuhl, Feb 2013 Suspicions !! – statistical fault localization. Infer intended meaning of suspicious statements - Symbolic execution (SE) Solve constraint from SE to create fixed statement - Program synthesis 3
  • 4. 0. THE PROBLEM 1 int is_upward( int inhibit, int up_sep, int down_sep){ 2 int bias; 3 if (inhibit) Dagstuhl, Feb 2013 4 bias = down_sep; // bias= up_sep + 100 5 else bias = up_sep ; 6 if (bias > down_sep) 7 return 1; 8 else return 0; 9 } inhibit up_sep down_se Observed Expected Result p output Output 1 0 100 0 0 pass 1 11 110 0 1 fail 0 100 50 1 1 pass 4 1 -20 60 0 1 fail 0 0 10 0 0 pass
  • 5. 1. FIND A SUSPECT 1 int is_upward( int inhibit, int up_sep, int down_sep){ 2 int bias; 3 if (inhibit) 4 bias = down_sep; // bias= up_sep + 100 Dagstuhl, Feb 2013 5 else bias = up_sep ; 6 if (bias > down_sep) 7 return 1; 8 else return 0; 9 } Line Score Rank 4 0.75 1 8 0.6 2 3 0.5 3 6 0.5 3 5 0 5 5 7 0 5
  • 6. 2 WHAT IT SHOULD HAVE BEEN 1 int is_upward( int inhibit, int up_sep, int down_sep){ 2 int bias; 3 if (inhibit) 4 bias = down_sep; // bias= up_sep + 100 5 else bias = up_sep ; 6 if (bias > down_sep) Dagstuhl, Feb 2013 7 return 1; 8 else return 0; 9 } inhibit up_sep down_se Observed Expected Result p output Output 1 11 110 0 1 fail Line 4 inhibit = 1, up_sep = 11, down_sep = 110 bias = X, path condition = true Line 7 Line 8 inhibit = 1, up_sep = 11, down_sep = 110 inhibit = 1, up_sep = 11, down_sep = 110 6 bias = X, path condition = X> 110 bias = X, path condition = X ≤ 110
  • 7. 2. WHAT IT SHOULD HAVE BEEN Inhibit up_sep down_se == 1 == 11 p == 110 1 int is_upward( int inhibit, int up_sep, int Dagstuhl, Feb 2013 down_sep){ 2 int bias; 3 if (inhibit) 4 bias = f(inhibit, up_sep, down_sep) 5 else bias = up_sep ; 6 if (bias > down_sep) 7 return 1; 8 else return 0; 9 } Symbolic Execution 7 f(1,11,110) > 110
  • 8. 3. FIX THE SUSPECT  Accumulated constraints  f(1,11, 110) > 110  Dagstuhl, Feb 2013  f(1,0,100) ≤ 100   …  Find a f satisfying this constraint  By fixing the set of operators appearing in f  Candidate methods  Search over the space of expressions  Program synthesis with fixed set of operators  More efficient!!  Generated fix 8  f(inhibit,up_sep,down_sep) = up_sep + 100
  • 9. TO RECAPITULATE  Ranked Bug report  Hypothesize the error causes – suspect Dagstuhl, Feb 2013  Symbolic execution  Specification of the suspicious statement  Input-output requirements from each test  Repair constraint  Program synthesis  Decide operators which can appear in the fix  Generate a fix by solving repair constraint. 9
  • 10. PRODUCING RANKED BUG REPORT  We use the Tarantula toolkit.  Given a test-suite T Dagstuhl, Feb 2013 fail(s) allfail Score(s) = fail(s) pass(s) allfail + allpass  fail(s)  # of failing executions in which s occurs  pass(s)  # of passing executions in which s occurs  allfail  Total # of failing executions  allpass  Total # of passing executions  allfail + allpass = |T|  Can also use other metric like Ochiai. 10
  • 11. USAGE OF RANKED BUG REPORT Buggy Program Dagstuhl, Feb 2013 Test Suite NO -Investigate what this statement should be. - Generate a fixed YES statement Fixed 11 Program
  • 12. TO RECAPITULATE  Ranked Bug report  Hypothesize the error causes – suspect Dagstuhl, Feb 2013  Symbolic execution  Specification of the suspicious statement  Input-output requirements from each test  Repair constraint  Program synthesis  Decide operators which can appear in the fix  Generate a fixed statement by solving repair constraint. 12
  • 13. WHAT IT SHOULD HAVE BEEN Concrete test input Dagstuhl, Feb 2013 … Concrete Execution var = x + b – c; a Buggy Program Symbolic Execution with x as the only unknown Path conditions, 13 Output Expressions
  • 14. EXAMPLE Inhibit == 1 up_sep == 11 down_sep == 110 1 int is_upward( int inhibit, int up_sep, int down_sep){ 2 int bias; Dagstuhl, Feb 2013 3 if (inhibit) 4 bias = f(inhibit, up_sep, down_sep) // X 5 else bias = up_sep ; 6 if (bias > down_sep) 7 return 1; 8 else return 0; 9 } Symbolic Execution  ( pcj  outj == expected_out(t) ) ( (X >110  1 ==1) j  Paths  (X ≤ 110  0 == 1)  )  f(1,11,110) == X f(t) == X 14 Repair constraint
  • 15. OVERALL REPAIR CONSTRAINT t1 t2 Repair constraint =  Consi Dagstuhl, Feb 2013 TS … var = … ; 1. TS = failing tests; 2. Repair based on TS // guaranteed to pass TS 3. New = newly failed tests due to repair 4. If (New == ) exit // Got your repair 5. else { TS = TS  New; 6. Go to 2 } Cons1 Cons2 15 Repair Constraint = Cons1  Cons2
  • 16. TO RECAPITULATE  Ranked Bug report  Hypothesize the error causes – suspect Dagstuhl, Feb 2013  Symbolic execution  Specification of the suspicious statement  Input-output requirements from each test  Repair constraint  Program synthesis  Decide operators which can appear in the fix  Generate a fix by solving repair constraint. 16
  • 17. WHY PROGRAM SYNTHESIS Repair Constraint:  Instead of solving f(1,11,110) > 110  f(1,0,100) ≤ 100  f(1,-20,60) > 60 Dagstuhl, Feb 2013  Select primitive components to be used by the synthesized program based on complexity  Look for a program that uses only these primitive components and satisfy the repair constraint  Where to place each component? int tmp = down_sep -1; int tmp=down_sep + 1; return up_sep + tmp; + return tmp- inhibit;  What are the parameters? int tmp = down_sep -1; int tmp = down_sep -1; return tmp + inhibit ; 17 inhibit return tmp + inhibit ; up_sep
  • 18. LOCATION VARIABLES  Define location variables for each component  Constraint on location variables solved by SMT.  Well-formed e.g. defined before being used Dagstuhl, Feb 2013  Output constraint from each test (repair constraint)  Meaning of the components  Lines determine the value Lx == Ly  x == y  Once locations are found, program is constructed. Components = {+} Lin == 0, Lout == 1, Lout+ == 1, Lin1+ == 0, Lin2+ == 0 0 r0 = input; 1 r = r0 + r0; 2 return r; 18
  • 19. EVALUATION  Results from  SIR and GNU CoreUtils Dagstuhl, Feb 2013  Tools  Ranked Bug report (Tarantula)  Symbolic execution (KLEE)  Program synthesis (Own tool + Z3) 19
  • 20. SUCCESS OF REPAIR (SIR) 45 Time bound = 4 mins. 40 Dagstuhl, Feb 2013 35 30 # of programs repaired 25 Total 20 Semfix TCAS 15 GenProg 10 5 0 10 20 30 40 50 Number of tests Overall 90 programs from SIR 20 SemFix repaired 48/90, GenProg repaired 16/90 for 50 tests. GenProg running time is >3 times of SemFix
  • 21. TYPE OF BUGS (SIR) Total SemFix GenProg Dagstuhl, Feb 2013 Constant 14 10 3 Arithmetic 14 6 0 Comparison 16 12 5 Logic 10 10 3 Code 27 5 3 Missing Redundant 9 5 2 Code ALL 90 48 16 21
  • 22. GNU COREUTILS  9 buggy programs where bug could be reproduced.  Taken from paper on KLEE, OSDI 2008. Dagstuhl, Feb 2013  SemFix succeeded in 4/9 [mkdir, cp, …]  Average time = 3.8 mins.  Average time = 6 mins. [GenProg]  All GenProg experiments using configuration from ICSE 2012 paper by Le Goues et al.  Pop size, # generations, …  Other configurations may lead to success for GP, but then we need a systematic method to determine the configurations. 22
  • 23. EXPRESSION ENUMERATION  Enumerate all expressions over a given set of components (i.e. operators) Enforce axioms of the operators Dagstuhl, Feb 2013   If candidate repair contains a constant, solve using SMT  Program synthesis turns out to be faster. Subject TCAS Schedule Schedule2 replace grep Ratio 6.9 2.8 2.5 1.36 2.2 23 Enumeration also timed out > 20 minutes. These are not even included.
  • 24. REPAIRS THAT WERE NOT DONE  Multiple line fix  Complex code to be inserted Dagstuhl, Feb 2013  Same wrong branch condition  if (c ){ … } … if (c) { … }  Updates to multiple variables  x = e1; … ; y = e2; …  Floating point bugs  n = (int) (count*ratio + 1.1);  Can be overcome, limitation of KLEE/solvers  Other problems, e.g. wrong function call  current_job = (struct process *)0; get_current(); 24
  • 25. EXAMPLE FIXES  enabled = High_Confidence && (Own_Tracked_Alt_Rate <= OLEV); /*&& (Cur_Vertical_Sep > MAXALTDIFF);missing Dagstuhl, Feb 2013 code*/  Synthesizes missing code  tmp = Up_Separation;  Synthesizes  tmp = ((OtherCapability < Alt_Layer_Value)?  Two_of_Three_Reports_Valid:  Cur_Vertical_Sep  ); 25
  • 26. OUR PAPER APPEARS IN ICSE’13  Repair exploiting symbolic execution  Avoids enumeration over a space of expressions from a Dagstuhl, Feb 2013 pre-fixed template language.  Repair via constraint solving  Synthesize rather than lifting fixes from elsewhere.  Repair without formal specifications  Pass given test cases by a constraint solver answering “What it should have been?”  Single line repair – need to do more …  Try other background debugging tools / metrics.  Synthesize guards to relate different fragments to fix. 26