SEMFIX is a program repair technique that uses semantic analysis via symbolic execution. It takes a failing test suite as input, ranks suspicious statements using statistical fault localization, symbolically executes tests to extract specifications of suspicious statements, and uses program synthesis to generate fixes by solving constraints from symbolic execution. The technique aims to infer the intended meaning of code and automatically generate fixes without human guidance.
The document discusses several techniques for using symbolic execution for software debugging, including regression debugging, cause clue clauses, error invariants, and angelic debugging. Regression debugging involves comparing execution paths of a failing test case in a new buggy program version to paths in an older stable version to find differences that may indicate the root cause. Other techniques use symbolic execution to extract specifications from passing tests, internal program properties, or previous versions to infer the intended behavior and identify inconsistencies in a failing run.
The document summarizes information about program repair and semantic repair. It discusses how most software has bugs that are often not fixed for months after being reported. It then describes reasons for program repair including generating patches as better bug reports and automating simple one-line fixes. It notes challenges with repair like weak test cases and large search spaces. It proposes using specifications, dynamic invariants, or test-driven repair as correctness criteria. It characterizes general purpose repair using generate-and-test or specification inference and discusses associated technical challenges. Finally, it discusses interactive and semantics-based repair.
The document summarizes Abhik Roychoudhury's presentation on automated program repair at the ISSTA Summer School 2019. It provides background on Roychoudhury as a professor at the National University of Singapore who works in program analysis and software security. It then outlines some of the key challenges in automated program repair, including the large search space, overfitting patches to test cases, and the scalability of repair techniques. Symbolic execution and random search are discussed as approaches to guiding the repair search process. Specific techniques like cause clue clauses for debugging and generating patch candidates by editing statements are also summarized.
This document discusses using symbolic reasoning and dynamic symbolic execution to help with program debugging, repair, and regression testing. It presents an approach where inputs are grouped based on producing the same symbolic output to more efficiently test programs and debug issues. Relevant slice conditions are computed to precisely capture input-output relationships and group related paths. This technique aims to find a notion of "similarity" between inputs and executions that is coarser than just considering program paths. The approach is demonstrated on example programs and shown to reduce debugging time compared to only considering program paths.
The document discusses future directions for mobile software with a focus on energy and performance. Some key points:
- Energy and performance are not synonymous and energy measurements are needed to understand energy efficiency.
- Energy bugs and hotspots can be detected by analyzing energy consumption and hardware utilization traces. Refactoring code based on energy guidelines can help fix inefficiencies.
- User reviews and field failures related to battery drain can provide insights and be used to generate tests to localize defects.
- Emerging areas like drone disaster management may benefit from distributed energy management across tasks based on priority and a virtual marketplace model.
This document summarizes a keynote presentation on timing analysis and testing. It discusses several topics:
- Timing analysis techniques including worst-case execution time analysis, detailed architectural modeling, and the Chronos timing analysis tool.
- Cache analysis including identifying thrashing scenarios, instrumenting assertions, and using symbolic execution to generate tests that expose cache performance issues.
- Applications to multi-core timing analysis, analyzing cache side channels, and generating tests or attack scenarios rather than just worst-case execution bounds.
The document advocates leveraging advances in constraint solving and symbolic execution to develop additional timing analysis applications beyond traditional worst-case execution time analysis.
MuVM: Higher Order Mutation Analysis Virtual Machine for CSusumu Tokumoto
Mutation analysis is a method for evaluating the effectiveness of a test suite by seeding faults artificially and measuring the fraction of seeded faults detected by the test suite. The major limitation of mutation analysis is its lengthy execution time because it involves generating, compiling and running large numbers of mutated programs, called mutants. Our tool MuVM achieves a significant runtime improvement by performing higher order mutation analysis using four techniques, metamutation, mutation on virtual machine, higher order split-stream execution, and online adaptation technique. In order to obtain the same behavior as mutating the source code directly, metamutation preserves the mutation location information which may potentially be lost during bitcode compilation and optimization. Mutation on a virtual machine reduces the compilation and testing cost by compiling a program once and invoking a process once. Higher order split-stream execution also reduces the testing cost by executing common parts of the mutants together and splitting the execution at a seeded fault. Online adaptation technique reduces the number of generated mutants by omitting infeasible mutants. Our comparative experiments indicate that our tool is significantly superior to an existing tool, an existing technique (mutation schema generation), and no-split-stream execution in higher order mutation.
Professor Abhik Roychoudhury discusses automated program repair through his research project TSUNAMi. The key points discussed are:
1) TSUNAMi is a national research project in Singapore from 2015-2020 focused on developing trustworthy systems from untrusted components through techniques like vulnerability discovery, binary hardening, verification, and data protection.
2) Automated program repair aims to automatically detect and fix vulnerabilities in software. This involves techniques like syntactic and semantic repair as well as specification inference to understand intended program behavior.
3) Challenges in automated program repair include weak specifications of intended behavior, large search spaces for candidate patches, and limited applicability of existing techniques. Roychoud
The document discusses several techniques for using symbolic execution for software debugging, including regression debugging, cause clue clauses, error invariants, and angelic debugging. Regression debugging involves comparing execution paths of a failing test case in a new buggy program version to paths in an older stable version to find differences that may indicate the root cause. Other techniques use symbolic execution to extract specifications from passing tests, internal program properties, or previous versions to infer the intended behavior and identify inconsistencies in a failing run.
The document summarizes information about program repair and semantic repair. It discusses how most software has bugs that are often not fixed for months after being reported. It then describes reasons for program repair including generating patches as better bug reports and automating simple one-line fixes. It notes challenges with repair like weak test cases and large search spaces. It proposes using specifications, dynamic invariants, or test-driven repair as correctness criteria. It characterizes general purpose repair using generate-and-test or specification inference and discusses associated technical challenges. Finally, it discusses interactive and semantics-based repair.
The document summarizes Abhik Roychoudhury's presentation on automated program repair at the ISSTA Summer School 2019. It provides background on Roychoudhury as a professor at the National University of Singapore who works in program analysis and software security. It then outlines some of the key challenges in automated program repair, including the large search space, overfitting patches to test cases, and the scalability of repair techniques. Symbolic execution and random search are discussed as approaches to guiding the repair search process. Specific techniques like cause clue clauses for debugging and generating patch candidates by editing statements are also summarized.
This document discusses using symbolic reasoning and dynamic symbolic execution to help with program debugging, repair, and regression testing. It presents an approach where inputs are grouped based on producing the same symbolic output to more efficiently test programs and debug issues. Relevant slice conditions are computed to precisely capture input-output relationships and group related paths. This technique aims to find a notion of "similarity" between inputs and executions that is coarser than just considering program paths. The approach is demonstrated on example programs and shown to reduce debugging time compared to only considering program paths.
The document discusses future directions for mobile software with a focus on energy and performance. Some key points:
- Energy and performance are not synonymous and energy measurements are needed to understand energy efficiency.
- Energy bugs and hotspots can be detected by analyzing energy consumption and hardware utilization traces. Refactoring code based on energy guidelines can help fix inefficiencies.
- User reviews and field failures related to battery drain can provide insights and be used to generate tests to localize defects.
- Emerging areas like drone disaster management may benefit from distributed energy management across tasks based on priority and a virtual marketplace model.
This document summarizes a keynote presentation on timing analysis and testing. It discusses several topics:
- Timing analysis techniques including worst-case execution time analysis, detailed architectural modeling, and the Chronos timing analysis tool.
- Cache analysis including identifying thrashing scenarios, instrumenting assertions, and using symbolic execution to generate tests that expose cache performance issues.
- Applications to multi-core timing analysis, analyzing cache side channels, and generating tests or attack scenarios rather than just worst-case execution bounds.
The document advocates leveraging advances in constraint solving and symbolic execution to develop additional timing analysis applications beyond traditional worst-case execution time analysis.
MuVM: Higher Order Mutation Analysis Virtual Machine for CSusumu Tokumoto
Mutation analysis is a method for evaluating the effectiveness of a test suite by seeding faults artificially and measuring the fraction of seeded faults detected by the test suite. The major limitation of mutation analysis is its lengthy execution time because it involves generating, compiling and running large numbers of mutated programs, called mutants. Our tool MuVM achieves a significant runtime improvement by performing higher order mutation analysis using four techniques, metamutation, mutation on virtual machine, higher order split-stream execution, and online adaptation technique. In order to obtain the same behavior as mutating the source code directly, metamutation preserves the mutation location information which may potentially be lost during bitcode compilation and optimization. Mutation on a virtual machine reduces the compilation and testing cost by compiling a program once and invoking a process once. Higher order split-stream execution also reduces the testing cost by executing common parts of the mutants together and splitting the execution at a seeded fault. Online adaptation technique reduces the number of generated mutants by omitting infeasible mutants. Our comparative experiments indicate that our tool is significantly superior to an existing tool, an existing technique (mutation schema generation), and no-split-stream execution in higher order mutation.
Professor Abhik Roychoudhury discusses automated program repair through his research project TSUNAMi. The key points discussed are:
1) TSUNAMi is a national research project in Singapore from 2015-2020 focused on developing trustworthy systems from untrusted components through techniques like vulnerability discovery, binary hardening, verification, and data protection.
2) Automated program repair aims to automatically detect and fix vulnerabilities in software. This involves techniques like syntactic and semantic repair as well as specification inference to understand intended program behavior.
3) Challenges in automated program repair include weak specifications of intended behavior, large search spaces for candidate patches, and limited applicability of existing techniques. Roychoud
The document discusses various concepts related to conditional statements and logical operators in Java.
1) It explains if, if-else statements and how they allow a program to make choices and execute different code blocks conditionally. Nested if statements and else-if ladder are also covered.
2) Logical operators like &&, || and ! are described which allow combining multiple boolean expressions. Truth tables for AND, OR and NOT operators are provided.
3) The conditional operator ?: is explained as another way to write conditional expressions in a single line.
4) The switch statement is summarized as providing an alternative to multiple if-else statements when checking discrete cases of a variable.
LSRepair: Live Search of Fix Ingredients for Automated Program RepairDongsun Kim
Automated program repair (APR) has extensively been developed by leveraging search-based techniques, in which fix ingredients are explored and identified in different granular- ities from a specific search space. State-of-the approaches often find fix ingredients by using mutation operators or leveraging manually-crafted templates. We argue that the fix ingredients can be searched in an online mode, leveraging code search techniques to find potentially-fixed versions of buggy code fragments from which repair actions can be extracted. In this study, we present an APR tool, LSRepair, that automatically explores code repositories to search for fix ingredients at the method-level granularity with three strategies of similar code search. Our preliminary evaluation shows that code search can drive a faster fix process (some bugs are fixed in a few seconds). LSRepair helps repair 19 bugs from the Defects4J benchmark successfully. We expect our approach to open new directions for fixing multiple-lines bugs.
This document contains a summary of a Java fundamentals exam with 10 sections and 38 multiple choice questions. Key points:
1) The exam covers topics like Eclipse views, Java syntax, loops, arrays, strings, exceptions, and object-oriented concepts.
2) Most questions have a single correct answer marked with an asterisk and feedback is provided for incorrect responses.
3) The questions test knowledge of fundamental Java concepts like variable declaration, loop initialization, object creation, and exception handling.
Operators In Java Part - 8
Like My Page:
www.facebook.com/pakcoders
What is Java? Part - 1
https://www.slideshare.net/MuhammadAtif231/what-is-java-part-1
History Of Java Part - 2
https://www.slideshare.net/MuhammadAtif231/history-of-java-part-2
Features Of Java Part - 3
https://www.slideshare.net/MuhammadAtif231/history-of-java-part-2
C++ Vs Java Part - 4
https://www.slideshare.net/MuhammadAtif231/c-vs-java-part-4
These slides contain an introduction to Symbolic execution and an introduction to KLEE.
I made this for a small demo/intro for my research group's meeting.
Introduction to programming with ZIO functional effectsJorge Vásquez
This document provides an introduction to functional programming concepts and the ZIO library. It discusses programming with pure functions, handling side effects through effect types, and the ZIO data type for describing side effects in a type-safe way. It then introduces some common ZIO type aliases like Task, UIO, RIO, IO and URIO. The document concludes by mentioning a live coding example of building a Hangman game using ZIO.
1) Verilog allows parameters and localparams to define constants in modules. Parameters can alter module behavior when their values change, while localparam values cannot change.
2) System tasks like $display and $monitor are used for outputting values and monitoring signals. $stop and $finish control simulation execution.
3) Compiler directives like `define, `include, `ifdef and `timescale are used to define macros, include files, and make conditional compilations in Verilog.
This document discusses operators in Java programming. It describes various types of operators including arithmetic, relational, logical, assignment, increment/decrement, and ternary operators. It provides examples of using each type of operator and explains their functionality and precedence. Key operator types covered are arithmetic, relational, logical, assignment, increment/decrement, ternary, and short-circuit logical operators. The document aims to explain how operators work in Java and demonstrate their usage through code examples.
This document provides an overview of a 5-day Java programming workshop covering operators and conditionals. It discusses arithmetic, assignment, relational and logical operators as well as operator precedence. It also covers conditional statements using if/else and switch/case and provides examples of evaluating grades based on percentages. Additional learning resources on Java programming concepts and documentation are recommended.
Exception handling in Java allows programmers to manage runtime errors programmatically. The try block contains code that may throw exceptions, while catch blocks define how to handle specific exceptions. Finally blocks contain cleanup code that always executes regardless of exceptions. Common exceptions include NullPointerException, ArrayIndexOutOfBoundsException, and ArithmeticException. The throw keyword explicitly throws exceptions, while throws in method declarations informs callers about checked exceptions they must handle or propagate.
This document outlines Chapter 4 of a textbook on control structures in programming. It introduces algorithms and pseudocode, then covers various control structures like sequence, selection, and repetition structures. It discusses if, if/else, and while statements in Java. It includes examples of algorithms to calculate class averages using counter-controlled and sentinel-controlled repetition. It also covers topics like compound assignment operators, increment/decrement operators, and nested control structures.
This document discusses behavioral Verilog coding constructs including always and initial blocks, blocking vs non-blocking assignments, and if-else and case statements. It provides examples of coding flip-flops and sequential logic using these constructs. It also discusses simulator mechanics and the stratified event queue model of simulation.
The document discusses lazy evaluation and how it can improve performance by avoiding unnecessary computations. Some key points:
- Lazy evaluation delays evaluating expressions until their values are needed. This allows for optimizations like avoiding evaluating function arguments that are not used.
- Languages like Java are strict, meaning functions always immediately evaluate their arguments. But some constructs like boolean operators and ternary expressions are lazily evaluated for efficiency.
- Lazy evaluation enables infinite streams, as in Java 8, since intermediate operations are not computed until a terminal operation triggers the full pipeline.
- Some algorithms like generating primes cannot reasonably be implemented without laziness. It allows separating problem description from evaluation.
- Implementing laziness in Java requires
The document discusses conditional execution in Java using if, if/else, and nested if/else statements. It provides examples of using relational operators in conditional tests and evaluating logical expressions. It also covers topics like factoring redundant code out of if/else blocks, having if/else statements return values, ensuring all code paths in if/else blocks return, and using cumulative sums in loops.
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...Dongsun Kim
Properly benchmarking Automated Program Re- pair (APR) systems should contribute to the development and adoption of the research outputs by practitioners. To that end, the research community must ensure that it reaches significant milestones by reliably comparing state-of-the-art tools for a better understanding of their strengths and weaknesses. In this work, we identify and investigate a practical bias caused by the fault localization (FL) step in a repair pipeline. We propose to highlight the different fault localization configurations used in the literature, and their impact on APR systems when applied to the Defects4J benchmark. Then, we explore the performance variations that can be achieved by “tweaking” the FL step. Eventually, we expect to create a new momentum for (1) full disclosure of APR experimental procedures with respect to FL, (2) realistic expectations of repairing bugs in Defects4J, as well as (3) reliable performance comparison among the state-of-the- art APR systems, and against the baseline performance results of our thoroughly assessed kPAR repair tool. Our main findings include: (a) only a subset of Defects4J bugs can be currently localized by commonly-used FL techniques; (b) current practice of comparing state-of-the-art APR systems (i.e., counting the number of fixed bugs) is potentially misleading due to the bias of FL configurations; and (c) APR authors do not properly qualify their performance achievement with respect to the different tuning parameters implemented in APR systems.
- White-box or glass-box testing focuses on exploiting a program's control structure and flow to design test cases.
- It allows testing of specific parts of a program and systematically covering every part.
- Types of white-box tests include statement coverage, decision coverage, and condition coverage.
- Statement coverage aims to exercise all statements at least once while decision and condition coverage aim to test all decisions and conditions under both true and false values.
The document contains a list of 40 Java interview questions related to core Java, servlets, and JSP. The questions cover topics such as default array values, declaring and initializing arrays, Java keywords, if/else conditions, switch statements, loops, strings, wrappers, methods, threads, JDBC, servlet scopes, servlet lifecycle methods, differences between servlets and JSPs, implicit objects in JSP, and JSP directives.
Introduction to Selection control structures in C++ Neeru Mittal
The document discusses various control structures in C++ that alter the sequential flow of program execution. It describes selection statements like if, if-else which execute code conditionally based on boolean expressions. Iterative statements like for, while, do-while loops repeat code execution. The switch statement provides a selection from multiple options. Control structures allow solving problems by choosing the appropriate combination of decision making and repetition.
TDD, BDD, ATDD are all methodologies that enable incremental design that is suitable for Agile environments. It seems that every day a new xDD methodology is born with the promise to be better than what came before. Should you use behaviour-driven tests or plain old unit tests? Which methodology is better? And how exactly would it benefit the development life cycle?
In this session, Dror will help to sort out the various methodologies – explaining where they came from, the tools they use, and discussing how and when to use each one. Here we will once and for all answer the question as to whether or not there’s one “DD” to rule them all.
This document summarizes a talk given about the most influential paper award from ICSE2023 on program repair and auto-coding. It discusses:
1. The 2013 SemFix paper which introduced an automated repair method using symbolic execution, constraint solving, and program synthesis to generate patches without formal specifications.
2. How subsequent work incorporated learning and inference techniques to glean specifications from tests to guide repair when specifications were not available.
3. The impact of machine learning approaches on automated program repair, including learning from large code change datasets to predict edits, and opportunities for continued improvement in localization and accuracy.
Greybox fuzzing methods to find security vulnerabilities in software systems are discussed in this talk. We discuss how fuzz testing methods can be inspired by ideas from symbolic execution and model checking to go beyond conventional fuzzing methods, without sacrificing the efficiency of fuzzing.
Overview of Fuzz Testing and the latest advances in the field are discussed. Fuzz testing is a popular method to find security vulnerabilities in software systems.
The document discusses various concepts related to conditional statements and logical operators in Java.
1) It explains if, if-else statements and how they allow a program to make choices and execute different code blocks conditionally. Nested if statements and else-if ladder are also covered.
2) Logical operators like &&, || and ! are described which allow combining multiple boolean expressions. Truth tables for AND, OR and NOT operators are provided.
3) The conditional operator ?: is explained as another way to write conditional expressions in a single line.
4) The switch statement is summarized as providing an alternative to multiple if-else statements when checking discrete cases of a variable.
LSRepair: Live Search of Fix Ingredients for Automated Program RepairDongsun Kim
Automated program repair (APR) has extensively been developed by leveraging search-based techniques, in which fix ingredients are explored and identified in different granular- ities from a specific search space. State-of-the approaches often find fix ingredients by using mutation operators or leveraging manually-crafted templates. We argue that the fix ingredients can be searched in an online mode, leveraging code search techniques to find potentially-fixed versions of buggy code fragments from which repair actions can be extracted. In this study, we present an APR tool, LSRepair, that automatically explores code repositories to search for fix ingredients at the method-level granularity with three strategies of similar code search. Our preliminary evaluation shows that code search can drive a faster fix process (some bugs are fixed in a few seconds). LSRepair helps repair 19 bugs from the Defects4J benchmark successfully. We expect our approach to open new directions for fixing multiple-lines bugs.
This document contains a summary of a Java fundamentals exam with 10 sections and 38 multiple choice questions. Key points:
1) The exam covers topics like Eclipse views, Java syntax, loops, arrays, strings, exceptions, and object-oriented concepts.
2) Most questions have a single correct answer marked with an asterisk and feedback is provided for incorrect responses.
3) The questions test knowledge of fundamental Java concepts like variable declaration, loop initialization, object creation, and exception handling.
Operators In Java Part - 8
Like My Page:
www.facebook.com/pakcoders
What is Java? Part - 1
https://www.slideshare.net/MuhammadAtif231/what-is-java-part-1
History Of Java Part - 2
https://www.slideshare.net/MuhammadAtif231/history-of-java-part-2
Features Of Java Part - 3
https://www.slideshare.net/MuhammadAtif231/history-of-java-part-2
C++ Vs Java Part - 4
https://www.slideshare.net/MuhammadAtif231/c-vs-java-part-4
These slides contain an introduction to Symbolic execution and an introduction to KLEE.
I made this for a small demo/intro for my research group's meeting.
Introduction to programming with ZIO functional effectsJorge Vásquez
This document provides an introduction to functional programming concepts and the ZIO library. It discusses programming with pure functions, handling side effects through effect types, and the ZIO data type for describing side effects in a type-safe way. It then introduces some common ZIO type aliases like Task, UIO, RIO, IO and URIO. The document concludes by mentioning a live coding example of building a Hangman game using ZIO.
1) Verilog allows parameters and localparams to define constants in modules. Parameters can alter module behavior when their values change, while localparam values cannot change.
2) System tasks like $display and $monitor are used for outputting values and monitoring signals. $stop and $finish control simulation execution.
3) Compiler directives like `define, `include, `ifdef and `timescale are used to define macros, include files, and make conditional compilations in Verilog.
This document discusses operators in Java programming. It describes various types of operators including arithmetic, relational, logical, assignment, increment/decrement, and ternary operators. It provides examples of using each type of operator and explains their functionality and precedence. Key operator types covered are arithmetic, relational, logical, assignment, increment/decrement, ternary, and short-circuit logical operators. The document aims to explain how operators work in Java and demonstrate their usage through code examples.
This document provides an overview of a 5-day Java programming workshop covering operators and conditionals. It discusses arithmetic, assignment, relational and logical operators as well as operator precedence. It also covers conditional statements using if/else and switch/case and provides examples of evaluating grades based on percentages. Additional learning resources on Java programming concepts and documentation are recommended.
Exception handling in Java allows programmers to manage runtime errors programmatically. The try block contains code that may throw exceptions, while catch blocks define how to handle specific exceptions. Finally blocks contain cleanup code that always executes regardless of exceptions. Common exceptions include NullPointerException, ArrayIndexOutOfBoundsException, and ArithmeticException. The throw keyword explicitly throws exceptions, while throws in method declarations informs callers about checked exceptions they must handle or propagate.
This document outlines Chapter 4 of a textbook on control structures in programming. It introduces algorithms and pseudocode, then covers various control structures like sequence, selection, and repetition structures. It discusses if, if/else, and while statements in Java. It includes examples of algorithms to calculate class averages using counter-controlled and sentinel-controlled repetition. It also covers topics like compound assignment operators, increment/decrement operators, and nested control structures.
This document discusses behavioral Verilog coding constructs including always and initial blocks, blocking vs non-blocking assignments, and if-else and case statements. It provides examples of coding flip-flops and sequential logic using these constructs. It also discusses simulator mechanics and the stratified event queue model of simulation.
The document discusses lazy evaluation and how it can improve performance by avoiding unnecessary computations. Some key points:
- Lazy evaluation delays evaluating expressions until their values are needed. This allows for optimizations like avoiding evaluating function arguments that are not used.
- Languages like Java are strict, meaning functions always immediately evaluate their arguments. But some constructs like boolean operators and ternary expressions are lazily evaluated for efficiency.
- Lazy evaluation enables infinite streams, as in Java 8, since intermediate operations are not computed until a terminal operation triggers the full pipeline.
- Some algorithms like generating primes cannot reasonably be implemented without laziness. It allows separating problem description from evaluation.
- Implementing laziness in Java requires
The document discusses conditional execution in Java using if, if/else, and nested if/else statements. It provides examples of using relational operators in conditional tests and evaluating logical expressions. It also covers topics like factoring redundant code out of if/else blocks, having if/else statements return values, ensuring all code paths in if/else blocks return, and using cumulative sums in loops.
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...Dongsun Kim
Properly benchmarking Automated Program Re- pair (APR) systems should contribute to the development and adoption of the research outputs by practitioners. To that end, the research community must ensure that it reaches significant milestones by reliably comparing state-of-the-art tools for a better understanding of their strengths and weaknesses. In this work, we identify and investigate a practical bias caused by the fault localization (FL) step in a repair pipeline. We propose to highlight the different fault localization configurations used in the literature, and their impact on APR systems when applied to the Defects4J benchmark. Then, we explore the performance variations that can be achieved by “tweaking” the FL step. Eventually, we expect to create a new momentum for (1) full disclosure of APR experimental procedures with respect to FL, (2) realistic expectations of repairing bugs in Defects4J, as well as (3) reliable performance comparison among the state-of-the- art APR systems, and against the baseline performance results of our thoroughly assessed kPAR repair tool. Our main findings include: (a) only a subset of Defects4J bugs can be currently localized by commonly-used FL techniques; (b) current practice of comparing state-of-the-art APR systems (i.e., counting the number of fixed bugs) is potentially misleading due to the bias of FL configurations; and (c) APR authors do not properly qualify their performance achievement with respect to the different tuning parameters implemented in APR systems.
- White-box or glass-box testing focuses on exploiting a program's control structure and flow to design test cases.
- It allows testing of specific parts of a program and systematically covering every part.
- Types of white-box tests include statement coverage, decision coverage, and condition coverage.
- Statement coverage aims to exercise all statements at least once while decision and condition coverage aim to test all decisions and conditions under both true and false values.
The document contains a list of 40 Java interview questions related to core Java, servlets, and JSP. The questions cover topics such as default array values, declaring and initializing arrays, Java keywords, if/else conditions, switch statements, loops, strings, wrappers, methods, threads, JDBC, servlet scopes, servlet lifecycle methods, differences between servlets and JSPs, implicit objects in JSP, and JSP directives.
Introduction to Selection control structures in C++ Neeru Mittal
The document discusses various control structures in C++ that alter the sequential flow of program execution. It describes selection statements like if, if-else which execute code conditionally based on boolean expressions. Iterative statements like for, while, do-while loops repeat code execution. The switch statement provides a selection from multiple options. Control structures allow solving problems by choosing the appropriate combination of decision making and repetition.
TDD, BDD, ATDD are all methodologies that enable incremental design that is suitable for Agile environments. It seems that every day a new xDD methodology is born with the promise to be better than what came before. Should you use behaviour-driven tests or plain old unit tests? Which methodology is better? And how exactly would it benefit the development life cycle?
In this session, Dror will help to sort out the various methodologies – explaining where they came from, the tools they use, and discussing how and when to use each one. Here we will once and for all answer the question as to whether or not there’s one “DD” to rule them all.
This document summarizes a talk given about the most influential paper award from ICSE2023 on program repair and auto-coding. It discusses:
1. The 2013 SemFix paper which introduced an automated repair method using symbolic execution, constraint solving, and program synthesis to generate patches without formal specifications.
2. How subsequent work incorporated learning and inference techniques to glean specifications from tests to guide repair when specifications were not available.
3. The impact of machine learning approaches on automated program repair, including learning from large code change datasets to predict edits, and opportunities for continued improvement in localization and accuracy.
Greybox fuzzing methods to find security vulnerabilities in software systems are discussed in this talk. We discuss how fuzz testing methods can be inspired by ideas from symbolic execution and model checking to go beyond conventional fuzzing methods, without sacrificing the efficiency of fuzzing.
Overview of Fuzz Testing and the latest advances in the field are discussed. Fuzz testing is a popular method to find security vulnerabilities in software systems.
This document summarizes an expert talk on fuzz testing and greybox fuzzing. It discusses various fuzz testing techniques like black-box, white-box, and greybox fuzzing. It explains the greybox fuzzing algorithm and how techniques like directed and structured fuzzing can enhance it. It also discusses applications of fuzzing like finding crashes and vulnerabilities, and integration into tools like OSS-Fuzz. Overall, the document outlines the state-of-the-art in fuzz testing and opportunities to improve greybox fuzzing through techniques inspired by symbolic execution and model checking.
Keynote given at the Asia Pacific Software Engineering Conference (APSEC), December 2020, on Automated Program Repair technologies and their applications.
The document discusses trustworthy systems and trusted AI. It provides background on the Singapore Cybersecurity Consortium and its vision of trustworthy systems. It then summarizes ongoing work, including capabilities for security testing, formal verification of systems, and research on defending against Spectre attacks and fuzz testing. It also discusses model training and robustness, fuzzing for deep neural networks, and research on self-healing systems through specification inference and genetic programming.
Introductory talk given to PhD students starting research at NUS PhD open day 2020. Covers research in Computer Science, and some experience in research on trustworthy software systems.
This document summarizes a talk given by Prof. Abhik Roychoudhury about skills needed for a PhD. He discusses obvious skills like analyzing papers and identifying research trends. Less obvious skills include choosing impactful problems and determining if one has the right background. The least obvious skill is determining what constitutes a research contribution, which is qualitative rather than quantitative. The talk provides examples of different types of contributions and emphasizes choosing an interesting research area and topic, considering its relevance over time, potential for translation, and avoiding negative perceptions from the community.
Automated Program Repair, Distinguished lecture at MPI-SWSAbhik Roychoudhury
MPI-SWS Distinguished Lecture 2019. The talk focuses on fuzzing, symbolic execution as background technologies and compares their relative power. Then the use of such technologies for automated program repair is investigated.
Keynote in KLEE workshop on Symbolic Execution 2018
Systematic greybox fuzzing inspired by ideas from symbolic execution, work at NUS
Covers new usage of symbolic execution in automated program repair, work at NUS
This document discusses binary analysis for vulnerability detection. It describes research conducted at the National University of Singapore on binary analysis techniques like fuzz testing, comprehension, debugging, and patching. It outlines projects with DSO National Labs and the National Research Foundation of Singapore. The research aims to enhance capabilities in detecting vulnerabilities and securing software through automated binary analysis and techniques like fuzzing.
Why does P’ behave differently than P for input t?
Programmer: P' was changed to handle negative inputs correctly. It was not supposed to change behavior for non-negative inputs like t.
1. SEMFIX: PROGRAM REPAIR VIA
SEMANTIC ANALYSIS
Dagstuhl, Feb 2013
H.D.T. Nguyen, Dawei Qi, Abhik Roychoudhury
National University of Singapore, &
Satish Chandra
1 IBM Research
Talk given at Dagstuhl Seminar on Fault Prediction,
Localization and Repair, February 2013.
2. WHAT WE HAVE BEEN DISCUSSING
Precise debugging is laborious.
Dagstuhl, Feb 2013
Specification based repair,
Genetic Programming,
…
Symbolic execution of test cases to extract specifications
2
3. Test–suite Failing tests
THIS WORK …
Dagstuhl, Feb 2013
Suspicions !! – statistical fault localization.
Infer intended meaning of suspicious statements
- Symbolic execution (SE)
Solve constraint from SE to create fixed statement
- Program synthesis 3
4. 0. THE PROBLEM
1 int is_upward( int inhibit, int up_sep, int down_sep){
2 int bias;
3 if (inhibit)
Dagstuhl, Feb 2013
4 bias = down_sep; // bias= up_sep + 100
5 else bias = up_sep ;
6 if (bias > down_sep)
7 return 1;
8 else return 0;
9 }
inhibit up_sep down_se Observed Expected Result
p output Output
1 0 100 0 0 pass
1 11 110 0 1 fail
0 100 50 1 1 pass
4
1 -20 60 0 1 fail
0 0 10 0 0 pass
5. 1. FIND A SUSPECT
1 int is_upward( int inhibit, int up_sep, int down_sep){
2 int bias;
3 if (inhibit)
4 bias = down_sep; // bias= up_sep + 100
Dagstuhl, Feb 2013
5 else bias = up_sep ;
6 if (bias > down_sep)
7 return 1;
8 else return 0;
9 }
Line Score Rank
4 0.75 1
8 0.6 2
3 0.5 3
6 0.5 3
5 0 5
5
7 0 5
6. 2 WHAT IT SHOULD HAVE BEEN
1 int is_upward( int inhibit, int up_sep, int down_sep){
2 int bias;
3 if (inhibit)
4 bias = down_sep; // bias= up_sep + 100
5 else bias = up_sep ;
6 if (bias > down_sep)
Dagstuhl, Feb 2013
7 return 1;
8 else return 0;
9 }
inhibit up_sep down_se Observed Expected Result
p output Output
1 11 110 0 1 fail
Line 4
inhibit = 1, up_sep = 11, down_sep = 110
bias = X, path condition = true
Line 7 Line 8
inhibit = 1, up_sep = 11, down_sep = 110 inhibit = 1, up_sep = 11, down_sep = 110 6
bias = X, path condition = X> 110 bias = X, path condition = X ≤ 110
7. 2. WHAT IT SHOULD HAVE BEEN
Inhibit up_sep down_se
== 1 == 11 p == 110
1 int is_upward( int inhibit, int up_sep, int
Dagstuhl, Feb 2013
down_sep){
2 int bias;
3 if (inhibit)
4 bias = f(inhibit, up_sep, down_sep)
5 else bias = up_sep ;
6 if (bias > down_sep)
7 return 1;
8 else return 0;
9 }
Symbolic Execution
7
f(1,11,110) > 110
8. 3. FIX THE SUSPECT
Accumulated constraints
f(1,11, 110) > 110
Dagstuhl, Feb 2013
f(1,0,100) ≤ 100
…
Find a f satisfying this constraint
By fixing the set of operators appearing in f
Candidate methods
Search over the space of expressions
Program synthesis with fixed set of operators
More efficient!!
Generated fix
8
f(inhibit,up_sep,down_sep) = up_sep + 100
9. TO RECAPITULATE
Ranked Bug report
Hypothesize the error causes – suspect
Dagstuhl, Feb 2013
Symbolic execution
Specification of the suspicious statement
Input-output requirements from each test
Repair constraint
Program synthesis
Decide operators which can appear in the fix
Generate a fix by solving repair constraint.
9
10. PRODUCING RANKED BUG REPORT
We use the Tarantula toolkit.
Given a test-suite T
Dagstuhl, Feb 2013
fail(s)
allfail
Score(s) = fail(s) pass(s)
allfail
+ allpass
fail(s) # of failing executions in which s occurs
pass(s) # of passing executions in which s occurs
allfail Total # of failing executions
allpass Total # of passing executions
allfail + allpass = |T|
Can also use other metric like Ochiai. 10
11. USAGE OF RANKED BUG REPORT
Buggy
Program
Dagstuhl, Feb 2013
Test Suite
NO
-Investigate what this
statement should be.
- Generate a fixed
YES statement
Fixed 11
Program
12. TO RECAPITULATE
Ranked Bug report
Hypothesize the error causes – suspect
Dagstuhl, Feb 2013
Symbolic execution
Specification of the suspicious statement
Input-output requirements from each test
Repair constraint
Program synthesis
Decide operators which can appear in the fix
Generate a fixed statement by solving repair constraint.
12
13. WHAT IT SHOULD HAVE BEEN
Concrete test input
Dagstuhl, Feb 2013
… Concrete Execution
var = x + b – c;
a Buggy Program
Symbolic Execution with x as the
only unknown
Path conditions,
13
Output Expressions
14. EXAMPLE
Inhibit == 1 up_sep == 11 down_sep == 110
1 int is_upward( int inhibit, int up_sep, int down_sep){
2 int bias;
Dagstuhl, Feb 2013
3 if (inhibit)
4 bias = f(inhibit, up_sep, down_sep) // X
5 else bias = up_sep ;
6 if (bias > down_sep)
7 return 1;
8 else return 0;
9 } Symbolic Execution
( pcj outj == expected_out(t) )
( (X >110 1 ==1) j Paths
(X ≤ 110 0 == 1)
)
f(1,11,110) == X f(t) == X 14
Repair constraint
15. OVERALL REPAIR CONSTRAINT
t1 t2
Repair constraint = Consi
Dagstuhl, Feb 2013
TS
…
var = … ;
1. TS = failing tests;
2. Repair based on TS // guaranteed to pass TS
3. New = newly failed tests due to repair
4. If (New == ) exit // Got your repair
5. else { TS = TS New;
6. Go to 2 }
Cons1 Cons2 15
Repair Constraint = Cons1 Cons2
16. TO RECAPITULATE
Ranked Bug report
Hypothesize the error causes – suspect
Dagstuhl, Feb 2013
Symbolic execution
Specification of the suspicious statement
Input-output requirements from each test
Repair constraint
Program synthesis
Decide operators which can appear in the fix
Generate a fix by solving repair constraint.
16
17. WHY PROGRAM SYNTHESIS
Repair Constraint:
Instead of solving f(1,11,110) > 110 f(1,0,100) ≤ 100
f(1,-20,60) > 60
Dagstuhl, Feb 2013
Select primitive components to be used by the synthesized program
based on complexity
Look for a program that uses only these primitive components and
satisfy the repair constraint
Where to place each component?
int tmp = down_sep -1; int tmp=down_sep + 1;
return up_sep + tmp;
+ return tmp- inhibit;
What are the parameters?
int tmp = down_sep -1; int tmp = down_sep -1;
return tmp + inhibit ; 17
inhibit return tmp + inhibit ;
up_sep
18. LOCATION VARIABLES
Define location variables for each component
Constraint on location variables solved by SMT.
Well-formed e.g. defined before being used
Dagstuhl, Feb 2013
Output constraint from each test (repair constraint)
Meaning of the components
Lines determine the value Lx == Ly x == y
Once locations are found, program is constructed.
Components = {+}
Lin == 0, Lout == 1, Lout+ == 1, Lin1+ == 0, Lin2+ == 0
0 r0 = input;
1 r = r0 + r0;
2 return r;
18
19. EVALUATION
Results from
SIR and GNU CoreUtils
Dagstuhl, Feb 2013
Tools
Ranked Bug report (Tarantula)
Symbolic execution (KLEE)
Program synthesis (Own tool + Z3)
19
20. SUCCESS OF REPAIR (SIR)
45 Time bound = 4 mins.
40
Dagstuhl, Feb 2013
35
30
# of programs repaired
25 Total
20 Semfix TCAS
15 GenProg
10
5
0
10 20 30 40 50 Number of tests
Overall 90 programs from SIR
20
SemFix repaired 48/90, GenProg repaired 16/90 for 50 tests.
GenProg running time is >3 times of SemFix
21. TYPE OF BUGS (SIR)
Total SemFix GenProg
Dagstuhl, Feb 2013
Constant 14 10 3
Arithmetic 14 6 0
Comparison 16 12 5
Logic 10 10 3
Code 27 5 3
Missing
Redundant 9 5 2
Code
ALL 90 48 16
21
22. GNU COREUTILS
9 buggy programs where bug could be reproduced.
Taken from paper on KLEE, OSDI 2008.
Dagstuhl, Feb 2013
SemFix succeeded in 4/9 [mkdir, cp, …]
Average time = 3.8 mins.
Average time = 6 mins. [GenProg]
All GenProg experiments using configuration from ICSE
2012 paper by Le Goues et al.
Pop size, # generations, …
Other configurations may lead to success for GP, but then we
need a systematic method to determine the configurations.
22
23. EXPRESSION ENUMERATION
Enumerate all expressions over a given set of
components (i.e. operators)
Enforce axioms of the operators
Dagstuhl, Feb 2013
If candidate repair contains a constant, solve using SMT
Program synthesis turns out to be faster.
Subject TCAS Schedule Schedule2 replace grep
Ratio 6.9 2.8 2.5 1.36 2.2
23
Enumeration also timed out > 20 minutes. These are not even included.
24. REPAIRS THAT WERE NOT DONE
Multiple line fix
Complex code to be inserted
Dagstuhl, Feb 2013
Same wrong branch condition
if (c ){ … } … if (c) { … }
Updates to multiple variables
x = e1; … ; y = e2; …
Floating point bugs
n = (int) (count*ratio + 1.1);
Can be overcome, limitation of KLEE/solvers
Other problems, e.g. wrong function call
current_job = (struct process *)0;
get_current(); 24
26. OUR PAPER APPEARS IN ICSE’13
Repair exploiting symbolic execution
Avoids enumeration over a space of expressions from a
Dagstuhl, Feb 2013
pre-fixed template language.
Repair via constraint solving
Synthesize rather than lifting fixes from elsewhere.
Repair without formal specifications
Pass given test cases by a constraint solver answering
“What it should have been?”
Single line repair – need to do more …
Try other background debugging tools / metrics.
Synthesize guards to relate different fragments to fix.
26