Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012

Hai WanSchool of Software

Sun Yat-sen University

KRW-2012June 17, 2012

Boolean Program Repair Reverse Conversion Tool via SMT

◆ Background◆ Related work◆ Key ideas ◇ Translating C into boolean program ◇ Reduce to SMT ◇ Boolean program repair formula reverse

◆ Empirical result

Outline

Background Related work Key ideas Empirical result

◆ Manual debugging

◆ Automated debugging

◆ which is comprised of

◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair

1 static int x;2 void main() {3 x = 3;4 f();5 assert(x == 0); }6 void f(){7 x = x – 1;8 if(x > 1){ 9 f();

} }





◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair


} }

Test case



} }

x = 0

main()

Static Area

Stack




◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair



} }

x = 3

main()

Static Area

Stack




◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair



} }

x = 2

main()

f()

Static Area

Stack




◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair



} }

x = 2

main()

f()

f()

Static Area

Stack




◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair



} }

x = 1

main()

f()

f()

Static Area

Stack




◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair



} }

x = 1

main()

Static Area

Stack




◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair


1 static int x;2 void main() {3 x = 3;4 f();5 assert(x == 0); }6 void f(){7 x = x – 1;8 if(x !=0 ){ 9 f();

} }

x = 0

main()

Static Area

Stack




◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair





◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair


} }

Test caseWrong program





◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair

Test casesWrong Program

Automated debugging

Correct Program

Specification





◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair


} }

Test case

((x == 3) ∧

(x’ == 2) ∧

(x’’ == 1))

(x’’ == 0)





◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair


} }

Fault location





◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair

1 static int x;2 void main() {3 x = 3;4 f();5 assert(x == 0); }6 void f(){7 x = x – 1;8 if(x > 1){ ??? 9 f();

} }

((x == 3) ∧

(x’ == 2) ∧

(x’’ == 1)

(x’’’ == 0)

(x’’’ == 0))

Mutation





◇ Error detection

◇ Fault location

◇ Understanding

◇ Program repair

1 static int x;2 void main() {3 x = 3;4 f();5 assert(x == 0); }6 void f(){7 x = x – 1;8 if(x != 0){ 9 f();

} }

((x == 3) ∧

(x’ == 2) ∧

(x’’ == 1)

(x’’’ == 0)

(x’’’ == 0))


1 Demsky B. et al [1] Data structure consistency specifications

2 Arcuri [2] Automatic Bug Fixing (ABF)

3 Weimer W. et al [3] Genetic Programming (GP)

4 Griesmayer[4] Program repair as a game

[1] Demsky B., Ernst M.D., Guo P.J., McCamant S., Perkins J., Rinard M. Inference and enforcement of data structure consistency specifications[A]. Proceedings of the 2006 international symposium on Software testing and analysis[C]. 2006: 233-234.[2] Arcuri A. On the automation of fixing software bugs[A]. Companion of the 30th international conference on Software engineering[C]. 2008: 1003-1006.[3] Westley Weimer, ThanhVu Nguyen, Claire Le Goues, Stephanie Forrest. Automatically finding patches using genetic programming[A]. Proceeding ICSE '09 Proceedings of the 31st International Conference on Software Engineering Pages 364-374 [4] Griesmayer A., Bloem R., Cook B. Repair of boolean programs with an application to C[A]. Computer Aided Verification[C]. 2006: 358-371.

Specification

Test case


◆ Translating C into boolean program

◆ Reduce to SMT

◆ Boolean program repair formula reverse

Translating C into Boolean Program [5]


◆ Assume there exists only one located error, < PC , T >

PB

◇ PC , a wrong C program

◇ T, a test case

◇ PB , a translated wrong Boolean program

◆ Tools

◇ SLAM1, SATABS2[5] Ball T., Majumdar R., Millstein T., Rajamani S. Automatic predicate abstraction of C programs[A]. ACM SIGPLAN Notices[C]. 2001: 203-213.1 http://research.microsoft.com/en-us/projects/slam/2 http://www.cprover.org/satabs/

Translating C into Boolean Program


1 static int x;2 void main(){3 x = 3;4 f();5 assert(x == 0); }6 void f(){7 x = x – 1;8 if(x > 1){ 9 f();

} }

decl p1, p2, p3;0 main()1 p1, p2, p3 := 0, 1, 1;2 f();3 assert(p1);4 end;5 f()6 p1, p2, p3 := *, p3, *;7 if(p2) 8 f();9 fi10 End

p1: x == 0p2: x > 1p3: x > 2

Translating C into Boolean Program


1 static int x;2 void main(){3 x = 3;4 f();5 assert(x == 0); }6 void f(){7 x = x – 1;8 if(x > 1){ 9 f();

} }

decl p1, p2, p3;0 main()1 p1, p2, p3 := 0, 1, 1;2 f();3 assert(p1);4 end;5 f()6 p1, p2, p3 := *, p3, *;7 if(*rep) // if(p2) 8 f();9 fi10 End

p1: x == 0p2: x > 1p3: x > 2

Reduce to SMT


decl p1, p2, p3;0 main()1 p1, p2, p3 := 0, 1, 1;2 f();3 assert(p1);4 end;5 f()6 p1, p2, p3 := *, p3, *;7 if(p2) // if(*rep) 8 f();9 fi10 End

000 010 011 100

X

Reduce to SMT



Reduce to SMT



⌝a a ⌝b b ⌝c c ⌝d d

X X X √

⌝ab ⌝b ⌝c ab( ⌝ d)

000 010 011 100

⌝bc

Reduce to SMT




X X X √

⌝ab ⌝b ⌝c ab( ⌝ d)

000 010 011 100

Fp1= b⌝

Reduce to SMT




X X X √

⌝ab ⌝b ⌝c ab( ⌝ d)

000 010 011 100

Fp1= b⌝

Fp0= ab⌝

Fp2= c⌝

Reduce to SMT


◆ F=⌝(Fp1 ∨ Fp2 … ∨ ∨ Fpn )

Reduce to SMT


◆ Compute prime implicant I of F=⌝(Fp1 ∨ Fp2 … ∨ ∨ Fpn )

◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c)

◇ I=(a b c⋁ ⋁ )

Reduce to SMT



◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c)

◇ I=(a b c⋁ ⋁ )

◇ Ip= ⌝p1∧(p2 ⋁⌝p3)

Reduce to SMT



◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c)

◇ I=(a b c⋁ ⋁ )

◇ Ip= ⌝p1∧(p2 ⋁⌝p3)

p1: x == 0, p2: x > 1, p3: x > 2

Reduce to SMT



◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c)

◇ I=(a b c⋁ ⋁ )

◇ Ip= ⌝p1∧(p2 ⋁⌝p3)

◇ Ix= ((x!=0 x>1) (x!=0 x<=2)) ∧ ⋁ ∧

p1: x == 0, p2: x > 1, p3: x > 2

Reduce to SMT [6]



◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c)

◇ I=(a b c⋁ ⋁ )

◇ Ip= ⌝p1∧(p2 ⋁⌝p3)

◇ Ix= ((x!=0 x>1) (x!=0 x<=2)) ∧ ⋁ ∧ ◆ i I, if any i is unsatisfiable in ∈ SMT(satisfiability modulo theories),

there exists no repair. ◆ Tools: Z33

[6] Cimatti A., Beyond boolean sat: satisfiability modulo theories[A]. Discrete Event Systems, 2008. WODES 2008. 9 th International Workshop on[C]. 2008: 68-73.3.http://research.microsoft.com/en-us/um/redmond/projects/z3/index.html

Boolean program repair formula reverse


◆ Program with multi test cases

◆ Check SMT with the formula of each test case

◆ If there exists no unsatisfiable test case

◇ Convert each Ip to CNF

◇ Reduce clauses

◇ Convert the reduced CNF to Ix

◇ Reduce Ix

◇ ((x!=0 && x>1) || (x!=0 && x<=2)) x!=0


• TCAS in Siemens Suit4

– modify the input arguments

– 10 error version

• Finding the max in array

– no loop in TCAS

4 http://sir.unl.edu/content/sir.php


Version KV/GV Lnb T(s) pass Avb T(s)

v1 7/22 803 73 99.9% 806 132

v3 2/13 887 115 97.5% 851 258

v4 10/16 697 168 100% 697 87

v5 4/18 792 55 100% 597 93

v6 5/19 768 54 91% 725 101

v9 8/24 952 135 95.5% 959 660

v12 4/18 824 88 83.2% 820 117

v26 4/18 803 60 100% 602 93

v27 4/18 792 55 100% 597 93

v34 3/17 856 88 83.2% 820 223


Version KV/GV Lnb T(s) pass Avb T(s)

while-v1 5/40 178 0.2 61.2% 178 2

while-v2 4/40 177 0.6 87.3% 177 20

for-v1 5/40 178 0.3 61.2% 178 2

for-v2 4/40 177 0.7 87.3% 177 20

Future Work

◆ Consider more C language grammar: *, &, ……

◆ Consider more efficient reverse methods

……◆

Thank you！

Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012

Documents

Transcript of Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012