Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012 Boolean Program Repair Reverse Conversion Tool via SMT.

Published byHope Campbell Modified over 8 years ago

Similar presentations

Presentation on theme: "Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012 Boolean Program Repair Reverse Conversion Tool via SMT."— Presentation transcript:

1 Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012 Boolean Program Repair Reverse Conversion Tool via SMT

2 ◆ Background ◆ Related work ◆ Key ideas ◇ Translating C into boolean program ◇ Reduce to SMT ◇ Boolean program repair formula reverse ◆ Empirical result Outline

3 BackgroundRelated workKey ideasEmpirical result ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); }

4 BackgroundRelated workKey ideasEmpirical result ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5 assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); } Test case

5 BackgroundRelated workKey ideasEmpirical result 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); } x = 0 main() Static Area Stack ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair

6 BackgroundRelated workKey ideasEmpirical result 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); } x = 3 main() Static Area Stack ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair

7 BackgroundRelated workKey ideasEmpirical result 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); } x = 2 main() f() Static Area Stack ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair

8 BackgroundRelated workKey ideasEmpirical result 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); } x = 2 main() f() Static Area Stack ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair

9 BackgroundRelated workKey ideasEmpirical result 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); } x = 1 main() f() Static Area Stack ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair

10 BackgroundRelated workKey ideasEmpirical result 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); } x = 1 main() Static Area Stack ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair

11 BackgroundRelated workKey ideasEmpirical result 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8 if(x !=0 ){ 9 f(); } x = 0 main() Static Area Stack ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair

12 BackgroundRelated workKey ideasEmpirical result ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5 assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); } Test caseWrong program

13 BackgroundRelated workKey ideasEmpirical result ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair Test cases Wrong Program Automated debugging Correct Program Specification

14 BackgroundRelated workKey ideasEmpirical result ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5 assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); } Test case ((x == 3) ∧ (x’ == 2) ∧ (x’’ == 1)) (x’’ == 0)

15 BackgroundRelated workKey ideasEmpirical result ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9 f(); } Fault location

16 BackgroundRelated workKey ideasEmpirical result ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5 assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ ??? 9 f(); } ((x == 3) ∧ (x’ == 2) ∧ (x’’ == 1) (x’’’ == 0) (x’’’ == 0)) Mutation

17 BackgroundRelated workKey ideasEmpirical result ◆ Manual debugging ◆ Automated debugging ◆ which is comprised of ◇ Error detection ◇ Fault location ◇ Understanding ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x != 0){ 9 f(); } ((x == 3) ∧ (x’ == 2) ∧ (x’’ == 1) (x’’’ == 0) (x’’’ == 0))

18 BackgroundRelated workKey ideasEmpirical result 1Demsky B. et al [1] Data structure consistency specifications 2Arcuri [2] Automatic Bug Fixing (ABF) 3Weimer W. et al [3] Genetic Programming (GP) 4Griesmayer [4] Program repair as a game [1] Demsky B., Ernst M.D., Guo P.J., McCamant S., Perkins J., Rinard M. Inference and enforcement of data structure consistency specifications[A]. Proceedings of the 2006 international symposium on Software testing and analysis[C]. 2006: 233-234. [2] Arcuri A. On the automation of fixing software bugs[A]. Companion of the 30th international conference on Software engineering[C]. 2008: 1003-1006. [3] Westley Weimer, ThanhVu Nguyen, Claire Le Goues, Stephanie Forrest. Automatically finding patches using genetic programming[A]. Proceeding ICSE '09 Proceedings of the 31st International Conference on Software Engineering Pages 364-374 [4] Griesmayer A., Bloem R., Cook B. Repair of boolean programs with an application to C[A]. Computer Aided Verification[C]. 2006: 358-371. Specification Test case

19 BackgroundRelated workKey ideasEmpirical result ◆ Translating C into boolean program ◆ Reduce to SMT ◆ Boolean program repair formula reverse

20 Translating C into Boolean Program [5] BackgroundRelated workKey ideasEmpirical result ◆ Assume there exists only one located error,  P B ◇ P C, a wrong C program ◇ T, a test case ◇ P B, a translated wrong Boolean program ◆ Tools ◇ SLAM 1, SATABS 2 [5] Ball T., Majumdar R., Millstein T., Rajamani S. Automatic predicate abstraction of C programs[A]. ACM SIGPLAN Notices[C]. 2001: 203-213. 1 http://research.microsoft.com/en-us/projects/slam/ 2 http://www.cprover.org/satabs/

21 Translating C into Boolean Program BackgroundRelated workKey ideasEmpirical result 1 static int x; 2 void main(){ 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9f(); } decl p1, p2, p3; 0 main() 1 p1, p2, p3 := 0, 1, 1; 2f(); 3 assert(p1); 4 end; 5 f() 6p1, p2, p3 := *, p3, *; 7if(p2) 8 f(); 9fi 10 End p1: x == 0 p2: x > 1 p3: x > 2

22 Translating C into Boolean Program BackgroundRelated workKey ideasEmpirical result 1 static int x; 2 void main(){ 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x – 1; 8if(x > 1){ 9f(); } decl p1, p2, p3; 0 main() 1 p1, p2, p3 := 0, 1, 1; 2f(); 3 assert(p1); 4 end; 5 f() 6p1, p2, p3 := *, p3, *; 7if(*rep) // if(p2) 8 f(); 9fi 10 End p1: x == 0 p2: x > 1 p3: x > 2

23 Reduce to SMT BackgroundRelated workKey ideasEmpirical result decl p1, p2, p3; 0 main() 1 p1, p2, p3 := 0, 1, 1; 2f(); 3 assert(p1); 4 end; 5 f() 6p1, p2, p3 := *, p3, *; 7if(p2) // if(*rep) 8 f(); 9fi 10 End 000 010 011 100 X

24 Reduce to SMT BackgroundRelated workKey ideasEmpirical result decl p1, p2, p3; 0 main() 1 p1, p2, p3 := 0, 1, 1; 2f(); 3 assert(p1); 4 end; 5 f() 6p1, p2, p3 := *, p3, *; 7if(*rep) // if(p2) 8 f(); 9fi 10 End

25 Reduce to SMT BackgroundRelated workKey ideasEmpirical result decl p1, p2, p3; 0 main() 1 p1, p2, p3 := 0, 1, 1; 2f(); 3 assert(p1); 4 end; 5 f() 6p1, p2, p3 := *, p3, *; 7if(*rep) // if(p2) 8 f(); 9fi 10 End ⌝ a a ⌝ b b ⌝ c c ⌝ d d X X X √ ⌝ ab ⌝ b ⌝ c ab( ⌝ d) 000 010 011 100 ⌝ bc

26 Reduce to SMT BackgroundRelated workKey ideasEmpirical result decl p1, p2, p3; 0 main() 1 p1, p2, p3 := 0, 1, 1; 2f(); 3 assert(p1); 4 end; 5 f() 6p1, p2, p3 := *, p3, *; 7if(*rep) // if(p2) 8 f(); 9fi 10 End ⌝ a a ⌝ b b ⌝ c c ⌝ d d X X X √ ⌝ ab ⌝ b ⌝ c ab( ⌝ d) 000 010 011 100 ⌝ bc

27 Reduce to SMT BackgroundRelated workKey ideasEmpirical result decl p1, p2, p3; 0 main() 1 p1, p2, p3 := 0, 1, 1; 2f(); 3 assert(p1); 4 end; 5 f() 6p1, p2, p3 := *, p3, *; 7if(*rep) // if(p2) 8 f(); 9fi 10 End ⌝ a a ⌝ b b ⌝ c c ⌝ d d X X X √ ⌝ ab ⌝ b ⌝ c ab( ⌝ d) 000 010 011 100 F p1 = ⌝ b

28 Reduce to SMT BackgroundRelated workKey ideasEmpirical result decl p1, p2, p3; 0 main() 1 p1, p2, p3 := 0, 1, 1; 2f(); 3 assert(p1); 4 end; 5 f() 6p1, p2, p3 := *, p3, *; 7if(*rep) // if(p2) 8 f(); 9fi 10 End ⌝ a a ⌝ b b ⌝ c c ⌝ d d X X X √ ⌝ ab ⌝ b ⌝ c ab( ⌝ d) 000 010 011 100 F p1 = ⌝ b F p0 = ⌝ ab F p2 = ⌝ c

29 Reduce to SMT BackgroundRelated workKey ideasEmpirical result ◆ F= ⌝ (F p1 ∨ F p2 ∨ … ∨ F pn )

30 Reduce to SMT BackgroundRelated workKey ideasEmpirical result ◆ Compute prime implicant I of F= ⌝ (F p1 ∨ F p2 ∨ … ∨ F pn ) ◇ F= ⌝ ( ⌝ ab ⋁⌝ b ⋁ ⌝ c) ◇ I=(a ⋁ b ⋁ c )

31 Reduce to SMT BackgroundRelated workKey ideasEmpirical result ◆ Compute prime implicant I of F= ⌝ (F p1 ∨ F p2 ∨ … ∨ F pn ) ◇ F= ⌝ ( ⌝ ab ⋁⌝ b ⋁ ⌝ c) ◇ I=(a ⋁ b ⋁ c )

32 Reduce to SMT BackgroundRelated workKey ideasEmpirical result ◆ Compute prime implicant I of F= ⌝ (F p1 ∨ F p2 ∨ … ∨ F pn ) ◇ F= ⌝ ( ⌝ ab ⋁⌝ b ⋁ ⌝ c) ◇ I=(a ⋁ b ⋁ c ) ◇ I p = ⌝ p1 ∧ (p2 ⋁⌝ p3)

33 Reduce to SMT BackgroundRelated workKey ideasEmpirical result ◆ Compute prime implicant I of F= ⌝ (F p1 ∨ F p2 ∨ … ∨ F pn ) ◇ F= ⌝ ( ⌝ ab ⋁⌝ b ⋁ ⌝ c) ◇ I=(a ⋁ b ⋁ c ) ◇ I p = ⌝ p1 ∧ (p2 ⋁⌝ p3) p1: x == 0, p2: x > 1, p3: x > 2

34 Reduce to SMT BackgroundRelated workKey ideasEmpirical result ◆ Compute prime implicant I of F= ⌝ (F p1 ∨ F p2 ∨ … ∨ F pn ) ◇ F= ⌝ ( ⌝ ab ⋁⌝ b ⋁ ⌝ c) ◇ I=(a ⋁ b ⋁ c ) ◇ I p = ⌝ p1 ∧ (p2 ⋁⌝ p3) ◇ I x = ((x!=0 ∧ x>1) ⋁ (x!=0 ∧ x<=2)) p1: x == 0, p2: x > 1, p3: x > 2

35 Reduce to SMT [6] BackgroundRelated workKey ideasEmpirical result ◆ Compute prime implicant I of F= ⌝ (F p1 ∨ F p2 ∨ … ∨ F pn ) ◇ F= ⌝ ( ⌝ ab ⋁⌝ b ⋁ ⌝ c) ◇ I=(a ⋁ b ⋁ c ) ◇ I p = ⌝ p1 ∧ (p2 ⋁⌝ p3) ◇ I x = ((x!=0 ∧ x>1) ⋁ (x!=0 ∧ x<=2)) ◆ i ∈ I, if any i is unsatisfiable in SMT(satisfiability modulo theories), there exists no repair. ◆ Tools: Z3 3 [6] Cimatti A., Beyond boolean sat: satisfiability modulo theories[A]. Discrete Event Systems, 2008. WODES 2008. 9 th International Workshop on[C]. 2008: 68-73. 3.http://research.microsoft.com/en-us/um/redmond/projects/z3/index.html

36 Boolean program repair formula reverse BackgroundRelated workKey ideasEmpirical result ◆ Program with multi test cases ◆ Check SMT with the formula of each test case ◆ If there exists no unsatisfiable test case ◇ Convert each Ip to CNF ◇ Reduce clauses ◇ Convert the reduced CNF to Ix ◇ Reduce Ix ◇ ((x!=0 && x>1) || (x!=0 && x<=2))  x!=0

37 BackgroundRelated workKey ideasEmpirical result TCAS in Siemens Suit 4 – modify the input arguments – 10 error version Finding the max in array – no loop in TCAS 4 http://sir.unl.edu/content/sir.php

38 BackgroundRelated workKey ideasEmpirical result VersionKV/GVLn b T(s)passAv b T(s) v17/228037399.9%806132 v32/1388711597.5%851258 v410/16697168100%69787 v54/1879255100%59793 v65/197685491%725101 v98/2495213595.5%959660 v124/188248883.2%820117 v264/1880360100%60293 v274/1879255100%59793 v343/178568883.2%820223

39 BackgroundRelated workKey ideasEmpirical result VersionKV/GVLn b T(s)passAv b T(s) while-v15/401780.261.2%1782 while-v24/401770.687.3%17720 for-v15/401780.361.2%1782 for-v24/401770.787.3%17720

40 Future Work ◆ Consider more C language grammar: *, &, …… ◆ Consider more efficient reverse methods ◆ ……

41 Thank you !

Download ppt "Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012 Boolean Program Repair Reverse Conversion Tool via SMT."

Similar presentations

Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
+ Post-Silicon Fault Localisation using MAX-SAT & Backbones Georg Weissenbacher Charlie Shucheng Zhu, Sharad Malik Princeton University (Photo: Intel Press.

+ Post-Silicon Fault Localisation using MAX-SAT & Backbones Georg Weissenbacher Charlie Shucheng Zhu, Sharad Malik Princeton University (Photo: Intel Press.
50.530: Software Engineering

50.530: Software Engineering
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
P-Optimal CSP Solvers Applied to Software Security P-Optimal CSP Solvers Applied to Software Security Ahmed Abdel Mohsen and Karl Lieberherr College of.

P-Optimal CSP Solvers Applied to Software Security P-Optimal CSP Solvers Applied to Software Security Ahmed Abdel Mohsen and Karl Lieberherr College of.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,

Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Mahadevan Subramaniam and Bo Guo University of Nebraska at Omaha An Approach for Selecting Tests with Provable Guarantees.

Mahadevan Subramaniam and Bo Guo University of Nebraska at Omaha An Approach for Selecting Tests with Provable Guarantees.
By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.

By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.
A SYSTEMATIC STUDY OF AUTOMATED PROGRAM REPAIR: FIXING 55 OUT OF 105 BUGS FOR $8 EACH Claire Le Goues Michael Dewey-Vogt Stephanie Forrest Westley Weimer.

A SYSTEMATIC STUDY OF AUTOMATED PROGRAM REPAIR: FIXING 55 OUT OF 105 BUGS FOR $8 EACH Claire Le Goues Michael Dewey-Vogt Stephanie Forrest Westley Weimer.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.

1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.
Automatic Software Repair Using GenProg 张汉生 ZHANG Hansheng 2013/12/3.

Automatic Software Repair Using GenProg 张汉生 ZHANG Hansheng 2013/12/3.
Automatic Program Correction Anton Akhi Friday, July 08, 2011.

Automatic Program Correction Anton Akhi Friday, July 08, 2011.
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.

PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.
1 Software Testing and Quality Assurance Lecture 9 - Software Testing Techniques.

1 Software Testing and Quality Assurance Lecture 9 - Software Testing Techniques.
Interpolants [Craig 1957] G(y,z) F(x,y)

Interpolants [Craig 1957] G(y,z) F(x,y)

Similar presentations

Ads by Google