1 / 41

Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012

Boolean Program R epair Reverse Conversion Tool via SMT. Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012. Outline. ◆ Background ◆ Related work ◆ Key ideas ◇ Translating C into boolean program ◇ Reduce to SMT ◇ Boolean program repair formula reverse

liona
Download Presentation

Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Boolean Program Repair Reverse Conversion Tool via SMT Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012

  2. Outline ◆ Background ◆ Related work ◆ Key ideas ◇ Translating C into boolean program ◇ Reduce to SMT ◇ Boolean program repair formula reverse ◆ Empirical result

  3. Background Related work Key ideas Empirical result • ◆Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } }

  4. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } Test case

  5. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } x = 0 Static Area main() Stack

  6. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } x = 3 Static Area main() Stack

  7. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } x = 2 Static Area f() main() Stack

  8. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } x = 2 Static Area f() f() main() Stack

  9. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } x = 1 Static Area f() f() main() Stack

  10. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } x = 1 Static Area main() Stack

  11. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x !=0 ){ 9f(); } } x = 0 Static Area main() Stack

  12. Background Related work Key ideas Empirical result Wrong program Test case • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } }

  13. Correct Program Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair Specification Wrong Program Test cases Automated debugging

  14. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } Test case ((x == 3) ∧ (x’ == 2) ∧ (x’’ == 1)) (x’’ == 0)

  15. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇ Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } Fault location

  16. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇Understanding • ◇ Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ ??? 9f(); } } ((x == 3) ∧ (x’ == 2) ∧ (x’’ == 1) (x’’’ == 0)) (x’’’ == 0) Mutation

  17. Background Related work Key ideas Empirical result • ◆ Manual debugging • ◆Automated debugging • ◆ which is comprised of • ◇Error detection • ◇Fault location • ◇Understanding • ◇Program repair 1 static int x; 2 void main() { 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x != 0){ 9f(); } } ((x == 3) ∧ (x’ == 2) ∧ (x’’ == 1) (x’’’ == 0)) (x’’’ == 0)

  18. Background Related work Key ideas Empirical result Specification Test case [1] Demsky B., Ernst M.D., Guo P.J., McCamant S., Perkins J., Rinard M. Inference and enforcement of data structure consistency specifications[A]. Proceedings of the 2006 international symposium on Software testing and analysis[C]. 2006: 233-234. [2] Arcuri A. On the automation of fixing software bugs[A]. Companion of the 30th international conference on Software engineering[C]. 2008: 1003-1006. [3] Westley Weimer, ThanhVu Nguyen, Claire Le Goues, Stephanie Forrest. Automatically finding patches using genetic programming[A]. Proceeding ICSE '09 Proceedings of the 31st International Conference on Software Engineering Pages 364-374 [4] Griesmayer A., Bloem R., Cook B. Repair of boolean programs with an application to C[A]. Computer Aided Verification[C]. 2006: 358-371.

  19. Background Related work Key ideas Empirical result ◆ Translating C into boolean program ◆Reduce to SMT ◆ Boolean program repair formula reverse

  20. Background Related work Key ideas Empirical result Translating C into Boolean Program [5] ◆ Assume there exists only one located error, < PC , T >  PB ◇PC ,a wrong C program ◇T, a test case ◇PB ,a translated wrong Boolean program ◆ Tools ◇SLAM1, SATABS2 [5] Ball T., Majumdar R., Millstein T., Rajamani S. Automatic predicate abstraction of C programs[A]. ACM SIGPLAN Notices[C]. 2001: 203-213. 1 http://research.microsoft.com/en-us/projects/slam/ 2http://www.cprover.org/satabs/

  21. Background Related work Key ideas Empirical result Translating C into Boolean Program 1 static int x; 2 void main(){ 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } decl p1, p2, p3; 0main() 1 p1, p2, p3 := 0, 1, 1; 2 f(); 3 assert(p1); 4end; 5f() 6p1, p2, p3 := *, p3, *; 7 if(p2) 8 f(); 9 fi 10End p1: x == 0 p2: x > 1 p3: x > 2

  22. Background Related work Key ideas Empirical result Translating C into Boolean Program 1 static int x; 2 void main(){ 3 x = 3; 4 f(); 5assert(x == 0); } 6 void f(){ 7x = x –1; 8if(x > 1){ 9f(); } } decl p1, p2, p3; 0main() 1 p1, p2, p3 := 0, 1, 1; 2 f(); 3 assert(p1); 4end; 5f() 6p1, p2, p3 := *, p3, *; 7 if(*rep)// if(p2) 8 f(); 9 fi 10End p1: x == 0 p2: x > 1 p3: x > 2

  23. Background Related work Key ideas Empirical result Reduce to SMT 000 010 011 100 decl p1, p2, p3; 0main() 1 p1, p2, p3 := 0, 1, 1; 2 f(); 3 assert(p1); 4end; 5f() 6p1, p2, p3 := *, p3, *; 7 if(p2)//if(*rep) 8 f(); 9 fi 10End X

  24. Background Related work Key ideas Empirical result Reduce to SMT decl p1, p2, p3; 0main() 1 p1, p2, p3 := 0, 1, 1; 2 f(); 3 assert(p1); 4end; 5f() 6p1, p2, p3 := *, p3, *; 7 if(*rep)//if(p2) 8 f(); 9 fi 10End

  25. Background Related work Key ideas Empirical result Reduce to SMT 000 010 011 100 decl p1, p2, p3; 0main() 1 p1, p2, p3 := 0, 1, 1; 2 f(); 3 assert(p1); 4end; 5f() 6p1, p2, p3 := *, p3, *; 7 if(*rep)//if(p2) 8 f(); 9 fi 10End ⌝ab ⌝b ⌝c ab(⌝ d) X X X √ ⌝bc ⌝a a ⌝b b ⌝c c ⌝dd

  26. Background Related work Key ideas Empirical result Reduce to SMT 000 010 011 100 decl p1, p2, p3; 0main() 1 p1, p2, p3 := 0, 1, 1; 2 f(); 3 assert(p1); 4end; 5f() 6p1, p2, p3 := *, p3, *; 7 if(*rep)//if(p2) 8 f(); 9 fi 10End ⌝ab ⌝b ⌝c ab(⌝ d) X X X √ ⌝bc ⌝a a ⌝b b ⌝c c ⌝dd

  27. Background Related work Key ideas Empirical result Reduce to SMT 000 010 011 100 decl p1, p2, p3; 0main() 1 p1, p2, p3 := 0, 1, 1; 2 f(); 3 assert(p1); 4end; 5f() 6p1, p2, p3 := *, p3, *; 7 if(*rep)//if(p2) 8 f(); 9 fi 10End ⌝ab ⌝b ⌝c ab(⌝ d) X X X √ Fp1=⌝b ⌝a a ⌝b b ⌝c c ⌝dd

  28. Background Related work Key ideas Empirical result Reduce to SMT 000 010 011 100 decl p1, p2, p3; 0main() 1 p1, p2, p3 := 0, 1, 1; 2 f(); 3 assert(p1); 4end; 5f() 6p1, p2, p3 := *, p3, *; 7 if(*rep)//if(p2) 8 f(); 9 fi 10End ⌝ab ⌝b ⌝c ab(⌝ d) X X X √ Fp1=⌝b ⌝a a ⌝b b ⌝c c ⌝dd Fp0=⌝ab Fp2=⌝c

  29. Background Related work Key ideas Empirical result Reduce to SMT ◆F=⌝(Fp1∨ Fp2∨…∨ Fpn )

  30. Background Related work Key ideas Empirical result Reduce to SMT ◆ Compute prime implicant Iof F=⌝(Fp1∨ Fp2∨…∨ Fpn ) ◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c) ◇I=(a ⋁ b ⋁ c)

  31. Background Related work Key ideas Empirical result Reduce to SMT ◆ Compute prime implicant Iof F=⌝(Fp1∨ Fp2∨…∨ Fpn ) ◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c) ◇I=(a ⋁ b ⋁ c)

  32. Background Related work Key ideas Empirical result Reduce to SMT ◆ Compute prime implicant Iof F=⌝(Fp1∨ Fp2∨…∨ Fpn ) ◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c) ◇I=(a ⋁ b ⋁ c) ◇Ip= ⌝p1∧(p2 ⋁⌝p3)

  33. Background Related work Key ideas Empirical result Reduce to SMT ◆ Compute prime implicant Iof F=⌝(Fp1∨ Fp2∨…∨ Fpn ) ◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c) ◇I=(a ⋁ b ⋁ c) ◇Ip= ⌝p1∧(p2 ⋁⌝p3) p1: x == 0, p2: x > 1, p3: x > 2

  34. Background Related work Key ideas Empirical result Reduce to SMT ◆ Compute prime implicant Iof F=⌝(Fp1∨ Fp2∨…∨ Fpn ) ◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c) ◇I=(a ⋁ b ⋁ c) ◇Ip= ⌝p1∧(p2 ⋁⌝p3) ◇Ix= ((x!=0 ∧ x>1) ⋁ (x!=0 ∧ x<=2)) p1: x == 0, p2: x > 1, p3: x > 2

  35. Background Related work Key ideas Empirical result Reduce to SMT [6] ◆ Compute prime implicant Iof F=⌝(Fp1∨ Fp2∨…∨ Fpn ) ◇ F=⌝(⌝ab ⋁⌝b ⋁ ⌝c) ◇I=(a ⋁ b ⋁ c) ◇Ip= ⌝p1∧(p2 ⋁⌝p3) ◇Ix= ((x!=0 ∧ x>1) ⋁ (x!=0 ∧ x<=2)) ◆ i∈I, if any i is unsatisfiable in SMT(satisfiability modulo theories), there exists no repair. ◆ Tools: Z33 [6] Cimatti A., Beyond boolean sat: satisfiability modulo theories[A]. Discrete Event Systems, 2008. WODES 2008. 9th International Workshop on[C]. 2008: 68-73. 3.http://research.microsoft.com/en-us/um/redmond/projects/z3/index.html

  36. Background Related work Key ideas Empirical result Boolean program repair formula reverse • ◆ Program with multi test cases • ◆Check SMT with the formula of each test case • ◆ If there exists no unsatisfiable test case • ◇Convert each Ip to CNF • ◇Reduce clauses • ◇ Convert the reduced CNF to Ix • ◇ Reduce Ix • ◇((x!=0 && x>1) || (x!=0 && x<=2))  x!=0

  37. Background Related work Key ideas Empirical result • TCAS in Siemens Suit4 • modify the input arguments • 10 error version • Finding the max in array • no loop in TCAS 4 http://sir.unl.edu/content/sir.php

  38. Background Related work Key ideas Empirical result

  39. Background Related work Key ideas Empirical result

  40. Future Work ◆ Consider more C language grammar: *, &, …… ◆ Consider more efficient reverse methods ◆ ……

  41. Thank you!

More Related