Automatic Data Structure Repair using Separation Logic (PowerPoint presentation)


SLIDE 1

Automatic Data Structure Repair using Separation Logic

Guolong Zheng, ThanhVu Nguyen (University of Nebraska-Lincoln); Quang Loc Le (Teesside University); Quoc-Sang Phan (Fujitsu Labs. of America)

MVD’18

SLIDE 2

Introduction

Offline Repair

  • Stop program
  • Repair source code
  • Recompile
  • Rerun
  • GenProg; Angelix; InferFix

On-the-fly Repair

  • Suspend program
  • Repair program states
  • No need to recompile
  • Resume running
  • Tarmeem;

SLIDE 3

StarFix

Ø On-the-fly Repair

  • Repairs corrupted data structures

Ø Specification-based repair

  • Uses Separation Logic
  • Uses STARLIB

SLIDE 4

Separation Logic

Ø Extends Hoare Logic

  • Deals with pointers and dynamically allocated memory
  • tree(root) := emp ∧ root = null  OR  root |-> (left, right) ∗ tree(left) ∗ tree(right)

Ø Benefits

  • vs. repOk
  • Describes memory shape properties
  • Naturally encodes recursively defined data structures
  • Utilizes existing model checking algorithms

SLIDE 5

StarFix

[Architecture diagram: the running program hands STARFIX the corrupted data structure T together with the SL specification ∆; STARFIX performs bug detection and automatic repair and returns the fixed data structure T’.]

SLIDE 6

Circular Doubly Linked List

Circular Doubly Linked List

[Figure: nodes A, B, C, D in a circular doubly linked list with head pointing at A; the legend distinguishes normal links from the corrupted link.]

SLIDE 7

SL definition for DLL

dll(head) := (emp ∧ head = null)                                               empty list
           ∨ (∃p, n. head |→ Node(p, n) ∗ lst(head, p, head, n))              inductive list

lst(h, prevh, cur, next) := (emp ∧ prevh = cur ∧ next = h)                    cur is the tail
                          ∨ (∃n. next |→ Node(cur, n) ∗ lst(h, prevh, next, n))   inductive sublist

SLIDE 8

Unfolding dll(head)

Symbolic heap                                                            Concrete model
∆1 = emp ∧ head = null                                                   ✗
∆2 = ∃p1, n1. head |→ Node(p1, n1) ∗ lst(head, p1, head, n1)             ✓

M0 ≡ {head=A; p1=D; n1=B}

SLIDE 9

Unfolding ∆2

Symbolic heap                                                                              Concrete model
∆3 ≡ ∃p1, n1. head |→ Node(p1, n1) ∧ p1 = head ∧ head = n1                                ✗
∆4 ≡ ∃p1, n1, n2. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∗ lst(head, p1, n1, n2)     ✓

M1 ≡ {head=A; p1=D; n1=B; n2=C}

SLIDE 10

Unfolding ∆4

Symbolic heap                                                                                                          Concrete model
∆5 ≡ ∃p1, n1, n2. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∧ p1 = n1 ∧ n2 = head                                   ✗
∆6 ≡ ∃p1, n1, n2, n3. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∗ n2 |→ Node(n1, n3) ∗ lst(head, p1, n2, n3)        ✓

M2 ≡ {head=A; p1=D; n1=B; n2=C; n3=B}

SLIDE 11

Unfolding ∆6

Symbolic heap                                                                                                                                   Concrete model
∆7 ≡ ∃p1, n1, n2, n3. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∗ n2 |→ Node(n1, n3) ∧ p1 = n2 ∧ n3 = head                                   ✗
∆8 ≡ ∃p1, n1, n2, n3, n4. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∗ n2 |→ Node(n1, n3) ∗ n3 |→ Node(n2, n4) ∗ lst(head, p1, n3, n4)        ✗

M2 ≡ {head=A; p1=D; n1=B; n2=C; n3=B}

SLIDE 12

Roll back to ∆6 and repair n3

Symbolic heap
∆6 ≡ ∃p1, n1, n2, n3. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∗ n2 |→ Node(n1, n3) ∗ lst(head, p1, n2, n3)

Concrete model
M2’ ≡ {head=A; p1=D; n1=B; n2=C; n3=(null | D | A | C)}

SLIDE 13

Unfolding ∆6

Symbolic heap                                                                                                                                   Concrete model
∆7 ≡ ∃p1, n1, n2, n3. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∗ n2 |→ Node(n1, n3) ∧ p1 = n2 ∧ n3 = head                                   ✗
∆8 ≡ ∃p1, n1, n2, n3, n4. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∗ n2 |→ Node(n1, n3) ∗ n3 |→ Node(n2, n4) ∗ lst(head, p1, n3, n4)

M3 ≡ {head=A; p1=D; n1=B; n2=C; n3=D; n2=B; n4=A}   ✗

SLIDE 14

Repairing n2

Symbolic heap                                                                                                                                   Concrete model
∆7 ≡ ∃p1, n1, n2, n3. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∗ n2 |→ Node(n1, n3) ∧ p1 = n2 ∧ n3 = head                                   ✗
∆8 ≡ ∃p1, n1, n2, n3, n4. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∗ n2 |→ Node(n1, n3) ∗ n3 |→ Node(n2, n4) ∗ lst(head, p1, n3, n4)

M3 ≡ {head=A; p1=D; n1=B; n2=C; n3=D; n4=A}   ✓

SLIDE 15

Unfolding ∆8

Symbolic heap
∆9 ≡ ∃p1, n1, n2, n3, n4. head |→ Node(p1, n1) ∗ n1 |→ Node(head, n2) ∗ n2 |→ Node(n1, n3) ∗ n3 |→ Node(n2, n4) ∧ p1 = n3 ∧ head = n4

Concrete model
M3 ≡ {head=A; p1=D; n1=B; n2=C; n3=D; n4=A}

SLIDE 16

Multiple Valid Fixes

[Figure: two repaired lists, one containing the nodes A and D and one containing A, B and D, each with head pointing at A.]

SLIDE 17

Algorithm

StarFix (SL spec ∆, Data Structure T)

Ø Check T ⟹ ∆
  § Unfold ∆ one depth to find a match
    • True: return T
    • False: repair T
    • Neither: keep unfolding

Ø Repair T
  § Modify T to T’
  § Check T’
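The check/repair loop of the algorithm slide, run against the SL definition of the DLL from slide 7 on a circular list like the one unfolded on slides 6 to 15, as an added example: this is not the authors' STARFIX or STARLIB code. It model-checks a concrete Python heap against dll(head) by unfolding the definition one cell at a time (the ∗ is enforced by refusing to consume a cell twice), and when the unfolding fails it takes the suspect pointer, tries null and every allocated cell as the new target (the candidates listed on the "repair n3" slide), re-checks T’, and rolls back edits that do not get the unfolding past the failing cell. The node names, the two-field witness, and the depth-first search with a fixed edit budget are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(eq=False)            # eq=False: cells compare by identity, like heap addresses
class Node:
    name: str
    prev: Optional["Node"] = None
    next: Optional["Node"] = None


# A witness lists the (cell, field) pairs whose value could explain a failed unfolding.
Witness = Tuple[Tuple[Node, str], ...]


def check_dll(head: Optional[Node]) -> Tuple[bool, Optional[Witness]]:
    """Model-check the concrete heap reachable from head against
    dll(head) := (emp ∧ head = null) ∨ (∃p, n. head |→ Node(p, n) ∗ lst(head, p, head, n))."""
    if head is None:
        return True, None                           # emp ∧ head = null
    return check_lst(head, head.prev, head, head.next, {id(head)})


def check_lst(h, prevh, cur, nxt, seen) -> Tuple[bool, Optional[Witness]]:
    """lst(h, prevh, cur, next) := (emp ∧ prevh = cur ∧ next = h)
                              ∨ (∃n. next |→ Node(cur, n) ∗ lst(h, prevh, next, n)).
    `seen` holds the cells already consumed by ∗, so aliasing one of them is a violation."""
    if nxt is h:
        # The cycle closes here, so only the base case can apply: cur must be the tail
        # recorded in head.prev.  Either of the two pointers may be the corrupt one.
        if prevh is cur:
            return True, None
        return False, ((h, "prev"), (cur, "next"))
    if nxt is None or id(nxt) in seen:
        return False, ((cur, "next"),)              # no fresh cell for next |→ Node(cur, n)
    if nxt.prev is not cur:
        return False, ((nxt, "prev"), (cur, "next"))
    seen.add(id(nxt))
    return check_lst(h, prevh, nxt, nxt.next, seen)


def find_repairs(head: Node, heap: List[Node], max_fixes: int = 2) -> List[List[Tuple[str, str, Optional[str]]]]:
    """Check T ⟹ ∆; on failure modify T to T' and check T' again, searching depth-first
    over single-pointer edits.  Candidate targets are null or any allocated cell.
    Returns every edit sequence of at most max_fixes steps after which check_dll accepts;
    the heap is restored to its original state before returning."""
    solutions: List[List[Tuple[str, str, Optional[str]]]] = []

    def search(path):
        ok, witness = check_dll(head)
        if ok:
            solutions.append(list(path))
            return
        if len(path) == max_fixes:
            return
        for node, field in witness:
            original = getattr(node, field)
            for cand in [None] + heap:
                if cand is original:
                    continue
                setattr(node, field, cand)
                ok2, witness2 = check_dll(head)
                if ok2 or witness2 != witness:      # the unfolding got past the failing cell
                    path.append((node.name, field, cand.name if cand else None))
                    search(path)
                    path.pop()
            setattr(node, field, original)          # roll back this edit before trying the next

    search([])
    return solutions


def make_list(names: List[str]) -> Tuple[Optional[Node], List[Node]]:
    """Build a well-formed circular DLL (constructed input); returns (head, all cells)."""
    heap = [Node(n) for n in names]
    for i, node in enumerate(heap):
        node.prev = heap[i - 1]                     # index -1 gives the tail for the head
        node.next = heap[(i + 1) % len(heap)]
    return (heap[0] if heap else None), heap


def slide_example() -> List[List[Tuple[str, str, Optional[str]]]]:
    """Constructed corruption in the spirit of the slides: in A-B-C-D, C.next points back
    at B (the slides' n3 = B) and D.prev also points at B, so two edits are needed."""
    head, heap = make_list(["A", "B", "C", "D"])
    _, b, c, d = heap
    c.next = b
    d.prev = b
    return find_repairs(head, heap, max_fixes=2)


if __name__ == "__main__":
    for fix in slide_example():
        print(" then ".join(f"{n}.{f} := {t}" for n, f, t in fix))
```

Run stand-alone, the block prints two repairs for the constructed corruption: one closes the cycle at A and fixes A.prev, which drops D from the list, and one re-links C to D and fixes D.prev, which restores the original list. That is the situation of the "Multiple Valid Fixes" slide. The checker only describes the cells reachable from head, so a fix that orphans an allocated cell is accepted; a ranking step, as proposed under Future Work, would have to prefer the repair that keeps every cell.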

SLIDE 18

Repairing a Binary Tree

[Figure: three trees over the nodes a to g: the corrupted tree, one fix, and another fix.]

SLIDE 19

Future Work

  • Use a more powerful SL model checker
  • Ranking fixes
  • Heuristics to optimize repair performance
  • Automatically inferring specifications from good program runs

SLIDE 20


THANKS!

Any questions?