automatically automatically finding patches finding
play

Automatically Automatically Finding Patches Finding Patches Using - PowerPoint PPT Presentation

Feb 04, 2023 •143 likes •679 views

Automatically Automatically Finding Patches Finding Patches Using Genetic Using Genetic Programming Programming Westley Weimer, Westley Weimer, Stephanie Forrest, Stephanie Forrest, Claire Le Goues, Claire Le Goues, ThanVu Nguyen,

  1. Automatically Automatically Finding Patches Finding Patches Using Genetic Using Genetic Programming Programming Westley Weimer, Westley Weimer, Stephanie Forrest, Stephanie Forrest, Claire Le Goues, Claire Le Goues, ThanVu Nguyen, ThanVu Nguyen, Ethan Fast, Ethan Fast, Briana Satchell, Briana Satchell, Eric Schulte Eric Schulte

  2. Motivation ● Software Quality remains a key problem ● Over one half of 1 percent of US GDP each year [NIST02] ● The cost of fixing a defect increases ($25 - $16k) [IBM08] ● Even security-critical bugs take 28 days (avg) [Symantec06] ● Despite bug detection and test suites ● Programs ship with known bugs ● How can we reduce debugging costs? ● Bug reports accompanied by patches are addressed more rapidly ● Thus: Automated Patch Generation 2

  3. Main Claim ● We can automatically and efficiently repair certain classes of bugs in off-the-shelf, unannotated legacy programs. ● Basic idea: Biased search through the space of certain nearby programs until you find a variant that repairs the problem. Key insights: ● Use existing test cases to evaluate variants. ● Search by perturbing parts of the program likely to contain the error. ICSE'09 Best Paper, GECCO'09 Best Paper, SBST'09 Best Short Paper, 2009 IFIP TC2 Manfred Paul Award, 2009 Gold Human-Competitive Award 3

  4. Repair Process Preview ● Input: ● The program source code ● System/regression tests passed by the program ● A test case failed by the program (= the bug) ● Genetic Programming Work: ● Create variants of the program ● Run them on the test cases ● Repeat, retaining and combining variants ● Output: ● New program source code that passes all tests ● or “no solution found in time” 4

  5. This Talk ● Fixing Real Bugs In Real Programs ● Representation and Operations ● The Quality of Automated Repairs ● Self-Healing Systems and Metrics ● Test Suite Selection ● Success and Explanations ● Open Questions in Automated Repair 5

  6. Genetic Programming ● Genetic programming is the application of evolutionary or genetic algorithms to program source code. ● Representing a population of program variants ● Mutation and crossover operations ● Fitness function ● GP serves as a search heuristic ● Others (random search, brute force, etc.) also work ● Similar in ways to search-based software engineering: ● Regression tests to guide the search 6

  7. Useful Insight #1 – Where To Fix ● In a large program, not every line is equally likely to contribute to the bug. ● Fault localization : given a bug, find its location in the program source. ● Insight: since we have the test cases, run them and collect coverage information. ● The bug is more likely to be found on lines visited when running the failed test case. ● The bug is less likely to be found on lines visited when running the passed test cases. 7

  8. Useful Insight #2 – How To Fix ● Developers often use statements or lines of code as atomic units representing actions ● Insight: operate on statements or lines ● Not on assembly ops or expressions ● Factor of 10 reduction in search space each time ● Insight: do not invent new code ● Instead, copy and modify existing statements ● We assume the program “contains the seeds of its own repair” ● e.g., has another null check somewhere 8

  9. Fault Localization Formalism ● We define a weighted path to be a list of <statement, weight> pairs. ● We use this weighted path: ● The statements are those visited during the failed test case. ● The weight for a statement S is – High (1.0) if S is not visited on a passed test – Low (0.0-0.1) if S is also visited on a passed test ● (Other weight sources are possible: e.g., Cooperative Bug Isolation or Daikon predicates) 9

  10. Genetic Programming for Program Repair: Mutation ● Population of Variants: ● Each variant is an <AST , weighted path> pair ● Mutation: ● To mutate a variant V = <AST V , wp V >, choose a statement S from wp V biased by the weights ● Replacement . Replace S with S1 ● Insertion . Replace S with { S2 ; S } ● Deletion . Replace S with { } ● Choose S1 and S2 from the entire AST ● All variants retain weighted path length 10

  11. Genetic Programming for Program Repair: Fitness ● Compile a variant ● If it fails to compile, Fitness = 0 ● Otherwise, run it on the test cases ● Fitness = number of test cases passed ● Weighted: passing the bug test case is worth more ● Selection and Crossover ● Higher fitness variants are retained and combined into the next generation ● Tournament selection and one-point crossover ● Repeat until a solution is found 11

  12. Example: GCD /* requires: a >= 0, b >= 0 */ void print_gcd(int a, int b) { if (a == 0) printf(“%d”, b); Bug: when while (b != 0) { a==0 and b>0, if (a > b) it loops forever! a = a – b; else b = b – a; } printf(“%d”, a); return; } 12

  13. Example: Abstract Syntax Tree { block } while if (a==0) printf(... a) return (b != 0) { block } { block } { block } if if printf(... b) (isLeapYear) (a > b) { block } { block } a = a - b b = b - a 13

  14. Example: Weighted Path (1/3) { block } while if (a==0) printf(... a) return (b != 0) { block } { block } { block } if if printf(... b) (isLeapYear) (a > b) { block } { block } a = a - b b = b - a Nodes visited on Negative test case (a=0,b=55) : (printf ...b) 14

  15. Example: Weighted Path (2/3) { block } while if (a==0) printf(... a) return (b != 0) { block } { block } { block } if if printf(... b) (isLeapYear) (a > b) Nodes visited on Positive test case { block } { block } (a=1071,b=1029) : b = b - a a = a - b b = b - a Nodes visited on Negative test case (a=0,b=55) : (printf ...b) 15

  16. Example: Weighted Path (3/3) { block } while if (a==0) printf(... a) return (b != 0) { block } { block } { block } if if printf(... b) (isLeapYear) (a > b) { block } { block } a = a - b b = b - a Weighted Path: (printf ...b) 16

  17. Example: Mutation (1/2) { block } while if (a==0) printf(... a) return (b != 0) { block } { block } { block } if if printf(... b) (isLeapYear) (a > b) { block } { block } a = a - b b = b - a Mutation Source: Anywhere in AST Mutation Destination: Weighted Path 17

  18. Example: Mutation (2/2) { block } while if (a==0) printf(... a) return (b != 0) { block } { block } { block } if if printf(... b) return (isLeapYear) (a > b) { block } { block } a = a - b b = b - a Mutation Source: Anywhere in AST Mutation Destination: Weighted Path 18

  19. Example: Final Repair { block } while if (a==0) printf(... a) return (b != 0) { block } { block } { block } if if printf(... b) return (isLeapYear) (a > b) { block } { block } a = a - b b = b - a 19

  20. Minimize The Repair ● Repair Patch is a diff between orig and variant ● Mutations may add unneeded statements ● (e.g., dead code, redundant computation) ● In essence: try removing each line in the diff and check if the result still passes all tests ● Delta Debugging finds a 1-minimal subset of the diff in O(n 2 ) time ● Removing any single line causes a test to fail ● We use a tree-structured diff algorithm (diffX) ● Avoids problems with balanced curly braces, etc. 20

  21. Experimental Results: 20 Repairs Many defects from “black hat” lists; avg minimization time: 12 seconds. 21

  22. The Story Thus Far ● How does the approach work? ● Create programs in a restricted search space ● Can it produce repairs? ● Yes, for many types of programs and defects ● Can I afford to use it? ● Are the repairs trustworthy? ● Does the approach scale? 22

  23. Repair Quality ● Repairs are typically not what a human would have done ● Example: our technique adds bounds checks to one particular network read, rather than refactoring to use a safe abstract string class in multiple places ● Recall: any proposed repair must pass all regression test cases ● When POST test is omitted from nullhttpd, the generated repair eliminates POST functionality ● Tests ensure we do not sacrifice functionality ● Minimization prevents gratuitous deletions ● Adding more tests helps rather than hurting 23

  24. Repair Quality Experiment ● A high-quality repair ... ● Retains required functionality ● Does not introduce new bugs ● Is not a “fragile memorization” of the buggy input ● Works as part of an entire system ● If humans are present, they can inspect it ● Let's consider a human-free situation, such as: ● A long-running server with an anomaly intrusion detection system that will generate and deploy repairs for all detected anomalies. 24

  25. Repair Quality Benchmarks ● Two webservers with buffer overflows ● nullhttpd (simple, multithreaded) ● lighttpd (used by Wikimedia, etc.) ● 138,226 requests from 12,743 distinct client IP addresses (held out; one day of data) ● One web application language interpreter ● php (integer overflow vulnerability) ● 15kloc secure reservation system web app ● 12,375 requests (held out; one day of data) 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatically Finding Theory Morphisms for Knowledge Management uller 1 Florian Rabe 1,2 Michael

Automatically Finding Theory Morphisms for Knowledge Management uller 1 Florian Rabe 1,2 Michael

1 Automatically Finding Theory Morphisms for Knowledge Management uller 1 Florian Rabe 1,2 Michael Kohlhase 1 Dennis M Computer Science, FAU Erlangen-N urnberg LRI, Universit e Paris Sud August 13, 2018 Introduction 2 Introduction

188 views • 14 slides
Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic Cashin, Carianne Martinez, Westley Weimer, Stephanie Forrest The Problem Automated program repair may reduce software maintenance costs

86 views • 8 slides
1 We want to automatically reject malformed, or not working patches 2 3 4 name: Proctree

1 We want to automatically reject malformed, or not working patches 2 3 4 name: Proctree

1 We want to automatically reject malformed, or not working patches 2 3 4 name: Proctree Syscall builds: - arch: x86_64 config: - config/proctree_syscall - config/virtio_net - config/gcov - config/overlayfs lava: True [...] - arch:

598 views • 33 slides
Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your way in a graph = station One loop = junction A system of interconnected loops L L What is the best way to go from L to ? L L L 1 ? L

2.13k views • 166 slides
STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11

STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11

STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11 LICENSED 148 PENDING 27 WITHDRAWN 32 TOTAL 239 ADUs reviewed as Special Exceptions Pre 2013 ZTA 12-11 Allows ADUs as

741 views • 14 slides
NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need

NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need

NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need finding? Needfinding is the process of uncovering User needs Opportunities for improvement Design Insights by learning about their goals

418 views • 14 slides
Automatically Constructing Semantic Web Services from Online Sources Craig A. Knoblock Jos

Automatically Constructing Semantic Web Services from Online Sources Craig A. Knoblock Jos

Automatically Constructing Semantic Web Services from Online Sources Craig A. Knoblock Jos Luis Ambite, Sirish Darbha, Aman Goel, Kristina Lerman, Rahul Parundekar, and Tom Russ University Southern California Goal Automatically build

870 views • 38 slides
Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic

Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic

Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic CrowdSensing using Smartphones Gauri Pulekar Computer Science Dept. Worcester Polytechnic Institute (WPI) Automatically Characterizing Places with

311 views • 30 slides
Finding t Finding the he fue fuel poor: an l poor: an exploration of challenges and ex

Finding t Finding the he fue fuel poor: an l poor: an exploration of challenges and ex

Finding t Finding the he fue fuel poor: an l poor: an exploration of challenges and ex practicable pract icable s solut olutions ions. Postgraduate symposium on household energy consumption, technology and efficiency, University of

551 views • 27 slides
Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs

Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs

Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs Commit Messages 13 th CREST Open Workshop Automated Software Engineering '10 So Much Change Automatically Documenting Program Changes 2 Understanding

589 views • 40 slides
An Automatically Built Named Entity Lexicon for Arabic M. Attia*, A. Toral *, L. Tounsi*, M.

An Automatically Built Named Entity Lexicon for Arabic M. Attia*, A. Toral *, L. Tounsi*, M.

An Automatically Built Named Entity Lexicon for Arabic M. Attia*, A. Toral *, L. Tounsi*, M. Monachini^, J.v. Genabith* *Dublin City University (Ireland) ^Istituto di Linguistica Computazionale - CNR, Pisa (Italy) An Automatically Built Named

326 views • 17 slides
1 2 3 The asset record is created automatically from the PO. The equipment record shell is

1 2 3 The asset record is created automatically from the PO. The equipment record shell is

1 2 3 The asset record is created automatically from the PO. The equipment record shell is created automatically from the asset if the class is a vehicle. The shell must be manually completed by the agencys Fleet Coordinator. 4 We execute

558 views • 17 slides
FE FELI LIX Tes est Fi Firmware Purpos ose type with Hit Finding/Hit Finding Emulator Com

FE FELI LIX Tes est Fi Firmware Purpos ose type with Hit Finding/Hit Finding Emulator Com

FE FELI LIX Tes est Fi Firmware Purpos ose type with Hit Finding/Hit Finding Emulator Com ompatible inter erface ty Add FELIX bloc ock hea eader er and chunk trailer er - Compatible with FELIX FULLMODE data - Identify

267 views • 6 slides
Automatically Assessing Code Understandability Reanalyzed : Combined Metrics Matter Asher

Automatically Assessing Code Understandability Reanalyzed : Combined Metrics Matter Asher

Automatically Assessing Code Understandability Reanalyzed : Combined Metrics Matter Asher Trockman , Keenen Cates, Mark Mozina, Tuan Nguyen, Christian Kstner, Bogdan Vasilescu Automatically Assessing Code Understandability: How far are

383 views • 12 slides
Cross-Device Consistency in Automatically Generated User Interfaces Krzysztof Gajos, Anthony Wu

Cross-Device Consistency in Automatically Generated User Interfaces Krzysztof Gajos, Anthony Wu

Cross-Device Consistency in Automatically Generated User Interfaces Krzysztof Gajos, Anthony Wu and Daniel S. Weld University of Washington Seattle, USA Problem Statement How to automatically generate user interfaces for the same application

408 views • 37 slides
Finding Finding Al All l Nearest earest Neighb Neighbors ors wi with th a Single a Single

Finding Finding Al All l Nearest earest Neighb Neighbors ors wi with th a Single a Single

Finding Finding Al All l Nearest earest Neighb Neighbors ors wi with th a Single a Single Graph Traversal raph Traversal Yixin Xu, Jianzhong Qi, Renata Borovica-Gajic, and Lars Kulik Motivation Parking undersupply? 65% oversupply [1]

417 views • 22 slides
Anytime Search in Dynamic Graphs Maxim Likhachev a , Dave Ferguson b , c , Geoff Gordon c , Anthony

Anytime Search in Dynamic Graphs Maxim Likhachev a , Dave Ferguson b , c , Geoff Gordon c , Anthony

Anytime Search in Dynamic Graphs Maxim Likhachev a , Dave Ferguson b , c , Geoff Gordon c , Anthony Stentz c , and Sebastian Thrun d a Computer and Information Science, University of Pennsylvania, Philadelphia, PA, USA b Intel Research Pittsburgh,

729 views • 52 slides
Random Number Generators for Cryptography Design and Evaluation Viktor F ISCHER Laboratoire

Random Number Generators for Cryptography Design and Evaluation Viktor F ISCHER Laboratoire

TRNG Design TRNG Classes Conclusions Random Number Generators for Cryptography Design and Evaluation Viktor F ISCHER Laboratoire Hubert Curien, UMR 5516 CNRS Jean Monnet University, Member of University of Lyon Saint-Etienne, France

675 views • 52 slides
S T ABL E OF CONT E NT AGE NDA DAY 1 DAY 2 GOAL S OF GE NOMIC ME DICINE VIII ME E

S T ABL E OF CONT E NT AGE NDA DAY 1 DAY 2 GOAL S OF GE NOMIC ME DICINE VIII ME E

Ge no mic Me dic ine VIII: NHGRIs Ge no mic Me dic ine Po r tfo lio S T ABL E OF CONT E NT AGE NDA DAY 1 DAY 2 GOAL S OF GE NOMIC ME DICINE VIII ME E T ING OBJE CT IVE S RE L T AE D T O GE NOMIC ME DICINE

850 views • 82 slides
Some ROS Slides D.A. Forsyth Credits I didnt make these slides Ive cut them from a

Some ROS Slides D.A. Forsyth Credits I didnt make these slides Ive cut them from a

Some ROS Slides D.A. Forsyth Credits I didnt make these slides Ive cut them from a series of 10 lectures by Roi Yehoshua, at Bar-Ilan without permission (though Ill try and fix this!) URL to full slides on website

1.17k views • 101 slides
4 Application Layer Protocols Device Management Protocols Application layer protocols offering

4 Application Layer Protocols Device Management Protocols Application layer protocols offering

EPFL, Spring 2017 4 Application Layer Protocols Device Management Protocols Application layer protocols offering remote services for large networks of devices: - Monitoring (health of devices and network, get current state) - Management

1.31k views • 93 slides
Service Composition and Synthesis The Roman Model Giuseppe De Giacomo SAPIENZA Universit di

Service Composition and Synthesis The Roman Model Giuseppe De Giacomo SAPIENZA Universit di

Service Composition and Synthesis The Roman Model Giuseppe De Giacomo SAPIENZA Universit di Roma, Italy Joint work with Daniela Berardi, Massimiliano de Leoni, Diego Calvanese, Fahima Cheikh, Rick Hull, Maurizio Lenzerini, Massimo Mecella,

611 views • 40 slides
behavior Timothy R. Vollmer University of Florida Overview A bit about my background and

behavior Timothy R. Vollmer University of Florida Overview A bit about my background and

automatically reinforced behavior Timothy R. Vollmer University of Florida Overview A bit about my background and research interests Overview of the functions of severe problem behavior Typical treatment logic and why it does not

529 views • 23 slides
Auto ma tic a lly Cha ra c te rizing L a rg e Sc a le Pro g ra m Be ha vio r Timothy Sherwood

Auto ma tic a lly Cha ra c te rizing L a rg e Sc a le Pro g ra m Be ha vio r Timothy Sherwood

Auto ma tic a lly Cha ra c te rizing L a rg e Sc a le Pro g ra m Be ha vio r Timothy Sherwood Erez Perelman Greg Hamerly Brad Calder T itle Ideal : To understand the effects of cycle-level events on full program execution

465 views • 29 slides

More recommend