mutation analysis for coq
play

Mutation Analysis for Coq Pengyu Nie 1 Ahmet Celik 1 , Karl Palmskog - PowerPoint PPT Presentation

Feb 20, 2023 •244 likes •682 views

Mutation Analysis for Coq Pengyu Nie 1 Ahmet Celik 1 , Karl Palmskog 1 , Marinela Parovic 1 , us Gallego Arias 2 , and Milos Gligoric 1 Emilio Jes ASE 2019 1 2 1 / 24 Program Verification Using Proof Assistants Verified software: encode

  1. Mutation Analysis for Coq Pengyu Nie 1 Ahmet Celik 1 , Karl Palmskog 1 , Marinela Parovic 1 , us Gallego Arias 2 , and Milos Gligoric 1 Emilio Jes´ ASE 2019 1 2 1 / 24

  2. Program Verification Using Proof Assistants Verified software: encode program in formalism, write specifications for functions and prove them Proof assistants: prove specifications interactively Coq, HOL4, HOL Light, Isabelle/HOL, Lean, Nuprl, ... Verified executable systems built using proof assistants are reaching unprecedented scale CompCert (C compiler), 8 person years, 120k LOC seL4 (OS kernel), 25 person years, 200k LOC Verdi Raft (consensus protocol), 2 person years, 50k LOC These systems are being deployed CompCert – embedded systems seL4 – military autonomous vehicles 2 / 24

  3. An Example of a Verified Function github.com/uwplse/StructTact Using Coq proof assistant Dependency of large verified systems, including Verdi Raft and Oeuf compiler From mathcomp Require Import all_ssreflect. Fixpoint before_func A (f g : A → bool) (l : list A) : bool := match l with | [::] ⇒ false | a :: l’ ⇒ (f a == true) || (g a == false && before_func A f g l’) end. Lemma before_func_app : ∀ A (f g : A → bool) (l l’ : list A), before_func A f g l → before_func A f g (l + + l’). Proof. intros;induction l ⇒ /=; intuition; move/orP: H; case; [by move/eqP → |]. by move/andP ⇒ [H1 H2]; rewrite H1 /=; apply/orP; right; apply IHl. Qed. Before.v 3 / 24

  4. An Example of a Verified Function github.com/uwplse/StructTact Using Coq proof assistant Dependency of large verified systems, including Verdi Raft and Oeuf compiler Import From mathcomp Require Import all_ssreflect. Fixpoint before_func A (f g : A → bool) (l : list A) : bool := match l with | [::] ⇒ false | a :: l’ ⇒ (f a == true) || (g a == false && before_func A f g l’) end. Lemma before_func_app : ∀ A (f g : A → bool) (l l’ : list A), before_func A f g l → before_func A f g (l + + l’). Proof. intros;induction l ⇒ /=; intuition; move/orP: H; case; [by move/eqP → |]. by move/andP ⇒ [H1 H2]; rewrite H1 /=; apply/orP; right; apply IHl. Qed. Before.v 3 / 24

  5. An Example of a Verified Function github.com/uwplse/StructTact Using Coq proof assistant Dependency of large verified systems, including Verdi Raft and Oeuf compiler From mathcomp Require Import all_ssreflect. Function Fixpoint before_func A (f g : A → bool) (l : list A) : bool := match l with | [::] ⇒ false | a :: l’ ⇒ (f a == true) || (g a == false && before_func A f g l’) end. Lemma before_func_app : ∀ A (f g : A → bool) (l l’ : list A), before_func A f g l → before_func A f g (l + + l’). Proof. intros;induction l ⇒ /=; intuition; move/orP: H; case; [by move/eqP → |]. by move/andP ⇒ [H1 H2]; rewrite H1 /=; apply/orP; right; apply IHl. Qed. Before.v 3 / 24

  6. An Example of a Verified Function github.com/uwplse/StructTact Using Coq proof assistant Dependency of large verified systems, including Verdi Raft and Oeuf compiler Specification From mathcomp Require Import all_ssreflect. Fixpoint before_func A (f g : A → bool) (l : list A) : bool := match l with | [::] ⇒ false | a :: l’ ⇒ (f a == true) || (g a == false && before_func A f g l’) end. Lemma before_func_app : ∀ A (f g : A → bool) (l l’ : list A), before_func A f g l → before_func A f g (l + + l’). Proof. intros;induction l ⇒ /=; intuition; move/orP: H; case; [by move/eqP → |]. by move/andP ⇒ [H1 H2]; rewrite H1 /=; apply/orP; right; apply IHl. Qed. Before.v 3 / 24

  7. An Example of a Verified Function github.com/uwplse/StructTact Using Coq proof assistant Dependency of large verified systems, including Verdi Raft and Oeuf compiler From mathcomp Require Import all_ssreflect. Proof Fixpoint before_func A (f g : A → bool) (l : list A) : bool := match l with | [::] ⇒ false | a :: l’ ⇒ (f a == true) || (g a == false && before_func A f g l’) end. Lemma before_func_app : ∀ A (f g : A → bool) (l l’ : list A), before_func A f g l → before_func A f g (l + + l’). Proof. intros;induction l ⇒ /=; intuition; move/orP: H; case; [by move/eqP → |]. by move/andP ⇒ [H1 H2]; rewrite H1 /=; apply/orP; right; apply IHl. Qed. Before.v 3 / 24

  8. Problem: Incomplete and Missing Specifications StructTact Verdi Raft incomplete spec Specifications might not cover the core parts of the function Some functions might have no specification at all Usage of such functions could lead to surprises and even bugs How do we detect incomplete and missing specifications? 4 / 24

  9. Our Contributions 1 Introduce mutation proving for proof assistants libraries Mutate functions and check if any lemma fails No lemma fails (live mutant) may indicate incomplete spec Analogous to mutation testing 2 Implement mutation proving for Coq libraries, mCoq 3 Optimize mCoq with selective and parallel proof checking 4 Quantitatively evaluate mCoq on 12 popular Coq libraries 5 Qualitatively evaluate dozens of live mutants and report incomplete specifications 5 / 24

  10. Mutation Proving Example, Original Code From mathcomp Require Import all_ssreflect. Fixpoint before_func A (f g : A → bool) (l : list A) : bool := match l with | [::] ⇒ false | a :: l’ ⇒ (f a == true) || (g a == false && before_func A f g l’) end. Lemma before_func_app : ∀ A (f g : A → bool) (l l’ : list A), before_func A f g l → before_func A f g (l + + l’). Proof. intros;induction l ⇒ /=; intuition; move/orP: H; case; [by move/eqP → |]. by move/andP ⇒ [H1 H2]; rewrite H1 /=; apply/orP; right; apply IHl. Qed. Before.v Proof passes 6 / 24

  11. Mutation Proving Example, Mutated Code From mathcomp Require Import all_ssreflect. Fixpoint before_func A (f g : A → bool) (l : list A) : bool := match l with | [::] ⇒ false - | a :: l’ ⇒ (f a == true) || (g a == false && before_func A f g l’) + | a :: l’ ⇒ (f a == true) || (g a == true && before_func A f g l’) end. Lemma before_func_app : ∀ A (f g : A → bool) (l l’ : list A), before_func A f g l → before_func A f g (l + + l’). Proof. intros;induction l ⇒ /=; intuition; move/orP: H; case; [by move/eqP → |]. by move/andP ⇒ [H1 H2]; rewrite H1 /=; apply/orP; right; apply IHl. Qed. Before.v 7 / 24

  12. Mutation Proving Example, Mutated Code From mathcomp Require Import all_ssreflect. Fixpoint before_func A (f g : A → bool) (l : list A) : bool := match l with | [::] ⇒ false - | a :: l’ ⇒ (f a == true) || (g a == false && before_func A f g l’) + | a :: l’ ⇒ (f a == true) || (g a == true && before_func A f g l’) end. Lemma before_func_app : ∀ A (f g : A → bool) (l l’ : list A), before_func A f g l → before_func A f g (l + + l’). Proof. intros;induction l ⇒ /=; intuition; move/orP: H; case; [by move/eqP → |]. by move/andP ⇒ [H1 H2]; rewrite H1 /=; apply/orP; right; apply IHl. Qed. Before.v Proof still passes → Live mutant → Incomplete specification 7 / 24

  13. mCoq Architecture and Workflow sexp parser .v file 1 transformer sercomp 2 Coq QMutator SerAPI compser 5 3 4 sexp file 8 / 24

  14. mCoq Architecture and Workflow sexp parser .v file 1 transformer sercomp 2 Coq QMutator SerAPI compser 5 3 4 sexp file Fixpoint.. Lemma.. Proof.. Qed. 8 / 24

  15. mCoq Architecture and Workflow sexp parser .v file 1 transformer sercomp 2 Coq QMutator SerAPI compser 5 3 4 sexp file sexp 1 Fixpoint.. 2 Lemma.. Proof.. Qed. 8 / 24

  16. mCoq Architecture and Workflow sexp parser .v file 1 transformer sercomp 2 Coq QMutator SerAPI compser 5 3 4 sexp file mutants sexp 1 3 Fixpoint.. 2 4 Lemma.. Proof.. Qed. 8 / 24

  17. mCoq Architecture and Workflow sexp parser .v file 1 transformer sercomp 2 Coq QMutator SerAPI compser 5 3 4 sexp file mutants 5 live sexp 1 3 Fixpoint.. killed 2 4 live Lemma.. killed Proof.. live Qed. killed 8 / 24

  18. mCoq Components (1): Serialization and Deserialization SerAPI extended OCaml library supporting full (de)serialization of Coq code sercomp command-line SerAPI -based OCaml program which takes Coq .v file and outputs lists of sexps compser command-line SerAPI -based program which takes lists of sexps and performs proof checking with Coq 9 / 24

  19. mCoq Components (2): QMutator and Runner QMutator sexp transformation library in Java that performs mutations given mutation operator and location Runner driver program in Java and bash to orchestrate components and compute mutation scores 10 / 24

  20. Mutation Operators Inspired by our experience (17 years cumulative) and mutation operators for functional languages Category Name Description Reorder branches in if-else expression GIB General GIC Reverse constructor order in inductive type GME Replace exp in the 2nd match case with 1st case exp LRH Replace list with head singleton list LRT Replace list with its tail LRE Replace list with empty list Lists Reorder arguments to the list append operator LAR LAF Replace list append expression with first argument Replace list append expression with second argument LAS Replace plus with minus NPM NZO Replace zero with one Numbers NSZ Replace successor constructor with zero NSA Replace successor constructor with its argument BFT Replace false with true Booleans BTF Replace true with false 11 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using Conditional Mutation to Increase the Efficiency of Mutation Analysis e Just 1 & Gregory

Using Conditional Mutation to Increase the Efficiency of Mutation Analysis e Just 1 & Gregory

Using Conditional Mutation to Increase the Efficiency of Mutation Analysis e Just 1 & Gregory M. Kapfhammer 2 & Franz Schweiggert 1 Ren 1 Ulm University, Germany 2 Allegheny College, USA 6th International Workshop on the Automation of

946 views • 73 slides
IS MUTATION ANALYSIS OF BCR-ABL OF ANY VALUE IN CLINICAL MANAGEMENT OF CML PATIENTS? David

IS MUTATION ANALYSIS OF BCR-ABL OF ANY VALUE IN CLINICAL MANAGEMENT OF CML PATIENTS? David

IS MUTATION ANALYSIS OF BCR-ABL OF ANY VALUE IN CLINICAL MANAGEMENT OF CML PATIENTS? David Marin, Imperial College London Tell me generals, are we politicians necessary? I have to admit defeat before starting Mutation analysis, like

458 views • 27 slides
Equivalence Modulo States Bo Wang, Yingfei Xiong , Yangqingwei Shi, Lu Zhang, Dan Hao Peking

Equivalence Modulo States Bo Wang, Yingfei Xiong , Yangqingwei Shi, Lu Zhang, Dan Hao Peking

Faster Mutation Analysis via Equivalence Modulo States Bo Wang, Yingfei Xiong , Yangqingwei Shi, Lu Zhang, Dan Hao Peking University July 12, 2017 Mutation Analysis Mutation analysis is a fundamental software analysis technique Mutation

365 views • 24 slides
1 Mutation pressure Let = the mutation rate from A a Let = the mutation rate from a

1 Mutation pressure Let = the mutation rate from A a Let = the mutation rate from a

Population Genetics 5: Mutation pressure Mutation pressure Table 1 : Estimates of per generation mutation rates for a range of organisms Organism Per nucleotide rate Genomic rate RNA GENOMES 1.97 10 -5 Poliovirus 0.15 1.10 10 -4

306 views • 7 slides
1 Mutation pressure Let = the mutation rate from A a Let = the mutation rate from a

1 Mutation pressure Let = the mutation rate from A a Let = the mutation rate from a

Population Genetics 5: Mutation pressure Mutation pressure Table 1 : Estimates of per generation mutation rates for a range of organisms Organism Per nucleotide rate Genomic rate RNA GENOMES 1.97 10 -5 Poliovirus 0.15 1.10 10 -4

350 views • 6 slides
The Role Of Mutation Analysis in Porphyria. Dr SharonWhatley Cardiff SAS Porphyria Service

The Role Of Mutation Analysis in Porphyria. Dr SharonWhatley Cardiff SAS Porphyria Service

The Role Of Mutation Analysis in Porphyria. Dr SharonWhatley Cardiff SAS Porphyria Service Mutation Analysis in the Acute Porphyrias Family studies Identify relatives who are at risk Avoid known precipitants Sex hormones Unsafe

510 views • 48 slides
Do Redundant Mutants Affect the Effectiveness and Efficiency of Mutation Analysis? Ren Just 1

Do Redundant Mutants Affect the Effectiveness and Efficiency of Mutation Analysis? Ren Just 1

Do Redundant Mutants Affect the Effectiveness and Efficiency of Mutation Analysis? Ren Just 1 & Gregory M. Kapfhammer 2 & Franz Schweiggert 1 1 Ulm University, Germany 2 Allegheny College, USA 7th International Workshop on Mutation

781 views • 67 slides
A Generic Approach to Run Mutation Analysis Siamak Haschemi and Stephan Weileder

A Generic Approach to Run Mutation Analysis Siamak Haschemi and Stephan Weileder

A Generic Approach to Run Mutation Analysis Siamak Haschemi and Stephan Weileder Humboldt-Universitt zu Berlin METRIK Research Training Group TAIC-PART 2010 Sonntag, 5. September 2010 Mutation Analysis 2 Sonntag, 5. September 2010

676 views • 51 slides
1 Mutation - selection equilibrium 1. Mutation pressure: ( ) ( ) = Let = the

1 Mutation - selection equilibrium 1. Mutation pressure: ( ) ( ) = Let = the

Population Genetics 7: transient verses equilibrium polymorphism Mutation - selection equilibrium Mutation pressure and selection can operate in opposite directions as a force for change in allele frequencies in populations. Note that

359 views • 9 slides
Cancer gene discovery via network analysis of somatic mutation data Insuk Lee Cancer is a

Cancer gene discovery via network analysis of somatic mutation data Insuk Lee Cancer is a

Cancer gene discovery via network analysis of somatic mutation data Insuk Lee Cancer is a progressive genetic disorder. Accumulation of somatic mutations cause cancer. For example, in colorectal cancer, the first gatekeeping mutation

295 views • 28 slides
Using Non-Redundant Mutation Operators and Test Suite Prioritization to Achieve Efficient and

Using Non-Redundant Mutation Operators and Test Suite Prioritization to Achieve Efficient and

Using Non-Redundant Mutation Operators and Test Suite Prioritization to Achieve Efficient and Scalable Mutation Analysis Ren Just 1 , 2 & Gregory M. Kapfhammer 3 & Franz Schweiggert 2 1 University of Washington, USA 2 Ulm University,

1.18k views • 85 slides
MAJOR: An Efficient and Extensible Tool for Mutation Analysis in a Java Compiler e Just 1 , Franz

MAJOR: An Efficient and Extensible Tool for Mutation Analysis in a Java Compiler e Just 1 , Franz

MAJOR: An Efficient and Extensible Tool for Mutation Analysis in a Java Compiler e Just 1 , Franz Schweiggert 1 , and Gregory M. Kapfhammer 2 Ren 1 Ulm University, Germany 2 Allegheny College, USA 26th International Conference on Automated

743 views • 32 slides
Drift, mutation, selection, and the evolutionary dispersion of mean phenotypes recombination

Drift, mutation, selection, and the evolutionary dispersion of mean phenotypes recombination

Drift, mutation, selection, and the evolutionary dispersion of mean phenotypes recombination random mutation genetic drift The Population-genetic Environment 1000x Range of Variation in the Mutation Rate The mutation rate per nucleotide

480 views • 27 slides
The Impact of Equivalent, Redundant and Quasi Mutants on Database Schema Mutation Analysis Chris

The Impact of Equivalent, Redundant and Quasi Mutants on Database Schema Mutation Analysis Chris

The Impact of Equivalent, Redundant and Quasi Mutants on Database Schema Mutation Analysis Chris J. Wright Gregory M. Kapfhammer Phil McMinn The Impact of Equivalent, Redundant and Quasi Mutants on Database Schema Mutation Analysis Chris J.

2.11k views • 162 slides
CSE 331 Mutation and immutability slides created by Marty Stepp based on materials by M. Ernst,

CSE 331 Mutation and immutability slides created by Marty Stepp based on materials by M. Ernst,

CSE 331 Mutation and immutability slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer, Wikipedia http://www.cs.washington.edu/331/ 1 Mutation mutation : A modification to the state of an object.

571 views • 29 slides
Mutation of type D friezes Ana Garcia Elsener and Khrystyna Serhiyenko University of Kentucky

Mutation of type D friezes Ana Garcia Elsener and Khrystyna Serhiyenko University of Kentucky

Mutation of type D friezes Ana Garcia Elsener and Khrystyna Serhiyenko University of Kentucky November 24, 2019 Spring 2016, Banff Problem: Define and study mutation of friezes that is compatible with cluster mutation,

199 views • 15 slides
Simultaneous Identification of Multiple Driver Pathways in Cancer Mark D. M. Leiserson, et.al

Simultaneous Identification of Multiple Driver Pathways in Cancer Mark D. M. Leiserson, et.al

Simultaneous Identification of Multiple Driver Pathways in Cancer Mark D. M. Leiserson, et.al Goal To distinguish the functional driver mutations responsible for cancer development from the random passenger mutations that have no

537 views • 22 slides
BRCA Founder Mutations Ashkenazi Jewish (Hungarian and Russian): BRCA1 - 185delAG and

BRCA Founder Mutations Ashkenazi Jewish (Hungarian and Russian): BRCA1 - 185delAG and

Development of a Founder Mutation Development of a Founder Mutation A high frequency of a specific gene mutation in a A high frequency of a specific gene mutation in a population founded by a small ancestral group population founded by a small

278 views • 8 slides
Mutation testing at SAAB Niklas Pettersson niklas.pettersson2@saabgroup.com Joakim Brnnstrm

Mutation testing at SAAB Niklas Pettersson niklas.pettersson2@saabgroup.com Joakim Brnnstrm

COMPANY RESTRICTED | NOT EXPORT CONTROLLED | NOT CLASSIFIED COMPANY RESTRICTED | NOT EXPORT CONTROLLED | NOT CLASSIFIED OPEN | NOT EXPORT CONTROLLED | NOT CLASSIFIED 1 Hkan Anderwall | LN-030676| Issue 1 Hkan Anderwall | LN-030676| Issue

743 views • 48 slides
Mutation Testing Software Engineering Gordon Fraser Saarland University 1 The most common

Mutation Testing Software Engineering Gordon Fraser Saarland University 1 The most common

Mutation Testing Software Engineering Gordon Fraser Saarland University 1 The most common way to determine the quality of a test suite How good are my tests? is to measure its coverage - we ve already seen quite a number of

423 views • 38 slides
Maximal green sequences of minimal mutation-infinite quivers John Lawson joint with Matthew

Maximal green sequences of minimal mutation-infinite quivers John Lawson joint with Matthew

Maximal green sequences of minimal mutation-infinite quivers John Lawson joint with Matthew Mills Durham University Oct 2016 Spoilers Theorem. All minimal mutation-infinite quivers have a maximal green sequence. Theorem. Any cluster algebra

584 views • 32 slides
Accepted Point Mutation (Dayhoff et al. 68,72,78) An APM in a protein is a replacement of

Accepted Point Mutation (Dayhoff et al. 68,72,78) An APM in a protein is a replacement of

1 Accepted Point Mutation (Dayhoff et al. 68,72,78) An APM in a protein is a replacement of one AA by another accepted by evolution We want to estimate the probability that given a site with AA A has udergone an APM, the new AA

513 views • 8 slides
Mutation Testing How good your tests are 2017 whoami iOS Developer by day compiler

Mutation Testing How good your tests are 2017 whoami iOS Developer by day compiler

Mutation Testing How good your tests are 2017 whoami iOS Developer by day compiler hacker by night https://twitter.com/1101_debian https://lowlevelbits.org https://systemundertest.org Mars Climate Orbiter Mars Climate

1k views • 85 slides
Semantic Mutation Testing John A. Clark, Haitao Dan, Robert M Hierons The 8th CREST Open

Semantic Mutation Testing John A. Clark, Haitao Dan, Robert M Hierons The 8th CREST Open

Semantic Mutation Testing John A. Clark, Haitao Dan, Robert M Hierons The 8th CREST Open Workshop, 27-10-2010 An example: cruise control Question What happens in no_vehicle_in_front if brake and level=increase? Another question What

376 views • 21 slides

More recommend