Chenghao Cai,Jing Sun,Gillian Dobbie

DOI: https://doi.org/10.1109/ICECCS2018.2018.00012

2018-01-01

Abstract:The B-method provides facilities for the design, development and automated verification of software systems, but the repair of faulty abstract machines of B is still a manual task. This paper proposes B-repair, a method that supports the computer-assisted repair of faulty abstract machines. Based on model checking, the B-repair system can generate possible repairs, evaluate the repairs and apply the repairs to faulty B machines. The generation of repairs is based on two formal templates, namely isolation and revision. Moreover, the evaluation of repairs is based on machine learning techniques, such as logistic models, residual neural networks and random forests. The machine learning models learn from the state graph of the original abstract machine, which are used to estimate the quality of repairs. Users are able to select satisfactory repairs and apply the selected repairs to the original machine. Using such a computer-assisted methodology, the B-repair method improves the efficiency of software development using the B-method. The B-repair method has been validated using different real-world models, and the validation result has shown that B-repair can suggest a number of repairs with realistic meanings.

Cheng-Hao Cai,Jing Sun,Gillian Dobbie,Zhe Hou,Hadrien Bride,Jin Song Dong,Scott Uk-Jin Lee

DOI: https://doi.org/10.1145/3536430

2022-01-01

Formal Aspects of Computing

Abstract:Automated model repair techniques enable machines to synthesise patches that ensure models meet given requirements. B-repair, which is an existing model repair approach, assists users in repairing erroneous models in the B formal method, but repairing large models is inefficient due to successive applications of repair. In this work, we improve the performance of B-repair using simultaneous modifications, repair refactoring, and better classifiers. The simultaneous modifications can eliminate multiple invariant violations at a time so the average time to repair each fault can be reduced. Further, the modifications can be refactored to reduce the length of repair. The purpose of using better classifiers is to perform more accurate and general repairs and avoid inefficient brute-force searches. We conducted an empirical study to demonstrate that the improved implementation leads to the entire model process achieving higher accuracy, generality, and efficiency.

Chenghao Cai,Jing Sun,Gillian Dobbie

DOI: https://doi.org/10.1007/978-3-030-32409-4_30

2019-01-01

Abstract:The main research content of this topic is model repair in formal methods. Formal verification can verify the correctness of a model using rigorous mathematical methods. However, the repair of incorrect models is usually done by humans. In order to automate the model repair, we combine the B method, formal verification, probabilistic methods, satisfiability modulo theories and program synthesis, and we study various automatic model repair algorithms, which are used to fix reachability and eliminate invariant violations and deadlock states in incorrect models.

Jingyi Wang,Jun Sun,Qixia Yuan,Jun Pang

DOI: https://doi.org/10.1007/978-3-662-54494-5_1

2017-01-01

Abstract:Many automated system analysis techniques e.g., model checking, model-based testing rely on first obtaining a model of the system under analysis. System modeling is often done manually, which is often considered as a hindrance to adopt model-based system analysis and development techniques. To overcome this problem, researchers have proposed to automatically \"learn\" models based on sample system executions and shown that the learned models can be useful sometimes. There are however many questions to be answered. For instance, how much shall we generalize from the observed samples and how fast would learning converge? Or, would the analysis result based on the learned model be more accurate than the estimation we could have obtained by sampling many system executions within the same amount of time? In this work, we investigate existing algorithms for learning probabilistic models for model checking, propose an evolution-based approach for better controlling the degree of generalization and conduct an empirical study in order to answer the questions. One of our findings is that the effectiveness of learning may sometimes be limited.

Cheng-Hao Cai,Jing Sun,Gillian Dobbie

DOI: https://doi.org/10.1016/j.scico.2021.102732

IF: 1.039

2021-01-01

Science of Computer Programming

Abstract:In software engineering, formal methods are often used to specify and verify design models of software products. Whether design models are consistent with required properties can significantly impact the quality of final software products. In this work, we study B model quality measurements based on the ISO/IEC 25010 standard. These measurements are formulated as domain-independent formulae and computed by model checking. Moreover, we study how to enable machines to automatically solve unreachable goals in B models. We suggest to use constraint solvers and semantic learners to discover state transitions to the goals. To demonstrate the effectiveness of the model repair technique, a set of experiments are conducted based on the model quality measurements. The results demonstrate that the model repair technique can solve unreachable goals while preserving the quality of models.

CHEN Feng,LI Weihua,CHEN Hao,L(U) Zheng

2011-01-01

Abstract:In order to improve the analysis and design of software safety,on the basis of current researches on safety model and verification technology,a modeling and checking method is proposed for object-oriented software safety.Establishing non-formal UML models of software safety,safety extended deterministic finite automata and linear temporal logic are used to create the formal models and describe the safety properties separately.Through a model checker,we get the verification result.This approach realizes the combination of software safety model and verification technology.Experimental results show that the method can analyze and verify the safety properties effectively in the early stage of software design.

Yuze Zhao,Zhenya Huang,Yixiao Ma,Rui Li,Kai Zhang,Hao Jiang,Qi Liu,Linbo Zhu,Yu Su

2024-08-21

Abstract:The gap between the trepidation of program reliability and the expense of repairs underscores the indispensability of Automated Program Repair (APR). APR is instrumental in transforming vulnerable programs into more robust ones, bolstering program reliability while simultaneously diminishing the financial burden of manual repairs. Commercial-scale language models (LM) have taken APR to unprecedented levels. However, the emergence reveals that for models fewer than 100B parameters, making single-step modifications may be difficult to achieve the desired effect. Moreover, humans interact with the LM through explicit prompts, which hinders the LM from receiving feedback from compiler and test cases to automatically optimize its repair policies. In this literature, we explore how small-scale LM (less than 20B) achieve excellent performance through process supervision and feedback. We start by constructing a dataset named CodeNet4Repair, replete with multiple repair records, which supervises the fine-tuning of a foundational model. Building upon the encouraging outcomes of reinforcement learning, we develop a reward model that serves as a critic, providing feedback for the fine-tuned LM's action, progressively optimizing its policy. During inference, we require the LM to generate solutions iteratively until the repair effect no longer improves or hits the maximum step limit. The results show that process-based not only outperforms larger outcome-based generation methods, but also nearly matches the performance of closed-source commercial large-scale LMs.

Software Engineering,Computation and Language

Cheng-Hao Cai,Jing Sun,Gillian Dobbie

DOI: https://doi.org/10.1002/spe.3255

2023-01-01

Abstract:The automation of programming, which lies at the intersection of software engineering and artificial intelligence, enables machines to automatically generate programs that satisfy given requirements. In the context of B formal design modeling, one of the challenges is the refactoring of substitutions in design specifications, which often uses state transitions to describe how program or system statuses change during execution. This paper proposes a condition and substitution refactoring algorithm for the B formal specification language. The aim of the work is to automatically derive B operational predicates based on given transitions. The work has been extremely useful to machine-driven formal design model repair as well as automated design specification generation. Given a set of state transitions, common relations of their state variables can be discovered and clustered into a number of classes. These relations can be further used to synthesize substitutions that derive new states from existing states. To restrict application domains of the synthesized substitutions, conditions that guard these substitutions are generated using first-order logic. We have implemented the proposed algorithm as an extension to the ProB model checker. Experiments were conducted based on the B model public dataset. The evaluation results demonstrated that our solution is able to synthesize conditions and substitutions for various sets of state transitions in a wide range of B models.

Liushan Chen,Yu Pei,Minxue Pan,Tian Zhang,Qixin Wang,Carlo A. Furia

DOI: https://doi.org/10.1109/tse.2022.3164662

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:A key challenge in generate-and-validate automated program repair is directing the search for fixes so that it can efficiently find those that are more likely to be correct. To this end, several techniques use machine learning to capture the features of programmer-written fixes. In existing approaches, fitting the model typically takes place before fix generation and is independent of it: the fix generation process uses the learned model as one of its inputs. However, the intermediate outcomes of an ongoing fix generation process often provide valuable information about which candidate fixes were “better”; this information could profitably be used to retrain the model, so that each new iteration of the fixing process would also learn from the outcome of previous ones. In this paper, we propose the Liana technique for automated program repair, which is based on this idea of repeatedly learning the features of generated fixes. To this end, Liana uses a fine-grained model that combines information about fix characteristics, their relations to the fixing context, and the results of test execution. The model is initially trained offline, and then repeatedly updated online as the fix generation process unravels; at any step, the most up-to-date model is used to guide the search for fixes—prioritizing those that are more likely to include the right ingredients. In an experimental evaluation on 732 real-world Java bugs from 3 popular benchmarks, Liana built correct fixes for 134 faults (83 ranked as first in its output)— improving over several other generate-and-validate program repair tools according to various measures.

Omar I. Al-Bataineh,Anastasiia Grishina,Leon Moonen

DOI: https://doi.org/10.1109/qrs54544.2021.00075

2021-12-01

Abstract:A long-standing open challenge for automated program repair is the overfitting problem, which is caused by having insufficient or incomplete specifications to validate whether a generated patch is correct or not. Most available repair systems rely on weak specifications (i.e., specifications that are synthesized from test cases) which limits the quality of generated repairs. To strengthen specifications and improve the quality of repairs, we propose to closer integrate static bug detection techniques with automated program repair. The integration combines automated program repair with static analysis techniques in such a way that bug detection patterns can be synthesized into specifications that the repair system can use. We explore the feasibility of such integration using two types of bugs: arithmetic bugs, such as integer overflow, and logical bugs, such as termination bugs. As part of our analysis, we make several observations that help to improve patch generation for these classes of bugs. Moreover, these observations assist with narrowing down the candidate patch search space, and inferring an effective search order.

Yiannis Charalambous,Edoardo Manino,Lucas C. Cordeiro

2024-05-14

Abstract:The next generation of AI systems requires strong safety guarantees. This report looks at the software implementation of neural networks and related memory safety properties, including NULL pointer deference, out-of-bound access, double-free, and memory leaks. Our goal is to detect these vulnerabilities, and automatically repair them with the help of large language models. To this end, we first expand the size of NeuroCodeBench, an existing dataset of neural network code, to about 81k programs via an automated process of program mutation. Then, we verify the memory safety of the mutated neural network implementations with ESBMC, a state-of-the-art software verifier. Whenever ESBMC spots a vulnerability, we invoke a large language model to repair the source code. For the latest task, we compare the performance of various state-of-the-art prompt engineering techniques, and an iterative approach that repeatedly calls the large language model.

Software Engineering,Artificial Intelligence

Cheng-Hao Cai,Jing Sun,Gillian Dobbie,Scott Uk-Jin Lee

DOI: https://doi.org/10.1109/apsec48747.2019.00043

2019-01-01

Abstract:This paper proposes a probabilistic reachability repair solution that enables abstract machines to automatically evolve and satisfy desired requirements. The solution is a combination of the B-method, machine learning and program synthesis. The B-method is used to formally specify an abstract machine and analyse the reachability of the abstract machine. Machine learning models are used to approximate features hidden in the semantics of the abstract machine. When the abstract machine fails to reach a desired state, the machine learning models are used to discover missing transitions to the state. Inserting the discovered transitions into the original abstract machine will lead to a repaired abstract machine that is capable of achieving the state. To obtain the repaired abstract machine, a set of insertion repairs are synthesised from the discovered transitions and are simplified using context-free grammars. Experimental results reveal that the reachability repair solution is applicable to a wide range of abstract machines and can accurately discover transitions that satisfy the requirements of reachability. Moreover, the results demonstrate that random forests are efficient machine learning models on transition discovery tasks. Additionally, we argue that the automated reachability repair process can improve the efficiency of software development.

Martin Monperrus

DOI: https://doi.org/10.1145/3105906

2018-07-02

Abstract:This article presents a survey on automatic software repair. Automatic software repair consists of automatically finding a solution to software bugs without human intervention. This article considers all kinds of repairs. First, it discusses behavioral repair where test suites, contracts, models, and crashing inputs are taken as oracle. Second, it discusses state repair, also known as runtime repair or runtime recovery, with techniques such as checkpoint and restart, reconfiguration, and invariant restoration. The uniqueness of this article is that it spans the research communities that contribute to this body of knowledge: software engineering, dependability, operating systems, programming languages, and security. It provides a novel and structured overview of the diversity of bug oracles and repair operators used in the literature.

Software Engineering,Cryptography and Security,Programming Languages

Fengjie Li,Jiajun Jiang,Jiajun Sun,Hongyu Zhang

2024-06-04

Abstract:Automated Program Repair (APR) has garnered significant attention due to its potential to streamline the bug repair process for human developers. Recently, LLM-based APR methods have shown promise in repairing real-world bugs. However, existing APR methods often utilize patches generated by LLMs without further optimization, resulting in reduced effectiveness due to the lack of program-specific knowledge. Furthermore, the evaluations of these APR methods have typically been conducted under the assumption of perfect fault localization, which may not accurately reflect their real-world effectiveness. To address these limitations, this paper introduces an innovative APR approach called GIANTREPAIR. Our approach leverages the insight that LLM-generated patches, although not necessarily correct, offer valuable guidance for the patch generation process. Based on this insight, GIANTREPAIR first constructs patch skeletons from LLM-generated patches to confine the patch space, and then generates high-quality patches tailored to specific programs through context-aware patch generation by instantiating the skeletons. To evaluate the performance of our approach, we conduct two large-scale experiments. The results demonstrate that GIANTREPAIR not only effectively repairs more bugs (an average of 27.78% on Defects4J v1.2 and 23.40% on Defects4J v2.0) than using LLM-generated patches directly, but also outperforms state-of-the-art APR methods by repairing at least 42 and 7 more bugs under perfect and automated fault localization scenarios, respectively.

Software Engineering

Xin Yin,Chao Ni,Shaohua Wang,Zhenhao Li,Limin Zeng,Xiaohu Yang

2024-07-30

Abstract:Though many approaches have been proposed for Automated Program Repair (APR) and indeed achieved remarkable performance, they still have limitations in fixing bugs that require analyzing and reasoning about the logic of the buggy program. Recently, large language models (LLMs) instructed by prompt engineering have attracted much attention for their powerful ability to address many kinds of tasks including bug-fixing. However, the quality of the prompt will highly affect the ability of LLMs and manually constructing high-quality prompts is a costly endeavor. To address this limitation, we propose a self-directed LLM-based automated program repair, ThinkRepair, with two main phases: collection phase and fixing phase. The former phase automatically collects various chains of thoughts that constitute pre-fixed knowledge by instructing LLMs with the Chain-of-Thought (CoT) prompt. The latter phase targets fixing a bug by first selecting examples for few-shot learning and second automatically interacting with LLMs, optionally appending with feedback of testing information. Evaluations on two widely studied datasets (Defects4J and QuixBugs) by comparing ThinkRepair with 12 SOTA APRs indicate the priority of ThinkRepair in fixing bugs. Notably, ThinkRepair fixes 98 bugs and improves baselines by 27%-344.4% on Defects4J V1.2. On Defects4J V2.0, ThinkRepair fixes 12-65 more bugs than the SOTA APRs. Additionally, ThinkRepair also makes a considerable improvement on QuixBugs (31 for Java and 21 for Python at most).

Software Engineering

Lu Chen,Jian Jiao,Jiping Fan,Fuchun Ren

DOI: https://doi.org/10.1109/rams.2016.7447978

2016-01-01

Abstract:Fault propagation identification is an indispensable task in complex system safety analysis. With the growing of system scale and complexity, it is hard for the traditional safety analysis techniques, which depend mainly on analysts' personal skills and experiences, to keep completeness and timeliness; moreover, some failure modes may be neglected and failure effects misjudged during the analysis. Formal science provides a new way to solve this problem, where formal verification method such as model checking can automatically validate whether the system design satisfies the given safety requirements, which can reduce an analysts' repetitive work and design cost, and improve the efficiency and quality of safety analysis. However, there is lack of a deliberate and reasonable way to build system models because of the diversity and flexibility of languages used for model checking, which results in that it is difficult to specify and model system quickly and accurately, and leads to some deviation in model checking. In this paper, a system modeling and safety property specifying approach using symbolic language SMV is proposed, including guidance on the mapping relationships between the formal language elements and system functions, architecture and failure modes; moreover, how to define system specifications and safety requirements using temporal logic formulas is discussed as well. Finally, a case study about airborne system safety analysis is provided, in which the counter-examples that do not meet system specifications can be identified automatically using model checker NuSMV to find out fault events and their propagation that can result in accidents.

Qiang Wang,Yan Lei,Simon Bliudze,Xiaoguang Mao

DOI: https://doi.org/10.1007/978-3-319-25942-0_18

2015-01-01

Abstract:This paper presents a novel idea of automatic fault localization by exploiting counterexamples generated by a model checker. The key insight is that, if a candidate statement is faulty, it is possible to modify i.e. correct this statement so that the counterexample is eliminated. We have implemented the proposed fault localization algorithm for component-based systems modelled in the BIP Behaviour, Interaction and Priority language, and conducted the first experimental evaluation on a set of benchmarks with injected faults, showing that our approach is promising and capable of quickly and precisely localizing faults.

Mengtao Geng,Xiaoyu Zhang,Jianwen Li

DOI: https://doi.org/10.3390/electronics10232957

IF: 2.9

2021-01-01

Electronics

Abstract:Model checking is an efficient formal verification technique that has been applied to a wide spectrum of applications in software engineering. Popular model checking algorithms include Bounded Model Checking (BMC) and Incremental Construction of Inductive Clauses for Indubitable Correctness/Property Directed Reachability(IC3/PDR). The recently proposed Complementary Approximate Reachability (CAR) model checking algorithm has a performance close to BMC in bug-finding, while its depth-first strategy sometimes leads the algorithm to a trap, which will waste lots of computation. In this paper, we enhance the recently proposed Complementary Approximate Reachability (CAR) model checking algorithm by integrating the restart policy, which yields a restartable CAR model (abbreviated as r-CAR). The restart policy can help avoid the trap problem caused by the depth-first strategy and has played an important role in modern SAT-solving algorithms to search for a satisfactory solution. As the bug-finding in model checking is reducible to a similar search problem, the restart policy can be useful to enhance the bug-finding capability. We made an extensive experiment to evaluate the new algorithm. Our results show that out of the 749 industrial instances, r-CAR is able to find 13 instances that the state-of-the-art BMC technique cannot find and can solve more than 11 instances than the original CAR. The new algorithm successfully contributes to the current model-checking portfolio in practice.

Omar I. Al-Bataineh,Leon Moonen

DOI: https://doi.org/10.48550/arXiv.2211.03911

2022-11-07

Software Engineering

Abstract:Modern automated program repair (APR) is well-tuned to finding and repairing bugs that introduce observable erroneous behavior to a program. However, a significant class of bugs does not lead to such observable behavior (e.g., liveness/termination bugs, non-functional bugs, and information flow bugs). Such bugs can generally not be handled with current APR approaches, so, as a community, we need to develop complementary techniques. To stimulate the systematic study of alternative APR approaches and hybrid APR combinations, we devise a novel bug classification system that enables methodical analysis of their bug detection power and bug repair capabilities. To demonstrate the benefits, we analyze the repair of termination bugs in sequential and concurrent programs. The study shows that integrating dynamic APR with formal analysis techniques, such as termination provers and software model checkers, reduces complexity and improves the overall reliability of these repairs.

Lu Chen,Jian Jiao,Qianxin Wei,Tingdi Zhao

DOI: https://doi.org/10.1016/j.engfailanal.2017.06.034

IF: 4

2017-01-01

Engineering Failure Analysis

Abstract:It is important to analyze the failure in safety-critical system because a disaster may occur once any type of failure mode and/or failure effect is neglected or misjudged. In order to conduct the failure analysis more effectively and efficiently, the concept of formal modeling is introduced. This paper improved the model-based safety analysis (MBSA) working process to optimize the formal failure analysis approach of safety-critical system. As the core works of MBSA process, the formal modeling and model extension aim to build an integrated system model which can be used for analyzing the failure behaviors in the system by model checking. However, in order to automatically check if there are any potential failures in the structured system model and whether the model satisfies the specified system properties and requirements using model checker, model transformation is normally needed, which can introduced potential errors during the transformation. Moreover, different model checkers generally require the system models to be expressed in a particular input language, which increases the difficulty of modeling as well. In order to avoid these problems and improve the efficiency of failure analysis work, this paper focused on how to build an unified model of safety-critical system quickly and accurately using symbolic language SMV, and conduct automatic verification using the corresponding open-source model checker NuSMV soon afterwards. After the model checking, the formal verification results such as counter-examples generated by model checking need to be transformed into traditional failure analysis artifacts, such as FMEA and/or FTA, to guide the iterative improvement of system development conveniently. Therefore, to solve the transformation from formal verification conclusions to traditional failure analysis results is another key point of this paper. Finally, a case study about airborne equipment is provided to validate the proposed method.