Aut Automati tic Data Str truc uctur ture Repa pair usi using ng Sepa parati tion n Logi gic Gu Guolong Zheng, , ThanhVu Nguyen University of Nebraska-Lincoln Quang Loc Le Quoc-Sang Phan Teesside University Fujitsu Labs. of America MV MVD’1 ’18
Introduction Offline Repair On-the-fly Repair - - Stop program Suspend program - - Repair source code Repair program states - - Recompile No need to recompile - - Rerun Resume running - - GenProg; Angelix; InferFix Tarmeem; 2
StarFix Ø On-the-fly Repair • Repairs corrupted data structure Ø Specification based repair • Uses Separation Logic • Uses STARLIB 3
Separation Logic Ø Extends Hoare Logic • Deal with pointers, dynamically allocated memory • tree(root) := emp ∧ root = null OR root|->(left, right) ∗ tree(left) ∗ tree(right) Ø Benefits • v.s. repOk • Describes memory shape property • Naturally encodes recursively defined data structure • Utilizes existing model checking algorithms 4
StarFix ∆ ( SL Specification ) STARFIX T ( Corrupted Data Structure ) Running Bug Auto Program Detection Repair T’ ( Fixed data Structure ) 5
Circular Doubly Linked List Normal link Corrupted link B C D A head A B C D head 6
SL definition for DLL ( emp ∧ head=null) empty list dll(head) ( ∃ p, n. head |→Node(p, n) ∗ lst(head, p, head, n)) inductive list ( emp ∧ prev h =cur & next=h) cur is the tail lst(h, prev h , cur, next) ( ∃ n. next |→Node(cur, n) ∗ lst(h, prev h , next, n)) inductive sublist 7
Unfolding dll(head) B C D A head ∆1 = emp ∧ head=null ✗ Symbolic Heap ∆2 = ∃ p 1 ,n 1 . head |→Node(p 1 ,n 1 ) ∗ lst(head,p 1 ,head, n 1 )) ✓ Concrete M 0 ≡ {head=A; p 1 =D; n 1 =B } Model 8
Unfolding ∆2 B C D A head ✗ ∆3 ≡ ∃ p 1 ,n 1 . head |→Node(p 1 , n 1 ) ∧ p 1 =head ∧ head= n 1 Symbolic Heap ∆4 ≡ ∃ p 1 ,n 1 ,n 2 . head |→Node(p 1 , n 1 ) ∗ n 1 |→Node(head,n 2 ) ✓ ∗ lst(head, p1, n 1 , n2) Concrete M 1 ≡ {head=A; p 1 =D; n 1 =B; n 2 =C} Model 9
Unfolding ∆4 A B C D head ∆5 ≡ ∃ p 1 ,n 1 ,n 2 . head |→Node(p 1 , n 1 ) ∗ n 1 |→Node(head,n 2 ) ✗ Symbolic ∧ p 1 = n 1 ∧ n 2 =head Heap ∆6 ≡ ∃ p 1 ,n 1 ,n 2 ,n 3 .head|→Node(p 1 , n 1 ) ∗ n 1 |→Node(head,n 2 ) ✓ ∗ n 2 |→Node(n 1 , n 3 ) ∗ lst(head, p 1 , n 2 , n 3 ) Concrete M 2 ≡ {head=A; p 1 =D; n 1 =B; n 2 =C;n 3 =B} Model 10
Unfolding ∆6 A B C D head ∆7 ≡ ∃ p 1 ,B,n 2 ,n 3 . head|→Node(p 1 , n 1 ) ∗ n 1 |→Node(head,n 2 ) ✗ ∗ n 2 |→Node(n 1 ,n 3 ) ∧ p 1 =n 2 ∧ n 3 =head Symbolic Heap ∆8 ≡ ∃ p1,B,n2,n3,n 4 . head|→Node(p 1 , n 1 ) ∗ n 1 |→Node(head,n 2 ) ✗ ∗ n 2 |→Node(n 1 , n 3 ) ∗ n 3 |→Node(n 2 , n 4 ) ∗ lst(head, p 1 , n 3 , n 4 ) Concrete M 2 ≡ {head=A; p 1 =D; n 1 =B; n 2 =C;n 3 =B} Model 11
Roll back to ∆6 and Repair n3 A B C D head Symbolic ∆6 ≡ ∃ p 1 ,B,n 2 ,n 3 .head|→Node(p 1 ,n 1 ) ∗ n 1 |→Node(head,n 2 ) Heap ∗ n 2 |→Node(n 1 , n 3 ) ∗ lst(head, p 1 , n 2 , n 3 ) Concrete M 2 ’ ≡ {head=A; p 1 =D; B=B; n 2 =C; n 3 =( null | D | A | C)} Model 12
Unfolding ∆6 A B C D head ∆7 ≡ ∃ p 1 ,B,n 2 ,n 3 . head|→Node(p 1 , n 1 ) ∗ n 1 |→Node(head,n 2 ) ✗ ∗ n 2 |→Node(n 1 ,n 3 ) ∧ p 1 =n 2 ∧ n 3 =head Symbolic Heap ∆8 ≡ ∃ p1,B,n2,n3,n 4 . head|→Node(p 1 , n 1 ) ∗ n 1 |→Node(head,n 2 ) ✗ ∗ n 2 |→Node(n 1 , n 3 ) ∗ n 3 |→Node(n 2 , n 4 ) ∗ lst(head, p 1 , n 3 , n 4 ) Concrete M 3 ≡ {head=A; p 1 =D; n 1 =B; n 2 =C;n 3 =D;n 2 =B;n 4 =A} Model 13
Repairing n 2 A B C D head ∆7 ≡ ∃ p 1 ,B,n 2 ,n 3 . head|→Node(p 1 , n 1 ) ∗ n 1 |→Node(head,n 2 ) ✗ ∗ n 2 |→Node(n 1 ,n 3 ) ∧ p 1 =n 2 ∧ n 3 =head Symbolic Heap ∆8 ≡ ∃ p1,B,n2,n3,n 4 . head|→Node(p 1 , n 1 ) ∗ n 1 |→Node(head,n 2 ) ✓ ∗ n 2 |→Node(n 1 , n 3 ) ∗ n 3 |→Node(n 2 , n 4 ) ∗ lst(head, p 1 , n 3 , n 4 ) Concrete M 3 ≡ {head=A; p 1 =D; n 1 =B; n 2 =C;n 3 =D;n 4 =A} Model 14
Unfolding ∆8 A B C D head ∆9 ≡ ∃ p1,B,n2,n3,n 4 . head|→Node(p 1 , n 1 ) ∗ n 1 |→Node(head,n 2 ) Symbolic ∗ n 2 |→Node(n 1 , n 3 ) ∗ n 3 |→Node(n 2 , n 4 ) Heap ∧ p 1 =n 3 ∧ head=n 4 Concrete M 3 ≡ {head=A; p 1 =D; n 1 =B; n 2 =C;n 3 =D;n 4 =A} Model 15
Multiple Valid Fixes A D head A B D head 16
Algorithm StarFix (SL spec ∆, Data StructureT) Ø Check T ⟹ ∆ § Unfold ∆ one depth to find a match • True: return T • False: repair T • Neither: keep unfolding Ø Repair T § Modify T to T’ § Check T' 17
Repairing a Binary Tree a a a b c b c b c d e d e d e f f f g g g Corrupted Tree One fix Another Fix 18
Future Work • Use more powerful SL model checker • Ranking fixes • Heuristics to optimize repairing performance • Automatically inferring specifications from good program runs 19
THANKS! Any questions? 20
Recommend
More recommend