Open access

ProveNFix: Temporal Property-Guided Program Repair

Published: 12 July 2024

Abstract

Model checking has been used traditionally for finding violations of temporal properties. Recently, testing or fuzzing approaches have also been applied to software systems to find temporal property violations. However, model checking suffers from state explosion, while fuzzing can only partially cover program paths. Moreover, once a violation is found, the fix for the temporal error is usually manual. In this work, we develop the first compositional static analyzer for temporal properties, and the analyzer supports a proof-based repair strategy to fix temporal bugs automatically. To enable a more flexible specification style for temporal properties, on top of the classic pre/post-conditions, we allow users to write a future-condition to modularly express the expected behaviors after the function call. Instead of requiring users to write specifications for each procedure, our approach automatically infers the procedure’s specification according to user-supplied specifications for a small number of primitive APIs. We further devise a term rewriting system to check the actual behaviors against the inferred specification. Our method supports the analysis of 1) memory usage bugs, 2) unchecked return values, 3) resource leaks, etc., with annotated specifications for 17 primitive APIs, and detects 515 vulnerabilities from over 1 million lines of code across ten real-world C projects. Intuitively, the benefit of our approach is that a small set of properties can be specified once and used to analyze/repair a large number of programs. Experimental results show that our tool, ProveNFix, detects 72.2% more true alarms than the latest release of the Infer static analyzer. Moreover, we show the effectiveness of our repair strategy when compared to other state-of-the-art systems — fixing 5% more memory leaks than SAVER, 40% more resource leaks than FootPatch, and with a 90% fix rate for null pointer dereferences.
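The abstract's three key ideas, a future-condition attached to a primitive API, a procedure specification inferred from the calls the procedure makes, and a rewriting-based check that the inferred trace is included in the specification, can be illustrated with a small Python model. The block below is an added example written for this page; it is not code from the ProveNFix project or its authors, and it simplifies the paper's logic in several labelled ways: the toy statement language (`call`/`if` tuples), the `isnull` event standing in for a null check, the three constructed specs in `SPECS`, the constructed procedures `LEAKY`, `FIXED` and `UNCHECKED`, and the `<other>` sentinel event are all assumptions of the example. The inclusion check uses Antimirov partial derivatives, one standard way to rewrite regular-expression inclusion into a finite set of derivative pairs.

```python
from dataclasses import dataclass

# Effect syntax: regular-expression-like traces over API events (constructed here, not ProveNFix code).
@dataclass(frozen=True)
class Ev:             # one API event such as Ev("free", "p")
    name: str
    arg: str = ""
@dataclass(frozen=True)
class AnyEv: pass     # wildcard "_": matches any single event
@dataclass(frozen=True)
class Emp: pass       # the empty trace
@dataclass(frozen=True)
class Bin:            # binary node: Seq is left . right, Disj is left \/ right
    left: object
    right: object
class Seq(Bin): pass
class Disj(Bin): pass
@dataclass(frozen=True)
class Star:           # body*
    body: object
def seq(a, b):        # drops empty traces so derivative sets stay canonical
    return b if isinstance(a, Emp) else a if isinstance(b, Emp) else Seq(a, b)

def nullable(e):
    """True if the effect accepts the empty trace."""
    if isinstance(e, Seq):
        return nullable(e.left) and nullable(e.right)
    if isinstance(e, Disj):
        return nullable(e.left) or nullable(e.right)
    return isinstance(e, (Emp, Star))

def pd(e, ev):
    """Antimirov partial derivative: the set of effects that may follow event ev."""
    if isinstance(e, AnyEv) or (isinstance(e, Ev) and e == ev):
        return frozenset({Emp()})
    if isinstance(e, Disj):
        return pd(e.left, ev) | pd(e.right, ev)
    if isinstance(e, Star):
        return frozenset(seq(r, e) for r in pd(e.body, ev))
    if isinstance(e, Seq):
        res = {seq(r, e.right) for r in pd(e.left, ev)}
        if nullable(e.left):
            res |= pd(e.right, ev)
        return frozenset(res)
    return frozenset()                       # Emp, or an Ev other than ev

def events(e):        # concrete events an effect mentions: the inclusion check's alphabet
    if isinstance(e, Ev):
        return {e}
    if isinstance(e, Bin):
        return events(e.left) | events(e.right)
    return events(e.body) if isinstance(e, Star) else set()

def includes(lhs, rhs):
    """Decide trace inclusion lhs <= rhs by rewriting pairs of derivative sets."""
    alphabet = events(lhs) | events(rhs) | {Ev("<other>")}   # sentinel: any unmentioned event
    seen = set()
    def go(L, R):
        if (L, R) in seen:   # pair already assumed while proving an enclosing one
            return True
        seen.add((L, R))
        if any(map(nullable, L)) and not any(map(nullable, R)):
            return False     # lhs may stop here but rhs may not
        for a in alphabet:
            dL = frozenset().union(*(pd(l, a) for l in L))
            if dL and not go(dL, frozenset().union(*(pd(r, a) for r in R))):
                return False
        return True
    return go(frozenset({lhs}), frozenset({rhs}))

# Tiny procedure language: ("call", api, arg) or ("if", then_body, else_body).
def trace_of(body):   # infer a statement list's trace from the calls it makes
    eff = Emp()
    for s in body:
        eff = seq(eff, Ev(s[1], s[2]) if s[0] == "call" else Disj(trace_of(s[1]), trace_of(s[2])))
    return eff
ANY = Star(AnyEv())
SPECS = {  # constructed primitive specs: API -> [(label, future-condition on its argument)]
    "malloc": [("checked for NULL", lambda p: Seq(Ev("isnull", p), ANY)),
               ("eventually freed", lambda p: Seq(Seq(ANY, Ev("free", p)), ANY))],
    "fopen": [("eventually closed", lambda f: Seq(Seq(ANY, Ev("fclose", f)), ANY))],
}

def check_futures(body, specs=SPECS, k=Emp()):
    """(api, arg, label) for each call violating a future-condition; k = trace after body."""
    found = []
    for i, s in enumerate(body):
        after = seq(trace_of(body[i + 1:]), k)          # everything that may follow s
        if s[0] == "call":
            found += [(s[1], s[2], lbl) for lbl, fut in specs.get(s[1], [])
                      if not includes(after, fut(s[2]))]
        else:
            found += check_futures(s[1], specs, after) + check_futures(s[2], specs, after)
    return found

# Constructed procedures; the null check is recorded as an "isnull" event.
HEAD = [("call", "fopen", "f"), ("call", "malloc", "buf"), ("call", "isnull", "buf")]
LEAKY = HEAD + [("if", [("call", "write", "buf"), ("call", "free", "buf")], []),  # else path leaks buf
                ("call", "fclose", "f")]
FIXED = HEAD + [("if", [("call", "write", "buf"), ("call", "free", "buf")], [("call", "free", "buf")]),
                ("call", "fclose", "f")]   # repair: free on the branch that lacked it
UNCHECKED = [("call", "malloc", "buf"), ("call", "free", "buf")]   # malloc result never tested
```

`check_futures(LEAKY)` reports that `malloc(buf)` violates its `eventually freed` future-condition, because the else path reaches `fclose` without ever freeing the buffer; `check_futures(FIXED)`, where the missing `free` has been added on that branch, reports nothing; and `check_futures(UNCHECKED)` flags the unchecked return value, since no `isnull` event immediately follows the allocation. Only the primitive APIs carry annotations; each procedure's own trace is inferred from its body, which is the division of labour the abstract describes.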


Published In

Proceedings of the ACM on Software Engineering, Volume 1, Issue FSE
July 2024
2770 pages
EISSN:2994-970X
DOI:10.1145/3554322
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 July 2024
Published in PACMSE Volume 1, Issue FSE

Author Tags

  1. Automated Program Repair
  2. Future-Conditions
  3. Program Analysis

Qualifiers

  • Research-article

Funding Sources

  • MOE-MOET32021-0001
