SlideShare ist ein Scribd-Unternehmen logo

Field Failure Reproduction Using Symbolic Execution and Genetic Programming

Alex Orso
Alex Orso

Talk at the 30th CREST Open Workshop on Search Based Software Testing (SBST) and Dynamic Symbolic Execution (DSE) -- http://crest.cs.ucl.ac.uk/cow/30/ University College London, January 2014 Video available at http://youtu.be/i4T2g-mdJ-U A recent survey conducted among developers of the Apache, Eclipse, and Mozilla projects showed that the ability to recreate field failures is considered of fundamental importance when investigating bug reports. Unfortunately, the information typically contained in a bug report, such as memory dumps or call stacks, is usually insufficient for recreating the problem. Even more advanced approaches for gathering field data and help in-house debugging tend to collect either too little information, and be ineffective, or too much information, and be inefficient. This talk presents two techniques that address these issues: BugRedux and SBFR. Both techniques aim to provide support for in-house debugging of field failures by synthesizing, using execution data collected in the field, executions that mimic the observed field failures. BugRedux relies on symbolic execution, whereas SBFR leverages dynamic programming. The talk discusses the two techniques' complementary strengths and weaknesses.

TechnologieBildung
1 von 37
FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR
DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR
DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR
DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING es are failur Field Alessandro (Alex)ble! oida Orso unav School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR
DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING es are failur Field Alessandro (Alex)ble! oida Orso unav School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR
TYPICAL DEBUGGING PROCESS Bug Repository Very hard to (1) reproduce (2) debug
TYPICAL DEBUGGING PROCESS Recent survey of Apache, Eclipse, and Mozilla developers: Information on how to reproduce field failures is the most valuable, and difficult to obtain, piece of information for investigating such failures. [Zimmermann10] Bug Repository Very hard to (1) reproduce (2) debug
TYPICAL DEBUGGING PROCESS Recent survey of Apache, Eclipse, and Mozilla developers: Information on how to reproduce field failures is the most valuable, and difficult to obtain, piece of information for investigating such failures. [Zimmermann10] Bug Repository OVERARCHING GOAL: help developers (1) investigate field failures, (2) understand their causes, and (3) eliminate such causes. Very hard to (1) reproduce (2) debug
OUR WORK SO FAR Recording and replaying executions [icsm 2007, icse 2007] ✘ Input minimization [woda 2006, icse 2007] Input anonymization [icse 2011] Mimicking field failures [icse 2012, icst 2014] Explaining field failures [issta 2013, TR]
MIMICKING FIELD FAILURES User run (R) Mimicked run (R’) •F’ is analogous to F •R’ is an actual execution in the field F F’ in house
MIMICKING FIELD FAILURES User run (R) Relevant events Mimicked run (R’) (breadcrumbs)
In house OVERALL VISION Software developer Application In the field Instrumentation sed.c:8958 -> sed.c: 8958 sed.c:8993 -> sed.c: 9011 sed.c:8785 -> sed.c: 8786 sed.c:8786 -> sed.c: 8786 sed.c:990 -> sed.c: 990 Likely faults Field Failure Debugging Synthesized Executions Field Failure Reproduction Crash report (execution data)
DSE BUGREDUX/SBFR Synthesized Executions Field Failure Reproduction SBST Crash report (execution data)
ith Wei Joint wor k w Jin BUGREDUX Crash report (execution data) Synthesized Executions
ith Wei Joint wor k w Test Input Jin BUGREDUX Crash report (execution data)
ith Wei Joint wor k w Jin BUGREDUX Candidate input Oracle Test Input • Crash report (execution data) Execution data • • • • • Input generator Point of failure (POF) Failure call stack Call sequence Complete trace Input generation technique • Guided symbolic execution
ALGORITHM (SIMPLIFIED) Input icfg for P goals (list of code locations) Output If (candidate input) Main algorithm init; currGoal = first(goals) repeat currState = SelNextState() if (!currState) backtrack or fail if (currState.cl == currGoal) if (currGoal == last(goals)) return solve(currState.pc) else currGoal = next(goals) currState.goal = currGoal symbolicallyExec(currState) statesSet= {<cl, pc, ss, goal>} SelNextState minDis = ∞ retState = null foreach state in statesSet if (state.goal = currGoal) if (state.cl can reach currGoal) d = |shortest path state.cl, currGoal| if d < minDis minDis = d retState = state return retState
ALGORITHM (SIMPLIFIED) Input icfg for P goals (list of code locations) Output If (candidate input) statesSet= {<cl, pc, ss, goal>} Main algorithm SelNextState s /Heuristic ut space ns init; currGoal = first(goals) izatio minDiss=mbolic inp tim Op the y ∞ e e repeat null ting to reducretStater=ne the search spac Dyn=mic tain information to p u ion currState a SelNextState() th computat alysis shor test pa Program an if (!currState) backtrack orss in the foreach state in statesSet fail an omne e r==dcurrGoal) if (currState.cl if (state.goal = currGoal) Som if (currGoal == last(goals)) if (state.cl can reach currGoal) return solve(currState.pc) d = |shortest path state.cl, currGoal| else if d < minDis currGoal = next(goals) minDis = d currState.goal = currGoal retState = state symbolicallyExec(currState) return retState
BUGREDUX EVALUATION – FAILURES CONSIDERED Name sed grep gzip ncompress polymorph aeon glftpd htget socat tipxd aspell exim rsync xmail Repository SIR SIR SIR BugBench BugBench exploit-db exploit-db exploit-db exploit-db exploit-db exploit-db exploit-db exploit-db exploit-db Size(KLOC) 14 10 5 2 1 3 6 3 35 7 0.5 241 67 1 # Faults 2 1 2 1 1 1 1 1 1 1 1 1 1 1
BUGREDUX EVALUATION – FAILURES CONSIDERED Name sed grep gzip ncompress polymorph aeon glftpd htget socat tipxd aspell exim rsync xmail Repository Size(KLOC) # Faults SIR 14 2 SIR 10 1 SIR 5 2 BugBench 2 1 BugBench 1 1 exploit-db 3 scovered by 1 di faults can6be exploit-db se rs 1 ut of 72 hou None of the meo exploit-db EE with a ti 3 1 vanilla KL a exploit-db 35 1 exploit-db 7 1 exploit-db 0.5 1 exploit-db 241 1 exploit-db 67 1 exploit-db 1 1
BUGREDUX EVALUATION – RESULTS Name sed #1 sed #2 grep gzip #1 gzip #2 ncompress polymorph aeon rsync glftpd htget socat tipxd aspell xmail exim POF Call Stack Call Seq. One of three outcomes: ✘: fail ∼: synthesize ✔: (synthesize and) mimic Compl. Trace
16/16 2/16 Synth.: 9/16 BUGREDUX6/16 Synth.: 10/16 Synth.:– RESULTS EVALUATION 16/16 Synth.: 2/16 Mimic: 6/16 Mimic: Mimic: Mimic: Name sed #1 sed #2 grep gzip #1 gzip #2 ncompress polymorph aeon rsync glftpd htget socat tipxd aspell xmail exim POF ✘ ✘ ✘ ✔ ∼ ✔ ✔ ✔ ✘ ✔ ∼ ✘ ✔ ∼ ✘ ✘ Call Stack ✘ ✘ ∼ ✔ ∼ ✔ ✔ ✔ ✘ ✔ ∼ ✘ ✔ ∼ ✘ ✘ Call Seq. ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Compl. Trace ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔
16/16 2/16 Synth.: 9/16 BUGREDUX6/16 Synth.: 10/16 Synth.:– RESULTS EVALUATION 16/16 Synth.: 2/16 Mimic: 6/16 Mimic: Mimic: Mimic: Name POF Call Stack sed #1 ✘ ✘ sed #2 ✘ ✘ grep ✘ ∼ s: n gzip #1 Observatio ✔ ✔ gzip #2 ∼ ∼ from nt ncompress ults can be dista ✔ ✔ • Fa polymorph e failure ✔ oints: ✔ p th s aeon ✔nd call stack ✔ a => POFs ✘ rsync ✘ ely to help nlik t glftpd u ✔mation is no✔ r • More info htget ∼ ∼ t be✘ter s socat alway ✘ xecution can ce tipxd• Symboli ✔ ✔ factor ∼ ting aspell be a limi∼ xmail ✘ ✘ exim ✘ ✘ Call Seq. ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Compl. Trace ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔
16/16 2/16 Synth.: 9/16 BUGREDUX6/16 Synth.: 10/16 Synth.:– RESULTS EVALUATION 16/16 Synth.: 2/16 Mimic: 6/16 Mimic: Mimic: Mimic: Name POF Call Stack sed #1 ✘ ✘ sed #2 ✘ ✘ grep ✘ ∼ s: can n gzip #1 Observatiotion ✔ cu ✔ lic exe Sym gzip #2 bo ∼ ∼ e o fectivstafntrfrom be s ef ✔ ncompress ultincan be di ✔ • Fa polymorph e failure ✔ ointhighly ✔ p ith s: th rograms w all stacks aeon• p POFs ✔nd c ✔ a > =str uctured inputs rsync p a ✘ elyato✘htelat internctt nlik glftpd •u progr ms mation is o✔ ✔ h s nf t r • Moire iexoer nal libr ar ie ∼ htget ∼ w ths better r rams alwraye co✘ plex tpoogcan m ecu i n ✘ socat • la g ce Syn genlieralx tor ✔ tipxd• i mbo ✔ ting fac aspell be a limi∼ ∼ xmail ✘ ✘ exim ✘ ✘ Call Seq. ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Compl. Trace ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔
SBFR ith Joint wor k w nella iella, To Kifetew, Jin, T Crash report (execution data) • Execution data • • Call sequence Input generation technique • Genetic Programming Test Input
ith Joint wor k w nella iella, To Kifetew, Jin, T SBFR <a> ::= <b> |λ Grammar Crash report (execution data) Test Input
ith Joint wor k w nella iella, To Kifetew, Jin, T SBFR <a> ::= <b> |λ Grammar Derivation Tree Genetic Programming Crash report (execution data) Sentence derivation from the grammar: Random application of grammar rules • Uniform • 80/20 • Stochastic (from a corpus) Test Input
ith Joint wor k w nella iella, To Kifetew, Jin, T SBFR <a> ::= <b> |λ Grammar Derivation Tree Genetic Programming Crash report (execution data) Evolution: Test Input Fitness function: Sentence derivation from the grammar: Distance b/w execution traces Random application of grammar rules (candidate–actual failure) • Uniform • 80/20 • Stochastic (from a corpus)
ith Joint wor k w nella iella, To Kifetew, Jin, T SBFR <a> ::= <b> |λ Grammar Derivation Tree ✔︎ Genetic Programming Crash report (execution data) Stopping criterion: • Success • Ic reaches the point of failure • The program fails “in the same way” • Search budget exhausted Test Input
SBFR EVALUATION – FAILURES CONSIDERED Name Language Size(KLOC) # Productions # Faults calc Java 2 38 2 bc C 12 80 1 MSDL Java 13 140 5 PicoC C 11 194 1 Lua C 17 106 2
SBFR EVALUATION – FAILURES CONSIDERED Name Language Size(KLOC) # Productions # Faults calc Java 2 38 2 bc C 12 80 duce any of pro unable to re rs as 13 72 MSDL BugRedux w Java ut of 140 hou o s with a time these failure 1 PicoC C 11 194 1 Lua C 17 106 2 5
SBFR EVALUATION – RESULTS Name calc bug 1 calc bug 2 bc MSDL bug 1 MSDL bug 2 MSDL bug 3 MSDL bug 4 MSDL bug 5 PicoC FRP (SBFR) FRP (Random) 0.0 0.0 • Parameters: 0.0 • Population: 500 0.0 • Budget: 10,000 unique fitness evaluations 0.0 • Performed 10 runs 1.0 • Measured failure 0.0 reproduction probability 0.0 • Used both 80/20 and stochastic derivations 0.1 Lua bug 1 0.0 Lua bug 2 0.0
SBFR EVALUATION – RESULTS Name calc bug 1 FRP (SBFR) 0.6 FRP (Random) 0.0 calc bug 2 0.8 0.0 bc 1.0 0.0 MSDL bug 1 1.0 0.0 MSDL bug 2 1.0 0.0 MSDL bug 3 1.0 1.0 MSDL bug 4 1.0 0.0 MSDL bug 5 1.0 0.0 PicoC 0.8 0.1 Lua bug 1 0.0 0.0 Lua bug 2 0.5 0.0
SBFR EVALUATION – RESULTS Name calc bug 1 FRP (SBFR) 0.6 FRP (Random) 0.0 calc bug 2 0.8 0.0 bc 1.0 0.0 MSDL bug 1 1.0 0.0 MSDL bug 2 1.0 0.0 MSDL bug 3 1.0 1.0 MSDL bug 4 1.0 0.0 MSDL bug 5 1.0 0.0 PicoC 0.8 0.1 Lua bug 1 0.0 0.0 Lua bug 2 0.5 0.0
SBFR EVALUATION – RESULTS Name calc bug 1 FRP (SBFR) 0.6 FRP (Random) 0.0 calc bug 2 0.8 0.0 bc 1.0 0.0 1.0failure in bc le: 0.0 Lua bug 1 0.0 0.0 Lua bug 2 0.5 0.0 MSDL bug 1 MSDL bug 2 Examp 1.0 0.0 str uction in gered by an tri MSDL bug 3 tion fault 1.0g an arrays 1.0 d nta t 32 me eas seg allocates at l n MSDL bug ence that 4 1.0 ha0.0 sequ bles higher t o r ia umber1.0f va rays MSDLdbuglares a n 0.0 ec 5 ar d er of allocate PicoC numb 0.8 0.1 the
SBFR EVALUATION – RESULTS Name calc bug 1 FRP (SBFR) 0.6 FRP (Random) 0.0 calc bug 2 0.8 0.0 Lua bug 1 0.0 0.0 Lua bug 2 0.5 0.0 : ervations 1.0 0.0 Ob s c MSDL bug 1 1.0failure in an be effective in 0.0 : eroaches c b mplp Exa based ap1.0 annotchiandle rchMSDL bug 2 0.0 • Sea t on c i olic execubiy an ivnstr u t on b a e s a3es thot sfymlt 1.0ar s red effect e rays 1.0 d c MSDL bug i tin gau mtrigg are ast 32 ar ted an t segmentaas c raocmtes atulteless direc och hat all 1.0 le, b a n MSDL • Stence t e scalab bug 4 a0.0 u les h em r th seqSBST mor ber of vare bompilgheentar y, ia • um d DSE ar c ays MSDLdbuglares BST an 1.0 ec=5 S a n artrechniques 0.0 > of a ernatd er an allltocate ive PicoC rnuheb th 0.8 0.1 the at m r bc
FUTURE WORK / FOOD FOR THOUGHTS Relevant execution data identification • Which types? • Which specific ones? • Failure explanation • Reproduction is not enough • Can DSE and SBST help? • Use of different input generation techniques • Grammar-based symbolic execution • Backward symbolic analysis? • Other SBST approaches? • SBST targeted at different kinds of programs? • Combination of techniques •

Empfohlen

SparqlProg (BioHackathon 2019)
SparqlProg (BioHackathon 2019)SparqlProg (BioHackathon 2019)
SparqlProg (BioHackathon 2019)
Chris Mungall
 
How to Get My Paper Accepted at Top Software Engineering Conferences
How to Get My Paper Accepted at Top Software Engineering ConferencesHow to Get My Paper Accepted at Top Software Engineering Conferences
How to Get My Paper Accepted at Top Software Engineering Conferences
Alex Orso
 
CRAXweb: Automatic web application testing and attack generation
CRAXweb: Automatic web application testing and attack generationCRAXweb: Automatic web application testing and attack generation
CRAXweb: Automatic web application testing and attack generation
Shih-Kun Huang
 
Symnet
SymnetSymnet
Symnet
Radu Stoenescu
 
Symbolic execution: The next chapter of the game
Symbolic execution: The next chapter of the gameSymbolic execution: The next chapter of the game
Symbolic execution: The next chapter of the game
Khoai Dũng
 
Symbolic Reasoning and Concrete Execution - Andrii Vozniuk
Symbolic Reasoning and Concrete Execution - Andrii Vozniuk Symbolic Reasoning and Concrete Execution - Andrii Vozniuk
Symbolic Reasoning and Concrete Execution - Andrii Vozniuk
Andrii Vozniuk
 
A Survey on Automatic Test Generation and Crash Reproduction
A Survey on Automatic Test Generation and Crash ReproductionA Survey on Automatic Test Generation and Crash Reproduction
A Survey on Automatic Test Generation and Crash Reproduction
Sung Kim
 
Symbolic Execution And KLEE
Symbolic Execution And KLEESymbolic Execution And KLEE
Symbolic Execution And KLEE
Shauvik Roy Choudhary, Ph.D.
 

Empfohlen

SparqlProg (BioHackathon 2019)
SparqlProg (BioHackathon 2019)SparqlProg (BioHackathon 2019)
SparqlProg (BioHackathon 2019)
Chris Mungall
 
How to Get My Paper Accepted at Top Software Engineering Conferences
How to Get My Paper Accepted at Top Software Engineering ConferencesHow to Get My Paper Accepted at Top Software Engineering Conferences
How to Get My Paper Accepted at Top Software Engineering Conferences
Alex Orso
 
CRAXweb: Automatic web application testing and attack generation
CRAXweb: Automatic web application testing and attack generationCRAXweb: Automatic web application testing and attack generation
CRAXweb: Automatic web application testing and attack generation
Shih-Kun Huang
 
Symnet
SymnetSymnet
Symnet
Radu Stoenescu
 
Symbolic execution: The next chapter of the game
Symbolic execution: The next chapter of the gameSymbolic execution: The next chapter of the game
Symbolic execution: The next chapter of the game
Khoai Dũng
 
Symbolic Reasoning and Concrete Execution - Andrii Vozniuk
Symbolic Reasoning and Concrete Execution - Andrii Vozniuk Symbolic Reasoning and Concrete Execution - Andrii Vozniuk
Symbolic Reasoning and Concrete Execution - Andrii Vozniuk
Andrii Vozniuk
 
A Survey on Automatic Test Generation and Crash Reproduction
A Survey on Automatic Test Generation and Crash ReproductionA Survey on Automatic Test Generation and Crash Reproduction
A Survey on Automatic Test Generation and Crash Reproduction
Sung Kim
 
Symbolic Execution And KLEE
Symbolic Execution And KLEESymbolic Execution And KLEE
Symbolic Execution And KLEE
Shauvik Roy Choudhary, Ph.D.
 
Calculus-level Coding Overview
Calculus-level Coding OverviewCalculus-level Coding Overview
Calculus-level Coding Overview
Optimal Designs Enterprise
 
Jogging While Driving, and Other Software Engineering Research Problems (invi...
Jogging While Driving, and Other Software Engineering Research Problems (invi...Jogging While Driving, and Other Software Engineering Research Problems (invi...
Jogging While Driving, and Other Software Engineering Research Problems (invi...
David Rosenblum
 
Valerii Vasylkov Erlang. measurements and benefits.
Valerii Vasylkov Erlang. measurements and benefits.Valerii Vasylkov Erlang. measurements and benefits.
Valerii Vasylkov Erlang. measurements and benefits.
Аліна Шепшелей
 
SE2016 Exotic Valerii Vasylkov "Erlang. Measurements and benefits"
SE2016 Exotic Valerii Vasylkov "Erlang. Measurements and benefits"SE2016 Exotic Valerii Vasylkov "Erlang. Measurements and benefits"
SE2016 Exotic Valerii Vasylkov "Erlang. Measurements and benefits"
Inhacking
 
Embedded R Execution using SQL
Embedded R Execution using SQLEmbedded R Execution using SQL
Embedded R Execution using SQL
Brendan Tierney
 
Os Fetterupdated
Os FetterupdatedOs Fetterupdated
Os Fetterupdated
oscon2007
 
Test First, Refresh Second: Web App TDD in Grails
Test First, Refresh Second: Web App TDD in GrailsTest First, Refresh Second: Web App TDD in Grails
Test First, Refresh Second: Web App TDD in Grails
Tim Berglund
 
Test First Refresh Second: Test-Driven Development in Grails
Test First Refresh Second: Test-Driven Development in GrailsTest First Refresh Second: Test-Driven Development in Grails
Test First Refresh Second: Test-Driven Development in Grails
Tim Berglund
 
Recursive descent parsing
Recursive descent parsingRecursive descent parsing
Recursive descent parsing
Boy Baukema
 
Machine X Language
Machine X LanguageMachine X Language
Machine X Language
Yun-Yan Chi
 
Microchip Mfg. problem
Microchip Mfg. problemMicrochip Mfg. problem
Microchip Mfg. problem
Optimal Designs Enterprise
 
Headless Js Testing
Headless Js TestingHeadless Js Testing
Headless Js Testing
Brian Moschel
 
Cより速いRubyプログラム
Cより速いRubyプログラムCより速いRubyプログラム
Cより速いRubyプログラム
kwatch
 
Tips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software EngineeringTips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software Engineering
jtdudley
 
IBM Predictive analytics IoT Presentation
IBM Predictive analytics IoT PresentationIBM Predictive analytics IoT Presentation
IBM Predictive analytics IoT Presentation
Ian Skerrett
 
Clojure: Practical functional approach on JVM
Clojure: Practical functional approach on JVMClojure: Practical functional approach on JVM
Clojure: Practical functional approach on JVM
sunng87
 
MLconf NYC Shan Shan Huang
MLconf NYC Shan Shan HuangMLconf NYC Shan Shan Huang
MLconf NYC Shan Shan Huang
MLconf
 
my$talk=qr{((?:ir)?reg(?:ular )?exp(?:ressions?)?)}i;
my$talk=qr{((?:ir)?reg(?:ular )?exp(?:ressions?)?)}i;my$talk=qr{((?:ir)?reg(?:ular )?exp(?:ressions?)?)}i;
my$talk=qr{((?:ir)?reg(?:ular )?exp(?:ressions?)?)}i;
dankogai
 
Bidirectional Programming for Self-adaptive Software
Bidirectional Programming for Self-adaptive SoftwareBidirectional Programming for Self-adaptive Software
Bidirectional Programming for Self-adaptive Software
Lionel Montrieux
 
ECCB10 talk - Nextgen sequencing and SNPs
ECCB10 talk - Nextgen sequencing and SNPsECCB10 talk - Nextgen sequencing and SNPs
ECCB10 talk - Nextgen sequencing and SNPs
Jan Aerts
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Weitere ähnliche Inhalte

Ähnlich wie Field Failure Reproduction Using Symbolic Execution and Genetic Programming

Os Fetterupdated
Os FetterupdatedOs Fetterupdated
Os Fetterupdated
oscon2007
 
Recursive descent parsing
Recursive descent parsingRecursive descent parsing
Recursive descent parsing
Boy Baukema
 
IBM Predictive analytics IoT Presentation
IBM Predictive analytics IoT PresentationIBM Predictive analytics IoT Presentation
IBM Predictive analytics IoT Presentation
Ian Skerrett
 
MLconf NYC Shan Shan Huang
MLconf NYC Shan Shan HuangMLconf NYC Shan Shan Huang
MLconf NYC Shan Shan Huang
MLconf
 
ECCB10 talk - Nextgen sequencing and SNPs
ECCB10 talk - Nextgen sequencing and SNPsECCB10 talk - Nextgen sequencing and SNPs
ECCB10 talk - Nextgen sequencing and SNPs
Jan Aerts
 

Ähnlich wie Field Failure Reproduction Using Symbolic Execution and Genetic Programming (20)

Calculus-level Coding Overview
Calculus-level Coding OverviewCalculus-level Coding Overview
Calculus-level Coding Overview
 
Jogging While Driving, and Other Software Engineering Research Problems (invi...
Jogging While Driving, and Other Software Engineering Research Problems (invi...Jogging While Driving, and Other Software Engineering Research Problems (invi...
Jogging While Driving, and Other Software Engineering Research Problems (invi...
 
Valerii Vasylkov Erlang. measurements and benefits.
Valerii Vasylkov Erlang. measurements and benefits.Valerii Vasylkov Erlang. measurements and benefits.
Valerii Vasylkov Erlang. measurements and benefits.
 
SE2016 Exotic Valerii Vasylkov "Erlang. Measurements and benefits"
SE2016 Exotic Valerii Vasylkov "Erlang. Measurements and benefits"SE2016 Exotic Valerii Vasylkov "Erlang. Measurements and benefits"
SE2016 Exotic Valerii Vasylkov "Erlang. Measurements and benefits"
 
Embedded R Execution using SQL
Embedded R Execution using SQLEmbedded R Execution using SQL
Embedded R Execution using SQL
 
Os Fetterupdated
Os FetterupdatedOs Fetterupdated
Os Fetterupdated
 
Test First, Refresh Second: Web App TDD in Grails
Test First, Refresh Second: Web App TDD in GrailsTest First, Refresh Second: Web App TDD in Grails
Test First, Refresh Second: Web App TDD in Grails
 
Test First Refresh Second: Test-Driven Development in Grails
Test First Refresh Second: Test-Driven Development in GrailsTest First Refresh Second: Test-Driven Development in Grails
Test First Refresh Second: Test-Driven Development in Grails
 
Recursive descent parsing
Recursive descent parsingRecursive descent parsing
Recursive descent parsing
 
Machine X Language
Machine X LanguageMachine X Language
Machine X Language
 
Microchip Mfg. problem
Microchip Mfg. problemMicrochip Mfg. problem
Microchip Mfg. problem
 
Headless Js Testing
Headless Js TestingHeadless Js Testing
Headless Js Testing
 
Cより速いRubyプログラム
Cより速いRubyプログラムCより速いRubyプログラム
Cより速いRubyプログラム
 
Tips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software EngineeringTips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software Engineering
 
IBM Predictive analytics IoT Presentation
IBM Predictive analytics IoT PresentationIBM Predictive analytics IoT Presentation
IBM Predictive analytics IoT Presentation
 
Clojure: Practical functional approach on JVM
Clojure: Practical functional approach on JVMClojure: Practical functional approach on JVM
Clojure: Practical functional approach on JVM
 
MLconf NYC Shan Shan Huang
MLconf NYC Shan Shan HuangMLconf NYC Shan Shan Huang
MLconf NYC Shan Shan Huang
 
my$talk=qr{((?:ir)?reg(?:ular )?exp(?:ressions?)?)}i;
my$talk=qr{((?:ir)?reg(?:ular )?exp(?:ressions?)?)}i;my$talk=qr{((?:ir)?reg(?:ular )?exp(?:ressions?)?)}i;
my$talk=qr{((?:ir)?reg(?:ular )?exp(?:ressions?)?)}i;
 
Bidirectional Programming for Self-adaptive Software
Bidirectional Programming for Self-adaptive SoftwareBidirectional Programming for Self-adaptive Software
Bidirectional Programming for Self-adaptive Software
 
ECCB10 talk - Nextgen sequencing and SNPs
ECCB10 talk - Nextgen sequencing and SNPsECCB10 talk - Nextgen sequencing and SNPs
ECCB10 talk - Nextgen sequencing and SNPs
 

Kürzlich hochgeladen

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Kürzlich hochgeladen (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Field Failure Reproduction Using Symbolic Execution and Genetic Programming

  • 1. FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR
  • 2. DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR
  • 3. DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR
  • 4. DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING es are failur Field Alessandro (Alex)ble! oida Orso unav School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR
  • 5. DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING es are failur Field Alessandro (Alex)ble! oida Orso unav School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR
  • 6. TYPICAL DEBUGGING PROCESS Bug Repository Very hard to (1) reproduce (2) debug
  • 7. TYPICAL DEBUGGING PROCESS Recent survey of Apache, Eclipse, and Mozilla developers: Information on how to reproduce field failures is the most valuable, and difficult to obtain, piece of information for investigating such failures. [Zimmermann10] Bug Repository Very hard to (1) reproduce (2) debug
  • 8. TYPICAL DEBUGGING PROCESS Recent survey of Apache, Eclipse, and Mozilla developers: Information on how to reproduce field failures is the most valuable, and difficult to obtain, piece of information for investigating such failures. [Zimmermann10] Bug Repository OVERARCHING GOAL: help developers (1) investigate field failures, (2) understand their causes, and (3) eliminate such causes. Very hard to (1) reproduce (2) debug
  • 9. OUR WORK SO FAR Recording and replaying executions [icsm 2007, icse 2007] ✘ Input minimization [woda 2006, icse 2007] Input anonymization [icse 2011] Mimicking field failures [icse 2012, icst 2014] Explaining field failures [issta 2013, TR]
  • 10. MIMICKING FIELD FAILURES User run (R) Mimicked run (R’) •F’ is analogous to F •R’ is an actual execution in the field F F’ in house
  • 11. MIMICKING FIELD FAILURES User run (R) Relevant events Mimicked run (R’) (breadcrumbs)
  • 12. In house OVERALL VISION Software developer Application In the field Instrumentation sed.c:8958 -> sed.c: 8958 sed.c:8993 -> sed.c: 9011 sed.c:8785 -> sed.c: 8786 sed.c:8786 -> sed.c: 8786 sed.c:990 -> sed.c: 990 Likely faults Field Failure Debugging Synthesized Executions Field Failure Reproduction Crash report (execution data)
  • 14. ith Wei Joint wor k w Jin BUGREDUX Crash report (execution data) Synthesized Executions
  • 15. ith Wei Joint wor k w Test Input Jin BUGREDUX Crash report (execution data)
  • 16. ith Wei Joint wor k w Jin BUGREDUX Candidate input Oracle Test Input • Crash report (execution data) Execution data • • • • • Input generator Point of failure (POF) Failure call stack Call sequence Complete trace Input generation technique • Guided symbolic execution
  • 17. ALGORITHM (SIMPLIFIED) Input icfg for P goals (list of code locations) Output If (candidate input) Main algorithm init; currGoal = first(goals) repeat currState = SelNextState() if (!currState) backtrack or fail if (currState.cl == currGoal) if (currGoal == last(goals)) return solve(currState.pc) else currGoal = next(goals) currState.goal = currGoal symbolicallyExec(currState) statesSet= {<cl, pc, ss, goal>} SelNextState minDis = ∞ retState = null foreach state in statesSet if (state.goal = currGoal) if (state.cl can reach currGoal) d = |shortest path state.cl, currGoal| if d < minDis minDis = d retState = state return retState
  • 18. ALGORITHM (SIMPLIFIED) Input icfg for P goals (list of code locations) Output If (candidate input) statesSet= {<cl, pc, ss, goal>} Main algorithm SelNextState s /Heuristic ut space ns init; currGoal = first(goals) izatio minDiss=mbolic inp tim Op the y ∞ e e repeat null ting to reducretStater=ne the search spac Dyn=mic tain information to p u ion currState a SelNextState() th computat alysis shor test pa Program an if (!currState) backtrack orss in the foreach state in statesSet fail an omne e r==dcurrGoal) if (currState.cl if (state.goal = currGoal) Som if (currGoal == last(goals)) if (state.cl can reach currGoal) return solve(currState.pc) d = |shortest path state.cl, currGoal| else if d < minDis currGoal = next(goals) minDis = d currState.goal = currGoal retState = state symbolicallyExec(currState) return retState
  • 19. BUGREDUX EVALUATION – FAILURES CONSIDERED Name sed grep gzip ncompress polymorph aeon glftpd htget socat tipxd aspell exim rsync xmail Repository SIR SIR SIR BugBench BugBench exploit-db exploit-db exploit-db exploit-db exploit-db exploit-db exploit-db exploit-db exploit-db Size(KLOC) 14 10 5 2 1 3 6 3 35 7 0.5 241 67 1 # Faults 2 1 2 1 1 1 1 1 1 1 1 1 1 1
  • 20. BUGREDUX EVALUATION – FAILURES CONSIDERED Name sed grep gzip ncompress polymorph aeon glftpd htget socat tipxd aspell exim rsync xmail Repository Size(KLOC) # Faults SIR 14 2 SIR 10 1 SIR 5 2 BugBench 2 1 BugBench 1 1 exploit-db 3 scovered by 1 di faults can6be exploit-db se rs 1 ut of 72 hou None of the meo exploit-db EE with a ti 3 1 vanilla KL a exploit-db 35 1 exploit-db 7 1 exploit-db 0.5 1 exploit-db 241 1 exploit-db 67 1 exploit-db 1 1
  • 21. BUGREDUX EVALUATION – RESULTS Name sed #1 sed #2 grep gzip #1 gzip #2 ncompress polymorph aeon rsync glftpd htget socat tipxd aspell xmail exim POF Call Stack Call Seq. One of three outcomes: ✘: fail ∼: synthesize ✔: (synthesize and) mimic Compl. Trace
  • 22. 16/16 2/16 Synth.: 9/16 BUGREDUX6/16 Synth.: 10/16 Synth.:– RESULTS EVALUATION 16/16 Synth.: 2/16 Mimic: 6/16 Mimic: Mimic: Mimic: Name sed #1 sed #2 grep gzip #1 gzip #2 ncompress polymorph aeon rsync glftpd htget socat tipxd aspell xmail exim POF ✘ ✘ ✘ ✔ ∼ ✔ ✔ ✔ ✘ ✔ ∼ ✘ ✔ ∼ ✘ ✘ Call Stack ✘ ✘ ∼ ✔ ∼ ✔ ✔ ✔ ✘ ✔ ∼ ✘ ✔ ∼ ✘ ✘ Call Seq. ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Compl. Trace ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔
  • 23. 16/16 2/16 Synth.: 9/16 BUGREDUX6/16 Synth.: 10/16 Synth.:– RESULTS EVALUATION 16/16 Synth.: 2/16 Mimic: 6/16 Mimic: Mimic: Mimic: Name POF Call Stack sed #1 ✘ ✘ sed #2 ✘ ✘ grep ✘ ∼ s: n gzip #1 Observatio ✔ ✔ gzip #2 ∼ ∼ from nt ncompress ults can be dista ✔ ✔ • Fa polymorph e failure ✔ oints: ✔ p th s aeon ✔nd call stack ✔ a => POFs ✘ rsync ✘ ely to help nlik t glftpd u ✔mation is no✔ r • More info htget ∼ ∼ t be✘ter s socat alway ✘ xecution can ce tipxd• Symboli ✔ ✔ factor ∼ ting aspell be a limi∼ xmail ✘ ✘ exim ✘ ✘ Call Seq. ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Compl. Trace ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔
  • 24. 16/16 2/16 Synth.: 9/16 BUGREDUX6/16 Synth.: 10/16 Synth.:– RESULTS EVALUATION 16/16 Synth.: 2/16 Mimic: 6/16 Mimic: Mimic: Mimic: Name POF Call Stack sed #1 ✘ ✘ sed #2 ✘ ✘ grep ✘ ∼ s: can n gzip #1 Observatiotion ✔ cu ✔ lic exe Sym gzip #2 bo ∼ ∼ e o fectivstafntrfrom be s ef ✔ ncompress ultincan be di ✔ • Fa polymorph e failure ✔ ointhighly ✔ p ith s: th rograms w all stacks aeon• p POFs ✔nd c ✔ a > =str uctured inputs rsync p a ✘ elyato✘htelat internctt nlik glftpd •u progr ms mation is o✔ ✔ h s nf t r • Moire iexoer nal libr ar ie ∼ htget ∼ w ths better r rams alwraye co✘ plex tpoogcan m ecu i n ✘ socat • la g ce Syn genlieralx tor ✔ tipxd• i mbo ✔ ting fac aspell be a limi∼ ∼ xmail ✘ ✘ exim ✘ ✘ Call Seq. ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Compl. Trace ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✔
  • 25. SBFR ith Joint wor k w nella iella, To Kifetew, Jin, T Crash report (execution data) • Execution data • • Call sequence Input generation technique • Genetic Programming Test Input
  • 26. ith Joint wor k w nella iella, To Kifetew, Jin, T SBFR <a> ::= <b> |λ Grammar Crash report (execution data) Test Input
  • 27. ith Joint wor k w nella iella, To Kifetew, Jin, T SBFR <a> ::= <b> |λ Grammar Derivation Tree Genetic Programming Crash report (execution data) Sentence derivation from the grammar: Random application of grammar rules • Uniform • 80/20 • Stochastic (from a corpus) Test Input
  • 28. ith Joint wor k w nella iella, To Kifetew, Jin, T SBFR <a> ::= <b> |λ Grammar Derivation Tree Genetic Programming Crash report (execution data) Evolution: Test Input Fitness function: Sentence derivation from the grammar: Distance b/w execution traces Random application of grammar rules (candidate–actual failure) • Uniform • 80/20 • Stochastic (from a corpus)
  • 29. ith Joint wor k w nella iella, To Kifetew, Jin, T SBFR <a> ::= <b> |λ Grammar Derivation Tree ✔︎ Genetic Programming Crash report (execution data) Stopping criterion: • Success • Ic reaches the point of failure • The program fails “in the same way” • Search budget exhausted Test Input
  • 30. SBFR EVALUATION – FAILURES CONSIDERED Name Language Size(KLOC) # Productions # Faults calc Java 2 38 2 bc C 12 80 1 MSDL Java 13 140 5 PicoC C 11 194 1 Lua C 17 106 2
  • 31. SBFR EVALUATION – FAILURES CONSIDERED Name Language Size(KLOC) # Productions # Faults calc Java 2 38 2 bc C 12 80 duce any of pro unable to re rs as 13 72 MSDL BugRedux w Java ut of 140 hou o s with a time these failure 1 PicoC C 11 194 1 Lua C 17 106 2 5
  • 32. SBFR EVALUATION – RESULTS Name calc bug 1 calc bug 2 bc MSDL bug 1 MSDL bug 2 MSDL bug 3 MSDL bug 4 MSDL bug 5 PicoC FRP (SBFR) FRP (Random) 0.0 0.0 • Parameters: 0.0 • Population: 500 0.0 • Budget: 10,000 unique fitness evaluations 0.0 • Performed 10 runs 1.0 • Measured failure 0.0 reproduction probability 0.0 • Used both 80/20 and stochastic derivations 0.1 Lua bug 1 0.0 Lua bug 2 0.0
  • 33. SBFR EVALUATION – RESULTS Name calc bug 1 FRP (SBFR) 0.6 FRP (Random) 0.0 calc bug 2 0.8 0.0 bc 1.0 0.0 MSDL bug 1 1.0 0.0 MSDL bug 2 1.0 0.0 MSDL bug 3 1.0 1.0 MSDL bug 4 1.0 0.0 MSDL bug 5 1.0 0.0 PicoC 0.8 0.1 Lua bug 1 0.0 0.0 Lua bug 2 0.5 0.0
  • 34. SBFR EVALUATION – RESULTS Name calc bug 1 FRP (SBFR) 0.6 FRP (Random) 0.0 calc bug 2 0.8 0.0 bc 1.0 0.0 MSDL bug 1 1.0 0.0 MSDL bug 2 1.0 0.0 MSDL bug 3 1.0 1.0 MSDL bug 4 1.0 0.0 MSDL bug 5 1.0 0.0 PicoC 0.8 0.1 Lua bug 1 0.0 0.0 Lua bug 2 0.5 0.0
  • 35. SBFR EVALUATION – RESULTS Name calc bug 1 FRP (SBFR) 0.6 FRP (Random) 0.0 calc bug 2 0.8 0.0 bc 1.0 0.0 1.0failure in bc le: 0.0 Lua bug 1 0.0 0.0 Lua bug 2 0.5 0.0 MSDL bug 1 MSDL bug 2 Examp 1.0 0.0 str uction in gered by an tri MSDL bug 3 tion fault 1.0g an arrays 1.0 d nta t 32 me eas seg allocates at l n MSDL bug ence that 4 1.0 ha0.0 sequ bles higher t o r ia umber1.0f va rays MSDLdbuglares a n 0.0 ec 5 ar d er of allocate PicoC numb 0.8 0.1 the
  • 36. SBFR EVALUATION – RESULTS Name calc bug 1 FRP (SBFR) 0.6 FRP (Random) 0.0 calc bug 2 0.8 0.0 Lua bug 1 0.0 0.0 Lua bug 2 0.5 0.0 : ervations 1.0 0.0 Ob s c MSDL bug 1 1.0failure in an be effective in 0.0 : eroaches c b mplp Exa based ap1.0 annotchiandle rchMSDL bug 2 0.0 • Sea t on c i olic execubiy an ivnstr u t on b a e s a3es thot sfymlt 1.0ar s red effect e rays 1.0 d c MSDL bug i tin gau mtrigg are ast 32 ar ted an t segmentaas c raocmtes atulteless direc och hat all 1.0 le, b a n MSDL • Stence t e scalab bug 4 a0.0 u les h em r th seqSBST mor ber of vare bompilgheentar y, ia • um d DSE ar c ays MSDLdbuglares BST an 1.0 ec=5 S a n artrechniques 0.0 > of a ernatd er an allltocate ive PicoC rnuheb th 0.8 0.1 the at m r bc
  • 37. FUTURE WORK / FOOD FOR THOUGHTS Relevant execution data identification • Which types? • Which specific ones? • Failure explanation • Reproduction is not enough • Can DSE and SBST help? • Use of different input generation techniques • Grammar-based symbolic execution • Backward symbolic analysis? • Other SBST approaches? • SBST targeted at different kinds of programs? • Combination of techniques •