Transfer Function Synthesis without Quantifier Elimination

Traditionally, transfer functions have been designed manually for each operation in a program, instruction by instruction. In such a setting, a transfer function describes the semantics of a single instruction, detailing how a given abstract input state is mapped to an abstract output state. The net effect of a sequence of instructions, a basic block, can then be calculated by composing the transfer functions of the constituent instructions. However, precision can be improved by applying a single transfer function that captures the semantics of the block as a whole. Since blocks are program-dependent, this approach necessitates automation. There has thus been growing interest in computing transfer functions automatically, most notably using techniques based on quantifier elimination. Although conceptually elegant, quantifier elimination inevitably induces a computational bottleneck, which limits the applicability of these methods to small blocks. This paper contributes a method for calculating transfer functions that finesses quantifier elimination altogether, and can thus be seen as a response to this problem. The practicality of the method is demonstrated by generating transfer functions for input and output states that are described by linear template constraints, which include intervals and octagons.Comment: 37 pages, extended version of ESOP 2011 pape

Towards a quantitative alloy

Dissertação de mestrado integrado em Engenharia InformáticaWhen one comes across a new problem that needs to be solved, by abstracting from its associated details in a simple and concise way through the use of formal methods, one is able to better understand the matter at hand. Alloy (Jackson, 2012), a declarative specification language based on relational logic, is an example of an effective modelling tool, allowing high-level specification of potentially very complex systems. However, along with the irrelevant information, measurable data of the system is often lost in the abstraction as well, making it not as adequate for certain situations. The Alloy Analyzer represents the relations under analysis by Boolean matrices. By extending this type of structure to: • numeric matrices, over N0 , one is able to work with multirelations, i.e. relations whose arcs are weighted; each tuple is thus associated with a natural number, which allows reasoning in a similar fashion as in optimization problems and integer programming techniques; • left-Stochastic matrices, one is able to model faulty behaviour and other forms of quantitative information about software systems in a probabilistic way; in particular, this introduces the notion of a probabilistic contract in software design. Such an increase in Alloy’s capabilities strengthens its position in the area of formal methods for software design, in particular towards becoming a quantitative formal method. This dissertation explores the motivation and importance behind quantitative analysis by studying and establishing theoretical foundations through categorial approaches to accomplish such reasoning in Alloy. This starts by reviewing the required tools to support such groundwork and proceeds to the design and implementation of such a quantitative Alloy extension. This project aims to promote the evolution of quantitative formal methods by successfully achieving quantitative abstractions in Alloy, extending its support to these concepts and implementing them in the Alloy Analyzer.Quando se depara com um novo problema que precisa de ser resolvido, ao abstrair dos seus detalhes associados de forma simples e concisa recorrendo a métodos formais, é possível compreender melhor o assunto em questão. Alloy (Jackson, 2012), uma linguagem de especificação declarativa baseada em lógica relacional, é um exemplo de uma ferramenta de modelação eficaz, possibilitando especificações de alto-nível de sistemas potencialmente bastante complexos. Contudo, em conjunto com a informação irrelevante, os dados mensuráveis são muitas vezes também perdidos na abstração, tornando-a não tão adequada para certas situações. O Alloy Analyzer representa as relações sujeitas a análise através de matrizes Booleanas. Ao estender este tipo de estrutura para: • matrizes numéricas, em N0 , é possível lidar com multirelações, i.e., relações cujos arcos são pesados; cada tuplo é consequentemente associado a um número natural, o que proporciona uma linha de raciocínio semelhante à de técnicas de problemas de otimização e de programação inteira; • matrizes estocásticas, permitindo a modelação de comportamento defeituoso e de outros tipos de informação quantitativa de sistemas de software probabilisticamente; em particular, é introduzida a noção de contrato probabilístico em design de software. Tal aumento às capacidades do Alloy, fortalece a sua posição na área de métodos formais para design de software, em particular, a caminho de se tornar um método formal quantitativo. Esta dissertação explora a motivação e a importância subjacente à análise quantitativa, a partir do estudo e consolidação dos fundamentos teóricos através de abordagens categóricas de forma a conseguir suportar esse tipo de raciocínio em Alloy. Inicialmente, as ferramentas imprescindíveis para assegurar tal base são analisadas, passando de seguida ao planeamento e posterior implementação de tal extensão quantitativa do Alloy. Este projecto pretende promover a evolução dos métodos formais quantitativos através da concretização de abstracção quantitativa em Alloy, estendendo a sua base para suportar estes conceitos e assim implementá los no Alloy Analyzer

Evolving text classification rules with genetic programming

We describe a novel method for using genetic programming to create compact classification rules using combinations of N-grams (character strings). Genetic programs acquire fitness by producing rules that are effective classifiers in terms of precision and recall when evaluated against a set of training documents. We describe a set of functions and terminals and provide results from a classification task using the Reuters 21578 dataset. We also suggest that the rules may have a number of other uses beyond classification and provide a basis for text mining applications

A Survey of Constrained Combinatorial Testing

Combinatorial Testing (CT) is a potentially powerful testing technique, whereas its failure revealing ability might be dramatically reduced if it fails to handle constraints in an adequate and efficient manner. To ensure the wider applicability of CT in the presence of constrained problem domains, large and diverse efforts have been invested towards the techniques and applications of constrained combinatorial testing. In this paper, we provide a comprehensive survey of representations, influences, and techniques that pertain to constraints in CT, covering 129 papers published between 1987 and 2018. This survey not only categorises the various constraint handling techniques, but also reviews comparatively less well-studied, yet potentially important, constraint identification and maintenance techniques. Since real-world programs are usually constrained, this survey can be of interest to researchers and practitioners who are looking to use and study constrained combinatorial testing techniques

Automated Fixing of Programs with Contracts

This paper describes AutoFix, an automatic debugging technique that can fix faults in general-purpose software. To provide high-quality fix suggestions and to enable automation of the whole debugging process, AutoFix relies on the presence of simple specification elements in the form of contracts (such as pre- and postconditions). Using contracts enhances the precision of dynamic analysis techniques for fault detection and localization, and for validating fixes. The only required user input to the AutoFix supporting tool is then a faulty program annotated with contracts; the tool produces a collection of validated fixes for the fault ranked according to an estimate of their suitability. In an extensive experimental evaluation, we applied AutoFix to over 200 faults in four code bases of different maturity and quality (of implementation and of contracts). AutoFix successfully fixed 42% of the faults, producing, in the majority of cases, corrections of quality comparable to those competent programmers would write; the used computational resources were modest, with an average time per fix below 20 minutes on commodity hardware. These figures compare favorably to the state of the art in automated program fixing, and demonstrate that the AutoFix approach is successfully applicable to reduce the debugging burden in real-world scenarios.Comment: Minor changes after proofreadin

A Metric Encoding for Bounded Model Checking (extended version)

In Bounded Model Checking both the system model and the checked property are translated into a Boolean formula to be analyzed by a SAT-solver. We introduce a new encoding technique which is particularly optimized for managing quantitative future and past metric temporal operators, typically found in properties of hard real time systems. The encoding is simple and intuitive in principle, but it is made more complex by the presence, typical of the Bounded Model Checking technique, of backward and forward loops used to represent an ultimately periodic infinite domain by a finite structure. We report and comment on the new encoding technique and on an extensive set of experiments carried out to assess its feasibility and effectiveness

Search-driven string constraint solving for vulnerability detection

Constraint solving is an essential technique for detecting vulnerabilities in programs, since it can reason about input sanitization and validation operations performed on user inputs. However, real-world programs typically contain complex string operations that challenge vulnerability detection. State-of-the-art string constraint solvers support only a limited set of string operations and fail when they encounter an unsupported one; this leads to limited effectiveness in finding vulnerabilities. In this paper we propose a search-driven constraint solving technique that complements the support for complex string operations provided by any existing string constraint solver. Our technique uses a hybrid constraint solving procedure based on the Ant Colony Optimization meta-heuristic. The idea is to execute it as a fallback mechanism, only when a solver encounters a constraint containing an operation that it does not support. We have implemented the proposed search-driven constraint solving technique in the ACO-Solver tool, which we have evaluated in the context of injection and XSS vulnerability detection for Java Web applications. We have assessed the benefits and costs of combining the proposed technique with two state-of-the-art constraint solvers (Z3-str2 and CVC4). The experimental results, based on a benchmark with 104 constraints derived from nine realistic Web applications, show that our approach, when combined in a state-of-the-art solver, significantly improves the number of detected vulnerabilities (from 4.7% to 71.9% for Z3-str2, from 85.9% to 100.0% for CVC4), and solves several cases on which the solver fails when used stand-alone (46 more solved cases for Z3-str2, and 11 more for CVC4), while still keeping the execution time affordable in practice