4,813 research outputs found
Transfer Function Synthesis without Quantifier Elimination
Traditionally, transfer functions have been designed manually for each
operation in a program, instruction by instruction. In such a setting, a
transfer function describes the semantics of a single instruction, detailing
how a given abstract input state is mapped to an abstract output state. The net
effect of a sequence of instructions, a basic block, can then be calculated by
composing the transfer functions of the constituent instructions. However,
precision can be improved by applying a single transfer function that captures
the semantics of the block as a whole. Since blocks are program-dependent, this
approach necessitates automation. There has thus been growing interest in
computing transfer functions automatically, most notably using techniques based
on quantifier elimination. Although conceptually elegant, quantifier
elimination inevitably induces a computational bottleneck, which limits the
applicability of these methods to small blocks. This paper contributes a method
for calculating transfer functions that finesses quantifier elimination
altogether, and can thus be seen as a response to this problem. The
practicality of the method is demonstrated by generating transfer functions for
input and output states that are described by linear template constraints,
which include intervals and octagons.Comment: 37 pages, extended version of ESOP 2011 pape
Towards a quantitative alloy
Dissertação de mestrado integrado em Engenharia InformáticaWhen one comes across a new problem that needs to be solved, by abstracting from its associated details
in a simple and concise way through the use of formal methods, one is able to better understand the matter
at hand. Alloy (Jackson, 2012), a declarative specification language based on relational logic, is an example
of an effective modelling tool, allowing high-level specification of potentially very complex systems. However,
along with the irrelevant information, measurable data of the system is often lost in the abstraction as well,
making it not as adequate for certain situations.
The Alloy Analyzer represents the relations under analysis by Boolean matrices. By extending this type of
structure to:
• numeric matrices, over N0
, one is able to work with multirelations, i.e. relations whose arcs are
weighted; each tuple is thus associated with a natural number, which allows reasoning in a similar
fashion as in optimization problems and integer programming techniques;
• left-Stochastic matrices, one is able to model faulty behaviour and other forms of quantitative
information about software systems in a probabilistic way; in particular, this introduces the notion of
a probabilistic contract in software design.
Such an increase in Alloy’s capabilities strengthens its position in the area of formal methods for software
design, in particular towards becoming a quantitative formal method.
This dissertation explores the motivation and importance behind quantitative analysis by studying and
establishing theoretical foundations through categorial approaches to accomplish such reasoning in Alloy.
This starts by reviewing the required tools to support such groundwork and proceeds to the design and
implementation of such a quantitative Alloy extension.
This project aims to promote the evolution of quantitative formal methods by successfully achieving
quantitative abstractions in Alloy, extending its support to these concepts and implementing them in the
Alloy Analyzer.Quando se depara com um novo problema que precisa de ser resolvido, ao abstrair dos seus detalhes
associados de forma simples e concisa recorrendo a métodos formais, é possÃvel compreender melhor
o assunto em questão. Alloy (Jackson, 2012), uma linguagem de especificação declarativa baseada em
lógica relacional, é um exemplo de uma ferramenta de modelação eficaz, possibilitando especificações
de alto-nÃvel de sistemas potencialmente bastante complexos. Contudo, em conjunto com a informação
irrelevante, os dados mensuráveis são muitas vezes também perdidos na abstração, tornando-a não tão
adequada para certas situações.
O Alloy Analyzer representa as relações sujeitas a análise através de matrizes Booleanas. Ao estender
este tipo de estrutura para:
• matrizes numéricas, em N0
, é possÃvel lidar com multirelações, i.e., relações cujos arcos são
pesados; cada tuplo é consequentemente associado a um número natural, o que proporciona uma
linha de raciocÃnio semelhante à de técnicas de problemas de otimização e de programação inteira;
• matrizes estocásticas, permitindo a modelação de comportamento defeituoso e de outros tipos de
informação quantitativa de sistemas de software probabilisticamente; em particular, é introduzida a
noção de contrato probabilÃstico em design de software.
Tal aumento às capacidades do Alloy, fortalece a sua posição na área de métodos formais para design de
software, em particular, a caminho de se tornar um método formal quantitativo.
Esta dissertação explora a motivação e a importância subjacente à análise quantitativa, a partir do estudo
e consolidação dos fundamentos teóricos através de abordagens categóricas de forma a conseguir suportar
esse tipo de raciocÃnio em Alloy. Inicialmente, as ferramentas imprescindÃveis para assegurar tal base são
analisadas, passando de seguida ao planeamento e posterior implementação de tal extensão quantitativa
do Alloy.
Este projecto pretende promover a evolução dos métodos formais quantitativos através da concretização de
abstracção quantitativa em Alloy, estendendo a sua base para suportar estes conceitos e assim implementá los no Alloy Analyzer
Evolving text classification rules with genetic programming
We describe a novel method for using genetic programming to create compact classification rules using combinations of N-grams (character strings). Genetic programs acquire fitness by producing rules that are effective classifiers in terms of precision and recall when evaluated against a set of training documents. We describe a set of functions and terminals and provide results from a classification task using the Reuters 21578 dataset. We also suggest that the rules may have a number of other uses beyond classification and provide a basis for text mining applications
A Survey of Constrained Combinatorial Testing
Combinatorial Testing (CT) is a potentially powerful testing technique,
whereas its failure revealing ability might be dramatically reduced if it fails
to handle constraints in an adequate and efficient manner. To ensure the wider
applicability of CT in the presence of constrained problem domains, large and
diverse efforts have been invested towards the techniques and applications of
constrained combinatorial testing. In this paper, we provide a comprehensive
survey of representations, influences, and techniques that pertain to
constraints in CT, covering 129 papers published between 1987 and 2018. This
survey not only categorises the various constraint handling techniques, but
also reviews comparatively less well-studied, yet potentially important,
constraint identification and maintenance techniques. Since real-world programs
are usually constrained, this survey can be of interest to researchers and
practitioners who are looking to use and study constrained combinatorial
testing techniques
Automated Fixing of Programs with Contracts
This paper describes AutoFix, an automatic debugging technique that can fix
faults in general-purpose software. To provide high-quality fix suggestions and
to enable automation of the whole debugging process, AutoFix relies on the
presence of simple specification elements in the form of contracts (such as
pre- and postconditions). Using contracts enhances the precision of dynamic
analysis techniques for fault detection and localization, and for validating
fixes. The only required user input to the AutoFix supporting tool is then a
faulty program annotated with contracts; the tool produces a collection of
validated fixes for the fault ranked according to an estimate of their
suitability.
In an extensive experimental evaluation, we applied AutoFix to over 200
faults in four code bases of different maturity and quality (of implementation
and of contracts). AutoFix successfully fixed 42% of the faults, producing, in
the majority of cases, corrections of quality comparable to those competent
programmers would write; the used computational resources were modest, with an
average time per fix below 20 minutes on commodity hardware. These figures
compare favorably to the state of the art in automated program fixing, and
demonstrate that the AutoFix approach is successfully applicable to reduce the
debugging burden in real-world scenarios.Comment: Minor changes after proofreadin
A Metric Encoding for Bounded Model Checking (extended version)
In Bounded Model Checking both the system model and the checked property are
translated into a Boolean formula to be analyzed by a SAT-solver. We introduce
a new encoding technique which is particularly optimized for managing
quantitative future and past metric temporal operators, typically found in
properties of hard real time systems. The encoding is simple and intuitive in
principle, but it is made more complex by the presence, typical of the Bounded
Model Checking technique, of backward and forward loops used to represent an
ultimately periodic infinite domain by a finite structure. We report and
comment on the new encoding technique and on an extensive set of experiments
carried out to assess its feasibility and effectiveness
Search-driven string constraint solving for vulnerability detection
Constraint solving is an essential technique for detecting vulnerabilities in programs, since it can reason about input sanitization and validation operations performed on user inputs. However, real-world programs typically contain complex string operations that challenge vulnerability detection. State-of-the-art string constraint solvers support only a limited set of string operations and fail when they encounter an unsupported one; this leads to limited effectiveness in finding vulnerabilities.
In this paper we propose a search-driven constraint solving technique that complements the support for complex string operations provided by any existing string constraint solver. Our technique uses a hybrid constraint solving procedure based on the Ant Colony Optimization meta-heuristic. The idea is to execute it as a fallback mechanism, only when a solver encounters a constraint containing an operation that it does not support.
We have implemented the proposed search-driven constraint solving technique in the ACO-Solver tool, which we have evaluated in the context of injection and XSS vulnerability detection for Java Web applications. We have assessed the benefits and costs of combining the proposed technique with two state-of-the-art constraint solvers (Z3-str2 and CVC4). The experimental results, based on a benchmark with 104 constraints derived from nine realistic Web applications, show that our approach, when combined in a state-of-the-art solver, significantly improves the number of detected vulnerabilities (from 4.7% to 71.9% for Z3-str2, from 85.9% to 100.0% for CVC4), and solves several cases on which the solver fails when used stand-alone (46 more solved cases for Z3-str2, and 11 more for CVC4), while still keeping the execution time affordable in practice
- …