Path-Based Program Repair

We propose a path-based approach to program repair for imperative programs. Our repair framework takes as input a faulty program, a logic specification that is refuted, and a hint where the fault may be located. An iterative abstraction refinement loop is then used to repair the program: in each iteration, the faulty program part is re-synthesized considering a symbolic counterexample, where the control-flow is kept concrete but the data-flow is symbolic. The appeal of the idea is two-fold: 1) the approach lazily considers candidate repairs and 2) the repairs are directly derived from the logic specification. In contrast to prior work, our approach is complete for programs with finitely many control-flow paths, i.e., the program is repaired if and only if it can be repaired at the specified fault location. Initial results for small programs indicate that the approach is useful for debugging programs in practice.Comment: In Proceedings FESCA 2015, arXiv:1503.0437

SAT-based Automatic Test Pattern Generation

Abstract. Due to the rapidly growing size of integrated circuits, there is a need for new algorithms for Automatic Test Pattern Generation (ATPG). While classical algorithms reach their limit, there have been recent advances in algorithms to solve Boolean Satisfiability (SAT). Because Boolean SAT solvers are working on Conjunctive Normal Forms (CNF), the problem has to be transformed. During transformation, relevant information about the problem might get lost and therefore is not available in the solving process. In the following we briefly motivate the problem and provide the latest developments in the field. The technique was implemented and experimental results are presented. The approach was combined with the ATPG framework of NXP Semiconductors. Significant improvements in overall performance and robustness are demonstrated

DEL: Dynamic Symbolic Execution-based Lifter for Enhanced Low-Level Intermediate Representation

This work develops an approach that lifts binaries into an enhanced LLVM IR including indirect jumps. The proposed lifter combines both static and dynamic methods and strives to fully recover the Control-Flow Graph (CFG) of the program. Using Satisfiability Modulo Theories (SMT) supported by memory and register models, our lifter dynamically symbolically executes IR instructions after translating them into SMT expressions

Exploiting error detection latency for parity-based soft error detection

Local triple modular redundancy (LTMR) is often the first choice to harden a flash-based FPGA application against soft errors in space. Unfortunately, LTMR leads to at least 300% area overhead. We propose a parity-based error detection approach, to use the limited resources of space-proven flash-based FPGAs more area-efficiently; this method can be the key for fitting the application onto the FPGA. A drawback of parity-based hardening is the significant impact on the critical path. To alleviate this error detection latency, pipeline structures in the design can be utilized. According to our results, this eliminates from 22% to 65% of the critical path overhead of the unpipelined error detection. Compared with LTMR, the new approach increases the critical path overhead of LTMR by a factor varying from 2 to 7

Minimizing the Number of Paths in BDDs

BDDs are used in several fields as e.g. formal verification or synthesis. Minimizing the number of nodes in a BDD is a common technique, to reduce the memory needed to express a function. But recently applications like SAT-solving or synthesis have been shown to benefit from a small number of paths in a BDD. Here we present an algorithm and its implementation to carry out the minimization of a BDD with respect to the number of paths. After showing the existence of functions that can not be represented by a BDD that is minimal in the number of nodes and the number of paths at once, statistical experiments on the ISCAS89 benchmark set show the efficiency of the technique. In another set of experiments the minimization of numbers of paths is compared to that of the number of nodes