Advertisement

Repair of Boolean Programs with an Application to C

  • Andreas Griesmayer
  • Roderick Bloem
  • Byron Cook
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4144)

Abstract

We show how to find and fix faults in Boolean programs by extending the program to a game. In the game, the protagonist can select an alternative implementation for an incorrect statement. If the protagonist can do so successfully using a memoryless strategy that does not depend on the stack contents, we have found a correction for the Boolean program. We present a symbolic algorithm that localizes possibly faulty statements and provides corrections.

If the Boolean program is an abstraction of a C program, the repair for the Boolean program suggests a repair for the original C program. This yields a correct but incomplete approach to repairing C programs. We have applied this approach to Boolean programs that are produced as abstractions by SLAM and have thus successfully patched several faulty Windows device drivers.

Keywords

Model Checker Fault Model Binary Decision Diagram Device Driver Request Packet 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Alur, R., Henzinger, T.A.: Reactive modules. Formal Methods in System Design 15, 7–48 (1999)CrossRefGoogle Scholar
  2. 2.
    Alur, R., La Torre, S., Madhusudan, P.: Modular strategies for recursive game graphs. In: Garavel, H., Hatcliff, J. (eds.) ETAPS 2003 and TACAS 2003. LNCS, vol. 2619, pp. 363–378. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Ball, T., Bounimova, E., Cook, B., Levin, V., Lichtenberg, J., McGarvey, C., Ondrusek, B., Rajamani, S.K., Ustuner, A.: Thorough static analysis of device drivers. In: European Systems Conference (EuroSys 2006) (2006)Google Scholar
  4. 4.
    Ball, T., Naik, M., Rajamani, S.K.: From symptom to cause: Localizing errors in counterexample traces. In: 30th Symposium on Principles of Programming Languages (POPL 2003), pp. 97–105 (2003)Google Scholar
  5. 5.
    Ball, T., Rajamani, S.K.: Bebop: A symbolic model checker for Boolean programs. In: Havelund, K., Penix, J., Visser, W. (eds.) SPIN 2000. LNCS, vol. 1885, pp. 113–130. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Bouajjani, A., Esparza, J., Maler, O.: Reachability analysis of pushdown automata: Application to model checking. In: Mazurkiewicz, A., Winkowski, J. (eds.) CONCUR 1997. LNCS, vol. 1243, pp. 135–150. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Bryant, R.E.: Symbolic boolean manipulation with ordered binary decision diagrams. ACM Computing Surveys 24, 293–318 (1992)CrossRefGoogle Scholar
  8. 8.
    Chaki, S., Groce, A., Strichman, O.: Explaining abstract counterexamples. In: Proc. of the International Symposium on Foundations of Software Engineering, pp. 73–82 (2004)Google Scholar
  9. 9.
    Demsky, B., Rinard, M.: Automatic detection and repair of errors in data structures. In: Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2003), pp. 78–95 (2003)Google Scholar
  10. 10.
    Esparza, J., Hansel, D., Rossmanith, P., Schwoon, S.: Efficient algorithms for model checking pushdown systems. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 324–336. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  11. 11.
    Graf, S., Saïdi, H.: Construction of abstract state graphs with PVS. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 72–83. Springer, Heidelberg (1997)Google Scholar
  12. 12.
    Groce, A.: Error explanation with distance metrics. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 108–122. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  13. 13.
    Jobstmann, B., Griesmayer, A., Bloem, R.: Program repair as a game. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 226–238. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  14. 14.
    Khurshid, S., García, I., Suen, Y.: Repairing structurally complex data. In: Godefroid, P. (ed.) SPIN 2005. LNCS, vol. 3639, pp. 123–138. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Reps, T., Horwitz, S., Sagiv, S.: Precise interprocedural dataflow analysis via graph reachability. In: Symposium on Principles of Programming Languages, pp. 49–61 (1995)Google Scholar
  16. 16.
    Somenzi, F.: CUDD: CU Decision Diagram Package. University of Colorado at Boulder, ftp://vlsi.colorado.edu/pub/
  17. 17.
    Staber, S., Jobstmann, B., Bloem, R.: Finding and fixing faults. In: Borrione, D., Paul, W. (eds.) CHARME 2005. LNCS, vol. 3725, pp. 35–49. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    Walukiewicz, I.: Pushdown processes: Games and model-checking. Information and Computation 157, 234–263 (2000)CrossRefMathSciNetGoogle Scholar
  19. 19.
    Zeller, A.: Isolating cause-effect chains from computer programs. In: 10th Int. Symp. on the Foundations of Software Engineering (FSE-10), pp. 1–10 (November 2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Andreas Griesmayer
    • 1
  • Roderick Bloem
    • 1
  • Byron Cook
    • 2
  1. 1.Graz University of Technology 
  2. 2.Microsoft Research 

Personalised recommendations