
Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation: latest publications

Execution reconstruction: harnessing failure reoccurrences for failure reproduction
Gefei Zuo, Jiacheng Ma, Andrew Quinn, Pramod Bhatotia, Pedro Fonseca, Baris Kasikci
Reproducing production failures is crucial for software reliability. Alas, existing bug reproduction approaches are not suitable for production systems because they are not simultaneously efficient, effective, and accurate. In this work, we survey prior techniques and show that existing approaches over-prioritize a subset of these properties, and sacrifice the remaining ones. As a result, existing tools do not enable the plethora of proposed failure reproduction use-cases (e.g., debugging, security forensics, fuzzing) for production failures. We propose Execution Reconstruction (ER), a technique that strikes a better balance between efficiency, effectiveness and accuracy for reproducing production failures. ER uses hardware-assisted control and data tracing to shepherd symbolic execution and reproduce failures. ER's key novelty lies in identifying data values that are both inexpensive to monitor and useful for eliding the scalability limitations of symbolic execution. ER harnesses failure reoccurrences by iteratively performing tracing and symbolic execution, which reduces runtime overhead. Whereas prior production-grade techniques can only reproduce short executions, ER can reproduce any reoccurring failure. Thus, unlike existing tools, ER reproduces fully replayable executions that can power a variety of debugging and reliability use cases. ER incurs on average 0.3% (up to 1.1%) runtime monitoring overhead for a broad range of real-world systems, making it practical for real-world deployment.
DOI: https://doi.org/10.1145/3453483.3454101 (published 2021-06-18)
Citations: 14
Unqomp: synthesizing uncomputation in Quantum circuits
Anouk Paradis, Benjamin Bichsel, Samuel Steffen, Martin T. Vechev
A key challenge when writing quantum programs is the need for uncomputation: temporary values produced during the computation must be reset to zero before they can be safely discarded. Unfortunately, most existing quantum languages require tedious manual uncomputation, often leading to inefficient and error-prone programs. We present Unqomp, the first procedure to automatically synthesize uncomputation in a given quantum circuit. Unqomp can be readily integrated into popular quantum languages, allowing the programmer to allocate and use temporary values analogously to classical computation, knowing they will be uncomputed by Unqomp. Our evaluation shows that programs leveraging Unqomp are not only shorter (-19% on average), but also generate more efficient circuits (-71% gates and -19% qubits on average).
DOI: https://doi.org/10.1145/3453483.3454040 (published 2021-06-18)
Citations: 13
JPortal: precise and efficient control-flow tracing for JVM programs with Intel processor trace
Zhiqiang Zuo, Kai Ji, Yifei Wang, W. Tao, Linzhang Wang, Xuandong Li, G. Xu
Hardware tracing modules such as Intel Processor Trace perform continuous control-flow tracing of an end-to-end program execution with an ultra-low overhead. PT has been used in a variety of contexts to support applications such as testing, debugging, and performance diagnosis. However, these hardware modules have so far been used only to trace native programs, which are directly compiled down to machine code. As high-level languages (HLL) such as Java and Go become increasingly popular, there is a pressing need to extend these benefits to the HLL community. This paper presents JPortal, a JVM-based profiling tool that bridges the gap between HLL applications and low-level hardware traces by using a set of algorithms to precisely recover an HLL program’s control flow from PT traces. An evaluation of JPortal with the DaCapo benchmark shows that JPortal achieves an overall 80% accuracy for end-to-end control flow profiling with only a 4-16% runtime overhead.
DOI: https://doi.org/10.1145/3453483.3454096 (published 2021-06-18)
Citations: 4
Concolic program repair
Ridwan Shariffdeen, Yannic Noller, Lars Grunske
Automated program repair reduces the manual effort in fixing program errors. However, existing repair techniques modify a buggy program such that it passes given tests. Such repair techniques do not discriminate between correct patches and patches that overfit the available tests (breaking untested but desired functionality). We propose an integrated approach for detecting and discarding overfitting patches via systematic co-exploration of the patch space and input space. We leverage concolic path exploration to systematically traverse the input space (and generate inputs), while ruling out significant parts of the patch space. Given a long enough time budget, this approach allows a significant reduction in the pool of patch candidates, as shown by our experiments. We implemented our technique in the form of a tool called 'CPR' and evaluated its efficacy in reducing the patch space by discarding overfitting patches from a pool of plausible patches. We evaluated our approach for fixing real-world software vulnerabilities and defects, for fixing functionality errors in programs drawn from SV-COMP benchmarks used in software verification, as well as for test-suite guided repair. In our experiments, we observed a patch space reduction due to our concolic exploration of up to 74% for fixing software vulnerabilities and up to 63% for SV-COMP programs. Our technique presents the viewpoint of gradual correctness: repair run over a longer time leads to fewer overfitting fixes.
DOI: https://doi.org/10.1145/3453483.3454051 (published 2021-06-18)
Citations: 26
Concise, type-safe, and efficient structural diffing
Sebastian Erdweg, Tamás Szabó, André Pacak
A structural diffing algorithm compares two pieces of tree-shaped data and computes their difference. Existing structural diffing algorithms either produce concise patches or ensure type safety, but never both. We present a new structural diffing algorithm called truediff that achieves both properties by treating subtrees as mutable, yet linearly typed resources. Mutation is required to derive concise patches that only mention changed nodes, but, in contrast to prior work, truediff guarantees all intermediate trees are well-typed. We formalize type safety, prove truediff has linear run time, and evaluate its performance and the conciseness of the derived patches empirically for real-world Python documents. While truediff ensures type safety, the size of its patches is on par with Gumtree, a popular untyped diffing implementation. Regardless, truediff outperforms Gumtree and a typed diffing implementation by an order of magnitude.
DOI: https://doi.org/10.1145/3453483.3454052 (published 2021-06-18)
Citations: 3
SyRust: automatic testing of Rust libraries with semantic-aware program synthesis
Yoshiki Takashima, R. Martins, Limin Jia, C. Pasareanu
Rust’s type system ensures the safety of Rust programs; however, programmers can side-step some of the strict typing rules by using the unsafe keyword. A common use of unsafe Rust is by libraries. Bugs in these libraries undermine the safety of the entire Rust program. Therefore, it is crucial to thoroughly test library APIs to rule out bugs. Unfortunately, such testing relies on programmers to manually construct test cases, which is an inefficient and ineffective process. The goal of this paper is to develop a methodology for automatically generating Rust programs to effectively test Rust library APIs. The main challenge is to synthesize well-typed Rust programs to account for proper chaining of API calls and Rust’s ownership type system and polymorphic types. We develop a program synthesis technique for Rust library API testing, which relies on a novel logical encoding of typing constraints from Rust’s ownership type system. We implement SyRust, a testing framework for Rust libraries that automatically synthesizes semantically valid test cases. Our experiments on 30 popular open-source Rust libraries found 4 new bugs.
DOI: https://doi.org/10.1145/3453483.3454084 (published 2021-06-18)
Citations: 7
Fast and precise certification of transformers
Gregory Bonaert, Dimitar I. Dimitrov, Maximilian Baader, Martin T. Vechev
We present DeepT, a novel method for certifying Transformer networks based on abstract interpretation. The key idea behind DeepT is our new Multi-norm Zonotope abstract domain, an extension of the classical Zonotope designed to handle ℓ1 and ℓ2-norm bound perturbations. We introduce all Multi-norm Zonotope abstract transformers necessary to handle these complex networks, including the challenging softmax function and dot product. Our evaluation shows that DeepT can certify average robustness radii that are 28× larger than the state-of-the-art, while scaling favorably. Further, for the first time, we certify Transformers against synonym attacks on long sequences of words, where each word can be replaced by any synonym. DeepT achieves a high certification success rate on sequences of words where enumeration-based verification would take 2 to 3 orders of magnitude more time.
DOI: https://doi.org/10.1145/3453483.3454056 (published 2021-06-18)
Citations: 20
Boosting SMT solver performance on mixed-bitwise-arithmetic expressions
Dongpeng Xu, Binbin Liu, Weijie Feng, Jiang Ming, Qilong Zheng, Jing Li, Qiaoyan Yu
Satisfiability Modulo Theories (SMT) solvers have been widely applied in automated software analysis to reason about the queries that encode the essence of program semantics, relieving the heavy burden of manual analysis. Many SMT solving techniques rely on solving the Boolean satisfiability problem (SAT), which is an NP-complete problem, so they use heuristic search strategies to seek possible solutions, especially when no known theorem can efficiently reduce the problem. An emerging challenge, named Mixed-Bitwise-Arithmetic (MBA) obfuscation, impedes SMT solving by constructing identity equations with both bitwise operations (and, or, negate) and arithmetic computation (add, minus, multiply). Common math theorems for bitwise or arithmetic computation are inapplicable to simplifying MBA equations, leading to performance bottlenecks in SMT solving. In this paper, we first scrutinize solvers' performance on solving different categories of MBA expressions: linear, polynomial, and non-polynomial. We observe that solvers can handle simple linear MBA expressions, but face a severe performance slowdown when solving complex linear and non-linear MBA expressions. The root cause is that complex MBA expressions break the reduction laws for pure arithmetic or bitwise computation. To boost solvers' performance, we propose a semantic-preserving transformation to reduce the mixing degree of bitwise and arithmetic operations. We first calculate a signature vector based on the truth table extracted from an MBA expression, which captures the complete MBA semantics. Next, we generate a simpler MBA expression from the signature vector. Our large-scale evaluation on 3000 complex MBA equations shows that our technique significantly boosts modern SMT solvers' performance on solving MBA formulas.
DOI: https://doi.org/10.1145/3453483.3454068 (published 2021-06-18)
Citations: 14
Canary: practical static detection of inter-thread value-flow bugs
Yuandao Cai, Peisen Yao, Charles Zhang
Concurrent programs are still prone to bugs arising from the subtle interleavings of threads. Traditional static analysis for concurrent programs, such as data-flow analysis and symbolic execution, has to explicitly explore redundant control states, leading to prohibitive computational complexity. This paper presents a value flow analysis framework for concurrent programs called Canary that is practical to statically find diversified inter-thread value-flow bugs. Our work is the first to convert the concurrency bug detection to a source-sink reachability problem, effectively reducing redundant thread interleavings. Specifically, we propose a scalable thread-modular algorithm to capture data and interference dependence in a value-flow graph. The relevant edges of value flows are annotated with execution constraints as guards to describe the conditions of value flows. Canary then traverses the graph to detect concurrency defects via tracking the source-sink properties and solving the aggregated guards of value flows with an SMT solver to decide the realizability of interleaving executions. Experiments show that Canary is precise, scalable and practical, detecting over eighteen previously unknown concurrency bugs in large, widely-used software systems with low false positives.
Citations: 9
Satisfiability modulo ordering consistency theory for multi-threaded program verification
Fei He, Zhihang Sun, Hongyu Fan
Analyzing multi-threaded programs is hard due to the number of thread interleavings. Partial orders can be used for modeling and analyzing multi-threaded programs. However, there is no dedicated decision procedure for solving partial-order constraints. In this paper, we propose a novel ordering consistency theory for multi-threaded program verification under sequential consistency, and we elaborate its theory solver, which realizes incremental consistency checking, minimal conflict clause generation, and specialized theory propagation to improve the efficiency of SMT solving. We conducted extensive experiments on credible benchmarks; the results show significant promotion of our approach.
Citations: 10
Journal
Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation
Copyright © 2023 Book学术 All rights reserved.