ProveNFix: Temporal Property-Guided Program Repair

Model checking has been used traditionally for finding violations of temporal properties. Recently, testing or fuzzing approaches have also been applied to software systems to find temporal property violations. However, model checking suffers from state explosion, while fuzzing can only partially cover program paths. Moreover, once a violation is found, the fix for the temporal error is usually manual. In this work, we develop the first compositional static analyzer for temporal properties, and the analyzer supports a proof-based repair strategy to fix temporal bugs automatically. To enable a more flexible specification style for temporal properties, on top of the classic pre/post-conditions, we allow users to write a future -condition to modularly express the expected behaviors after the function call. Instead of requiring users to write specifications for each procedure, our approach automatically infers the procedure’s specification according to user-supplied specifications for a small number of primitive APIs. We further devise a term rewriting system to check the actual behaviors against its inferred specification. Our method supports the analysis of 1) memory usage bugs, 2) unchecked return values, 3) resource leaks, etc., with annotated specifications for 17 primitive APIs, and detects 515 vulnerabilities from over 1 million lines of code ranging from ten real-world C projects. Intuitively, the benefit of our approach is that a small set of properties can be specified once and used to analyze/repair a large number of programs. Experimental results show that our tool, P rove NF ix , detects <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" display="inline"> mml:mrow mml:mn72.2</mml:mn> mml:mi%</mml:mi> </mml:mrow> </mml:math> more true alarms than the latest release of the Infer static analyzer. Moreover, we show the effectiveness of our repair strategy when compared to other state-of-the-art systems — fixing <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" display="inline"> mml:mrow mml:mn5</mml:mn> mml:mi%</mml:mi> </mml:mrow> </mml:math> more memory leaks than SAVER, <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" display="inline"> mml:mrow mml:mn40</mml:mn> mml:mi%</mml:mi> </mml:mrow> </mml:math> more resource leaks than FootPatch, and with a <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" display="inline"> mml:mrow mml:mn90</mml:mn> mml:mi%</mml:mi> </mml:mrow> </mml:math> fix rate for null pointer dereferences.