Automatic bug fixing: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 02:53, 6 October 2016 edit 115.27.198.174 (talk) No edit summary ← Previous edit		Latest revision as of 11:56, 16 August 2025 edit undo Jnestorius (talk \| contribs) Autopatrolled, Extended confirmed users, Pending changes reviewers 80,490 edits test case (software)s
(171 intermediate revisions by 63 users not shown)
Line 1: {{short description\|Automatic repair of software bugs}} ~~'''Automatic bug-fixing''' is the automatic [[Patch (computing)\|repair]] of~~ '''Automatic bug-fixing''' is the automatic [[Patch (computing)\|repair]] of [[software bug]]s without the intervention of a human programmer.<ref>{{Cite journal \|last=Rinard \|first=Martin C. \|year=2008 \|title=Technical perspective ''Patching'' program errors \|journal=Communications of the ACM \|volume=51 \|issue=12 \|pages=86 \|doi=10.1145/1409360.1409381 \|s2cid=28629846}}</ref><ref>{{Cite journal \|last=Harman \|first=Mark \|year=2010 \|title=Automated patching techniques \|journal=Communications of the ACM \|volume=53 \|issue=5 \|pages=108 \|doi=10.1145/1735223.1735248 \|s2cid=9729944}}</ref><ref name="Gazzola2019">{{Cite journal \|last1=Gazzola \|first1=Luca \|last2=Micucci \|first2=Daniela \|last3=Mariani \|first3=Leonardo \|year=2019 \|title=Automatic Software Repair: A Survey \|url=https://boa.unimib.it/bitstream/10281/184798/2/08089448_final.pdf \|journal=IEEE Transactions on Software Engineering \|volume=45 \|issue=1 \|pages=34–67 \|doi=10.1109/TSE.2017.2755013 \|hdl=10281/184798 \|s2cid=57764123\|doi-access=free }}</ref> It is also commonly referred to as ''automatic patch generation'', ''automatic bug repair'', or ''automatic program repair''.<ref name="Gazzola2019">{{Cite journal \|last1=Gazzola \|first1=Luca \|last2=Micucci \|first2=Daniela \|last3=Mariani \|first3=Leonardo \|year=2019 \|title=Automatic Software Repair: A Survey \|url=https://boa.unimib.it/bitstream/10281/184798/2/08089448_final.pdf \|journal=IEEE Transactions on Software Engineering \|volume=45 \|issue=1 \|pages=34–67 \|doi=10.1109/TSE.2017.2755013 \|hdl=10281/184798 \|s2cid=57764123\|doi-access=free }}</ref> The typical goal of such techniques is to automatically generate correct [[Patch (computing)\|patches]] to eliminate bugs in [[software program]]s without causing [[software regression]].<ref>{{Cite book \|last1=Tan \|first1=Shin Hwei \|title=2015 IEEE/ACM 37th IEEE International Conference on Software Engineering \|last2=Roychoudhury \|first2=Abhik \|date=2015 \|publisher=IEEE \|isbn=978-1-4799-1934-5 \|pages=471–482 \|chapter=relifix: Automated repair of software regressions \|doi=10.1109/ICSE.2015.65 \|s2cid=17125466}}</ref> ~~[[software bug]]s without the intervention of a human programmer.~~ ~~<ref>Patching program errors (CACM 2008)~~ ~~{{DOI\|10.1145/1409360.1409381}}</ref><ref>Automated Patching Techniques: The~~ ~~Fix Is In (CACM 2010) {{DOI\|10.1145/1735223.1735248}}</ref> It is also commonly~~ ~~referred to as ''automatic patch generation'', ''automatic bug repair'', or~~ ~~''automatic program repair''. The typical goal of such techniques is to~~ ~~automatically generate correct [[Patch (computing)\|patches]] to eliminate~~ ~~[[software bug\|bugs]] in [[software program]]s without causing~~ ~~[[software regression]].~~ ==~~Basic~~ ~~concept~~Specification == Automatic bug fixing is made according to a specification of the expected behavior which can be for instance a [[formal specification]] or a [[test suite]].<ref name="genprog2009">{{Cite book \|last1=Weimer \|first1=Westley \|title=Proceedings of the 31st International Conference on Software Engineering \|last2=Nguyen \|first2=ThanhVu \|last3=Le Goues \|first3=Claire\|author3-link=Claire Le Goues \|last4=Forrest \|first4=Stephanie \|date=2009 \|publisher=IEEE \|isbn=978-1-4244-3453-4 \|pages=364–374 \|chapter=Automatically finding patches using genetic programming \|citeseerx=10.1.1.147.8995 \|doi=10.1109/ICSE.2009.5070536 \|s2cid=1706697}}</ref> ~~At a high level, automatic bug-fixing techniques generate a patch for a program~~ ~~in two steps. The first step is ''patch generation'', which [[program analysis \| analyzes]] the original~~ ~~program and produces one or more candidate patches with a variety of techniques~~ ~~such [[search-based software engineering \| search-based]] [[program mutation]], [[machine learning]], and [[genetic programming]].~~ ~~The second step is patch validation, which validates the produced candidate patches from~~ ~~the previous step with either a [[formal specification]] or a [[test suite]] of the program.~~ ~~<ref name=clearview> {{cite book~~ ~~\|last1=Perkins~~ ~~\|first1=Jeff H.~~ ~~\|last2=Kim~~ ~~\|first2=Sunghun~~ ~~\|last3=Larsen~~ ~~\|first3=Sam~~ ~~\|last4=Amarasinghe~~ ~~\|first4=Saman~~ ~~\|last5=Bachrach~~ ~~\|first5=Jonathan~~ ~~\|last6=Carbin~~ ~~\|first6=Michael~~ ~~\|last7=Pacheco~~ ~~\|first7=Carlos~~ ~~\|last8=Sherwood~~ ~~\|first8=Frank~~ ~~\|last9=Sidiroglou~~ ~~\|first9=Stelios~~ ~~\|last10=Sullivan~~ ~~\|first10=Greg~~ ~~\|date=2009~~ ~~\|chapter=Automatically patching errors in deployed software~~ ~~\|title=Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles~~ ~~\|series=SOSP '09~~ ~~\|publisher=ACM~~ ~~\|pages=87--102~~ ~~\|isbn=978-1-60558-752-3~~ ~~\|doi=10.1145/1629575.1629585~~ ~~\|ref=harv}}~~ ~~</ref>~~ ~~<ref name=genprog2009>{{cite book~~ ~~\|last1=Weimer~~ ~~\|first1=Westley~~ ~~\|last2=Nguyen~~ ~~\|first2=ThanhVu~~ ~~\|last3=Le Goues~~ ~~\|first3=Claire~~ ~~\|last4=Forrest~~ ~~\|first4=Stephanie~~ ~~\|date=2009~~ ~~\|chapter=Automatically finding patches using genetic programming~~ ~~\|title=Proceedings of the 31st International Conference on Software Engineering~~ ~~\|pages=364--374~~ ~~\|ref=harv}}</ref>~~ ~~<ref name=genprog2012>{{cite book~~ ~~\|last1=Le Goues~~ ~~\|first1=Claire~~ ~~\|last2=Dewey-Vogt~~ ~~\|first2=Michael~~ ~~\|last3=Forrest~~ ~~\|first3=Stephanie~~ ~~\|last4=Weimer~~ ~~\|first4=Westley~~ ~~\|date=2012~~ ~~\|chapter=A Systematic Study of Automated Program Repair: Fixing 55 out of 105 Bugs for \$8 Each~~ ~~\|title=Proceedings of the 2012 International Conference on Software Engineering~~ ~~\|series=ICSE 2012~~ ~~\|publisher=IEEE Press~~ ~~\|pages=3--13~~ ~~\|isbn=978-1-4673-1067-3~~ ~~\|ref=harv}}</ref>~~ ~~<ref name=kali> {{cite book~~ ~~\|last1=Qi~~ ~~\|first1=Zichao~~ ~~\|last2=Long~~ ~~\|first2=Fan~~ ~~\|last3=Achour~~ ~~\|first3=Sara~~ ~~\|last4=Rinard~~ ~~\|first4=Martin~~ ~~\|date=2015~~ ~~\|chapter=An Anlysis of Patch Plausibility and Correctness for Generate-and-Validate Patch Generation Systems~~ ~~\|title=Proceedings of the ACM/SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2015~~ ~~\|ref=harv}}~~ ~~</ref>~~ ~~<ref name=prophet> {{cite book~~ ~~\|last1=Long~~ ~~\|first1=Fan~~ ~~\|last2=Rinard~~ ~~\|first2=Martin~~ ~~\|date=~~ ~~\|chapter=Automatic patch generation by learning correct code~~ ~~\|title=Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016, St. Petersburg, FL, USA, January 20 - 22, 2016~~ ~~\|pages=298--312~~ ~~\|ref=harv}}~~ ~~</ref>~~ A test-suite – the input/output pairs specify the functionality of the program, possibly captured in [[Assertion (software development)\|assertions]] can be used as a [[test oracle]] to drive the search. This oracle can in fact be divided between the ''bug oracle'' that exposes the faulty behavior, and the ''regression oracle'', which encapsulates the functionality any program repair method must preserve. Note that a test suite is typically incomplete and does not cover all possible cases. Therefore, it is often possible for a validated patch to produce expected outputs for all inputs in the test suite but incorrect outputs for other inputs.<ref name="kali">{{Cite book \|last1=Qi \|first1=Zichao \|title=Proceedings of the 2015 International Symposium on Software Testing and Analysis \|last2=Long \|first2=Fan \|last3=Achour \|first3=Sara \|last4=Rinard \|first4=Martin \|date=2015 \|publisher=ACM \|isbn=978-1-4503-3620-8 \|chapter=An Analysis of Patch Plausibility and Correctness for Generate-and-Validate Patch Generation Systems \|citeseerx=10.1.1.696.5616 \|doi=10.1145/2771783.2771791 \|s2cid=6845282}}</ref> The existence of such validated but incorrect patches is a major challenge for generate-and-validate techniques.<ref name="kali" /> Recent successful automatic bug-fixing techniques often rely on additional information other than the test suite, such as information learned from previous human patches, to further identify correct patches among validated patches.<ref name="prophet">{{Cite book \|last1=Long \|first1=Fan \|title=Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages \|last2=Rinard \|first2=Martin \|date=2016 \|publisher=ACM \|isbn=978-1-4503-3549-2 \|pages=298–312 \|chapter=Automatic patch generation by learning correct code \|doi=10.1145/2837614.2837617 \|s2cid=6091588}}</ref> ~~===Generate-and-validate techniques===~~ Another way to specify the expected behavior is to use [[formal specification]]s<ref name="autofixe">{{Cite journal \|last1=Pei \|first1=Yu \|last2=Furia \|first2=Carlo A. \|last3=Nordio \|first3=Martin \|last4=Wei \|first4=Yi \|last5=Meyer \|first5=Bertrand \|last6=Zeller \|first6=Andreas \|date=May 2014 \|title=Automated Fixing of Programs with Contracts \|journal=IEEE Transactions on Software Engineering \|volume=40 \|issue=5 \|pages=427–449 \|arxiv=1403.1117 \|bibcode=2014arXiv1403.1117P \|doi=10.1109/TSE.2014.2312918 \|s2cid=53302638}}</ref><ref>{{Cite journal \|title=Contract-based Data Structure Repair Using Alloy \|citeseerx=10.1.1.182.4390}}</ref> Verification against full specifications that specify the whole program behavior including functionalities is less common because such specifications are typically not available in practice and the computation cost of such [[formal verification\|verification]] is prohibitive. For specific classes of errors, however, implicit partial specifications are often available. For example, there are targeted bug-fixing techniques validating that the patched program can no longer trigger overflow errors in the same execution path.<ref name="codephage" /> ~~The generate-and-validate techniques are arguably the standard approach to generate repairs for a bug of a program.~~ ~~Such a technique typically starts with a test suite of the program, i.e., a set of [[test cases]], at least~~ ~~one of which exposes the bug<ref name=genprog2009/><ref name=semfix>{{cite book~~ ~~\|last1=Nguyen~~ ~~\|first1=Hoang Duong Thien~~ ~~\|last2=Qi~~ ~~\|first2=Dawei~~ ~~\|last3=Roychoudhury~~ ~~\|first3=Abhik~~ ~~\|last4=Chandra~~ ~~\|first4=Satish~~ ~~\|date=2013~~ ~~\|chapter=SemFix: Program Repair via Semantic Analysis~~ ~~\|title=Proceedings of the 2013 International Conference on Software Engineering~~ ~~\|series=ICSE '13'~~ ~~\|___location=Piscataway, NJ, USA~~ ~~\|publisher=IEEE Press~~ ~~\|pages=772--781~~ ~~\|isbn=978-1-4673-3076-3~~ ~~\|ref=harv}}~~ ~~</ref><ref name=rsrepair>{{cite book~~ ~~\|last1=Qi~~ ~~\|first1=Yuhua~~ ~~\|last2=Mao~~ ~~\|first2=Xiaoguang~~ ~~\|last3=Lei~~ ~~\|first3=Yan~~ ~~\|last4=Dai~~ ~~\|first4=Ziying~~ ~~\|last5=Wang~~ ~~\|first5=Chengsong~~ ~~\|date=2014~~ ~~\|chapter=The Strength of Random Search on Automated Program Repair~~ ~~\|title=Proceedings of the 36th International Conference on Software Engineering~~ ~~\|series=ICSE 2014~~ ~~\|___location=New York, NY, USA~~ ~~\|publisher=ACM~~ ~~\|pages=254--265~~ ~~\|isbn=978-1-4503-2756-5~~ ~~\|doi=10.1145/2568225.2568254~~ ~~\|ref=harv}}~~ ~~</ref><ref name=spr>{{cite book~~ ~~\|last1=Long~~ ~~\|first1=Fan~~ ~~\|last2=Rinard~~ ~~\|first2=Martin~~ ~~\|date=2015~~ ~~\|chapter=Staged Program Repair with Condition Synthesis~~ ~~\|title=Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering~~ ~~\|series=ESEC/FSE 2015~~ ~~\|___location=New York, NY, USA~~ ~~\|publisher=ACM~~ ~~\|pages=166--178~~ ~~\|isbn=978-1-4503-3675-8~~ ~~\|doi=10.1145/2786805.2786811~~ ~~\|ref=harv}}~~ ~~</ref><ref name=prophet/>.~~ ~~The technique assumes that the bug can be fixed with a series of [[program mutation\|mutation operations]]~~ ~~on the [[source code]] of the program. It first uses [[fault localization]]~~ ~~techniques to identify suspicious [[program statement\|statements]] in the program. It then applies~~ ~~the mutation operations to the identified statements to generate a space of~~ ~~candidate patches and searches this space to find validated patches that~~ ~~produce correct outputs for all cases in the test suite. <ref name=genprog2009/><ref name=genprog2012/><ref name=semfix/><ref name=kali/><ref name=spr/><ref name=prophet/>~~ == Techniques == ~~Generate-and-validate techniques for automatic bug-fixing are still in their~~ ~~infancy. Two earliest generate-and-validate bug-fixing systems are GenProg<ref name=genprog2009/> and~~ ~~ClearView<ref name=clearview/>. The effectiveness of~~ ~~generate-and-validate techniques remains controversial<ref name=kali/><ref name=criticalreview>{{cite book~~ ~~\|last=Monperrus~~ ~~\|first=Martin~~ ~~\|date=2014~~ ~~\|chapter=A Critical Review of "Automatic Patch Generation Learned from Human-written Patches": Essay on the Problem Statement and the Evaluation of Automatic Software Repair~~ ~~\|title=Proceedings of the 36th International Conference on Software Engineering~~ ~~\|series=ICSE 2014~~ ~~\|___location=New York, NY, USA~~ ~~\|publisher=ACM~~ ~~\|pages=234--242~~ ~~\|isbn=978-1-4503-2756-5~~ ~~\|doi=10.1145/2568225.2568324~~ ~~\|ref=harv}}~~ ~~</ref>, because they typically do not provide~~ ~~[[#Limitations of automatic bug-fixing \|patch correctness guarantees]].~~ ~~Nevertheless, the reported results of recent state-of-the-art techniques are generally~~ ~~promising. For example, on systematically collected 69 real world bugs in eight large C software~~ ~~programs, the state-of-the-art bug-fixing system Prophet generates correct patches for~~ ~~18 out of the 69 bugs<ref name=prophet/>.~~ === Generate-and-validate === ~~===Targeted techniques===~~ Generate-and-validate approaches compile and test each candidate patch to collect all validated patches that produce expected outputs for all inputs in the test suite.<ref name="genprog2009" /><ref name="kali" /> Such a technique typically starts with a test suite of the program, i.e., a set of [[test case (software)\|test case]]s, at least one of which exposes the bug.<ref name="genprog2009" /><ref name="prophet" /><ref name="rsrepair">{{Cite book \|last1=Qi \|first1=Yuhua \|title=Proceedings of the 36th International Conference on Software Engineering \|last2=Mao \|first2=Xiaoguang \|last3=Lei \|first3=Yan \|last4=Dai \|first4=Ziying \|last5=Wang \|first5=Chengsong \|date=2014 \|publisher=ACM \|isbn=978-1-4503-2756-5 \|series=ICSE 2014 \|___location=Austin, Texas \|pages=254–265 \|chapter=The Strength of Random Search on Automated Program Repair \|doi=10.1145/2568225.2568254 \|s2cid=14976851}}</ref><ref name="spr">{{Cite book \|last1=Long \|first1=Fan \|title=Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering \|last2=Rinard \|first2=Martin \|date=2015 \|publisher=ACM \|isbn=978-1-4503-3675-8 \|series=ESEC/FSE 2015 \|___location=Bergamo, Italy \|pages=166–178 \|chapter=Staged Program Repair with Condition Synthesis \|citeseerx=10.1.1.696.9059 \|doi=10.1145/2786805.2786811 \|s2cid=5987616}}</ref> An early generate-and-validate bug-fixing systems is GenProg.<ref name="genprog2009" /> The effectiveness of generate-and-validate techniques remains controversial, because they typically do not provide [[#Limitations of automatic bug-fixing\|patch correctness guarantees]].<ref name="kali" /> Nevertheless, the reported results of recent state-of-the-art techniques are generally promising. For example, on systematically collected 69 real world bugs in eight large [[C (programming language)\|C software programs]], the state-of-the-art bug-fixing system Prophet generates correct patches for 18 out of the 69 bugs.<ref name="prophet" /> ~~Targeted automatic bug-fixing techniques generate repairs for specific classes~~ ~~of errors such as [[null pointer exception]]~~ ~~<ref name=rcv>{{cite book~~ ~~\|last1=Long~~ ~~\|first1=Fan~~ ~~\|last2=Sidiroglou-Douskos~~ ~~\|first2=Stelios~~ ~~\|last3=Rinard~~ ~~\|first3=Martin~~ ~~\|date=2014~~ ~~\|chapter=Automatic Runtime Error Repair and Containment via Recovery Shepherding~~ ~~\|title=Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation~~ ~~\|series=PLDI '14'~~ ~~\|___location=New York, NY, USA~~ ~~\|publisher=ACM~~ ~~\|pages=227--238~~ ~~\|isbn=978-1-4503-2784-8~~ ~~\|doi=10.1145/2594291.2594337~~ ~~\|ref=harv}}~~ ~~</ref>~~ ~~<ref name=nullfix>{{cite journal~~ ~~\|last1=Dobolyi~~ ~~\|first1=Kinga~~ ~~\|last2=Weimer~~ ~~\|first2=Westley~~ ~~\|date=2008~~ ~~\|title=Changing Java's Semantics for Handling Null Pointer Exceptions~~ ~~\|journal=2013 IEEE 24th International Symposium on Software Reliability Engineering (ISSRE)~~ ~~\|volume=0~~ ~~\|pages=47-56~~ ~~\|ref=harv}}~~ ~~</ref>~~ ~~<ref name=par>{{cite book~~ ~~\|last1=Kim~~ ~~\|first1=Dongsun~~ ~~\|last2=Nam~~ ~~\|first2=Jaechang~~ ~~\|last3=Song~~ ~~\|first3=Jaewoo~~ ~~\|last4=Kim~~ ~~\|first4=Sunghun~~ ~~\|date=2013~~ ~~\|chapter=Automatic Patch Generation Learned from Human-written Patches~~ ~~\|title=Proceedings of the 2013 International Conference on Software Engineering~~ ~~\|series=ICSE '13'~~ ~~\|publisher=IEEE Press~~ ~~\|pages=802--811~~ ~~\|isbn=978-1-4673-3076-3~~ ~~\|ref=harv}}~~ ~~</ref>, [[integer overflow]]~~ ~~<ref name=codephage>{{cite book~~ ~~\|last1=Sidiroglou~~ ~~\|first1=Stelios~~ ~~\|last2=Lahtinen~~ ~~\|first2=Eric~~ ~~\|last3=Long~~ ~~\|first3=Fan~~ ~~\|last4=Rinard~~ ~~\|first4=Martin~~ ~~\|date=2015~~ ~~\|chapter=Automatic Error Elimination by Multi-Application Code Transfer~~ ~~\|title=Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation~~ ~~\|ref=harv}}~~ ~~</ref>,~~ ~~[[buffer overflow]]~~ ~~<ref name=codephage/>,~~ ~~[[memory leak]]~~ ~~<ref name=leakfix>{{cite book~~ ~~\|last1=Gao~~ ~~\|first1=Qing~~ ~~\|last2=Xiong~~ ~~\|first2=Yingfei~~ ~~\|last3=Mi~~ ~~\|first3=Yaqing~~ ~~\|last4=Zhang~~ ~~\|first4=Lu~~ ~~\|last5=Yang~~ ~~\|first5=Weikun~~ ~~\|last6=Zhou~~ ~~\|first6=Zhaoping~~ ~~\|last7=Xie~~ ~~\|first7=Bing~~ ~~\|last8=Mei~~ ~~\|first8=Hong~~ ~~\|date=2015~~ ~~\|chapter=Safe Memory-leak Fixing for C Programs~~ ~~\|title=Proceedings of the 37th International Conference on Software Engineering - Volume 1~~ ~~\|series=ICSE '15'~~ ~~\|___location=Piscataway, NJ, USA~~ ~~\|publisher=IEEE Press~~ ~~\|pages=459--470~~ ~~\|isbn=978-1-4799-1934-5~~ ~~\|ref=harv}}~~ ~~</ref>, etc.. Such techniques often use empirical fix templates to fix bugs~~ ~~in the targeted scope. For example, insert a [[conditional statement]] to check~~ ~~whether the value of a variable is null<ref name=par/>~~ ~~or insert missing memory deallocation~~ ~~statements<ref name=leakfix/>. Comparing to generate-and-validate techniques, targeted techniques~~ ~~tend to have better bug-fixing accuracy but a much narrowed scope<ref name=kali/><ref name=leakfix/>.~~ <!-- mutation based repair --> ~~==Patch generation==~~ One way to generate candidate patches is to apply [[program mutation\|mutation operators]] on the original program. Mutation operators manipulate the original program, potentially via its [[abstract syntax tree]] representation, or a more coarse-grained representation such as operating at the [[Statement (programming)\|statement]]-level or [[Block (programming)\|block]]-level. Earlier [[Genetic improvement (computer science)\|genetic improvement]] approaches operate at the statement level and carry out simple delete/replace operations such as deleting an existing statement or replacing an existing statement with another statement in the same source file.<ref name=genprog2009 /><ref name="genprog2012">{{Cite book \|last1=Le Goues \|first1=Claire\|author1-link=Claire Le Goues \|title=2012 34th International Conference on Software Engineering (ICSE) \|last2=Dewey-Vogt \|first2=Michael \|last3=Forrest \|first3=Stephanie \|last4=Weimer \|first4=Westley \|date=2012 \|publisher=IEEE \|isbn=978-1-4673-1067-3 \|pages=3–13 \|chapter=A Systematic Study of Automated Program Repair: Fixing 55 out of 105 Bugs for $8 Each \|citeseerx=10.1.1.661.9690 \|doi=10.1109/ICSE.2012.6227211 \|s2cid=10987936}}</ref> Recent approaches use more fine-grained operators at the [[abstract syntax tree]] level to generate more diverse set of candidate patches.<ref name=spr /> Notably, the statement deletion mutation operator, and more generally removing code, is a reasonable repair strategy, or at least a good fault localization strategy.<ref>{{Cite book \|last1=Qi \|first1=Zichao \|last2=Long \|first2=Fan \|last3=Achour \|first3=Sara \|last4=Rinard \|first4=Martin \|title=Proceedings of the 2015 International Symposium on Software Testing and Analysis \|chapter=An analysis of patch plausibility and correctness for generate-and-validate patch generation systems \|date=2015-07-13 \|chapter-url=http://dx.doi.org/10.1145/2771783.2771791 \|pages=24–36 \|___location=New York, NY, USA \|publisher=ACM \|doi=10.1145/2771783.2771791\|hdl=1721.1/101586 \|isbn=9781450336208 \|s2cid=6845282 }}</ref> <!-- fix templates --> ~~At the patch generation step, automatic bug-fixing techniques use one or more~~ Another way to generate candidate patches consists of using fix templates. Fix templates are typically predefined changes for fixing specific classes of bugs.<ref name=par /> Examples of fix templates include inserting a [[Conditional (computer programming)\|conditional statement]] to check whether the value of a variable is null to fix null pointer exception, or changing an integer constant by one to fix off-by-one errors.<ref name="par" /> ~~of the followings to generate a set of candidate patches.~~ ===~~Program~~ ~~mutation~~Synthesis-based === Repair techniques exist that are based on symbolic execution. For example, Semfix<ref name="semfix">{{Cite book \|last1=Nguyen \|first1=Hoang Duong Thien \|title=Proceedings of the 2013 International Conference on Software Engineering \|last2=Qi \|first2=Dawei \|last3=Roychoudhury \|first3=Abhik \|last4=Chandra \|first4=Satish \|date=2013 \|publisher=IEEE Press \|isbn=978-1-4673-3076-3 \|series=ICSE '13' \|___location=San Francisco, California \|pages=772–781 \|chapter=SemFix: Program Repair via Semantic Analysis}}</ref> uses symbolic execution to extract a repair constraint. Angelix<ref name="angelix">{{Cite book \|last1=Mechtaev \|first1=Sergey \|title=Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, Texas, May 14-22, 2016 \|last2=Yi \|first2=Jooyong \|last3=Roychoudhury \|first3=Abhik \|date=2016 \|pages=691–701 \|chapter=Angelix: scalable multiline program patch synthesis via symbolic analysis}}</ref> introduced the concept of angelic forest in order to deal with multiline patches. ~~One way to generate candidate patches is to apply [[program mutation \| mutation operators]] on the~~ ~~original program. Mutation operators manipulate the original program,~~ ~~potentially via its [[abstract syntax tree]] representation, or a more~~ ~~coarse-grained representation such as operating at the [[Statement (programming) \| statement-]]level or~~ ~~[[Block (programming)\|block-]]level.~~ ~~Earlier [[Genetic improvement (computer science)\|genetic improvement]]~~ ~~approaches operate at the statement level and carry out simple delete/replace~~ ~~operations such as deleting an existing statement or replacing an existing statement with another statement in the same source file<ref name=genprog2009/><ref name=genprog2012/>.~~ ~~Recent [[machine learning]] and solver approaches use more fine-grained~~ ~~operators at the [[abstract syntax tree]] level to generate more diverse set of~~ ~~candidate patches<ref name=semfix/><ref name=spr/><ref name=prophet/><ref name=angelix>{{cite book~~ ~~\|last1=Mechtaev~~ ~~\|first1=Sergey~~ ~~\|last2=Yi~~ ~~\|first2=Jooyong~~ ~~\|last3=Roychoudhury~~ ~~\|first3=Abhik~~ ~~\|date=2016~~ ~~\|chapter=Angelix: scalable multiline program patch synthesis via symbolic analysis~~ ~~\|title=Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016~~ ~~\|pages=691--701~~ ~~\|ref=harv}}~~ ~~</ref>.~~ <!-- repair and synthesis --> ~~===Fix template===~~ Under certain assumptions, it is possible to state the repair problem as a synthesis problem. SemFix<ref name="semfix" /> uses component-based synthesis.<ref>{{Cite book \|last1=Jha \|first1=Susmit \|url=http://techreports.lib.berkeley.edu/accessPages/EECS-2010-15.html \|title=Oracle-guided component-based program synthesis \|last2=Gulwani \|first2=Sumit \|last3=Seshia \|first3=Sanjit A. \|last4=Tiwari \|first4=Ashish \|date=2010-05-01 \|publisher=ACM \|isbn=9781605587196 \|pages=215–224 \|doi=10.1145/1806799.1806833 \|s2cid=6344783}}</ref> Dynamoth uses dynamic synthesis.<ref>{{Cite book \|last1=Galenson \|first1=Joel \|title=CodeHint: dynamic and interactive synthesis of code snippets \|last2=Reames \|first2=Philip \|last3=Bodik \|first3=Rastislav \|last4=Hartmann \|first4=Björn \|last5=Sen \|first5=Koushik \|date=2014-05-31 \|publisher=ACM \|isbn=9781450327565 \|pages=653–663 \|doi=10.1145/2568225.2568250 \|s2cid=10656182}}</ref> S3<ref>{{Cite book \|last1=Le \|first1=Xuan-Bach D. \|url=https://ink.library.smu.edu.sg/sis_research/3917 \|title=Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering - ESEC/FSE 2017 \|last2=Chu \|first2=Duc-Hiep \|last3=Lo \|first3=David \|last4=Le Goues \|first4=Claire \|author4-link=Claire Le Goues\|last5=Visser \|first5=Willem \|date=2017-08-21 \|publisher=ACM \|isbn=9781450351058 \|pages=593–604 \|doi=10.1145/3106237.3106309 \|s2cid=1503790}}</ref> is based on [[syntax-guided synthesis]].<ref>{{Cite book \|last1=Alur \|first1=Rajeev \|title=2013 Formal Methods in Computer-Aided Design \|last2=Bodik \|first2=Rastislav \|last3=Juniwal \|first3=Garvit \|last4=Martin \|first4=Milo M. K. \|last5=Raghothaman \|first5=Mukund \|last6=Seshia \|first6=Sanjit A. \|last7=Singh \|first7=Rishabh \|last8=Solar-Lezama \|first8=Armando \|last9=Torlak \|first9=Emina \|author9-link=Emina Torlak\|year=2013 \|isbn=9780983567837 \|pages=1–8 \|chapter=Syntax-guided synthesis \|citeseerx=10.1.1.377.2829 \|doi=10.1109/fmcad.2013.6679385 \|last10=Udupa \|first10=Abhishek}}</ref> SearchRepair<ref name="searchrepair">{{Cite book \|last1=Ke \|first1=Yalin \|title=Proceedings of the 2015 30th IEEE/ACM International Conference on Automated Software Engineering \|last2=Stolee \|first2=Kathryn \|last3=Le Goues \|first3=Claire \|author3-link=Claire Le Goues\|last4=Brun \|first4=Yuriy \|date=2015 \|publisher=ACM \|isbn=978-1-5090-0025-8 \|series=ASE 2015 \|___location=Lincoln, Nebraska \|pages=295–306 \|chapter=Repairing Programs with Semantic Code Search \|doi=10.1109/ASE.2015.60 \|s2cid=16361458}}</ref> converts potential patches into an SMT formula and queries candidate patches that allow the patched program to pass all supplied test cases. === Data-driven === ~~Using fix templates is an alternative way to generate candidate patches. Fix~~ ~~templates are typically predefined program mutation rules for fixing specific classes of~~ ~~bugs<ref name=par/>. Examples of fix templates include inserting a [[conditional statement]] to~~ ~~check whether the value of a variable is null to fix null pointer exception<ref name=par/>,~~ ~~inserting memory deallocation statement to fix memory leaks<ref name=leakfix/>, and changing a~~ ~~integer constant by one to fix off-by-one errors<ref name=par/>.~~ ~~Comparing to program mutation techniques,~~ ~~fix templates tend to achieve better candidate patches for bugs~~ ~~within its scope<ref name=clearview/><ref name=par/>. Fix templates are therefore often adopted by targeted~~ ~~techniques<ref name=par/><ref name=rcv/><ref name=clearview/><ref name=leakfix/>.~~ [[Machine learning]] techniques can improve the effectiveness of automatic bug-fixing systems.<ref name="prophet" /> One example of such techniques learns from past successful patches from human developers collected from [[open-source software\|open source]] [[software repository\|repositories]] in [[GitHub]] and [[SourceForge]].<ref name="prophet" /> It then use the learned information to recognize and prioritize potentially correct patches among all generated candidate patches.<ref name="prophet" /> Alternatively, patches can be directly mined from existing sources. Example approaches include mining patches from donor applications<ref name="codephage" /> or from QA web sites.<ref name="QAFix" /> ~~===Code learning and transfer===~~ Getafix<ref name=":0">{{Cite journal \|last1=Bader \|first1=Johannes \|last2=Scott \|first2=Andrew \|last3=Pradel \|first3=Michael \|last4=Chandra \|first4=Satish \|date=2019-10-10 \|title=Getafix: learning to fix bugs automatically \|journal=Proceedings of the ACM on Programming Languages \|volume=3 \|issue=OOPSLA \|pages=159:1–159:27 \|doi=10.1145/3360585\|doi-access=free \|arxiv=1902.06111 }}</ref> is a language-agnostic approach developed and used in production at [[Facebook, Inc.\|Facebook]]. Given a sample of [[Commit (version control)\|code commits]] where engineers fixed a certain kind of bug, it learns human-like fix patterns that apply to future bugs of the same kind. Besides using Facebook's own [[Repository (version control)\|code repositories]] as training data, Getafix learnt some fixes from [[open source]] Java repositories. When new bugs get detected, Getafix applies its previously learnt patterns to produce candidate fixes and ranks them within seconds. It presents only the top-ranked fix for final validation by tools or an engineer, in order to save resources and ideally be so fast that no human time was spent on fixing the same bug, yet. ~~[[Machine learning]] techniques can improve the effectiveness of automatic~~ ~~bug-fixing systems<ref name=prophet/>. One example of such techniques learns from past successful~~ ~~patches from human developers collected from [[open source]] [[software repository\|repositories]] in [[GitHub]] and [[SourceForge]]<ref name=prophet/>. It then~~ ~~use the learned information to recognize and prioritize potentially correct~~ ~~patches among all generated candidate patches<ref name=prophet/>.~~ ~~Alternatively, patches can be directly mined from existing sources. Example approaches include mining patches from donor applications<ref name=codephage/> or from QA web sites<ref name=QAFix/>.~~ ===~~SMT~~ ~~Solver~~Template-based repair === For specific classes of errors, targeted automatic bug-fixing techniques use specialized templates: ~~Another way to generate candidate patches is to use solvers for~~ ~~[[satisfiability modulo theories]] (SMT). Solver-based techniques convert a~~ ~~program into SMT formulas. They then query SMT solvers to solve the converted SMT formulas to find candidate patches~~ ~~that allow the patched program to pass all supplied test cases<ref name=semfix/><ref name=angelix/>.~~ ~~The benefit of this approach is that SMT solvers can quickly find patches passing test cases~~ ~~for small to medium sized formulas.~~ ~~The limitation of this approach is that real~~ ~~world programs are often converted to intractably large formulas especially for~~ ~~modifying statements with [[side effect (computer science) \| side effects]]<ref name=semfix/><ref name=angelix/>.~~ * [[null pointer exception]] repair<ref name="rcv">{{Cite book \|last1=Long \|first1=Fan \|title=Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation \|last2=Sidiroglou-Douskos \|first2=Stelios \|last3=Rinard \|first3=Martin \|date=2014 \|publisher=ACM \|isbn=978-1-4503-2784-8 \|series=PLDI '14' \|___location=New York, New York \|pages=227–238 \|chapter=Automatic Runtime Error Repair and Containment via Recovery Shepherding \|doi=10.1145/2594291.2594337 \|s2cid=6252501}}</ref><ref name="nullfix">{{Cite book \|last1=Dobolyi \|first1=Kinga \|title=2008 19th International Symposium on Software Reliability Engineering (ISSRE) \|last2=Weimer \|first2=Westley \|year=2008 \|pages=47–56 \|chapter=Changing Java's Semantics for Handling Null Pointer Exceptions \|citeseerx=10.1.1.147.6158 \|doi=10.1109/ISSRE.2008.59 \|s2cid=1454939}}</ref><ref name="par">{{Cite book \|last1=Kim \|first1=Dongsun \|title=Proceedings of the 2013 International Conference on Software Engineering \|last2=Nam \|first2=Jaechang \|last3=Song \|first3=Jaewoo \|last4=Kim \|first4=Sunghun \|date=2013 \|publisher=IEEE Press \|isbn=978-1-4673-3076-3 \|series=ICSE '13' \|pages=802–811 \|chapter=Automatic Patch Generation Learned from Human-written Patches}}</ref> with insertion of a [[Conditional (computer programming)\|conditional statement]] to check whether the value of a variable is null. ~~==Patch validation==~~ * [[integer overflow]] repair<ref name="codephage">{{Cite book \|last1=Sidiroglou \|first1=Stelios \|title=Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation \|last2=Lahtinen \|first2=Eric \|last3=Long \|first3=Fan \|last4=Rinard \|first4=Martin \|date=2015 \|chapter=Automatic Error Elimination by Multi-Application Code Transfer}}</ref> * [[buffer overflow]] repair<ref name="codephage" /> * [[memory leak]] repair,<ref name="leakfix">{{Cite book \|last1=Gao \|first1=Qing \|title=Proceedings of the 37th International Conference on Software Engineering – Volume 1 \|last2=Xiong \|first2=Yingfei \|last3=Mi \|first3=Yaqing \|last4=Zhang \|first4=Lu \|last5=Yang \|first5=Weikun \|last6=Zhou \|first6=Zhaoping \|last7=Xie \|first7=Bing \|last8=Mei \|first8=Hong \|date=2015 \|publisher=IEEE Press \|isbn=978-1-4799-1934-5 \|series=ICSE '15' \|___location=Piscataway, New Jersey \|pages=459–470 \|chapter=Safe Memory-leak Fixing for C Programs}}</ref> with automated insertion of missing memory deallocation statements. Comparing to generate-and-validate techniques, template-based techniques tend to have better bug-fixing accuracy but a much narrowed scope.<ref name="kali" /><ref name="leakfix" /> ~~At the patch validation step, automatic bug-fixing techniques rely on either~~ ~~[[formal specification\|formal specifications]] or a [[test suite]] to validate generated candidate~~ ~~patches. [[formal specification\|Formal specifications]] specify the correct behavior of a program~~ ~~and are often only available for specific classes of errors in practice.~~ ~~Therefore, standard generate-and-validate techniques typically rely on the availability~~ ~~of a [[test suite]].~~ == Use == ~~===Validation with a test suite===~~ There are multiple uses of automatic bug fixing: ~~A test-suite - the input/output pairs specify the functionality of the program,~~ * In a development environment: When encountering a bug the developer activates a feature to search for a patch (for instance by clicking on a button). This search can also happen in the background, when the IDE proactively searches for solutions to potential problems, without waiting for explicit action from the developer.<ref>{{Cite journal \|last1=Muşlu \|first1=Kıvanç \|last2=Brun \|first2=Yuriy \|last3=Holmes \|first3=Reid \|last4=Ernst \|first4=Michael D. \|last5=Notkin \|first5=David \|last6=Muşlu \|first6=Kıvanç \|last7=Brun \|first7=Yuriy \|last8=Holmes \|first8=Reid \|last9=Ernst \|first9=Michael D. \|last10=Notkin \|first10=David \|date=19 October 2012 \|title=Speculative analysis of integrated development environment recommendations, Speculative analysis of integrated development environment recommendations \|journal=ACM SIGPLAN Notices \|volume=47 \|issue=10 \|pages=669, 669–682, 682 \|citeseerx=10.1.1.259.6341 \|doi=10.1145/2384616.2384665 \|issn=0362-1340 \|s2cid=5795141}}</ref> ~~possibly captured in [[Assertion (software development)\|assertions]] can be~~ * At runtime: When a failure happens at runtime, a binary patch can be searched for and [[Self-modifying code\|applied online]]. An example of such a repair system is ClearView,<ref name="clearview">{{Cite book \|last=Perkins \|first=Jeff H. \|title=Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles \|date=2009 \|publisher=ACM \|isbn=978-1-60558-752-3 \|pages=87–102 \|chapter=Automatically patching errors in deployed software \|citeseerx=10.1.1.157.5877 \|doi=10.1145/1629575.1629585 \|display-authors=etal \|s2cid=7597529}}</ref> which does repair on x86 code, with x86 binary patches. ~~used as an [[Oracle (software testing)\|oracle]] to validate candidate patches.~~ ~~This oracle can in fact be divided between the ''bug oracle'' that exposes the~~ ~~faulty behavior, and the ''regression oracle'', which encapsulates the~~ ~~functionality any program repair method must preserve. Generate-and-validate~~ ~~approaches use automated testing techniques to compile and test each candidate~~ ~~patch produced in the patch generation stop and collect all validated patches~~ ~~that produce expected outputs for all inputs in the test suite~~ ~~<ref name=genprog2009/><ref name=kali/><ref name=prophet/>.~~ == Search space == ~~Note that a test suite is typically incomplete and does not cover all possible~~ ~~cases. Therefore it is often possible for a validated patch to produce expected~~ ~~outputs for all inputs in the test suite but incorrect outputs for other~~ ~~inputs<ref name=kali/>. The existence of such validated but incorrect patches is a major~~ ~~challenge for generate-and-validate techniques<ref name=kali/>. Recent successful automatic~~ ~~bug-fixing techniques often rely on additional information other than the test~~ ~~suite, such as information learned from previous human patches, to further~~ ~~identify correct patches among validated patches<ref name=prophet/>.~~ In essence, automatic bug fixing is a search activity, whether deductive-based or heuristic-based. The search space of automatic bug fixing is composed of all edits that can be possibly made to a program. There have been studies to understand the structure of this search space. Qi et al.<ref>{{Cite book \|last1=Qi \|first1=Yuhua \|title=The strength of random search on automated program repair \|last2=Mao \|first2=Xiaoguang \|last3=Lei \|first3=Yan \|last4=Dai \|first4=Ziying \|last5=Wang \|first5=Chengsong \|date=2014-05-31 \|publisher=ACM \|isbn=9781450327565 \|pages=254–265 \|doi=10.1145/2568225.2568254 \|s2cid=14976851}}</ref> showed that the original fitness function of Genprog is not better than random search to drive the search. Long et al.'s<ref name="spaceanalysis" /> study indicated that correct patches can be considered as sparse in the search space and that incorrect overfitting patches are vastly more abundant (see also discussion about overfitting below). ~~===Validation with formal specifications===~~ == Overfitting == ~~Another way to validate candidate patch is to verify the patched program~~ ~~against [[formal specification\|formal specifications]] which specify the correct behavior of the~~ ~~program~~ ~~<ref name=autofixe>{{cite journal~~ ~~\|last1=Pei~~ ~~\|first1=Yu~~ ~~\|last2=Furia~~ ~~\|first2=Carlo A.~~ ~~\|last3=Nordio~~ ~~\|first3=Martin~~ ~~\|last4=Wei~~ ~~\|first4=Yi~~ ~~\|last5=Meyer~~ ~~\|first5=Bertrand~~ ~~\|last6=Zeller~~ ~~\|first6=Andreas~~ ~~\|date=May 2014~~ ~~\|title=Automated Fixing of Programs with Contracts~~ ~~\|journal=IEEE Trans. Softw. Eng.~~ ~~\|volume=40~~ ~~\|issue=5~~ ~~\|pages=427--449~~ ~~\|doi=10.1109/TSE.2014.2312918~~ ~~\|url=http://dx.doi.org/10.1109/TSE.2014.2312918~~ ~~\|ref=harv}}~~ ~~</ref>~~ ~~<ref>Contract-based Data Structure Repair Using Alloy~~ ~~http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.182.4390&rep=rep1&type=pdf</ref>.~~ ~~Verification against full specifications that specify the whole~~ ~~program behavior including functionalities is less common because such~~ ~~specifications are typically not available in practice and the computation cost~~ ~~of such verification is prohibitive. For specific classes of errors, however,~~ ~~implicit partial specifications are often available. For example, there are~~ ~~targeted bug-fixing techniques validating that the patched program can no~~ ~~longer trigger overflow errors in the same execution path<ref name=codephage/>.~~ Sometimes, in test-suite based program repair, tools generate patches that pass the test suite, yet are actually incorrect, this is known as the "overfitting" problem.<ref name="overfitting">{{Cite book \|last1=Smith \|first1=Edward K. \|title=Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering \|last2=Barr \|first2=Earl T. \|last3=Le Goues \|first3=Claire\|author3-link=Claire Le Goues \|last4=Brun \|first4=Yuriy \|date=2015 \|publisher=ACM \|isbn=978-1-4503-3675-8 \|series=ESEC/FSE 2015 \|___location=New York, New York \|pages=532–543 \|chapter=Is the Cure Worse Than the Disease? Overfitting in Automated Program Repair \|doi=10.1145/2786805.2786825 \|s2cid=6300790}}</ref> "Overfitting" in this context refers to the fact that the patch overfits to the test inputs. There are different kinds of overfitting: incomplete fixing means that only some buggy inputs are fixed, regression introduction means some previously working features are broken after the patch (because they were poorly tested). Early prototypes for automatic repair suffered a lot from overfitting: on the Manybugs C benchmark, Qi et al.<ref name="kali" /> reported that 104/110 of plausible GenProg patches were overfitting. In the context of synthesis-based repair, Le et al.<ref>{{Cite journal \|last1=Le \|first1=Xuan Bach D. \|last2=Thung \|first2=Ferdian \|last3=Lo \|first3=David \|last4=Goues \|first4=Claire Le \|date=2018-03-02 \|title=Overfitting in semantics-based automated program repair \|url=https://ink.library.smu.edu.sg/sis_research/3986 \|journal=Empirical Software Engineering \|language=en \|volume=23 \|issue=5 \|pages=3007–3033 \|doi=10.1007/s10664-017-9577-2 \|issn=1382-3256 \|s2cid=3635768}}</ref> obtained more than 80% of overfitting patches. ~~==Limitations of automatic bug-fixing==~~ One way to avoid overfitting is to filter out the generated patches. This can be done based on dynamic analysis.<ref>{{Cite book\|last1=Xin\|first1=Qi\|last2=Reiss\|first2=Steven P.\|title=Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis \|chapter=Identifying test-suite-overfitted patches through test case generation \|date=2017-07-10\|chapter-url=http://dx.doi.org/10.1145/3092703.3092718\|pages=226–236\|___location=New York, NY, USA\|publisher=ACM\|doi=10.1145/3092703.3092718\|isbn=978-1-4503-5076-1\|s2cid=20562134}}</ref> ~~Automatic bug-fixing techniques that rely on a test suite do not provide patch~~ Alternatively, Tian et al. propose heuristic approaches to assess patch correctness.<ref>{{cite news \|last1=Tian \|first1=Haoye \|last2=Liu \|first2=Kui \|last3=Kaboré \|first3=Abdoul Kader \|last4=Koyuncu \|first4=Anil \|last5=Li \|first5=Li \|last6=Klein \|first6=Jacques \|last7=Bissyandé \|first7=Tegawendé F. \|title=Evaluating representation learning of code changes for predicting patch correctness in program repair \|url=https://dl.acm.org/doi/abs/10.1145/3324884.3416532 \|work=Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering \|publisher=Association for Computing Machinery \|date=27 January 2021 \|pages=981–992 \|doi=10.1145/3324884.3416532\|isbn=9781450367684 }}</ref><ref>{{cite book \|last1=Tian \|first1=Haoye \|last2=Tang \|first2=Xunzhu \|last3=Habib \|first3=Andrew \|last4=Wang \|first4=Shangwen \|last5=Liu \|first5=Kui \|last6=Xia \|first6=Xin \|last7=Klein \|first7=Jacques \|last8=BissyandÉ \|first8=TegawendÉ F. \|title=Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering \|chapter=Is this Change the Answer to that Problem?: Correlating Descriptions of Bug and Code Changes for Evaluating Patch Correctness \|date=5 January 2023 \|pages=1–13 \|doi=10.1145/3551349.3556914 \|chapter-url=https://dl.acm.org/doi/abs/10.1145/3551349.3556914 \|publisher=Association for Computing Machinery\|s2cid=251403079 \|arxiv=2208.04125 \|isbn=9781450394758 }}</ref> ~~correctness guarantees, because the test suite is incomplete and does~~ ~~not cover all cases<ref name=kali/>. A weak test suite may cause generate-and-validate~~ ~~techniques to produce validated but incorrect patches that have negative~~ ~~effects such as eliminating desirable functionalities, causing memory leaks,~~ ~~and introducing security vulnerabilities<ref name=kali/>. This weak test suite issue is~~ ~~alternatively called as "overfitting" of bug-fixing systems~~ ~~<ref name=overfitting>{{cite book~~ ~~\|last1=Smith~~ ~~\|first1=Edward K.~~ ~~\|last2=Barr~~ ~~\|first2=Earl T.~~ ~~\|last3=Le Goues~~ ~~\|first3=Claire~~ ~~\|last4=Brun~~ ~~\|first4=Yuriy~~ ~~\|date=2015~~ ~~\|chapter=Is the Cure Worse Than the Disease? Overfitting in Automated Program Repair~~ ~~\|title=Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering~~ ~~\|series=ESEC/FSE 2015~~ ~~\|___location=New York, NY, USA~~ ~~\|publisher=ACM~~ ~~\|pages=532--543~~ ~~\|isbn=978-1-4503-3675-8~~ ~~\|doi=10.1145/2786805.2786825~~ ~~\|ref=harv}}~~ ~~</ref>.~~ ~~For example, a recent study shows that for 52 out of 55 cases that the previous~~ ~~bug-fixing system GenProg reports to generate repairs, all of the generated~~ ~~patches are incorrect<ref name=kali/>.~~ ~~Recent state-of-the-art systems with machine learning or~~ ~~SMT solver techniques are able to generate correct patches for much more cases~~ ~~on the same benchmark set, but there are still plenty of validated but~~ ~~incorrect patches generated by these systems<ref name=prophet/><ref name=angelix/>.~~ == Limitations of automatic bug-fixing == ~~Another limitation of generate-and-validate systems is the search space~~ ~~explosion<ref name=spaceanalysis>{{cite book~~ ~~\|last1=Long~~ ~~\|first1=Fan~~ ~~\|last2=Rinard~~ ~~\|first2=Martin~~ ~~\|date=2016~~ ~~\|chapter=An Analysis of the Search Spaces for Generate and Validate Patch Generation Systems~~ ~~\|title=Proceedings of the 38th International Conference on Software Engineering~~ ~~\|series=ICSE '16~~ ~~\|___location=New York, NY, USA~~ ~~\|publisher=ACM~~ ~~\|pages=702--713~~ ~~\|isbn=978-1-4503-3900-1~~ ~~\|doi=10.1145/2884781.2884872~~ ~~\|ref=harv}}~~ ~~</ref>. For a program, there are a large number of statements to change and~~ ~~for each statement there are a large number of possible modifications.~~ ~~State-of-the-art systems often explicitly or implicitly assume that a small~~ ~~modification is enough for fixing a bug. As a result, such systems can currently~~ ~~repair a small proportion of bugs in real world programs<ref name=prophet/><ref name=par/><ref name=angelix/>.~~ Automatic bug-fixing techniques that rely on a test suite do not provide patch correctness guarantees, because the test suite is incomplete and does not cover all cases.<ref name="kali" /> A weak test suite may cause generate-and-validate techniques to produce validated but incorrect patches that have negative effects such as eliminating desirable functionalities, causing memory leaks, and introducing security vulnerabilities.<ref name="kali" /> One possible approach is to amplify the failing test suite by automatically generating further test cases that are then labelled as passing or failing. To minimize the human labelling effort, an automatic [[test oracle]] can be trained that gradually learns to automatically classify test cases as passing or failing and only engages the bug-reporting user for uncertain cases.<ref name="learn2fix">{{Cite book \|last1=Böhme \|first1=Marcel \|title=Proceedings of the 13th International Conference on Software Testing, Validation and Verification \|last2=Geethal \|first2=Charaka \|last3=Pham \|first3=Van-Thuan \|date=2020 \|publisher=IEEE \|isbn=978-1-7281-5778-8 \|series=ICST 2020 \|___location=Porto, Portugal \|pages=274–285 \|chapter=Human-In-The-Loop Automatic Program Repair \|arxiv=1912.07758 \|doi=10.1109/ICST46399.2020.00036 \|s2cid=209386817}}</ref> ~~==Example tools==~~ A limitation of generate-and-validate repair systems is the search space explosion.<ref name="spaceanalysis">{{Cite book \|last1=Long \|first1=Fan \|title=Proceedings of the 38th International Conference on Software Engineering \|last2=Rinard \|first2=Martin \|date=2016 \|publisher=ACM \|isbn=978-1-4503-3900-1 \|series=ICSE '16 \|___location=New York, New York \|pages=702–713 \|chapter=An Analysis of the Search Spaces for Generate and Validate Patch Generation Systems \|arxiv=1602.05643 \|doi=10.1145/2884781.2884872 \|hdl=1721.1/113656 \|s2cid=7426809}}</ref> For a program, there are a large number of statements to change and for each statement there are a large number of possible modifications. State-of-the-art systems address this problem by assuming that a small modification is enough for fixing a bug, resulting in a search space reduction. ~~Automatic bug-fixing is an active research topic in computer science. There are~~ ~~many implementations of various bug-fixing techniques especially for C and Java~~ ~~programs. Note that most of these implementations are research prototypes for~~ ~~demonstrating their techniques, i.e., it is unclear whether their current~~ ~~implementations are ready for industrial usage or not.~~ The limitation of approaches based on symbolic analysis<ref name="semfix" /><ref name="angelix" /> is that real world programs are often converted to intractably large formulas especially for modifying statements with [[side effect (computer science)\|side effects]]. ~~GenProg<ref name=genprog2009/><ref name=genprog2012/> and ClearView<ref name=clearview/> are two earliest generate-and-validate bug-fixing tools~~ ~~published at 2009. The benchmark collected by GenProg authors contains 69 real~~ ~~world defects and it is widely used to evaluate many other bug-fixing tools in C as well<ref name=genprog2012/><ref name=spr/><ref name=prophet/><ref name=angelix/>.~~ ~~The state-of-the-art tool evaluated on GenProg benchmark is Prophet<ref name=prophet/>, generating correct patches for 18 out of 69 defects.~~ ==~~=Tools~~ ~~for~~Benchmarks C=== Benchmarks of bugs typically focus on one specific programming language. ~~Here is a list of bug-fixing tools for C programs ordered by the published year.~~ In C, the Manybugs benchmark collected by GenProg authors contains 69 real world defects and it is widely used to evaluate many other bug-fixing tools for C.<ref name=genprog2012 /><ref name=prophet /><ref name=spr /><ref name=angelix /> In [[Java (programming language)\|Java]], the main benchmark is Defects4J now extensively used in most research papers on program repair for Java.<ref name="capgen">{{Cite book \|last1=Wen \|first1=Ming \|last2=Chen \|first2=Junjie \|last3=Wu \|first3=Rongxin \|last4=Hao \|first4=Dan \|last5=Cheung \|first5=Shing-Chi \|title=Proceedings of the 40th International Conference on Software Engineering \|chapter=Context-aware patch generation for better automated program repair \|date=2018 \|___location=New York, New York, USA \|publisher=ACM Press \|pages=1–11 \|doi=10.1145/3180155.3180233 \|isbn=9781450356381 \|s2cid=3374770\|url=https://repository.hkust.edu.hk/ir/Record/1783.1-92186 \|chapter-url=https://repository.ust.hk/ir/Record/1783.1-92186 }}</ref><ref>{{Cite book \|last1=Hua \|first1=Jinru \|last2=Zhang \|first2=Mengshi \|last3=Wang \|first3=Kaiyuan \|last4=Khurshid \|first4=Sarfraz \|title=Proceedings of the 40th International Conference on Software Engineering \|chapter=Towards practical program repair with on-demand candidate generation \|date=2018 \|___location=New York, New York, USA \|publisher=ACM Press \|pages=12–23 \|doi=10.1145/3180155.3180245 \|isbn=9781450356381 \|s2cid=49666327\|doi-access=free }}</ref> Alternative benchmarks exist, such as the Quixbugs benchmark,<ref>{{Cite book \|last1=Lin \|first1=Derrick \|last2=Koppel \|first2=James \|last3=Chen \|first3=Angela \|last4=Solar-Lezama \|first4=Armando \|title=Proceedings Companion of the 2017 ACM SIGPLAN International Conference on Systems, Programming, Languages, and Applications: Software for Humanity \|chapter=QuixBugs: A multi-lingual program repair benchmark set based on the quixey challenge \|date=2017 \|___location=New York, New York, USA \|publisher=ACM Press \|pages=55–56 \|doi=10.1145/3135932.3135941 \|isbn=9781450355148 \|doi-access=free}}</ref> which contains original bugs for program repair. Other benchmarks of Java bugs include Bugs.jar,<ref>{{Cite book \|last1=Saha \|first1=Ripon K. \|last2=Lyu \|first2=Yingjun \|last3=Lam \|first3=Wing \|last4=Yoshida \|first4=Hiroaki \|last5=Prasad \|first5=Mukul R. \|title=Proceedings of the 15th International Conference on Mining Software Repositories \|chapter=Bugs.jar \|date=2018 \|chapter-url=http://dl.acm.org/citation.cfm?doid=3196398.3196473 \|series=MSR '18 \|language=en \|pages=10–13 \|doi=10.1145/3196398.3196473 \|isbn=9781450357166 \|s2cid=50770093}}</ref> based on past commits. ''ClearView''<ref name=clearview/>: A generate-and-validate tool of generating binary patches for deployed systems. It is evaluated on 10 security vulnerability cases. A later study shows that it generates correct patches for at least 4 of the 10 cases<ref name=kali/>. == Example tools == ~~''GenProg''<ref name=genprog2009/><ref name=genprog2012/>: A genetic improvement generate-and-validate bug-fixing tool. It~~ ~~is evaluated on 105 cases and reported to generate repairs for 55 cases. A~~ ~~later study shows that only 69 cases out of the 105 evaluated cases correspond~~ ~~to bugs and correct patches for only 2 cases out of the 69 cases are generated<ref name=kali/>.~~ Automatic bug-fixing is an active research topic in computer science. There are many implementations of various bug-fixing techniques especially for C and Java programs. Note that most of these implementations are research prototypes for demonstrating their techniques, i.e., it is unclear whether their current implementations are ready for industrial usage or not. ~~''SemFix''<ref name=semfix/>: The first solver-based bug-fixing tool for C.~~ === C === ''CodePhage''<ref name=codephage/>: The first bug-fixing tool that directly transfer code across programs to generate patch for C program. Note that although it generates C patches, it can extract code from [[machine code\|binary programs]] without source code<ref name=codephage/>. * ClearView:<ref name=clearview /> A generate-and-validate tool of generating binary patches for deployed systems. It is evaluated on 10 security vulnerability cases. A later study shows that it generates correct patches for at least 4 of the 10 cases.<ref name=kali /> ~~''LeakFix''<ref name=leakfix/>: A tool that automatically fixes memory leaks in C programs.~~ * GenProg:<ref name=genprog2009 /><ref name=genprog2012 /> A seminal generate-and-validate bug-fixing tool. It has been extensively studied in the context of the ManyBugs benchmark. * SemFix:<ref name=semfix /> The first solver-based bug-fixing tool for C. * CodePhage:<ref name=codephage /> The first bug-fixing tool that directly transfer code across programs to generate patch for C program. Note that although it generates C patches, it can extract code from [[machine code\|binary programs]] without source code.<ref name=codephage /> * LeakFix:<ref name=leakfix /> A tool that automatically fixes memory leaks in C programs. * Prophet:<ref name=prophet /> The first generate-and-validate tool that uses machine learning techniques to learn useful knowledge from past human patches to recognize correct patches. It is evaluated on the same benchmark as GenProg and generate correct patches (i.e., equivalent to human patches) for 18 out of 69 cases.<ref name=prophet /> * SearchRepair:<ref name=searchrepair /> A tool for replacing buggy code using snippets of code from elsewhere. It is evaluated on the IntroClass benchmark<ref name="introclassmanybugs">{{Cite journal \|last1=Le Goues \|first1=Claire\|author1-link=Claire Le Goues \|last2=Holtschulte \|first2=Neal \|last3=Smith \|first3=Edward \|last4=Brun \|first4=Yuriy \|last5=Devanbu \|first5=Premkumar \|last6=Forrest \|first6=Stephanie \|last7=Weimer \|first7=Westley \|date=2015 \|title=The Many ''Bugs'' and Intro ''Class'' Benchmarks for Automated Repair of C Programs \|journal=IEEE Transactions on Software Engineering \|volume=41 \|issue=12 \|pages=1236–1256 \|doi=10.1109/TSE.2015.2454513 \|doi-access=free}}</ref> and generates much higher quality patches on that benchmark than GenProg, RSRepair, and AE. * Angelix:<ref name=angelix /> An improved solver-based bug-fixing tool. It is evaluated on the GenProg benchmark. For 10 out of the 69 cases, it generate patches that is equivalent to human patches. * Learn2Fix:<ref name=learn2fix /> The first human-in-the-loop semi-automatic repair tool. Extends GenProg to learn the condition under which a semantic bug is observed by systematic queries to the user who is reporting the bug. Only works for programs that take and produce integers. === Java === ''Prophet''<ref name=prophet/>: The first generate-and-validate tool that uses machine learning techniques to learn useful knowledge from past human patches to recognize correct patches. It is evaluated on the same benchmark as GenProg and generate correct patches (i.e., equivalent to human patches) for 18 out of 69 cases<ref name=prophet/>. * PAR:<ref name=par /> A generate-and-validate tool that uses a set of manually defined fix templates. ~~''Angelix''<ref name=angelix/>: An improved solver-based bug-fixing tool. It is evaluated on the GenProg benchmark. For 10 out of the 69 cases, it generate patches that is equivalent to human patches.~~ * QACrashFix:<ref name="QAFix">{{Cite book \|last1=Gao \|first1=Qing \|title=2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE) \|last2=Zhang \|first2=Hansheng \|last3=Wang \|first3=Jie \|last4=Xiong \|first4=Yingfei \|last5=Zhang \|first5=Lu \|last6=Mei \|first6=Hong \|date=2015 \|publisher=IEEE \|isbn=978-1-5090-0025-8 \|pages=307–318 \|chapter=Fixing Recurring Crash Bugs via Analyzing Q&A Sites \|doi=10.1109/ASE.2015.81 \|s2cid=2513924}}</ref> A tool that fixes Java crash bugs by mining fixes from Q&A web site. * ARJA:<ref name="arja">{{Cite journal \|last1=Yuan \|first1=Yuan \|last2=Banzhaf \|first2=Wolfgang \|date=2020 \|title=ARJA: Automated Repair of Java Programs via Multi-Objective Genetic Programming \|url=https://doi.org/10.1109/TSE.2018.2874648 \|journal=IEEE Transactions on Software Engineering \|volume=46 \|issue=10 \|pages=1040–1067 \|arxiv=1712.07804 \|doi=10.1109/TSE.2018.2874648\|s2cid=25222219 }}</ref> A repair tool for Java based on multi-objective genetic programming. * NpeFix:<ref name="npefix">{{Cite book \|last=Durieux \|first=Thomas \|title=2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER) \|date=2017 \|isbn=978-1-5090-5501-2 \|pages=349–358 \|chapter=Dynamic Patch Generation for Null Pointer Exceptions Using Metaprogramming \|arxiv=1812.00409 \|doi=10.1109/SANER.2017.7884635 \|s2cid=2736203}}</ref> An automatic repair tool for NullPointerException in Java, available [https://github.com/Spirals-Team/npefix on Github]. ===~~Tools~~ ~~for~~Other languages ~~Java~~=== * AutoFixE:<ref name=autofixe /> A bug-fixing tool for [[Eiffel programming language\|Eiffel language]]. It relies the contracts (i.e., a form of formal specification) in Eiffel programs to validate generated patches. ''PAR''<ref name=par/>: A generate-and-validate tool that uses a set of manually defined fix templates. A later study raised concerns about the generalizability of the fix templates in PAR<ref name=criticalreview/>. Getafix:<ref name=":0" /> Operates purely on [[Abstract syntax tree\|AST]] transformations and thus requires only a [[parser]] and formatter. At Facebook it has been applied to [[Hack (programming language)\|Hack]], [[Java (programming language)\|Java]] and [[Objective-C]]. === Proprietary === ~~''NOPOL''<ref name=nopol>{{cite journal~~ ~~\|last1=Xuan~~ ~~\|first1=Jifeng~~ ~~\|last2=Martinez~~ ~~\|first2=Matias~~ ~~\|last3=DeMarco~~ ~~\|first3=Favio~~ ~~\|last4=Clément~~ ~~\|first4=Maxime~~ ~~\|last5=Lamelas~~ ~~\|first5=Sebastian~~ ~~\|last6=Durieux~~ ~~\|first6=Thomas~~ ~~\|last7=Le~Berre~~ ~~\|first7=Daniel~~ ~~\|last8=Monperrus~~ ~~\|first8=Martin~~ ~~\|date=2016~~ ~~\|title=Nopol: Automatic Repair of Conditional Statement Bugs in Java Programs~~ ~~\|journal={IEEE Transactions on Software Engineering}~~ ~~\|doi=10.1109/TSE.2016.2560811~~ ~~\|url=https://hal.archives-ouvertes.fr/hal-01285008/document~~ ~~\|ref=harv}}~~ ~~</ref>: A solver-based tool focusing on modifying condition statements.~~ DeepCode integrates public and private [[GitHub]], [[GitLab]] and [[Bitbucket]] [[Software repository\|repositories]] to identify code-fixes and improve software.<ref>{{Cite web \|title=AI is coming for your coding job \|url=https://sifted.eu/articles/ai-is-coming-for-your-coding-job/ \|access-date=2019-04-15 \|website=Sifted \|date=13 March 2019 \|language=en-US}}</ref> ~~''[http://sei.pku.edu.cn/~gaoqing11/qacrashfix/ QACrashFix]''<ref name=QAFix>{{cite book~~ ~~\|last1=Gao~~ ~~\|first1=Qing~~ ~~\|last2=Zhang~~ ~~\|first2=Hansheng~~ ~~\|last3=Wang~~ ~~\|first3=Jie~~ ~~\|last4=Xiong~~ ~~\|first4=Yingfei~~ ~~\|last5=Zhang~~ ~~\|first5=Lu~~ ~~\|last6=Mei~~ ~~\|first6=Hong~~ ~~\|date=2015~~ ~~\|chapter=Fixing Recurring Crash Bugs via Analyzing Q&A Sites~~ ~~\|title=Proceedings of 30th IEEE/ACM International Conference on Automated Software Engineering~~ ~~\|series=ASE 2015}}~~ ~~</ref>: A tool that fixes Java crash bugs by mining fixes from Q&A web site.~~ * [[Kodezi, Inc.\|Kodezi]] utilizes opensource data from [[GitHub]] [[Software repository\|repositories]], [[Stack Overflow]], and private trained models to analyze code, provide solutions, and descriptions about the coding bugs instantly.<ref>{{Cite web \|title=Ishraq Khan, Revolutionizing the Programming Scene in 2021 \|url=https://www.techtimes.com/articles/265325/20210913/ishraq-khan-revolutionizing-the-programming-scene-in-2021.htm \|access-date=2022-10-15 \|website=TechTimes\|date=13 September 2019 \|language=en-US}}</ref> == References == ~~===Tools for other languages===~~ {{Reflist}} == External links == ~~''AutoFixE''<ref name=autofixe/>: A bug-fixing tool for Eiffel language. It relies the contracts (i.e., a form of formal specification) in Eiffel programs to validate generated patches.~~ * {{URL\|https://program-repair.org/}} datasets, tools, etc., related to automated program repair research. ~~==References==~~ ~~{{Reflist}}~~ [[Category:Debugging]]