Marcelo F. Frias

• Ph.D.
• Professor (Full) at The University of Texas at El Paso

In this article, we empirically study the suitability of tests as acceptance criteria for automated program fixes, by checking patches produced by automated repair tools using a bug-finding tool, as opposed to previous works that used tests or manual inspections. We develop a number of experiments in which faulty programs from IntroClass , a known...

Metamorphic testing is a valuable technique that helps in dealing with the oracle problem. It involves testing software against specifications of its intended behavior given in terms of so called metamorphic relations , statements that express properties relating different software elements (e.g., different inputs, methods, etc). The effective appl...

Alloy is a formal specification language, which despite featuring a simple syntax and relational semantics, is very expressive and supports efficient automated specification analysis, based on SAT solving. While the language is sufficiently expressive to accommodate both static and dynamic properties of systems within specifications, the latter...

Bounded exhaustive input generation (BEG) is an effective approach to reveal software faults. However, existing BEG approaches require a precise specification of the valid inputs, i.e., a , that must be provided by the user. Writing s for BEG is challenging and time consuming, and they are seldom available in software. In this paper, we introduce ,...

Software model checkers are able to exhaustively explore different bounded program executions arising from various sources of non-determinism. These tools provide statements to produce non-deterministic values for certain variables, thus forcing the corresponding model checker to consider all possible values for these during verification. While the...

The rising popularity of declarative languages and the hard to debug nature thereof have motivated the need for applicable, automated repair techniques for such languages. However, despite significant advances in the program repair of imperative languages, there is a dearth of repair techniques for declarative languages. This paper presents BeAFix,...

Software reliability is a primary concern in the construction of software, and thus a fundamental component in the definition of software quality. Analyzing software reliability requires a specification of the intended behavior of the software under analysis, and at the source code level, such specifications typically take the form of assertions. U...

Fault localization is a practical research topic that helps developers identify code locations that might cause bugs in a program. Most existing fault localization techniques are designed for imperative programs (e.g., C and Java) and rely on analyzing correct and incorrect executions of the program to identify suspicious statements. In this work,...

Fork algebras are an extension of relation algebras obtained by extending the set of logical symbols with a binary operator called fork. This class of algebras were introduced by Haeberer and Veloso in the early 90's aiming at enriching relation algebra, an already successful language for program specification, with the capability of expressing som...

Many techniques for automated program repair involve syntactic program transformations. Applying combinations of such transformations on faulty code yields fix candidates whose correctness must be determined. Exploring these combinations leads to an explosion on the number of generated fix candidates that severely limits the applicability of such f...

Various tools for program analysis, including run-time assertion checkers and static analyzers such as verification and test generation tools, require formal specifications of the programs being analyzed. Moreover, many of these tools and techniques require such specifications to be written in a particular style, or follow certain patterns, in orde...

Various approaches to software analysis (e.g. test input generation, software model checking) require engineers to (manually) identify a subset of a module’s methods in order to drive the analysis. Given a module to be analyzed, engineers typically select a subset of its methods to be considered as object builders to define a so-called driver, that...

The failures that bugs in software lead to can sometimes be bypassed by the so-called workarounds: when a (faulty) routine fails, alternative routines that the system offers can be used in place of the failing one, to circumvent the failure. Existing approaches to workaround-based system recovery consider workarounds that are produced from equivale...

In this paper, we analyze the effect of reducing object redundancy in random testing, by comparing the Randoop random testing tool with a version of the tool that disregards tests that only produce objects that have been previously generated by other tests. As a side effect, this variant also identifies methods in the software under test that never...

In specification-based test generation, sometimes having a formal specification is not sufficient, since the specification may be in a different formalism from that required by the generation approach being used. In this paper, we deal with this problem specifically in the context in which, while having a formal specification in the form of an oper...

In goal-oriented requirements engineering approaches, conflict analysis has been proposed as an abstraction for risk analysis. Intuitively, given a set of expected goals to be achieved by the system-to-be, a conflict represents a subtle situation that makes goals diverge, i.e., not be satisfiable as a whole. Conflict analysis is typically driven by...

Formal requirements specifications, eg, software cost reduction (SCR) specifications, are challenging to analyse using automated techniques such as model checking. Since such specifications are meant to capture requirements, they tend to refer to real-world magnitudes often characterized through variables over large domains. At the same time, they...

The world of software development has become intrinsically heterogeneous. Many formal languages have been made available to help analysts and designers model different aspects of software. Some examples in the logic realm are equational logic and classical first-order logic, propositional temporal logics such as LTL and CTL (and their first-order v...

Faults are an important concept in the study of system dependability, and most approaches to dependability can be characterized by the way in which they deal with faults (e.g., fault avoidance, fault removal, fault tolerance, fault forecasting). In their seminal work on modeling dependable computing, Laprie et al. define a fault as the adjudged or...

We describe DynAlloy Analyzer, a tool that extends Alloy Analyzer with support for dynamic elements in Alloy models. The tool builds upon Alloy Analyzer in a way that makes it fully compatible with Alloy models, and extends their syntax with a particular idiom, inspired in dynamic logic, for the description of dynamic behaviours, understood as sequ...

The failures that bugs in software lead to can sometimes be bypassed by the so called workarounds: when a (faulty) routine fails, alternative routines that the system offers can be used in place of the failing one, to circumvent the failure. Previous works have exploited this workarounds notion to automatically recover from runtime failures in some...

Various tools for program analysis, including run-time assertion checkers and static analyzers such as verification and test generation tools, require formal specifications of the programs being analyzed. Moreover, many of these tools and techniques require such specifications to be written in a particular style, or follow certain patterns, in orde...

We present a testing approach for object oriented programs, which encompasses a testing criterion and an automated test generation technique. The criterion, that we call field-exhaustive testing, requires a user-provided limit n on the size of data domains, and is based on the idea of considering enough inputs so as to exhaustively cover the extens...

In earlier work, we had presented a definition of software fault as being any feature of a program that admits a substitution that would make the program more-correct. This definition requires, in turn, that we define the concept of relative correctness, i.e., what it means for a program to be more-correct than another with respect to a given speci...

We extend recent approaches for calculating the probability of program behaviors, to allow model counting for complex data structures with numeric fields. We use symbolic execution with lazy initialization to compute the input structures leading to the occurrence of a target event, while keeping a symbolic representation of the constraints on the n...

Lazy Initialization (LI) allows symbolic execution to effectively deal with heap-allocated data structures, thanks to a significant reduction in spurious and redundant symbolic structures. Bounded lazy initialization (BLI) improves on LI by taking advantage of precomputed relational bounds on the interpretation of class fields in order to reduce th...

We present a novel technique for producing bounded exhaustive test suites from hybrid invariants, i.e., invariants that are expressed imperatively, declaratively, or as a combination of declarative and imperative predicates. Hybrid specifications are processed using known mechanisms for the imperative and declarative parts, but combined in a way th...

While the effectiveness of bounded exhaustive test suites increases as one increases the scope for the bounded exhaustive generation, both the time for test generation and the time for test execution grow exponentially with respect to the scope. In this article, a set of techniques for reducing the time for bounded exhaustive testing, by either red...

Like all engineering disciplines, software engineering relies on quantitative analysis to support rationalized decision making. Software engineering researchers and practitioners have traditionally relied on software metrics to quantify attributes of software products and processes. Whereas traditional software metrics are typically based on a synt...

Tight field bounds contribute to verifying the correctness of object oriented programs in bounded scenarios, by restricting the values that fields can take to feasible cases only, during automated analysis. Tight field bounds are computed from formal class specifications. Their computation is costly, and existing approaches use a cluster of compute...

A fault is an attribute of a program that precludes it from satisfying its specification; while this definition may sound clear-cut, it leaves many details unspecified. An incorrect program may be corrected in many different ways, involving different numbers of modifications. Hence neither the location nor the number of of faults may be defined in...

We propose a conceptual reasoning method for an inference engine. Starting from a knowledge base made of decision rules, we first map each rule to its corresponding Truth Table Binary Relation (TTBR), considered as a formal context. Objects in the domain of TTBR correspond to all possible rule interpretations (in terms of their truth value assignme...

Automatic analysis of Alloy models is supported by the Alloy Analyzer, a tool that translates an Alloy model to a propositional formula that is then analyzed using off-the-shelf SAT solvers. The translation requires user-provided bounds on the sizes of data domains. The analysis is limited by the bounds and is therefore partial. Thus, the Alloy Ana...

In previous work, we presented TACO, a tool for efficient bounded verification. TACO translates programs annotated with contracts to a SAT problem which is then solved resorting to off-the-shelf SAT-solvers. TACO may deem propositional variables used in the description of a program initial states as being unnecessary. Since the worst-case complexit...

Nowadays, software artifacts are ubiquitous in our lives being an essential part of home appliances, cars, cell phones, and even in more critical activities like aeronautics and health sciences. In this context software failures may produce enormous losses, either economical or, in the worst case, in human lives. Software analysis is an area in sof...

We present a novel approach for parallel analysis of models written in Alloy, a declarative extension of first-order logic based on relations. The Alloy language is supported by the fully automatic Alloy Analyzer, which translates models into propositional formulas and uses off-the-shelf SAT technology to solve them. Our key insight is that the und...

In this article we present a novel technique for automated parallel bug-finding based on the sequential analysis tool TACO. TACO is a tool based on SAT-solving for efficient bug-finding in Java code with rich class invariants. It prunes the SAT-solver's search space by introducing precise symmetry-breaking predicates and bounding the relational sem...

Bounded verification is a technique associated with the Alloy specification language that allows one to analyze Alloy software models by looking for counterexamples of intended properties, under the assumption that data type domains are restricted in size by a provided bound (called the scope of the analysis). The absence of errors in the analyzed...

Tight field bounds have been successfully used in the context of bounded-exhaustive bug finding. They allow one to check the correctness of, or find bugs in, code manipulating data structures whose size made this kind of analyses previously infeasible. In this article we address the question of whether tight field bounds can also contribute to a si...

We present a novel and general technique for automated test generation that combines tight bounds with incremental SAT solving. The proposed technique uses incremental SAT to build test suites targeting a specific testing criterion, amongst various black-box and white-box criteria. As our experimental results show, the combination of tight bounds w...

Bounded-exhaustive exploration of test case candidates is a commonly employed approach for test generation in some contexts. Even when small bounds are used for test generation, executing the obtained tests may become prohibitive, despite the time for test generation not being prohibitive. In this paper, we propose a technique for reducing the size...

SAT-based bounded verification of programs consists of the translation of the code and its annotations into a propositional formula. The formula is then analyzed for specification violations using a SATsolver. This technique is capable of proving the absence of errors up to a given scope. SAT is a well-known NP-complete problem, whose complexity de...

In this chapter we present the class of fork algebras, an extension of relation algebras with an extra operator called fork. We will present results relating fork algebras both to logic and to computer science. The interpretability of first-order theories as equational theories in fork algebras will provide a tool for expressing program specificati...

We propose an automated approach for generating tests from formal tabular requirements specifications, such as SCR specifications. The technique is based on counterexample guided abstraction refinement and the use of SMT solving. Moreover, in order to effectively perform automated test generation, we take advantage of particular characteristics of...

The automated generation of test cases for heap allocated, complex, structures is particularly difficult. Various state of the art tools tackle this problem by bounded exhaustive exploration of potential test cases, using constraint solving mechanisms based on techniques such as search, model checking, symbolic execution and combinations of these....

The Dynamite Proving System (DPS) provides an assisted theorem prover for Alloy. In this paper we report our experiences on using DPS in the verication of an industrial size model for compositional bindings in network domains, developed by Pamela Zave at AT&T. We also review the DPS foundations, architecture, and some of its main features.

In previous articles we presented Arg entum, a tool for reasoning across heterogeneous specifications based on the language of fork algebras. Arg entum’s foundations were formalized in the framework of institutions. The formalization made simple to describe a methodology capable of producing a complete system desription from partial views, eventual...

According to the Verified Software Initiative manifesto, “Lightweight techniques and tools have been remarkably successful in finding bugs and problems in software. However, their success must not stop the pursuit of this projects long-term scientific ideals”. The Dynamite Proving System (DPS) blends the good qualities of the lightweight formal...

SAT-based bounded verification of annotated code consists of translating the code together with the annotations to a propositional formula, and analyzing the formula for specification violations using a SAT-solver. If a violation is found, an execution trace exposing the error is exhibited. Code involving linked data structures with intricate invar...

Alloy [Jac02a] is a widely adopted relational modeling language. Its appealing syntax and the support provided by the Alloy Analyzer [Jac02b] tool make model analysis accessible to a public of non-specialists. A model and property are translated to a propositional formula, which is fed to a SAT-solver to search for counterexamples. The translation...

Identifying a minimal unsatisfiable core in an Alloy model proved to be a very useful feature in many scenarios. We extend this concept to hot core, an approximation to unsat core that enables the user to obtain valuable feedback when the Alloy’s sat-solving process is abruptly interrupted. We present some use cases that exemplify this new feature...

SAT based analysis of code consists on providing an appro-priate translation of code to a SAT problem, and using a SAT solver to analyze properties of the source program. This process can be improved if bounds for relations modeling class fields are introduced ala KodKod. In this article we present a distributed algorithm for automated inference of...

We propose complementing tabular notations used in requirements specifications, such as those used in the SCR method, with a formalism for describing specific, useful, subclasses of computations, i.e., particular combinations of the atomic transitions specified within tables. This provides the specifier with the ability of driving the execution of...

DynAlloy is an extension of the Alloy language to better describe state change via actions and programs, in the style of dynamic logic. In this paper, we report on our experience in trying to provide abstraction based mechanisms for improving DynAlloy specifications with respect to SAT based analysis. The technique we employ is based on predicate a...

DynAlloy is an extension of Alloy to support the definition of actions and the specification of assertions regarding execution traces. In this article we show how we can extend the Alloy tool so that DynAlloy specifications can be automatically analyzed in an efficient way. We also demonstrate that DynAlloy's semantics allows for a sound technique...

This article contains two main contributions. On the the- oretical side, it presents a novel complete proof calculus for Alloy. On the applied side we present Dynamite, a tool that combines the semi- automatic theorem prover PVS with the Alloy Analyzer. Dynamite al- lows one to prove an Alloy assertion from an Alloy specification using PVS, while u...

We introduce a strategy for the verification of relational spec- ifications based on the analysis of monotonicity of variables within for- mulas. By comparing with the Alloy Analyzer, we show that for a rele- vant class of problems this technique outperforms analysis of the same problems using SAT-solvers, while consuming a fraction of the memory S...

Algebraization of computational logics in the theory of fork algebras has been a research topic for a while. This research allowed us to interpret classical first-order logic, several propositional monomodal logics, propositional and first-order dynamic logic, and propositional and first-order linear temporal logic in the theory of fork algebras....

In this paper we prove theorems on the interpretability of the first-order temporal logics LTL and TL into Fork Algebras. This result is part of a research project on the interpretability of logics in Fork Algebras, and has important applications towards the relational specification of properties of systems within the Argentum tool.

This article contains two main contributions. On the the- oretical side, it presents a novel complete calculus for Alloy. On the applied side we present DYNAMITE, a tool that com- bines the semi-automatic theorem prover PVS with the Alloy Analyzer. DYNAMITE allows one to prove Alloy assertion from Alloy specifications, while using the Alloy Analyze...

DynAHoy is an extension of the Alloy specification language that allows one to specify and analyze dynamic properties of models. The analysis is supported by the DynAlloy Analyzer tool. In this paper we present a method for translating sequential Java programs to DynAlloy. This allows one to use DynAlloy as a new formal method for the analysis of J...

ABSTRACT We introduce a strategy for the verification of relational specifications based on the analysis of monotonicity of variables within formulas. By comparing,with the Alloy Analyzer, we show that for a relevant class of problems this technique drastically outperforms analysis of the same problems using SAT-solvers, while consuming a fraction...

We study a number of restrictions associated with the first-order relational specification language Alloy. The main shortcomings we address are: — the lack of a complete calculus for deduction in Alloy’s underlying formalism, the so called relational logic, — the inappropriateness of the Alloy language for describing (and analyzing) properties rega...

We present DynAlloy, an extension to the Alloy specification language to describe dynamic properties of systems using actions. Actions allow us to appropriately specify dynamic properties, particularly, properties regarding execution traces, in the style of dynamic logic specifications. We extend Alloy's syntax with a notation for partial correctne...

We present DynAlloy, an extension to the Alloy specification language to describe dynamic properties of systems using actions. Actions allow us to appropriately specify dynamic properties, particularly, properties regarding execution traces, in the style of dynamic logic specifications. We extend Alloy's syntax with a notation for partial correctne...

In this paper we show that, by translating Alloy formulas to formulas in the language of fork algebras, we obtain a complete, equa- tional, and purely relational calculus for Alloy.

Fork algebras have interesting connections with Computing, Algebra and Logic. This paper presents a survey of ideas and results about fork algebras, with special emphasis on current developments and promising research lines.

We present a modified semantics and an extension of the Alloy specification language. The results presented in this paper are: (a) We show how the modified semantics of Alloy allows us to avoid the higher-order quantification currently used both in the composition of operations and in specifications, keeping the language first-order. (b) We show ho...

Dynamic logic has become a very useful tool in Computer Science, with direct applications in system specification. Here we show how to interpret first-order dynamic logic in an extension of the relational calculus of fork algebras. That is, reasoning in first-order dynamic logic can be replaced by equational reasoning in the extended relational cal...

The relational calculus MU was presented in Willem-Paul de Roever's dissertation as a framework for describing and proving properties of programs. MU is axiomatized by de Roever in stages. The next-to-last stage is the calculus MU2, namely MU without the recursive μ-operator. Its axioms include typed versions of Tarski's axioms for the calculus of...

In previous papers we have presented a relational calculus for program construction based on fork algebras. This calculus allows the specification of algorithm design strategies as for instance case-analysis, trivialization and divide-and-conquer. In this paper we present an algebraic formalization of exhaustive search and backtracking, which is il...

In this note we will show that the axioms defining the operator fork in the class of fork algebras are independent, i.e., none of them can be derived from the others.

The representation theorem for fork algebras was always misunderstood regarding its applications in program construction. Its application was always described as "the portability of properties of the problem domain into the abstract calculus of fork algebras". In this paper we show that the results provided by the representation theorem are by far...

The representation theorem for fork algebras was always misunderstood regarding its applications in program construction. Its application was always described as "the portability of properties of the problem domain into the abstract calculus of fork algebras". In this paper we show that the results provided by the representation theorem are by far...