Automated Program Repair (APR) techniques typically rely on a given test suite to guide the repair process. Apart from the need to provide test oracles, this makes the produced patches prone to over-fitting to the test data. In this work, instead of relying on test cases, we show how to automatically repair memory safety issues by leveraging static analysis (specifically Incorrectness Separation Logic) to guide repair. Our proposed approach learns what a desirable patch is by inspecting how close a patch is to fixing the bug, based on feedback from static analysis grounded in incorrectness separation logic (specifically the Pulse analyser), and turning this information into a probability distribution over context-free grammars. Furthermore, instead of focusing on heuristics for reducing the search space of patches, we make repair scalable by creating classes of equivalent patches according to the effect they have on the symbolic heap, and then invoking the validation oracle only once per patch equivalence class. This allows us to efficiently discover repairs even in the presence of a large pool of patch candidates offered by our generic patch synthesis mechanism. Experimental evaluation of our approach was conducted by repairing real-world memory errors in OpenSSL, swoole and other subjects. The evaluation results show the scalability and efficacy of our approach in automatically producing high-quality patches.