Darjeeling is a language-agnostic search-based program repair tool. Unlike other repair tools, such as GenProg, SPR, and Nopol, Darjeeling delegates the responsibility of generating patches, obtaining coverage, analyzing code, and executing tests to other services. Once those auxillary concerns are removed, what is left is a lightweight framework for composing and executing repair algorithms: Darjeeling.
- Language Agnostic: delegates syntax transformation and static analysis to other services.
- Containerization: uses Docker to quickly and safely evaluate patches without executing arbitrary code on your machine.
- Custom Repair Templates: uses Rooibos to support rich, custom repair templates for arbitrary languages.
- Asynchronous Evaluation: accelerates patch evaluation by spreading the load across multiple threads.
- Test Redundancy Checking: uses coverage information to skip test executions that can't be affected by a given patch.
- Test Ordering: numerous test ordering schemes reduce the cost of patch evaluation by prioritizing likely failing tests.
- Equivalent Patch Detection: uses static analysis to remove duplicate transformations from the search space.
To use Darjeeling,
Docker must be
installed on your machine, and your user account must be a member of the
docker group in order to avoid problems related to insufficient privileges
.
Python 3.9 or greater and pip3 must also be installed; Darjeeling will not work with older versions of Python 3 nor will it work with any versions of Python 2.
We strongly recommend that you use pipenv to contain your installation of Darjeeling and avoid conflicting with system packages. To install pipenv, execute the following command:
$ pip install pipenv
To install Darjeeling from source via pipenv, execute the following from the root of the repository:
$ pipenv install
After installing Darjeeling via pipenv as shown above, you can drop into the newly created virtual environment by executing the following command from the root of the repository:
$ pipenv shell
To exit from the virtual environment, you can execute the following command:
(Darjeeling) $ exit
Darjeeling exposes a command-line interface (CLI) for performing program repair, as demonstrated below. The CLI provides a single command, repair, which accepts the path to a Darjeeling configuration file format, described below.
$ darjeeling repair my-config.yml
The Darjeeling configuration file format is written in YAML. Below is an example of a configuration file. The configuration file itself can be found in the example/gcd directory.
version: '1.0'
seed: 0
threads: 16
# provides information about the program under repair, including
# the name of the Docker image that is used to provide it, the
# location of the source code for the program within that image,
# and instructions for building and testing it.
program:
image: darjeeling/example:gcd
language: c
source-directory: /experiment/source
build-instructions:
time-limit: 10
steps:
- gcc gcd.c -o gcd
steps-for-coverage:
- gcc gcd.c -o gcd --coverage
tests:
type: genprog
workdir: /experiment
number-of-failing-tests: 1
number-of-passing-tests: 10
time-limit: 5
# specifies the method/tool that should be used to obtain coverage for
# the program.
coverage:
method:
type: gcov
files-to-instrument:
- gcd.c
localization:
type: spectrum
metric: tarantula
algorithm:
type: exhaustive
transformations:
schemas:
- type: delete-statement
- type: replace-statement
- type: append-statement
optimizations:
ignore-equivalent-insertions: yes
ignore-dead-code: yes
ignore-string-equivalent-snippets: yes
# places a limit on the resources (e.g., wall-clock time, test executions,
# candidate patches) that may be consumed during the search for a repair.
resource-limits:
candidates: 100Below, we describe the top-level options exposed by the configuration file:
version: the version of the Darjeeling configuration file format that was used to write the file.seed: a seed for the random number generator.threads: number of threads over which the repair workload should be distributed.
The program section is used to provide essential details about the
program that should be repaired. This section contains the following
properties:
image: the name of the Docker image that provides the program under repair.source-directory: the absolute path of the source code for the program within the provided Docker image.language: the language used by the program under repair. Note that, although Darjeeling supports multiple languages, it is not currently possible to fix bugs that involve more than one language.build-instructions: executable instructions for (re-)building the program inside the container. Discussed below.tests: details of the test suite used by the program. Discussed below.
Below is a list of the languages that are fully supported by Darjeeling. Darjeeling can automatically perform static analysis and compute coverage information for each of these languages.
- C:
c - C++:
cpp - Python:
python
The text option (i.e., language: text) may be used to ignore the language
of the program under repair and to treat each file as a text file. When this
option is used, users will need to manually provide coverage information, and
static analysis will not be performed.
This section provides instructions to Darjeeling for re-building the program
for purposes of (a) evaluating candidate patches, and (b) instrumenting the
program for coverage collection. Below is an except of the
build-instructions section from the example above.
build-instructions:
time-limit: 10
steps:
- gcc gcd.c -o gcd
steps-for-coverage:
- gcc gcd.c -o gcd --coverageThe time-limit specifies the maximum number of seconds that Darjeeling
should wait before cancelling a build attempt. The steps property
provides a sequence of shell commands that are used to build the program
for the purpose of patch evaluation. Similarly, the steps-for-coverage
property gives a sequence of shell commands that are used to build the
program with coverage instrumentation.
This section is used to describe the test suite used by the program.
Darjeeling uses the program's test suite to determine the correctness
of patches and to find acceptable patches that pass all tests.
Darjeeling offers a number of test suite options out of the box,
specified by the type property within the tests
section. We describe these below.
This type of test suite provides convenient support for GenProg-style test
scripts used by benchmarks such as ManyBugs, IntroClass, and the GenProg TSE
2012 benchmarks. GenProg-style test scripts accept a single argument specifying
the name of the positive or negative test case that should be executed.
Positive tests correspond to tests that pass on the original, unmodified
program, whereas negative tests correpond to tests that fail on the original
program. The positive tests are named using the form p{k}, where
{k} is replaced by the number of the positive test (starting from 1).
Similarly, negative tests are named n{k}, where {k} is replaced
by the number of the negative test (starting from 1).
Below is an example of a genprog test suite:
tests:
type: genprog
workdir: /experiment
number-of-failing-tests: 1
number-of-passing-tests: 10
time-limit: 5The time-limit property specifies the maximum number of seconds that may elapse
before a test execution is aborted and declared a failure. The
number-of-passing-tests and number-of-failing-tests
properties state the number of passing and failing tests.
The workdir property gives the absolute path of the directory
that contains the test.sh for the test harness.
This test suite is used by Python programs that support the popular pytest framework. Note that pytest can run unittest and nose tests natively.
Below is an except from a configuration file that uses pytest:
tests:
type: pytest
workdir: /opt/flask
tests:
- tests/test_config.py::test_get_namespace
- tests/test_config.py::test_config_from_pyfile
- tests/test_config.py::test_config_from_objectThe workdir directory specifies the location at which pytest
should be executed. The tests property gives a list of the names of
the individual tests belonging to the test suite. Each name is given the
format expected by pytest. That is, the name of the file containing the
test (relative to workdir), followed by :: and the name
of the test method.
Note that automated discovery of test cases is not currently
implemented, but is planned for a future release.
The coverage section provides Darjeeling with instructions for computing
test coverage for the program under repair. Below, we describe the properties
contained within this section:
method: the tool that should be used to compute coverage for the program under repair. This information is necessary since Darjeeling deals with multiple languages, and each languages may have more than one associated tool for obtaining coverage. Out of the box, Darjeeling provides support forgcov, used for C and C++ programs, andpycoverage, used for Python programs. Support for additional coverage methods may be added via Darjeeling's plugin mechanism. Further details on these two methods are provided below.load-from-file: optionally specifies the location of a file from which coverage should be read. An example of such a coverage file can be found in example/flask/coverage.yml.restrict-to-files: optionally gives a list of files to which the coverage collection should be restricted to. Files should be given as paths relative to the specifiedsource-directoryfor the program. Coverage that is generated for files outside of this set will be automatically discarded by Darjeeling. Note that this property uses the same format aslocalization.restrict-to-files.restrict-to-lines: optionally gives a list of lines that the coverage coverage collection should be restricted to. Lines outside of this set will be automatically ignored. This method uses the same format aslocalization.restrict-to-lines, shown below.
Below is an excerpt from an example configuration that uses gcov for
coverage collection.
coverage:
method:
type: gcov
files-to-instrument:
- gcd.cThis method accepts a single, optional property, files-to-instrument.
This property is very important.
By default, programs compiled with the appropriate --coverage option
set in their CFLAGS, CXXFLAGS, and LDFLAGS will produce
.gcda files at runtime. The gcov tool computes coverage by reading both
those .gcda files and their associated .gcno files, generated
during compilation. More specifically, programs compiled with the --coverage
option will write coverage data to disk during the normal termination of the
program (i.e., the program exits with code zero). If the program abruptly
terminates (e.g., due to memory corruption), .gcda files will NOT be
produced.
This behavior is problematic for Darjeeling. It prevents collection from being
obtained for failing tests that crash the program. As a workaround, Darjeeling
adds source-based instrumentation to the program (in the form of a signal
handler) that causes the program to (attempt to) flush its coverage information
in thee event of abrupt termination. The files-to-instrument property
gives the names of the source code files that provide entrypoints to the program
binaries (i.e., main functions).
The localization section provides instructions for localizing the fault
inside the program under repair. Currently, the configuration file
format supports a single type of fault localization: spectrum-based fault
localization, which assigns a suspiciousness value to each line in
the program under repair based on the number of passing and failing tests
that touch that line. A suspiciousness metric is used to compute
individual suspiciousness values. The configuration file exposes a number of
metrics via its metric property:
tarantulagenprogjaccardochiai
The localization section also exposes an exclude-files
property, which may be used to exclude certain files from the fault
localization. Each file should be given by its location relative to the source
directory for the program under repair.
In the example below, the files foo.c and bar.c are excluded
from the fault localization.
exclude-files:
- foo.c
- bar.cIndividual source code lines can also be excluded using the exclude-lines
property, as shown below. The exclude-lines property states which lines should
be excluded from specified files. In the example below, lines 1, 2, 3 and 4 from
foo.c, and lines 4, 6, 7 from bar.c are excluded from the fault
localization.
exclude-lines:
foo.c: [1, 2, 3, 4]
bar.c: [4, 6, 7]The fault localization can also be restricted to only consider certain files
by using the restrict-to-files property, as shown below.
restrict-to-files:
- foo.cSimilarly, the fault localization can also be restricted to individual source
code lines using the restrict-to-lines property:
restrict-to-lines:
foo.c: [11, 14, 16]The algorithm section outlines the search algorithm that should be used
to search the space of candidate repairs. A description of the types of
search algorithm exposed by the configuration file format is given below.
exhaustive: iterates over all single-transformation patches within the search space until the termination criteria are met.genetic: implements a customisable genetic algorithm, inspired by GenProg.
The transformations section describes the space of program
transformations from which candidate patches should be composed. The
schemas property of this section specifies a list of the program
transformation schemas, along with any parameter values for those schemas, that
should may be used to construct concrete program transformations. Each entry in
the schemas list must specify a type.
The configuration format supports three "classical" statement-based
transformation schemas based on those introduced by
GenProg:
delete-statement, replace-statement, and prepend-statement;
swap-statement has not been implemented at the time of writing.
To learn more about why Darjeeling uses prepend-statement rather than the
traditional append-statement schema, see the
Darjeeling design document.
Below is an example of schemas property that uses all of the classical
statement-based schemas.
schemas:
- type: delete-statement
- type: replace-statement
- type: prepend-statementThe configuration format also supports custom repair templates via
match-rewrite patterns for Rooibos.
Below is an example of a simple repair template that replaces all calls to
foo with calls to bar.
- type: template
match: "foo(:[1])"
rewrite: "bar(:[1])"The type property is set to template to indicate that this schema
represents a Rooibos-based repair template. The match and rewrite
sections are used to specify match and rewrite patterns, respectively.
Darjeeling also provides support for naive line-based transformations,
given below, which can be used for programs that use languages that are
not fully supported (i.e., programs that use the text language).
- type: delete-line
- type: insert-line
- type: replace-lineThe optimizations section is used to toggle various optimizations available
to the repair process. By default, all optimizations are enabled. Below is a
list of optimizations that can be toggled by the configuration file.
use-scope-checking: ensures that all variable and function references that occur in a given transformation are visible from the scope into which they are being inserted.use-syntax-scope-checking: ensures that any keywords introduced by a transformation (e.g.,breakandcontinue) are permitted by their surrounding context.ignore-dead-code: prevents the insertion of code that exclusively writes to dead variables.ignore-equivalent-insertions: uses an approach inspired by instruction scheduling to prevent equivalent insertions of code.ignore-untyped-returns: prevents insertion of areturnstatement into a context where the type of the retval is incompatible with the return type of the enclosing method or function.ignore-string-equivalent-snippets: transforms donor code snippets into their canonical form, thus preventing the insertion of string-equivalent snippets.ignore-decls: prevents transformations that are either applied to declaration statements, or else solely introduce a declaration statement.only-insert-executed-code: prevents the insertion of code that has not been executed by at least one test case.
The resource-limits section of the configuration file is used to impose
limits on the resources that may be consumed during the search. The search will
be terminated upon hitting any of these limits. The limits specified in this
section of the configuration file may be overridden by command-line options. If
a limit for a particular resource is not given in either the configuration file
or as a command-line argument, then the use of that resource will be unbounded
(i.e., no limit will be imposed).
Below is a list of the resource limits that may be specified in the configuration file:
candidates: the maximum number of candidate patches that may be evaluated. May be overriden at the command line by the--max-candidatesoption.time-minutes: the maximum length of wall-clock time that may be spent searching for a patch, given in minutes. May be overriden at the command line by the--max-time-minsoption.
This section describes the different search algorithms that are supported by Darjeeling.
The exhaustive search algorithm exhaustively searches over all legal
single-transformation patches within the search space until the termination
criteria are fulfilled.
The genetic search algorithm implements a genetic algorithm that is inspired
by the one used by GenProg, a
formative search-based program repair tool for C. Below is an excerpt from a
configuration file that uses a genetic search algorithm.
algorithm:
type: genetic
population: 80
generations: 20
tournament-size: 3
mutation-rate: 0.6
crossover-rate: 0.1
test-sample-size: 0.4Below is a list of the parameters that are exposed by genetic:
population: the size of the (initial) population. Used to control the number of individuals that are selected as parents.generations: the maximum number of generations.tournament-size: the size of the tournament when performing tournament selection to choose parents. Larger tournament sizes lead to an increased selective pressure.mutation-rate: the probability of an individual mutation event.crossover-rate: the probability of an individual crossover event between two parents.test-sample-size: controls test sampling. When test sampling is enabled, the fitness of an individual is computed using a randomly selected subset of the test suite, rather than the entire test suite. (More specifically, test sampling selects a subset of the passing tests whilst keeping all of the failing tests.) The value oftest-sample-sizeis used to specify the size of the subset (or sample). Iftest-sample-sizeis given as a float, then it will be treated as a fraction. Iftest-sample-sizeis given as an integer, then its value will be used as the absolute number of (passing) tests that should be included in the sample. Iftest-sample-sizeis omitted or set tonull, test sampling will be disabled.
Users may extend Darjeeling's capabilities with their own plugins.
Upon launch, Darjeeling will find and automatically import all installed
Python packages whose name starts with darjeeling_ (e.g.,
darjeeling_ardupilot).
Darjeeling treats the following features as framework extension points, allowing variants to be added by plugins:
- Search algorithms
- Transformation schemas
- Test harnesses
- Coverage tools (e.g.,
jacoco,pycoverage,sancov) - Spectrum-based fault localisation suspiciousness metrics