1. Data Structure Repair

2. Data structure repair problem F = 20 G = 5 F = 20 G = 10 I = 5 J = 2 Broken Data Structure Errors Missing elements Inappropriate sharing Dangling references Out of bounds array indices Inconsistent values

3. F = 10 G = 5 F = 2 G = 1 I = 3 J = 2 F = 20 G = 10 F = 20 G = 5 F = 20 G = 10 I = 5 J = 2 Broken Data StructureConsistent Data Structure Repair Algorithm Solution

4. Repair is computed over abstract model 10111001011 10101011101 10101110110 00011001011 10101011101 10101110110 Broken Bits Repaired Bits Broken Abstract Model Repaired Abstract Model Abstract Repair Concrete Data Structure Updates Model Definition Rules

5. Reasoning at Compile Time Compile specifications into repair algorithms Goal-directed reasoning takes place at compile time Consider possibility that |Bitmap| = 0 Abstract repair Choose a block in Free set Add block to Bitmap set Concrete repair Find relevant model definition rule: true  d.block[d.blockbitmap]  Bitmap Goal-directed reasoning finds following update: d.blockbitmap = index of block in d.block array Check that block is an element of d.block array:  b in [0..numblocks-1], d.block[b]  Used  d.block[b]  Free

6. Multiple Repairs Some broken data structures may require multiple repairs Reconstruct model Reevaluate consistency constraints Perform any required additional repairs

7. Architecture 10111001011 10101011101 10101110110 01011001011 10101011101 10101110110 00011001011 10101011101 10101110110 Broken Bits Repaired Bits Broken Abstract Model Repaired Abstract Model Abstract Repair Automatically Generated Concrete Repair.. Model Translation

8. Acyclic Repair Dependences Questions Isn’t it possible for the repair of one constraint to invalidate another constraint? What about infinite repair loops? What about unsatisfiable specifications? Answer We require specifications to have no cyclic repair dependences between constraints So all generated repair sequences terminate Repair can fail only because of resource limitations But, some repairs are never attempted

9. Repair Dependence Graph 2. Add block to Bitmap 4. Satisfy Rule 6 (BlockStatus) 6. Replace with in BlockStatus 1. |Bitmap|=1 5. f.BlockStatus=false 3. d.blockbitmap=indexof(b free ) 7. b.bitmap[j]=false for j=indexof(f) 8. Remove from BlockStatus by removing Bitmap

10. Repair Dependence Graph 2. Add block to Bitmap 4. Satisfy Rule 6 (BlockStatus) 6. Replace with in BlockStatus 1. |Bitmap|=1 5. f.BlockStatus=false 3. d.blockbitmap=indexof(b free ) 7. b.bitmap[j]=false for j=indexof(f) 8. Remove from BlockStatus by removing Bitmap

11. Repair Dependence Graph 2. Add block to Bitmap 4. Satisfy Rule 6 (BlockStatus) 6. Replace with in BlockStatus 1. |Bitmap|=1 5. f.BlockStatus=false 3. d.blockbitmap=indexof(b free ) 7. b.bitmap[j]=false for j=indexof(f)

12. When to Test for Consistency and Repair Persistent data structures Repair can be independent activity, or Repair when data written out or read in Volatile data structures in running program Under programmer control Transaction-based approach Identify transaction start and end Repair at start, end, or both Failure-based approach Wait until program fails Repair and restart from latest safe point

13. Experience We acquired five benchmarks (written in C/C++) AbiWord x86 emulator CTAS (air-traffic control tool) Simplified Linux file system Freeciv interactive game We developed specifications for all five Little development time (days, not weeks) Most of time spent figuring out Freeciv and CTAS Each benchmark has Workload Bug or fault insertion methodology Ran benchmarks with and without repair