People of ACM - Abhik Roychoudhury

January 23, 2025

 Let’s start with your research. For those who are unfamiliar with your field, what are automated program repair methods and why are they important?

My research team at NUS has been actively involved in automated program repair, and lately, automatic programming. This research is deeply rooted in the discipline of software engineering. One of the core difficulties in engineering software systems comes from an accurate capture of the intent—which is what the software is trying to achieve. However, the intent is often never captured fully or formally. Automated program repair techniques take in a buggy program and an incomplete description of intent (often given as tests) and produce a rectified program. Thus, a key challenge is to accurately infer or extrapolate intent from the given tests. The techniques have wide applications in managing software evolution, software security, and even language translation.

In your ICSE Most Influential Paper “SemFix: Program Repair Via Semantic Analysis,” you and your co-authors introduce a new tool that achieves a higher success rate and produces faster repair. How was this an improvement over the existing state-of-the art?

Earlier works on program repair used heuristic search in the domain of edits to find a repair. The issue with such an approach is the quality of patches. For example, while repairing a security vulnerability, earlier approaches might achieve security, but potentially delete functionality. Our outlook is different. When fixing a concrete failure given by a failing test, we produce abstract or symbolic fixes. This is achieved by symbolic execution of the given tests in a novel way. It infers desired properties of patches which then leads to higher quality program repair. Though symbolic execution was suggested almost 50 years ago in 1976, it had been used primarily for testing and verification of programs. So, our usage of symbolic execution in program repair was novel as well, using it for specification inference.

What made you start researching fuzzing and software security?

It started with my teaching. I was preparing for a new course, Software Security, to be taught in NUS as part of a new Bachelor’s in Information Security program. When we looked at the fuzzing techniques for finding security vulnerabilities, we realized that people are mostly using fuzzing tools like American Fuzzy Lop (AFL) like a black box, without having an explanation of why AFL is so effective in finding software vulnerabilities. We ended up modeling the working of the AFL tool as an algorithmic framework. As soon as we did that, there was a lot of follow up of our work—since researchers could see different ways of improving or optimizing the algorithm. All of these led to a lot of research in fuzzing—not just from my team, but many academic and industrial teams worldwide.

Why is ACM TOSEM a valuable resource for the community and what will be your goals as Editor-in-Chief?

TOSEM is ACM’s flagship journal in software engineering. As incoming Editor-in-Chief, I would like to take a forward-looking outlook of the field deriving value from classical and foundational research, while at the same time embracing research emerging from disruptive innovations promising increased automation in software engineering. Thus, TOSEM will continue to be one of the guideposts for the entire community. We plan to have regular interactions with the community at large via blog posts. For this purpose, we are setting up an Information Directorate. Cristian Cadar and Aldeida Aleti will serve as Information Directors sharing blog posts on the journal with the community via the SIGSOFT blog. In addition, we are working on starting a system where software engineering papers submitted to the journal are earmarked into sub-areas by authors such as Software Testing, AI and Software Engineering, Software Maintenance, Requirements, and so on. This way, reviewers can get a better understanding of where the authors see their contributions to be and reviewers can then read the paper in this light.

Your recently developed a presentation called “Imagination in Computer Science Research” which was given at the FSE24 New Faculty Symposium. Will you tell us a little about the Three “I”s of Research that you outline in the presentation?

Three “I”s of Research refer to Initiative, Intuition and Imagination—ingredients for a strong research plan and program. Many students or young faculty focus on initiative and intuition (i.e. solving research problems). However, it is equally important to focus on the third “I”—imagination, which helps us to formulate new research problems or provide a completely new outlook on existing problems. In my mentoring, I have always asked my PhD students and post-docs to focus more on imaginative ideas, rather than problem solving. Many of my past PhD students are today faculty members all over the world—hopefully this focus on imagination in research has been useful to them! I am also heartened to have been the inaugural recipient of Outstanding Graduate Mentor Award at NUS.

What is an exciting project you and your team at NUS are working on now?

We are actively working on a project called AutoCodeRover  It follows up on our past work on program repair and builds on it, by constructing a Large Language Model (LLM) agent for software maintenance tasks such as fixing errors and feature additions. Our LLM agent uses LLM as back-end while employing testing and analysis tools in the front-end in an autonomous fashion. Thus you could think of it as an autonomous program improvement technology (see here and here). Instead of using tests as correctness criteria, these agents are more powerful in the sense that they can work with natural language descriptions of the correctness criterion. I see this as a really cool, forward-looking technology where in the future automatically generated code can be autonomously improved and possibly integrated into larger software projects. Recently we also worked with Google’s Open-Source Security (OSS) team to study the automated repair of vulnerabilities (found by fuzzing) in critical projects using AutoCodeRover. Stay tuned for further developments!