Deep Dive into Probabilistic Delta Debugging: Insights and Simplifications

The ddmin algorithm [1] is the first algorithm to systematically minimize a bug-triggering input to its essence. It takes the following two inputs:

• •

  $L$: a list of elements representing a bug-triggering input. For example, $L$ can be a list of bytes, characters, lines, tokens, or parse tree nodes extracted from the bug-triggering input.

• •

  $\psi$ψぷさい: a property that $L$ has. Formally, $\psi$ψぷさい can be defined as a predicate that returns T if a list of elements preserves the property, F otherwise.

and returns a minimal subset of $L$ that still preserves $\psi$ψぷさい, from which excluding any single element will make the minimal subset lose $\psi$ψぷさい. This algorithm has been widely used in practice to facilitate developers in debugging [12, 9, 8, 24]. It generally consists of the following three steps.

Table II illustrates the step-by-step minimization process of ddmin with the running example in Fig. 1(a). Initially, the input $L$ is [${l}_{1}$, ${l}_{2}$, $\cdots$, ${l}_{8}$]. The ddmin algorithm iteratively generates variants by gradually decreasing the size of subsets from 4, 2 to 1.

1. 1.

   Round 1 ($s$=4). At the beginning, ddmin splits $L$ into two subsets and generates two variants v₁ and v₂. However, neither of them preserves $\psi$ψぷさい.

2. 2.

   Round 2 ($s$=2). Next, ddmin continues to subdivide these two subsets into smaller ones, and generates eight variants (i.e., v₃, v₄, $\cdots$, v₁₀) by using these subsets and their complements. Specifically, the first four variants (v₃, v₄, v₅, v₆) are the subsets, and the next four variants (v₇, v₈, v₉, v₁₀) are the complements of these subsets. Again, none of these eight variants preserves $\psi$ψぷさい.

3. 3.

   Round 3 ($s$=1). Finally, ddmin decreases subset size $s$ from 2 to 1, and generates more variants. This time, v₂₃, which is the complement of the subset {${l}_{5}$}, preserves $\psi$ψぷさい. Hence, the subset {${l}_{5}$} is permanently removed from $L$. Then for each of the remaining subsets {${l}_{1}$}, {${l}_{2}$}, $\cdots$, {${l}_{8}$}, ddmin restarts testing the complement of each subset, i.e., from v₂₄ to v₃₀. However, none of these variants preserves $\psi$ψぷさい, and no subset can be further divided, so ddmin terminates with the variant v₂₃ as the final result.

Wang et al. [14] proposed the state-of-the-art algorithm ProbDD, significantly surpassing ddmin in minimizing bug-triggering programs on C compilers and benchmarks in software debloating. ProbDD employs Bayesian optimization [18] to model the minimization problem. ProbDD assigns a probability to each element in $L$, representing its likelihood of being essential for preserving the property $\psi$ψぷさい. At each step during the minimization process, ProbDD selects a subset of elements expected to yield the highest Expected Reduction Gain, and targets these elements in the subset for deletion. In this section, we outline ProbDD’s workflow in Algorithm 1, paving the way for a deeper understanding and analysis of ProbDD.

Table III illustrates the step-by-step results of ProbDD. Following the study of ProbDD [14], the initial probability $p_{0}$ is set to 0.25, resulting in subsets with a size of 4 as per Equation 2.

1. 1.

   Round 1 ($s$=4). Similar to the example in the original paper of ProbDD [14], we assume ProbDD selects (${l}_{1}$, ${l}_{4}$, ${l}_{5}$, ${l}_{8}$) to delete due to the randomness, thus resulting the variant v₁. However, v₁ fails to exhibit $\psi$ψぷさい, leading to the probability of these selected elements being updated from 0.25 to $\frac{0.25}{1-(1-0.25)^{4}}\approx 0.37$, based on Equation 3. Next, the remaining elements with lower probability, i.e., (${l}_{2}$, ${l}_{3}$, ${l}_{6}$, ${l}_{7}$), are prioritized and selected for deletion, resulting in v₂. This time, the property test passes and these elements are removed.

2. 2.

   Round 2 ($s$=2). Given that all probabilities of remaining elements become 0.37, the next subset size becomes 2. Subsequently, subset (${l}_{1}$, ${l}_{5}$) are attempted to remove in v₃ and later subset (${l}_{4}$, ${l}_{8}$) are attempted to remove in v₄, though no subset can be successfully removed. After these two attempts, all probabilities update to $\frac{0.37}{1-(1-0.37)^{2}}\approx 0.61$.

3. 3.

   Round 3 ($s$=1). Finally, the subset size becomes 1, so each individual element is selected to remove alone. The elements ${l}_{4}$ and ${l}_{1}$ are finally removed from the final result in v₅ and v₇, respectively, while ${l}_{5}$ and ${l}_{8}$ are verified as non-removable, thus being returned as the final result.

Besides the above observation from a concrete example, theoretical analysis is necessary. To refine the mathematical model of ProbDD for easier representation, analysis and derivation, we assume that the number of elements in $L$ is always divisible by the subset size. With this assumption, the probability of each element will be updated in the same manner; as a result, before and after each round, the probabilities of all elements are always the same, as shown in III.1. This assumption is often applicable in practice. For instance, in the running example in Table III, before each round, the probabilities associated with each remaining element are identical, ensuring that all subsets are of identical size. Furthermore, the probabilities of elements are updated to the same next value after the round.

While it is not always possible for the number of elements to be divisible by the subset size, the elements will still be partitioned as evenly as possible. However, such indivisibilities make the theoretical simplification of ProbDD nearly impossible. Based on our observation when running ProbDD, being slightly uneven during partitioning does not significantly affect probability updates. Moreover, we will demonstrate that the simplified algorithm derived from this assumption has no significant difference from ProbDD in section VI, via thorough experimental evaluation.

In the second step, we derive the correlation between probability and subset size. Based on the assumption in the previous step, the probability of each element is identical and represented as $p_{r}$ in round $r$, thus the formula of Expected Reduction Gain from Equation 1 can be simplified to

Given the probability of elements $p_{r}$ in the round $r$, $s_{r}$ can be derived through gradient-based optimization, i.e., $E^{\prime}(s_{r})=0$. Therefore, the optimal size $s_{r}$ to maximize $E(s)$ is $-\frac{1}{\ln(1-p_{r})}$. Subsequently, we can also deduce the next probability to be $p_{r+1}=\frac{p_{r}}{1-(1-p_{r})^{s_{r}}}$. In summary, the correlation between probability and subset size can be simplified as Equation 5 and Equation 6, in which subset size $s_{r}$ is determined by probability $p_{r}$, and probability $p_{r+1}$ in the next round is determined by both $p_{r}$ and $s_{r}$.

Through Equation 6, $p_{r+1}>p_{r}$ always holds, indicating a monotonic increase of the probability of elements. However, there is still room for simplification, as $s_{r}$ can be represented by $p_{r}$, implying that $p_{r+1}$ can be represented solely by $p_{r}$.

Therefore, through empirical observations on the running example, coupled with theoretical derivation and simplification, we have identified the pattern of probability changes w.r.t. the round number $r$, i.e., $p_{r}=\frac{p_{0}}{(1-e^{-1})^{r}}\approx 1.582^{r}\times p_{0}$.

Based on our previous finding that the probability can be approximately estimated by the current round number via a factor. Consequently, we observe a similar pattern in the changes of the subset size in each round.

Despite deriving that $s_{r+1}$ depends solely on $s_{r}$, the trend of subset size is still implicit and obscure. For a clearer approximation, we propose the linear boundaries of $s_{r+1}$ in terms of $s_{r}$,

Aided by these two bounds, we obtain a complete representation Equation 11 to model subset size $s$. It is worth noting that the size decreases approximately by a factor $1-e^{-1}$ $\approx$ 0.632, until reaching 1. Alternatively speaking, the subset size $s_{r}$ after round $r$ is roughly $s_{0}\times 0.632^{r}$, allowing the subset size to be analytically pre-determined, and thus providing the potential for simplification of ProbDD and leading to the proposal of CDD (see details in section VI).

To extensively evaluate ddmin, ProbDD and CDD, we use the following three benchmark suites ( $76$ benchmarks in total), covering various use scenarios of minimization algorithms.

• •

  Benchmark-C ($\text{BM}_{\text{C}}$): 20 large bug-triggering programs in C language, each of which triggers a real-world compiler bug in either LLVM or GCC. The original size of benchmarks ranges from 4,397 tokens to 212,259 tokens. This benchmark suite has been used to evaluate test input minimization work [9, 14, 19].

• •

  Benchmark-Debloat ($\text{BM}_{\text{DBT}}$): source programs of 10 command-line utilities. The original size of benchmarks ranges from 34,801 tokens to 163,296 tokens. This benchmark suite was collected by Heo et al. [13] and used to evaluate software debloating techniques [13, 20, 21].

• •

  Benchmark-XML ($\text{BM}_{\text{XML}}$): 46 XML inputs triggering 8 unique bugs in Basex, a widely-used XML processing tool. The original size of benchmarks ranges from 19,290 tokens to 20,750 tokens. This benchmark suite is generated via Xpress [22] and collected by the authors of this study, as the original XML dataset used in ProbDD paper is not publicly available.

We measure the following aspects as metrics.

The ddmin algorithm and its variants usually serve as the fundamental algorithm. To apply them to a concrete scenario, an outer wrapping framework is generally needed to handle the structure of the input. In our evaluation, we choose the same wrapping frameworks as those used by ProbDD paper. For those tree-structured bug-triggering inputs, i.e., $\text{BM}_{\text{C}}$ and $\text{BM}_{\text{XML}}$, we use Picireny 21.8 [23], an implementation of HDD [10]. Picireny parses such inputs into trees, and then invokes Picire 21.8 [24], an open-sourced Delta Debugging library with ddmin, ProbDD and CDD implemented, to reduce each level of the trees. For software debloating on $\text{BM}_{\text{DBT}}$, Chisel [13] is employed, in which ddmin, ProbDD and CDD are integrated.

All experiments are conducted on a server running Ubuntu 22.04.3 LTS, equipped with Intel Xeon Gold 6348 CPUs @ 2.60GHz, providing a total of 120 threads, and 4 TB of RAM. To ensure the reproducibility, we employ docker images to release the source code and the configuration. Each benchmark is reduced using a single thread. Following the ProbDD paper, we run each algorithm on each benchmark 5 times and calculate the geometric average results.

To comprehensively reproduce the results of ProbDD [14], we evaluate ddmin and ProbDD using three benchmark suites, containing a total of $76$ benchmarks. Following the settings of ProbDD [14], we set the empirically estimated remaining rate as the initialization probability $p_{0}$, specifically, 0.1 for $\text{BM}_{\text{C}}$ and $\text{BM}_{\text{DBT}}$, and 2.5e-3 for $\text{BM}_{\text{XML}}$. Same as ProbDD’s paper, we employ three hours (10,800 seconds) as the timeout threshold. If the algorithm does not complete a benchmark within the time limit, the smallest result achieved and the corresponding query numbers are still recorded. Due to the significant differences between completed and uncompleted results, we only consider benchmarks completed by all algorithms when calculating averages and p-values. The detailed results are shown in Table IV.