Campus Beat Hyderabad

IIIT Hyderabad professor develops tool to detect software bugs early

IIIT Hyderabad professor Abhishek Kr Singh explaining software bug detection research

HYDERABAD: As artificial intelligence systems increasingly generate software code, ensuring that such code is safe and reliable has become a critical challenge. A research team led by Abhishek Kr Singh, professor at the Software Engineering Research Center, International Institute of Information Technology Hyderabad, is working on automated methods to detect bugs at the design stage—before software failures occur.

Singh said software development itself has become automated, but this has also led to the creation of large numbers of hidden bugs. “The process of developing software is now automated, but in the process, many bugs are generated as well,” he said.

Bugs begin before code is written

According to Singh, many errors originate even before programming starts. He said problems often arise during the transition from informal human intent to formal software implementation.

“The issue is that intent is described in natural language, which is ambiguous,” he said. “English sentences can have multiple meanings, but code has no room for ambiguity.” Even small mismatches between intent and implementation can result in errors that are difficult to detect later.

Correctness by construction

Instead of fixing bugs after software is written, Singh advocates what he calls “correctness by construction”. The approach focuses on making software correct during its creation by embedding precise specifications and assertions that computers can automatically verify.

“If you can specify your intention in a more formal language, there is a possibility of checking whether those intentions are met or not,” he said.

Parallel programs pose higher risks

The challenge is significantly greater in modern software systems that run multiple tasks simultaneously. Singh said parallel or concurrent programs are particularly vulnerable to subtle timing issues, known as race conditions, which may surface only under rare circumstances.

“These bugs may appear years after deployment,” he said.

To address this, Singh’s team uses fuzzing, a testing technique that automatically generates large numbers of inputs to check whether software violates key safety properties. “Industry spends a lot of time testing using input-output pairs, but that is not systematic,” he said. “If even one property is broken, you know something went wrong.”

Semantic-guided fuzzing

Singh said random fuzzing is often insufficient for detecting complex concurrency bugs. His team instead uses semantic-guided fuzzing, which relies on a deep understanding of how parallel programs behave on real hardware.

“There is no tool right now that actually deals with fuzzing of weak-memory programs running on modern architectures,” he said, noting that while standard fuzzers such as AFL exist, very few research groups understand the underlying semantics of parallel programs.

From theory to practical tools

The project is being carried out in collaboration with Ashish Mishra of IIT Hyderabad, with students from both IIT Hyderabad and IIIT Hyderabad working full-time. The team is developing a tool aimed at real-world software, focusing on commonly used programming languages such as C++ and architectures like x86 and ARM.

Singh said the work builds on his earlier research in formal verification and mathematical proofs of correctness. “Now we want to translate those theoretical results into actual tool building,” he said.

He added that the industry impact could be substantial, as major technology and semiconductor companies already rely heavily on fuzzing. Future plans include extending the approach to graphics processing units and hardware accelerators, where correctness challenges are more severe.
